Spamhaus's web servers came under a DDoS attack starting yesterday at just after 21:00 GMT. The attack is being carried out by the same people responsible for the BlueSecurity DDoS last year, using the Storm malware.
The attack method was sufficiently different to previous DDoS attacks on us that some of it got through our normal anti-DDoS defenses and halted our web servers.
At 02:00 GMT we got the attack under control and our web servers are now back up; www.spamhaus.org is running again as normal.
The attack is ongoing, but it's being absorbed by anti-DDoS defenses.
Also under attack by the same gang are SURBL and URIBL.
Storm is the 'nightmare' botnet, capable of taking out government facilities and causing much mayhem on the internet. It has three functions: sending spam, fast-flux web and DNS hosting mainly for stock scams, and DDoS. There is a hefty international effort underway by cyber-forensics teams in a joint effort by law enforcement and private sector botnet and malware analysts to trace the perpetrators.
--
Steve Linford
The Spamhaus Project
http://www.spamhaus.org
Labels: Attack Tools, Botnet, DoS, Spam
Cyber-mobsters drop DoS attacks
Extortion technique no longer profitable, say experts
Shaun Nichols in California, vnunet.com 27 Apr 2007
The practice of holding websites hostage under the threat of denial-of-service (DoS) attacks is declining, according to security researchers at Symantec.
DoS attacks are carried out by botnet operators using armies of remotely controlled PCs to flood a site with traffic and information requests. The attacks can cause sites and web services to run slowly or shut down altogether.
Criminals use the attacks to extort money from organisations by launching a first DoS attack and then threatening to launch further attacks unless the company pays up.
The tactic has recently drawn the attention of legislators, who passed laws last November allowing for tougher punishments for the crime.
Symantec said that it has seen a steady decline in the number of reported DoS incidents in the past six months, and believes that much of it is due to the inefficiency of the practice.
The problem for the criminals, according to Symantec security engineer Yazan Gable, is that the brute-force attacks are often costly and inefficient for the botnet operator.
"Whenever a botnet owner carries out a DoS attack they run the risk of losing some of their bots," Gable said in an article for the company's security response blog.
"This could happen either because an attacking computer is identified and disinfected, or simply blocked by its ISP from accessing the network.
"Furthermore, if the botnet owner is not careful they could lose their entire network if their command and control server is identified."
Another problem for botnet operators arises when the victim calls the attacker's bluff and refuses to pay.
"Since the target has refused to pay, it is likely that they will never pay. As a consequence, the attacker has spent time and resources on a lost cause," wrote Gable.
The security engineer added that the drop in DoS extortion may also be due to the increased use of botnets to deliver large-scale spam mailings.
Gable noted that the drop in DoS attacks has coincided with a dramatic rise in spam volumes, suggesting that the lower-risk, more lucrative spam market may be luring botnet owners away from the DoS attack business.
Labels: Botnet, DoS, News Article, Spam
Windows insecurity leads to the creation of botnets which are used to send oceans of spam to everyone. This is about a proposal to try to stem that tide. Of course if spam is stopped the botnets will still be there and used by the criminal gangs for other purposes. Ed.
=====================================
Spam storm needs ISP action, urges security chief
By Will Sturgeon
Published: Wednesday 14 March 2007
Ispa, the UK's internet service providers' association, will today make a presentation to the House of Lords science and technology committee on computer security and spam.
The session, which follows the submission of a written response, coincides with claims the number of compromised PCs – known as botnets – in the UK has tripled over the past year.
And one security expert claims ISPs are still shirking their responsibilities.
Speaking about the growing problem of botnets and the deluge of spam they create, David Rand, CTO of security company Trend Micro, told silicon.com: "I absolutely believe this is the ISPs' responsibility. Yet top ISPs still aren't doing anything."
Rand said: "It's not like the ISPs can't tell this is going on. They can see all this on their networks."
Many leading ISPs currently refuse to take measures such as blocking port 25 traffic, a move which Rand claimed would affect very few users sending legitimate email, while blocking the port used to relay email via the internet on compromised machines.
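The two points Rand makes above, that ISPs can see spambot traffic on their own networks and that blocking port 25 from consumer ranges would stop most of it, can both be demonstrated on flow records. The following Python is an added example and is not code from the article, Trend Micro or any ISP; the address ranges (TEST-NET blocks), the relay address, the log format and the threshold are all constructed assumptions. It applies a port-25 egress policy that exempts the ISP's own relay and the authenticated submission ports, and separately flags customer hosts that open SMTP connections to many distinct destinations, the direct-to-MX pattern a legitimate mail client never produces.

```python
"""Port-25 egress policy and spambot detection over constructed flow records."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed assumptions: the ISP's dynamic customer pool (TEST-NET-3) and
# its own outbound mail relay (hypothetical address in TEST-NET-2).
CUSTOMER_POOL = [ip_network("203.0.113.0/24")]
ISP_RELAY = ip_address("198.51.100.25")


def in_customer_pool(ip):
    """True if the address belongs to a dynamic consumer range."""
    return any(ip_address(ip) in net for net in CUSTOMER_POOL)


def egress_decision(src, dst, dport):
    """Return 'allow' or 'block' for one outbound TCP flow.

    Only port 25 from the consumer pool is blocked. Submission (587) and
    SMTPS (465) stay open because the relay authenticates those sessions,
    and static/business ranges that run their own MTAs are not in the pool.
    """
    if dport != 25:
        return "allow"
    if not in_customer_pool(src):
        return "allow"
    if ip_address(dst) == ISP_RELAY:
        return "allow"  # customers may still hand mail to the ISP smarthost
    return "block"


def parse_flow(line):
    """Parse one constructed flow line of the form
    '2007-03-14T09:00:01Z 203.0.113.7:51234 -> 192.0.2.10:25 SYN'."""
    ts, rest = line.split(" ", 1)
    src, _, dst, _flag = rest.split()
    sip, _sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": sip, "dst": dip, "dport": int(dport)}


def summarize_policy(lines):
    """Count how the egress policy would treat each flow in the log."""
    counts = {"allow": 0, "block": 0}
    for f in (parse_flow(l) for l in lines):
        counts[egress_decision(f["src"], f["dst"], f["dport"])] += 1
    return counts


def find_likely_spambots(lines, threshold=20):
    """Map each consumer host to the number of distinct port-25 destinations
    it contacted, keeping only hosts at or above the threshold. Fanning out
    to many mail exchangers directly is the signature of a spam engine."""
    targets = defaultdict(set)
    for f in (parse_flow(l) for l in lines):
        if f["dport"] == 25 and in_customer_pool(f["src"]):
            targets[f["src"]].add(f["dst"])
    return {src: len(d) for src, d in targets.items() if len(d) >= threshold}


# Constructed sample log: one normal customer (203.0.113.5) using the ISP relay
# on 587 and once on 25, and one compromised host (203.0.113.7) spraying SYNs
# at 25 different mail servers in TEST-NET-1.
SAMPLE_LOG = (
    ["2007-03-14T09:00:01Z 203.0.113.5:40001 -> 198.51.100.25:587 SYN"] * 3
    + ["2007-03-14T09:00:02Z 203.0.113.5:40002 -> 198.51.100.25:25 SYN"]
    + [f"2007-03-14T09:01:{i:02d}Z 203.0.113.7:5{i:04d} -> 192.0.2.{i}:25 SYN"
       for i in range(1, 26)]
)

if __name__ == "__main__":
    print("policy counts:", summarize_policy(SAMPLE_LOG))
    print("likely spambots:", find_likely_spambots(SAMPLE_LOG))
```

Run as a script, it shows the policy blocking all 25 of the infected host's direct connections while the normal customer's traffic is untouched, and the fan-out check names the infected host without any content inspection, which is the visibility Rand says ISPs already have. The threshold is deliberately a count of distinct destinations rather than a packet rate, so a single mail client retrying against one server never trips it.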
And he expressed doubts that ISPs would ever volunteer such measures to legislators because they fear taking greater responsibility for the use of their networks and the implications of increased operating costs.
A spokesman for Ispa said it understands the majority of spam originates from compromised PCs connected to its members' broadband services - and those of other ISPs - often unbeknownst to customers. But he said it is not the ISPs' lone responsibility to solve the problem, suggesting legislation and end-user education are essential tools in the fight.
The Ispa spokesman told silicon.com: "No ISP wants to tolerate any criminal activity on their network."
He also denied suggestions ISPs have been slow or unwilling to act on the matter. "If there was a flick-switch solution to this, we would have done it," he said.
Trend Micro's Rand told silicon.com the number of infected PCs has tripled in the UK over the past year, according to his company's research.
This means more UK homes and businesses are operating compromised PCs which - as well as sending vast volumes of spam - could potentially be plundered for sensitive data such as passwords or bank details.
Rand told silicon.com one reason for the upsurge in rogue activity on European networks dates back to a major fibre cut between China and Taiwan in December 2006. At that time botnet activity switched dramatically from China to Europe within around six minutes, he said.
Rand said millions of infected machines in Europe were brought online by the criminals who control them remotely, showing not only a vast amount of redundancy built into these criminal networks but also "highly sophisticated" business continuity plans.
He said: "These criminals have a very advanced command and control structure. We've got a real challenge ahead of us to take that down. And we've not managed it yet."
Labels: Botnet, News Article, Spam