NEWS
A major UK gambling business has warned that all commercial websites are at risk from a new type of botnet denial of service attack that it describes as unstoppable and undetectable.
Gala Coral ecommerce's gambling sites were taken down for almost 30 minutes by a next-generation distributed denial of service (DDoS) attack of around 10Gbit/s, delegates at the e-crime congress in London were told this week.
The attackers disguised the build-up of traffic from a botnet of up to 30,000 PCs and Apple Macs by analysing and reproducing the browsing habits of the sites' typical users, so that the attack traffic looked like ordinary visits.
Peter Bassill, information security officer with Gala Coral ecommerce, said the attackers spent about four months infiltrating the sites ahead of last year's attack, using stolen credit card details to open the thousands of accounts needed to generate enough web traffic to swamp Coral's servers.
More worryingly, during a second attack the bots evaded the site operators' attempts to block them with a port-based firewall, and kept sending traffic to sustain the attack.
Bassill said: "This is a very worrying step we have seen in botnets, we have no way of responding to this without working with law enforcement. The attacks will come from many hosts in small volumes and they are going to be very hard to spot.
"If they can do that to us, a large gaming company, then think what they could do if they find a way to target companies like BT or the nuclear power industry."
Bassill said DDoS attacks brought the company's websites down about twice a year, and were often preceded by extortion demands for more than $100,000.
Comments
There are 7 comments.
1. Sebastian
If it was undetectable, how did they notice it was happening?
2. John Carrimore
A deeply insightful and much needed presentation which brought together all facets of the congress into what we all needed; a single example of how organised groups can help each other. I do find the article misrepresentative of the message being put across though, yet again the press reports only the doom and gloom of much needed and valuable work. I very much doubt his systems were “brought to its knees”. Mr Bassill provided excellent examples of how to measure and detect attacks and made us think about how we monitor and respond to our infrastructure. I hope Mr Bassill's work into these forms of attack continues and we certainly look forward to developing closer working relationships with him over the next twelve months.
3. Dave Duchesneau
> If it was undetectable,
> how did they notice it was...
Noticing something happen in real time is very different from an after-the-fact post-mortem analysis -- the latter can take as much time as necessary to understand what happened and how it happened, in order to attempt future prevention. In this context, "undetectable" refers to the fact that they had no means for differentiating friend from foe in real time ("on the fly"). The warning is a valuable contribution, because, after having analyzed the events, they're essentially saying they STILL don't know how to differentiate friend from foe in real time (at least not as well as they'd like), meaning that there is still a class of attacks that is "undetectable" to them -- at least until some "critical mass" is reached whose negative effect is clearly visible. Kudos to the author for sharing how the sneak attack worked, so others can work to construct detection and prevention strategies.
4. Kaelin Colclasure
How was it established that there were Mac drones among the compromised machines in the botnet(s) used in this attack?
5. anonymous
I guess the other question is... Considering that Mac infected bots are so rare, what forensic evidence could they present that there were Macs involved?
It would certainly be helpful to know as it may portend for more Macs to be used in the future as the users may be less careful about firewalling due to overconfidence in the Mac security paradigm.
6. Karen Challinor
Kaelin Colclasure - "How was it established that there were Mac drones among the compromised machines in the botnet(s) used in this attack?"
Assuming the DDoS took the form of rapidly repeated web page requests intended to swamp the web server, then the web server access log would have the user agent string and IP address in it, at least up to the point the server was swamped.
The user agent string can be changed, but it rarely is, as it's useful to web servers to identify the browser type that is surfing so that the pages can be adjusted for different browsers; trying to make a web page look identical across several different browsers is a very black art indeed, so much for standards.
But I digress.
If the browser is identified as "Safari" then it's a fair bet the platform is a Mac, and if the same IP has made numerous requests in a short space of time it's a fair bet it's part of the DDoS attack.
7. Karen Challinor
For example, this is a typical user agent string for a Mac:
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) AppleWebKit/521.32.1 (KHTML, like Gecko) Safari/521.32.1"
It identifies both the platform ("Macintosh") and the browser ("Safari").
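Karen Challinor's suggestion in comments 6 and 7, together with Bassill's warning in the article that the attack traffic arrived from many hosts in small volumes, as an added example that is not part of the original article or any commenter's code: a Python script that parses Apache/nginx combined-format access logs, flags any client that exceeds a per-IP request threshold inside a sliding window, records the platform each client advertises, and separately compares aggregate requests per minute and distinct clients per minute against a known-good baseline, because a distributed low-volume flood never trips the per-IP check. It keys the platform guess on the "Macintosh" OS token rather than the "Safari" browser token, since Safari also shipped for Windows and later WebKit-derived browsers such as Chrome include "Safari" in their user agent. The log lines, IP addresses, user agents, thresholds and baseline figures are all constructed for this example.

```python
"""Spot noisy clients and fleet-wide surges in web-server access logs."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format:
# ip - user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec


def platform_from_ua(ua):
    """Coarse OS guess from the User-Agent platform token. Chrome's UA also
    says "Safari", so key on the OS token, not the browser name."""
    if "Macintosh" in ua or "Mac OS X" in ua:
        return "mac"
    if "Windows" in ua:
        return "windows"
    if "Linux" in ua:
        return "linux"
    return "other"


def noisy_clients(records, window=timedelta(seconds=60), threshold=20):
    """{ip: (peak requests inside any `window`, platform)} for clients over `threshold`."""
    recent, peak, platform = defaultdict(deque), {}, {}
    for r in sorted(records, key=lambda r: r["time"]):
        q = recent[r["ip"]]
        q.append(r["time"])
        while q and r["time"] - q[0] > window:  # drop hits older than the window
            q.popleft()
        peak[r["ip"]] = max(peak.get(r["ip"], 0), len(q))
        platform[r["ip"]] = platform_from_ua(r["ua"])
    return {ip: (n, platform[ip]) for ip, n in peak.items() if n > threshold}


def surge(records, baseline_rpm, baseline_clients, factor=3.0):
    """Aggregate check: per-minute request and distinct-client counts against a
    baseline. This is what catches many hosts each sending a little."""
    clients, counts = defaultdict(set), defaultdict(int)
    for r in records:
        minute = r["time"].replace(second=0)
        clients[minute].add(r["ip"])
        counts[minute] += 1
    return {
        m.isoformat(): {"requests": counts[m], "clients": len(clients[m])}
        for m in counts
        if counts[m] > factor * baseline_rpm or len(clients[m]) > factor * baseline_clients
    }


def analyse(lines, baseline_rpm=20, baseline_clients=5):
    records = [r for r in map(parse_line, lines) if r]
    return {"parsed": len(records),
            "noisy": noisy_clients(records),
            "surge": surge(records, baseline_rpm, baseline_clients)}


# ---- constructed sample log (not real traffic) ----
MAC_UA = ("Mozilla/5.0 (Macintosh; U; Intel Mac OS X; en) "
          "AppleWebKit/521.32.1 (KHTML, like Gecko) Safari/521.32.1")
WIN_UA = "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)"
T0 = datetime(2007, 3, 29, 14, 0, 0, tzinfo=timezone.utc)


def _mk(ip, t, ua, path="/sports/football"):
    return (f'{ip} - - [{t.strftime(TIME_FMT)}] "GET {path} HTTP/1.1" 200 5120 '
            f'"http://example.test/" "{ua}"')


def sample_log():
    lines = [_mk("198.51.100.7", T0 + timedelta(seconds=i), MAC_UA) for i in range(30)]  # one loud Mac
    for n in range(40):  # quiet flood: 40 hosts, 2 hits each, same minute, under the per-IP threshold
        lines += [_mk(f"203.0.113.{n + 1}", T0 + timedelta(seconds=10 + n), WIN_UA) for _ in range(2)]
    lines.append(_mk("192.0.2.9", T0 + timedelta(minutes=1, seconds=5), WIN_UA, "/"))  # ordinary visitor
    return lines


if __name__ == "__main__":
    import json
    print(json.dumps(analyse(sample_log()), indent=2, default=str))
```

On the constructed sample the per-IP check flags only the single Mac client, while the 40 quiet hosts stay invisible to it and are caught solely by the surge check, which is the gap Bassill describes. Two caveats for real use: the User-Agent is attacker-controlled, so a log that says "Macintosh" is evidence of what the bot claimed, not proof of the platform (the point raised in comments 4 and 5); and the baseline must come from the site's own normal traffic, per minute and per day of week, or a busy Saturday afternoon will look like an attack.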