dos

DOS challenges with ITsecurity.co.uk

On ITSecurity.co.uk we were faced with a problem that was at first out of our control: “somebody” was creating, probably without knowing it, a denial of service on this website. The consequence was that it was consuming the accesses to the database behind this WordPress site. The ISP hosting the website limits the accesses to 50K a day; more accesses require a higher plan, three times more expensive. A client retrying once a second alone generates about 86,400 requests a day, well above that quota. The “somebody” is an IP address in Canada which, given that it retries every second, is most probably a script running out of control. First, I contacted the owner of the IP address at their abuse email. I didn’t receive any kind of feedback from them and I don’t think that they did anything about it. Second, I installed the Wordfence plugin and instructed it to block that IP address: 72.55.186.72

The reason why I write this post is related to Denial of Service attacks in general: What do you do when you’re under attack (DoS)? What about a distributed attack (DDoS)? I remember the case of Brian Krebs, whose site, hosted on Akamai, was hit with one of the largest DDoS attacks in recorded history (link). Do you have experience…



The mysterious OpenSSL vulnerability has been patched

No, it doesn’t have a name like Heartbleed or POODLE; it was “just” a denial of service. “Just” is by no means something to be ignored, but it is less dangerous than the previous vulnerabilities. All users of OpenSSL 1.0.2 should upgrade immediately to version 1.0.2a; only the 1.0.2 branch is affected, earlier branches are not. In the advisory published on their website the OpenSSL vulnerability is called “ClientHello sigalgs DoS (CVE-2015-0291)”. If a client connects to an OpenSSL 1.0.2 server and renegotiates with an invalid signature_algorithms extension, a NULL pointer dereference occurs in the server. This can be exploited in a DoS attack against the server: any client able to open a TLS connection and renegotiate can crash the server process, no authentication required. According to OpenSSL’s Security Policy, a “high severity issue” includes issues affecting common configurations which are also likely to be exploitable. Examples include a server DoS (like this one), a significant leak of server memory (Heartbleed), and remote code execution. OpenSSL promises that such issues “will be kept private and will trigger a new release of all supported versions”. They will attempt to keep the time these issues are private to a minimum, but the goal would be “no longer than a month” where this is something that can be controlled, and significantly quicker if there is a significant risk or we are aware the issue is…



Cyberattacks can damage your business. Permanently. Here is how to prepare yourself.

This article is available in German: http://tcadistribution.wordpress.com/2014/07/01/wie-cyberangriffe-auch-ihrem-unternehmen-schaden-konnen/

We’ve learned from the Code Spaces incident, which started as a DDoS, continued with hacking and ended in blackmail, that cyberattacks are not something one should ignore. The long story of Code Spaces, put short: an attacker started a DDoS against the company’s website and services. Nothing unusual, just another attack, thought the company. Later on, probably the same person broke into the company’s Amazon EC2 environment, where its assets were stored, and gained access to its control panel. The attacker left messages trying to extort a large fee in order to resolve the DDoS. When the company refused to pay, the attacker started to randomly delete settings, data, backups and virtual machines, customer data included. Because the backups were reachable from the same control panel as the production systems, one compromised set of credentials took both. All this happened in less than 12 hours. At the end of it, the company faced a near-total loss of data and was forced to throw in the towel. They had to shut down the operation since they were no longer able to serve their customers. But there is more to it than not being able to serve the customers. Code Spaces will not be able to operate beyond this point because the cost of resolving…



The anatomy of a live attack from China

I maintain a free service that provides IT security news, called ITSecurity News. Some time ago it was called URLAggregator. It does nothing else than aggregate various IT news websites, select the IT security news and republish them under the name of the original authors. I was asking myself why I get so much traffic on this website without having real visitors. So I installed the free edition of the WordPress plugin Wordfence in order to study who visits my website. The results were… surprising.

90% of the traffic was spiders, bots and crawlers from Google, Baidu and others; 8% of the traffic were attempts to register an account like the one below:

Shanghai, China left http://urlaggregator.net/ and landed on http://urlaggregator.net/forum/member/register 1 hour 19 mins ago
IP: 112.111.160.79
Browser: IE version 6.0 running on WinXP
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)

2% were real visitors checking either the website or the RSS feed. This is how an attack from these IP ranges looks:

112.111.160.0 – 112.111.160.255
222.77.203.1 – 222.77.203.254
222.77.202.1 – 222.77.202.254

After adding these rules in Advanced Blocking, the situation looked much better:

Browser Pattern: Block visitors whose browsers match the pattern: crawler
Browser Pattern: Block visitors…
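The two traffic patterns the Wordfence posts above describe (a single address retrying every second until it eats the database quota, and registration attempts from a handful of address ranges with crawler-like user agents) can be picked out of an ordinary web server access log before any plugin is involved. The following is an added example, not code from these posts or from Wordfence: it parses combined-format log lines and flags every client that exceeds a per-minute request budget, sits inside one of the address ranges the post blocked, or sends a user agent matching a crawler pattern. The log lines, the 30-requests-per-minute budget and the "spider|bot" additions to the user-agent pattern are constructed assumptions for illustration; the address ranges (rounded to /24), the 72.55.186.72 address and the "crawler" pattern are the ones the posts name.

```python
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Apache/nginx "combined" log format, which most WordPress hosts write by default.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Address ranges named in the post (given there as first-last addresses, rounded to /24 here).
BLOCKED_RANGES = [ipaddress.ip_network(n) for n in (
    "112.111.160.0/24", "222.77.202.0/24", "222.77.203.0/24")]
# The post's Wordfence rule matched the substring "crawler"; "spider" and "bot"
# are added here as assumptions.
UA_PATTERNS = re.compile(r"crawler|spider|bot", re.I)
# Assumed budget: a human reader rarely loads more pages than this in a minute.
RATE_LIMIT_PER_MINUTE = 30


def parse(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def analyse(lines):
    """Map each client IP that should be blocked to the set of reasons why."""
    reasons = defaultdict(set)
    per_minute = Counter()
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue  # skip lines the regex cannot read rather than abort the run
        ip = ipaddress.ip_address(rec["ip"])
        if any(ip in net for net in BLOCKED_RANGES):
            reasons[rec["ip"]].add("blocked-range")
        if UA_PATTERNS.search(rec["ua"]):
            reasons[rec["ip"]].add("crawler-ua")
        # bucket requests by (client, minute) to measure the retry rate
        per_minute[(rec["ip"], rec["ts"].replace(second=0))] += 1
    for (ip, _minute), n in per_minute.items():
        if n > RATE_LIMIT_PER_MINUTE:
            reasons[ip].add("rate")
    return dict(reasons)


def sample_log():
    """Constructed sample traffic (not a captured log) mirroring the two posts."""
    fmt = '{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "-" "{ua}"'
    lines = [fmt.format(ip="72.55.186.72", ts=f"01/Apr/2015:10:15:{s:02d} +0000",
                        path="/wp-login.php", ua="python-requests/2.5.0")
             for s in range(60)]  # one retry per second for a full minute
    lines.append(fmt.format(ip="112.111.160.79", ts="01/Apr/2015:10:16:03 +0000",
                            path="/forum/member/register",
                            ua="Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1;)"))
    lines.append(fmt.format(ip="66.249.66.1", ts="01/Apr/2015:10:16:09 +0000",
                            path="/feed/",
                            ua="Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"))
    lines.append(fmt.format(ip="203.0.113.7", ts="01/Apr/2015:10:16:20 +0000",
                            path="/", ua="Mozilla/5.0 (Windows NT 6.1; rv:36.0) Gecko/20100101 Firefox/36.0"))
    lines.append("this line is not in combined format")
    return lines


if __name__ == "__main__":
    for ip, why in sorted(analyse(sample_log()).items()):
        print(f"block {ip:16} {', '.join(sorted(why))}")
```

The per-minute budget is what catches the runaway script from the first post: at one request a second it produces 86,400 hits a day, so any budget well under that protects a 50K-a-day database quota. Whether to block search-engine crawlers at all is a trade-off the post makes for an aggregator with no human audience; on a site that wants to be indexed, drop "bot" from UA_PATTERNS or exempt the engines you care about before turning the output into block rules.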

