PDF Version: types-of-targeted-ddos-attacks
Tag: DDoS Attacks
Enemybot is a new botnet that is conducting DDoS (Distributed Denial of Service) assaults on several routers and websites. It is attacking various routers and websites by leveraging existing vulnerabilities in ARM, BSD, x64, x86, and other architectures. Enemybot was identified by FortiGuard labs in mid-March.
This botnet is mostly based on the source code of Gafgyt, however it has been reported to borrow various modules from Mirai’s original source code. To avoid detection, the Enemybot employs a number of obfuscation techniques and hides Command and control (C2) server on the TOR network. The Enemybot botnet spreads and assaults other IoT devices through a variety of tactics. It attempts to gain access to systems using weak or default credentials by logging into devices with a list of hardcoded username/password combinations. By running shell commands, the bot also attempts to infect misconfigured Android devices that expose the Android Debug Bridge port (5555). Enemybot has been observed infecting Seowon Intech and D-Link routers as well as abusing a previously disclosed iRZ router vulnerability.
The bot leverages a number of known and previously disclosed loopholes, which include: –
- SEOWON INTECH SLC-130 and SLR-120S routers are vulnerable to CVE-2020-17456.
- Earlier D-Link routers were vulnerable to CVE-2018-10823.
- CVE-2022-27226 affects iRZ mobile routers.
- CVE-2022-25075 to 25084 affects TOTOLINK routers, which were formerly used by the Beastmode botnet.
- CVE-2021-41773/CVE-2021-42013 is a vulnerability that affects Apache HTTP servers.
- CVE-2018-20062: This vulnerability affects the ThinkPHP CMS.
- CVE-2017-18368 is a vulnerability that affects Zyxel P660HN routers.
- CVE-2016-6277 is a vulnerability that affects NETGEAR routers.
- CVE-2015-2051 is a vulnerability that affects D-Link routers.
- CVE-2014-9118 is a vulnerability that affects Zhone routers.
Once one of the foregoing problems has been exploited, the bot will use the shell command LDSERVER to download a shell script from a URL that the C2 server will dynamically update. The script then downloads the real Enemybot binary, which is adapted to the target device’s architecture. If the download server goes down, the botnet managers can update the bot clients with a new URL. The bot connects to its C2 server after being placed on a device and waits for new orders.
Enemybot’s Capabilities
Enemybot connects to the C2 server and waits for orders to be executed when a device is infected. Although the majority of the instructions are connected to DDoS assaults, the virus is not just focused on them. Fortinet presents the following set of supported commands: –
- ADNS: Perform a DNS amplification attack with ADNS.
- ARK: Stealth survival while launching an attack on the game’s servers.
- BLACKNURSE — Flood the target with ICMP packets indicating that the destination port is unreachable.
- DNS – Inundate DNS servers with DNS UDP requests that have been hardcoded.
- HOLD – Flood the target with TCP connections and keep them alive for a certain amount of time.
- HTTP — Send a flood of HTTP requests to the destination.
- JUNK — Flood the destination with non-zero-byte UDP packets at random intervals.
- OVH – Send custom UDP packets to OVH servers.
- STD — Send a flood of random-byte UDP packets to the destination.
- TCP — Send a flood of TCP packets to the target with forged source headers.
- TLS — Carry out an SSL/TLS attack.
- UDP — Send UDP packets with forged source headers to the destination.
- OVERTCP — Use randomized packet delivery intervals to launch a TCP assault.
- STOP — Put an end to continuous DoS assaults.
- LDSERVER – Update the exploit payload download server.
- SCANNER — SSH/Telnet brute-force attacks and vulnerabilities spread to additional devices.
- TCPOFF/TCPON — Turn the sniffer off or on at ports 80, 21, 25, 666, 1337, and 8080, potentially to gather credentials.
Preventing Botnet Attacks
Always apply the latest available software and firmware updates for your product to prevent Enemybot or any other botnet from infecting your devices and recruiting them to malicious DDoS botnets.
One of the most common signs that your router may be infected with a botnet malware infection is that the router may become non-responsive, internet speeds drop, and the router becomes hotter than usual. In such a scenario, you should restart the router and change the passwords. It is also advised to take services of specialized cyber-security professionals to find and weed out the problem.
Centex Technologies provide state-of-the-art cybersecurity and network security solutions for businesses. To know more, contact Centex Technologies at Killeen (254) 213-4740, Dallas (972) 375-9654, Atlanta (404) 994-5074, and Austin (512) 956-5454.
30th Aug 2017
Iot devices have given users a smarter control on various applications. These devices can connect and communicate with users and can be operated from almost any location in the world provided you have access to Internet. As IoT devices can be managed from remote locations, it is important to maintain their security and also of the network to which they are connected. The recent DDoS attack (of Oct 2016), which took down prominent service providers across US, is believed to be made possible by use of large number of unsecured IoT devices such as cameras, DVRs etc. So, security of IoT devices should be maintained, specifically to prevent such large scale DDoS attacks.
How to reduce the risk of DDoS attacks?
Use Of Unique Username And Password
A manufacturer should not rely on the end user for securing the device. A unique username and password needs to be set for the device along with a prompt to change these settings as soon as the device is powered on for the first time. The users also need to set strong passwords for the devices to avoid any kind of breach.
Protect Your Device And Servers
A number of monitoring functions should run on the devices to check for any kind of malicious activity from an unknown IP address. This will prevent the bot from accessing your internet and from repeatedly guessing the username and password. Make sure that you update your device and have its security analyzed regularly. Ensure that the server you are running, whether it’s your own or someone else, is secured and properly maintained. The data from the devices should be recognizable and difficult to spoof.
There are a few more things that can be done to prevent your devices from these attacks, which include:
- Users should turn off remote access to the IoT devices and limit the devices that can access your network.
- Get details of the network settings and its chain of communication with the devices from the connectivity supplier.
- The manufacturers should make sure that the device has sufficient DDoS mitigation capabilities.
- Users should learn how to scan their own networks for any security flaws. There are different tools which can
- help them in finding loopholes before the attackers do.
By securing the network and devices, the users not only prevent themselves from the potential DDoS attacks, but can also improve their device’s performance.
For network security solutions, contact Centex Technologies at (855) 375 – 9654.
14 February, 2017
Distributed denial-of-service (DDoS) attacks are becoming increasingly common and one of the major concerns for most business organizations. There are thousands of ways in which these attacks may be carried out, the basic intent is the same, i.e. to cease the functioning of the target internet network. Safeguarding your corporate network against a DDoS attack requires a well-planned crisis management program. For this, you must need to understand how a DDoS attack is launched and the potential harm it can cause to your organization.
What Is A DDoS Attack?
A DDoS attack mainly involves flooding an IP address with traffic from unidentified sources. This, in turn, results in an overloading of the web server which makes it unable to respond to ‘genuine requests’ in a timely manner. The hacker may create a network of multiple computers, termed as a botnet, and use it as a vector for the attack. Due to overflow of data packets received at the same time, your website becomes unavailable to be accessed by the users.
Certain DDoS attacks may also be initiated on your company’s virtual private network (VPN) which prevents employees from logging into their email accounts when they are out of the office. If your organization has been a victim of DDoS attack, here are some steps that you need to take in order to minimize its consequences:
Identify A DDoS Attack At The Onset
Firstly, it is important to identify a DDoS attack in its initial stages, particularly if you manage your own web servers. You should have a fair idea about how much traffic you usually receive and from which IP addresses. When you detect a steep increase in the amount of traffic, it may be due to a DDoS attack.
Get Extended Bandwidth
Another useful step can be getting more bandwidth for your web server than you actually require to handle the traffic. This way, even if a DDoS attack is launched, you would be able to manage the sudden upsurge of traffic before the resources get completely exhausted.
Identify The Source
If possible, try to identify the source of the DDoS attack. When you know the computers that are sending the fake requests, the IP addresses can be easily blocked. You can also form a cyber security strategy to protect yourself against such attacks in future.
For more tips on how to prevent and manage DDoS attacks against your organization, you can contact Centex Technologies at (855) 375 – 9654.
February 27, 2015
A ‘Distributed Denial of Service’ (DDoS) attack can be defined as an attempt made by the hackers to make a system unavailable to the users. This is usually accomplished by interrupting the functioning of the host network or a server to which the system is connected. Unlike a Denial of Service (DoS) attack, DDoS uses multiple remotely monitored computers to overpower the target system and making it unable to respond to the requests of legitimate users.
In a DDoS attack, the hacker begins by exploiting certain vulnerability in a particular computer. Using this, the attacker can easily identify and infect the other connected systems. These computers, also called as zombies or bots, are then directed to launch a flood attack towards the target systems.
Tips To Prevent DDoS Attacks
- Buy More Bandwidth: This is one of the easiest techniques to ensure that you are protected against DDoS attacks. With this, you can easily distribute your traffic to different servers and create a lot of space to handle the persistently increasing users. Purchasing more bandwidth can allow you to handle more requests, thus, tackle low intensity outbreaks.
- Restrict Connectivity: If you have multiple computers that directly connect to the internet, you must properly configure routers so as to restrict connectivity. For instance, if you need to receive some information from the client’s system, you can configure it to pass from some selected ports through the firewall.
- Buy Intrusion Detection System (IDS): These are the software applications that are attached to the network in order to monitor all the malicious activities. If anything suspicious is detected, the IDS alerts the network administrator so that preventive measures can be taken well before time.
- Encode Your Website Efficiently: If you have programmed your website in an efficient way, the botnets need to be more sophisticated to be successful in the attack. Thus, you must make sure that your web pages are properly encoded and involve minimum server requirements to load.
DDoS attacks are becoming increasingly common due to the vulnerabilities in most of the devices. Cyber criminals are finding it very easy to implement these attacks, particularly against small businesses. Following the above mentioned tips can help you to create a resistant web network that is capable of preventing or mitigating the effects of a DDoS attack.