April 20, 2014

In brief: Callcentric hit by malicious series of DDoS attacks

(LiveHacking.Com) – Callcentric, a VoIP Internet phone service, has sent an email to its subscribers telling them about a malicious series of DDoS attacks which have been launched against the service. The company is treating the attacks as a direct criminal act with clear malicious intent, based on the persistent, aggressive, and evolving nature of the attacks. The company has been in direct contact with the FBI and FCC to report the matter and to prompt an investigation.

According to the email, the attacks are targeting Callcentric’s SIP Servers:

  • As a result of these attacks, users may experience drops in system registration, which can ultimately lead to inconsistent inbound/outbound calling results.
  • Customers using “Call Forwarding” to temporarily route their inbound calls to a 3rd party number (SIP URI, cellphone, PSTN line, etc.) should not experience difficulty in receiving calls.

“We can appreciate and share in everyone’s frustration regarding these malicious attacks and we continue to work around the clock to deploy software/hardware updates and upgrades in effort to mitigate against them,” said Callcentric. “At Callcentric we have always been and remain committed to providing great value, reliable service, and putting our customers first. Once this matter has been fully resolved our corporate management team will be performing a complete review and we will work to provide a fair resolution to address any inconvenience that our customers have experienced resulting from these attacks.”

Denial of Service attacks reach 150 gigabits per second, higher rates expected

(LiveHacking.Com) – Alex Caro, the Chief Technology Officer for Akamai Technologies, has told ZDNet that the company has seen Denial of Service attacks which have reached 150 gigabits per second. This is in line with a growing trend for hackers to use DoS as a means to disrupt websites for ideological, political or commercial reasons. From 2010 to 2011 Akamai saw the number of DDoS attacks against its customers double. This trend is expected to continue in 2012 and 2013.

Akamai’s experiences are similar to those of others in the security industry. According to a hacker forum study, which security vendor Imperva carried out last year, 22% of discussions focused on DoS, slightly higher than SQL injection which accounted for 19% of all discussions. In its Hacker Intelligence Initiative, Monthly Trend Report #12 the company reveals that hackers are now favoring DoS attacks aimed at the Web application layer (rather than at the IP and TCP layers) as these types of attacks decrease costs and are harder to detect.

Distributed Denial of Service attacks, which split the attack load among many machines simultaneously, are being used most to get the public’s and media’s attention. Such attacks are usually accompanied by announcements that reveal the reasons (ideological etc.) behind the attack. However, DDoS attacks are not limited to hacktivists. DDoS attacks have been used to disrupt businesses for monetary gain, including blackmailing a company into paying a ransom, otherwise the site will be attacked.

The good news is that companies like Akamai seem able (at the moment) to absorb this malicious data.

“Today, we’re probably serving eight, maybe ten terabits per second of traffic at peak, so a 150 gigabit per second denial of service attack is actually fairly small when all is said and done,” said Caro.

Anonymous Moves Against Multiple UK Government Websites with DDoS Attack

(LiveHacking.Com) – The hacker group Anonymous has attacked three UK government websites, including the Prime Minister’s site, in a protest about the extradition of British citizens to the USA and about a proposed new law to increase the surveillance powers of the British state. The so-called hacktivists disrupted traffic through a series of distributed denial of service (DDoS) attacks, designed to take the websites offline by flooding them with more traffic than they can handle. The sites attacked were homeoffice.gov.uk (Home Office), number10.gov.uk (Prime Minister’s Office) and justice.gov.uk (Ministry of Justice). By Sunday morning all the sites appeared to be functioning normally again.

It appears that the attacks were in response to a proposed new law that would allow the British government to conduct some trials in secret and allow authorities to track the phone calls, emails, text messages and online activity of everyone in the country.

The group took credit for the attack in a series of tweets which specifically mention the UK’s proposed “draconian surveillance proposals” and “derogation of civil rights.”

The attack could be considered quite courageous, especially in light of recent efforts by global law enforcement agencies to crack down on the group’s cyber protests. Sophos noted on its blog that “other hacktivists who have launched DDoS attacks against websites belonging to British authorities have been arrested in recent history, and are currently facing trial.”

In a separate attack, the group targeted the website of the US House of Representatives but failed to prevent access.

Oracle Issues Patches for Apache Byterange Filter Bug

Oracle has issued a special security alert for Oracle HTTP Server products that are based on Apache 2.0 or 2.2. The alert covers CVE-2011-3192 or the Apache HTTPD byterange filter exploit as it is more commonly known.

In August a bug was found in the Apache HTTPD server regarding how it handled byte range headers. By exploiting the bug, remote attackers can cause a denial of service (memory and CPU consumption) by sending a Range header that expresses multiple overlapping ranges. A fix was released at the end of August and a few days ago a “more efficient” fix was released. Oracle is essentially playing catch-up by issuing this alert now.

Affected Oracle Products and Versions

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Apache HTTP Server 2.2.20 Released – Fixes Byte-range DoS Vulnerability

(LiveHacking.Com) - The Apache Foundation has released an update to its HTTPD server to fix the much publicized byte range headers problem. The announcement notes just one fix:

  •  CVE-2011-3192: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.

The vulnerability left over 60% of the world’s websites exposed to a denial of service attack. The problem revolved around how Apache handled byte range headers and, because a tool was published to demonstrate the problem, an attack could be easily launched and cause very significant memory and CPU usage on the target server.

Range Header DoS Vulnerability Leaves 60% of All Websites Open to Attack

(LiveHacking.Com) - Over 60% of the world’s websites are run using the Apache web server, and a recently found vulnerability in Apache has left these millions of websites open to a denial of service attack.

According to the official Apache HTTPD security advisory, the problem revolves around how Apache handles byte range headers. The advisory links to a tool which is available called “killapache.pl” which effectively demonstrates the problem. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on a server.

Mitigation

Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the following mitigations immediately.

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several tens should not be an issue and may be required for sites which, for example, serve PDFs to very high-end eReaders or use things such as complex HTTP-based video streaming.

2) Use mod_headers to completely dis-allow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients – such as those used for e-Readers and progressive/http-streaming video.

Patch
A patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 48 hours. Although still popular, Apache 1.3 is deprecated and as such there will be no official patch.
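The two defences described above, the advisory’s “count the ranges and drop or reject the header” workaround and the 2.2.20 rule “if the sum of all ranges exceeds the file, ignore the ranges and send the whole file”, are easy to reason about once written out. The following is an added example, not code from the Apache project or from the advisory: the function names, the MAX_RANGES constant and the constructed abuse header are this example’s own, and the Range syntax it parses is the RFC 2616 `bytes=first-last`, `first-` and `-suffix` forms.

```python
"""Range-header checks modelled on the CVE-2011-3192 mitigations.

Added example, not Apache's own code. Function names, MAX_RANGES and the
ABUSE_HEADER sample are assumptions made for illustration.
"""
import re

# The advisory's limit of 5 is arbitrary; tens may be needed for eReaders or
# HTTP-based video streaming, as the advisory notes.
MAX_RANGES = 5

_SPEC = re.compile(r"^(\d*)-(\d*)$")


def count_ranges(header):
    """Number of comma-separated range specs: the quantity the advisory's
    'SetEnvIf Range (,.*?){5,}' and RewriteCond patterns count."""
    header = header.strip()
    if not header.lower().startswith("bytes="):
        return 0
    return len([s for s in header[6:].split(",") if s.strip()])


def should_drop_range_header(header, limit=MAX_RANGES):
    """Mirror of the SetEnvIf/RequestHeader workaround: True when the header
    carries more than `limit` ranges and should be unset or rejected."""
    return count_ranges(header) > limit


def resolve_ranges(header, file_size):
    """Parse a Range header into absolute (first, last) byte tuples.

    Returns None when the header is absent, malformed, entirely unsatisfiable,
    or, per the 2.2.20 fix, when the sum of the requested ranges exceeds the
    file size. None means 'ignore the ranges and send the complete file'.
    """
    if not header or not header.lower().startswith("bytes="):
        return None
    ranges, total = [], 0
    for spec in header[6:].split(","):
        m = _SPEC.match(spec.strip())
        if not m:
            return None  # malformed: serve the full file instead
        first, last = m.group(1), m.group(2)
        if first == "" and last == "":
            return None
        if first == "":  # suffix range: the last N bytes
            n = min(int(last), file_size)
            lo, hi = file_size - n, file_size - 1
        else:
            lo = int(first)
            hi = file_size - 1 if last == "" else min(int(last), file_size - 1)
        if lo > hi or lo >= file_size:
            continue  # unsatisfiable single range: skip it
        ranges.append((lo, hi))
        total += hi - lo + 1
        # Overlapping ranges each cost the vulnerable filter a separate copy;
        # once the requested total exceeds the file itself, stop honouring them.
        if total > file_size:
            return None
    return ranges or None


def handle_request(header, file_size, limit=MAX_RANGES):
    """Combine both defences: 403 for too many ranges, 200 with the whole file
    when the ranges are ignored, otherwise 206 with the resolved ranges."""
    if should_drop_range_header(header, limit):
        return 403, None
    ranges = resolve_ranges(header, file_size)
    if ranges is None:
        return 200, [(0, file_size - 1)]
    return 206, ranges


# Constructed sample of the kind of header the advisory warns about: well over
# a thousand overlapping ranges of one small region of the file.
ABUSE_HEADER = "bytes=" + ",".join("5-%d" % i for i in range(6, 1300))

if __name__ == "__main__":
    print(count_ranges(ABUSE_HEADER), "ranges in the abusive header")
    print(handle_request(ABUSE_HEADER, 4096))          # (403, None)
    print(handle_request("bytes=0-,0-", 1000))         # (200, [(0, 999)])
    print(handle_request("bytes=0-99,-100", 1000))     # (206, [(0, 99), (900, 999)])
```

Note the ordering in handle_request: the cheap range count runs before any parsing, which is exactly why the advisory recommends SetEnvIf or mod_rewrite as the stop-gap. The sum-of-ranges rule needs the ranges parsed and the file size known, so it belongs in the server’s byte-range filter, which is where 2.2.20 put it.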

Cisco Issues Three Security Advisories and Software Updates

(LiveHacking.Com) - Cisco has issued three security advisories, including free software updates, to address vulnerabilities affecting the Cisco Unified Communications Manager, the Cisco Unified Presence Server, and the Cisco Intercompany Media Engine. These vulnerabilities may allow an attacker to disclose sensitive information or cause a denial-of-service condition.

  1. Cisco Unified Communications Manager contains five DoS vulnerabilities that could cause a critical process to fail, resulting in disruption of voice services.
  2. Cisco Unified Communications Manager and Cisco Unified Presence Server contain an open query interface that could allow an unauthenticated, remote attacker to disclose the contents of the underlying databases on affected product versions.
  3. Two denial of service (DoS) vulnerabilities exist in the Cisco Intercompany Media Engine. An unauthenticated attacker could exploit these vulnerabilities by sending crafted Service Advertisement Framework (SAF) packets to an affected device, which may cause the device to reload.

More information can be found:

Multiple Vulnerabilities in ClamAV

Arkadiusz Miskiewicsz from ClamAV has reported multiple vulnerabilities in the ClamAV anti-virus. These issues could be exploited by an attacker to cause denial-of-service conditions or potentially execute arbitrary code in the context of the application. All versions prior to ClamAV 0.96.5 are vulnerable.

References: