The era of big DDOS?

Published: 2016-09-22
Last Updated: 2016-09-22 23:55:19 UTC
by Rick Wanner (Version: 1)
6 comment(s)

I have been tracking DDOS attacks for a number of years, and quite frankly, it has become boring.  Don't get me wrong, I am not complaining, just stating a fact.  A number of factors seem to have contributed to its fall from mainstream consciousness: somewhat better filtering practices, more awareness of timely patching, and, probably the most significant, the novelty has worn off.  Occasionally I will still see a multi-Gbps DDOS, but mostly it has been relegated to booter traffic, which is not even a nuisance for most providers.

Over the last few days, though, there have been two very significant DDOS events.  Firstly, on Tuesday, Sep 20, hosting company OVH was hit with a DDOS which peaked near the 1 Tbps range, and also on Tuesday evening (Sep 20), InfoSec journalist Brian Krebs' website was hit with a DDOS peaking at over 600 Gbps.

These are believed to be the two largest DDOS attacks on record, and they significantly exceed what it was believed could be achieved by any one DDOS group.

While the nature of the DDOS attack traffic used against OVH has not been revealed, the attack against Brian Krebs' site is unusual in that the traffic is not your typical reflective UDP DDOS traffic, but rather TCP traffic that completed connections with the web server, plus GRE (generic routing encapsulation) packets.  The reason this is unusual is that such traffic cannot be spoofed: a TCP connection only completes if the handshake reaches the real sender, so an analysis of the traffic should reveal which devices were used to launch the attack.
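The distinction above, that completed TCP connections (and, per this diary, the GRE traffic) name the real sending device while reflected UDP names only the reflector, is the basis for attributing an attack from flow records. The following is an added example, not code from the diary or from any of the providers mentioned; the flow export, its CSV shape and the cumulative-flags convention are constructed assumptions, as is the small set of reflector ports:

```python
import csv
import io
from collections import Counter

# Constructed flow export (not captured data), in the shape a NetFlow/IPFIX
# collector might dump to CSV. "flags" are the cumulative TCP flags seen
# from the source side of the flow; GRE and UDP rows leave it empty.
SAMPLE_FLOW_LOG = """\
src,dst,proto,sport,dport,flags,pkts
203.0.113.10,198.51.100.5,tcp,51000,80,SPAF,900
203.0.113.10,198.51.100.5,tcp,51001,80,SPAF,800
203.0.113.22,198.51.100.5,tcp,40000,80,SPAF,1200
192.0.2.77,198.51.100.5,tcp,1024,80,S,5000
203.0.113.99,198.51.100.5,gre,0,0,,3000
198.18.0.53,198.51.100.5,udp,53,33000,,7000
198.18.0.123,198.51.100.5,udp,123,33001,,6500
"""

# Source ports of services commonly abused as UDP reflectors (DNS, NTP,
# SSDP, chargen). A flow from one of these names the reflector, not the bot.
REFLECTOR_PORTS = {53, 123, 1900, 19}

# Classes whose source address is the device that actually sent the packets.
DIRECT_CLASSES = {"tcp-established", "gre"}


def parse_flows(text):
    """Parse the CSV flow export into dicts with integer ports and counts."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["sport"] = int(row["sport"])
        row["dport"] = int(row["dport"])
        row["pkts"] = int(row["pkts"])
        rows.append(row)
    return rows


def classify_flow(flow):
    """Label a flow by whether its source address can be trusted."""
    proto = flow["proto"].lower()
    flags = flow["flags"].upper()
    if proto == "tcp":
        # ACK following SYN from the source side means the three-way
        # handshake completed, which a spoofed source address cannot do.
        if "S" in flags and "A" in flags:
            return "tcp-established"
        return "tcp-syn-only"
    if proto == "gre":
        return "gre"
    if proto == "udp" and flow["sport"] in REFLECTOR_PORTS:
        return "udp-reflection"
    return "other"


def traffic_by_class(flows):
    """Packet totals per traffic class."""
    totals = Counter()
    for flow in flows:
        totals[classify_flow(flow)] += flow["pkts"]
    return dict(totals)


def direct_sources(flows):
    """Packet totals per source address, counting only non-spoofable classes."""
    sources = Counter()
    for flow in flows:
        if classify_flow(flow) in DIRECT_CLASSES:
            sources[flow["src"]] += flow["pkts"]
    return sources


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOW_LOG)
    for cls, pkts in sorted(traffic_by_class(flows).items()):
        print(f"{cls:16s} {pkts:>8d} pkts")
    print("attributable sources:")
    for src, pkts in direct_sources(flows).most_common():
        print(f"  {src:16s} {pkts:>8d} pkts")
```

Note what the SYN-only row and the UDP rows do to the result: they carry most of the packets yet contribute nothing to the attributable source list, because a bare SYN and a reflected response tell you nothing reliable about who sent them. Real exports carry flags per direction and far more rows; the classification rule is the part that transfers.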

Is this a sign that big DDOS is making a comeback or just a couple of isolated attacks?


UPDATE: It appears Akamai is not happy with the extra excitement hosting Brian Krebs' site is bringing them.  Brian is looking for a new hosting provider.

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

ISC Stormcast For Friday, September 23rd 2016 https://isc.sans.edu/podcastdetail.html?id=5179

YAHDD! (Yet another HUGE data Breach!)

Published: 2016-09-22
Last Updated: 2016-09-22 23:42:35 UTC
by Rick Wanner (Version: 1)
0 comment(s)

It looks like Yahoo! is the latest victim of a large-scale data breach.  The released data appears to date back to at least 2014 and contains more than 500 million user accounts, so if you haven't changed your Yahoo! password in the last couple of years, then it is time.

As one of the other ISC Handlers pointed out...not all Yahoo! customers may know they are Yahoo! customers. Yahoo! white labels email services on behalf of ISPs and email providers. I assume those white label providers will need to do notifications to their customers as well?

-- Rick Wanner MSISE - rwanner at isc dot sans dot edu - http://namedeplume.blogspot.com/ - Twitter:namedeplume (Protected)

Keywords: Data Breach

OpenSSL Update Released

Published: 2016-09-22
Last Updated: 2016-09-22 13:52:16 UTC
by Johannes Ullrich (Version: 1)
2 comment(s)

As announced earlier this week, OpenSSL released an update today for all currently supported versions (1.0.1, 1.0.2, 1.1.0).

The update fixes 14 different vulnerabilities. Only one vulnerability is rated "High". This vulnerability, CVE-2016-6304, can lead to memory exhaustion and a denial of service if the client sends multiple large OCSP requests.

With this update, the latest versions of OpenSSL for the various branches are 1.0.1u, 1.0.2i and 1.1.0a. All three branches are currently supported.
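A quick way to turn the three fixed version numbers above into a check is to compare an installed version string against the fixed letter for its branch. The script below is an added example, not OpenSSL project code; it assumes version strings of the form "1.0.2g", "1.0.2k-fips", or the full output of `openssl version`, and the branch-to-letter table is taken from this diary:

```sh
#!/bin/sh
# Added example: is an OpenSSL version string at or above the fixed release
# for its branch from the 2016-09-22 advisory (1.0.1u, 1.0.2i, 1.1.0a)?

# Reduce "OpenSSL 1.0.2g  1 Mar 2016" or a bare "1.0.2k-fips" to "1.0.2g".
normalize_version() {
    printf '%s\n' "$1" | sed -e 's/^OpenSSL //' -e 's/[ -].*$//'
}

# Exit 0 if patched, 1 if older than the fix, 2 if the branch is not one
# of the three covered by this advisory.
openssl_is_patched() {
    ver=$(normalize_version "$1")
    branch=$(printf '%s\n' "$ver" | sed 's/^\([0-9]*\.[0-9]*\.[0-9]*\).*/\1/')
    letter=$(printf '%s\n' "$ver" | sed 's/^[0-9]*\.[0-9]*\.[0-9]*//')
    case "$branch" in
        1.0.1) fixed=u ;;
        1.0.2) fixed=i ;;
        1.1.0) fixed=a ;;
        *) return 2 ;;
    esac
    # Patch letters sort alphabetically; a longer suffix (e.g. "za") is newer,
    # and no suffix at all (e.g. "1.1.0") is the base release, older than "a".
    if [ ${#letter} -gt ${#fixed} ]; then return 0; fi
    if [ ${#letter} -lt ${#fixed} ]; then return 1; fi
    expr "$letter" \>= "$fixed" >/dev/null
}

# Usage: report on whatever openssl is in PATH (skipped if none is installed).
if command -v openssl >/dev/null 2>&1; then
    v=$(openssl version 2>/dev/null || true)
    if openssl_is_patched "$v"; then
        echo "patched: $v"
    else
        echo "check:   $v (older than the fixed release, or branch not covered)"
    fi
fi
```

One caveat the version string cannot tell you: distribution packages (Debian, Red Hat and others) commonly backport security fixes without changing the upstream version number, so a package reporting 1.0.1t may already carry these fixes. On such systems, the package changelog or the vendor's advisory is the authority, not this comparison.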

The table below shows which vulnerabilities apply to each branch (x = affected, - = not affected).

CVE            Description                                                    Rating    1.0.1  1.0.2  1.1.0
CVE-2016-6304  OCSP Status Request extension unbounded memory growth          High      x      x      x
CVE-2016-6305  SSL_peek() hang on empty record                                Moderate  -      -      x
CVE-2016-2183  SWEET32 mitigation                                             Low       x      x      -
CVE-2016-6303  OOB write in MDC2_Update()                                     Low       x      x      -
CVE-2016-6302  Malformed SHA512 ticket DoS                                    Low       x      x      -
CVE-2016-2182  OOB write in BN_bn2dec()                                       Low       x      x      -
CVE-2016-2180  OOB read in TS_OBJ_print_bio()                                 Low       x      x      -
CVE-2016-2177  Pointer arithmetic undefined behaviour                         Low       x      x      -
CVE-2016-2178  Constant time flag not preserved in DSA signing                Low       x      x      -
CVE-2016-2179  DTLS buffered message DoS                                      Low       x      x      -
CVE-2016-2181  DTLS replay protection DoS                                     Low       x      x      -
CVE-2016-6306  Certificate message OOB reads                                  Low       x      x      -
CVE-2016-6307  Excessive allocation of memory in tls_get_message_header()     Low       -      -      x
CVE-2016-6308  Excessive allocation of memory in dtls1_preprocess_fragment()  Low       -      -      x

---
Johannes B. Ullrich, Ph.D.


