October 30, 2014

In brief: Callcentric hit by malicious series of DDoS attack

(LiveHacking.Com) – Callcentric, a VoIP Internet phone service, has sent an email to its subscribers telling them about a malicious series of DDoS attacks which have been launched against the service. The company is treating the attacks as a Direct Criminal Act with clear malicious intent, based on the persistent, aggressive, and evolving nature of the attacks. The company has been in direct contact with the FBI and FCC to report the matter and to prompt an investigation.

According to the email, the attacks are targeting Callcentric’s SIP Servers:

  • As a result of these attacks, users may experience drops in system registration, which can ultimately lead to inconsistent inbound/outbound calling results.
  • Customers using “Call Forwarding” to temporarily route their inbound calls to a third-party number (SIP URI, cellphone, PSTN line, etc.) should not experience difficulty in receiving calls.

“We can appreciate and share in everyone’s frustration regarding these malicious attacks and we continue to work around the clock to deploy software/hardware updates and upgrades in effort to mitigate against them,” said Callcentric. “At Callcentric we have always been and remain committed to providing great value, reliable service, and putting our customers first. Once this matter has been fully resolved our corporate management team will be performing a complete review and we will work to provide a fair resolution to address any inconvenience that our customers have experienced resulting from these attacks.”

Denial of Service attacks reach 150 gigabits per second, higher rates expected

(LiveHacking.Com) – Alex Caro, the Chief Technology Officer for Akamai Technologies, has told ZDNet that the company has seen Denial of Service attacks which have reached 150 gigabits per second. This is in line with a growing trend for hackers to use DoS as a means to disrupt websites for ideological, political or commercial reasons. From 2010 to 2011 Akamai saw the number of DDoS attacks against its customers double. This trend is expected to continue in 2012 and 2013.

Akamai’s experiences are similar to those of others in the security industry. According to a hacker forum study which security vendor Imperva carried out last year, 22% of discussions focused on DoS, slightly higher than SQL injection, which accounted for 19% of all discussions. In its Hacker Intelligence Initiative, Monthly Trend Report #12, the company reveals that hackers are now favoring DoS attacks aimed at the Web application layer (rather than at the IP and TCP layers) as these types of attacks decrease costs and are harder to detect.

Distributed Denial of Service attacks, which split the attack load among many machines simultaneously, are the variant most used to get the public’s and the media’s attention. Such attacks are usually accompanied by announcements that reveal the reasons (ideological etc.) behind the attack. However, DDoS attacks are not limited to hacktivists. They have also been used to disrupt businesses for monetary gain, including blackmailing a company into paying a ransom under the threat that its site will otherwise be attacked.

The good news is that companies like Akamai seem able (at the moment) to absorb this malicious data.

“Today, we’re probably serving eight, maybe ten terabits per second of traffic at peak, so a 150 gigabit per second denial of service attack is actually fairly small when all is said and done,” said Caro.

DDoS Attack Tool Comes to Android

(LiveHacking.Com) – McAfee has reported that the common Low Orbit Ion Cannon (LOIC) denial of service (DoS) tool has been ported to Android. ‘Ported’ might be too strong a word, as this mobile version is in fact a wrapper around the JavaScript version. Nonetheless, this is an interesting advancement in the ubiquity of hacking tools.

Hacktivism (hacking as political or social protest) is becoming increasingly popular, with groups like Anonymous using hacking tools to launch distributed denial of service attacks on organizations all over the world. LOIC, one such tool used by the hackers, was originally developed to stress-test websites; however, it has now been used effectively by hackers to take websites offline by sending a flood of TCP/UDP packets which overwhelms the server and makes it inaccessible.

Originally written in C#, LOIC inspired the creation of an independent JavaScript version, which allowed a DoS attack to be launched from a web browser. In conjunction with PasteHTML, which allows anyone to post HTML onto the web anonymously (no pun intended), and the free AppsGeyser service, which converts web pages into an app, an Android app has been created which encapsulates the JavaScript version of LOIC. Specifically, the version spotted by McAfee targets the Argentinian government, but theoretically an Android app can be created to attack any web site. When the app is launched, a WebView component is used to run the JavaScript, which sends 1,000 HTTP requests with the message “We are LEGION!” as one of the parameters.

“Creating Android applications that perform DoS attacks is now easy: It requires only the URL of an active web LOIC–and zero programming skills–thanks to automated online tools,” wrote Carlos Castillo for McAfee.
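The flood described above is visible on the server side as one client issuing a burst of near-identical requests, some of them carrying the “We are LEGION!” parameter the article mentions. The following is an added example, not code from LiveHacking.Com or from McAfee: a small detector that reads combined-format access-log lines, keeps a sliding window of request timestamps per client, and flags any client that exceeds a request threshold inside the window or that sends the marker at all. The log lines, IP addresses, window size and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
from urllib.parse import unquote

# Combined-log-format prefix: client IP, timestamp, request line, status.
# The sample lines used below are constructed; nothing here is a real capture.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Marker the article says the JavaScript LOIC sends as a request parameter.
LOIC_MARKER = "We are LEGION!"


def parse_line(line):
    """Return ip, timestamp, decoded path and status of one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "path": unquote(m.group("path")),
        "status": int(m.group("status")),
    }


def detect_floods(lines, window_seconds=10, threshold=20, marker=LOIC_MARKER):
    """Flag clients that exceed `threshold` requests in any `window_seconds`
    sliding window, or that send the LOIC marker at all.

    Returns {ip: (peak_requests_in_window, marker_hits)} for flagged clients only.
    Lines for a given client must be in chronological order, as in a real log.
    """
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    peak = defaultdict(int)       # ip -> busiest window seen so far
    marker_hits = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparsable lines rather than crash the detector on garbage
        ip, ts = rec["ip"], rec["ts"]
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:
            q.popleft()
        peak[ip] = max(peak[ip], len(q))
        if marker in rec["path"]:
            marker_hits[ip] += 1
    return {ip: (peak[ip], marker_hits[ip])
            for ip in peak if peak[ip] >= threshold or marker_hits[ip] > 0}


def build_sample_log():
    """Constructed sample: one ordinary visitor, one client hammering the site, one junk line."""
    base = datetime(2012, 1, 30, 12, 0, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(6):  # ordinary visitor, one page every 3 seconds
        t = base + timedelta(seconds=3 * i)
        lines.append(f'198.51.100.7 - - [{t.strftime(TS_FMT)}] "GET /index.html HTTP/1.1" 200 5123')
    for i in range(30):  # flood: 30 requests in six seconds, all carrying the marker
        t = base + timedelta(milliseconds=200 * i)
        lines.append(f'203.0.113.5 - - [{t.strftime(TS_FMT)}] '
                     f'"GET /?id=1&msg=We%20are%20LEGION! HTTP/1.1" 200 5123')
    lines.append("this line is garbage and must be skipped")
    return lines


if __name__ == "__main__":
    for ip, (peak_n, hits) in detect_floods(build_sample_log()).items():
        print(f"{ip}: {peak_n} requests in a 10 s window, {hits} with the LOIC marker")
```

The marker match is only a convenience for this particular tool; the per-client rate in a sliding window is the check that survives when the flood text changes, and it is the one to feed into a block list or rate limiter.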

Oracle Issues Patches for Apache Byterange Filter Bug

Oracle has issued a special security alert for Oracle HTTP Server products that are based on Apache 2.0 or 2.2. The alert covers CVE-2011-3192 or the Apache HTTPD byterange filter exploit as it is more commonly known.

In August a bug was found in the Apache HTTPD server regarding how it handles byte range headers. By exploiting the bug, remote attackers can cause a denial of service (memory and CPU consumption) by sending a Range header that expresses multiple overlapping ranges. A fix was released at the end of August and a few days ago a “more efficient” fix was released. Oracle is basically playing catch-up by issuing this alert now.

Affected Oracle Products and Versions

  • Oracle Fusion Middleware 11g Release 1, versions 11.1.1.3.0, 11.1.1.4.0, 11.1.1.5.0
  • Oracle Application Server 10g Release 3, version 10.1.3.5.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)
  • Oracle Application Server 10g Release 2, version 10.1.2.3.0 (Only affected when Oracle HTTP Server 10g based on Apache 2.0 has been installed from Application Server Companion CD)

Due to the threat posed by a successful attack, Oracle strongly recommends that customers apply Security Alert fixes as soon as possible.

Apache HTTP Server 2.2.20 Released – Fixes Byte-range DoS Vulnerability

(LiveHacking.Com) – The Apache Foundation has released an update to its HTTPD server to fix the much publicized byte range headers problem. The announcement notes just one fix:

  • CVE-2011-3192: Fix handling of byte-range requests to use less memory, to avoid denial of service. If the sum of all ranges in a request is larger than the original file, ignore the ranges and send the complete file.

The vulnerability left over 60% of the world’s websites exposed to a denial of service attack. The problem revolved around how Apache handled byte range headers, and because a tool was published to demonstrate the problem, an attack could easily be launched and cause very significant memory and CPU usage on the target server.

Range Header DoS Vulnerability Leaves 60% of All Websites Open to Attack

(LiveHacking.Com) – Over 60% of the world’s websites are run using the Apache web server and a recently found vulnerability in Apache has left these millions of web sites open to a denial of service attack.

According to the official Apache HTTPD security advisory, the problem revolves around how Apache handles byte range headers. The advisory links to a tool which is available called “killapache.pl” which effectively demonstrates the problem. Active use of this tool has been observed. The attack can be done remotely and with a modest number of requests can cause very significant memory and CPU usage on a server.

Mitigation

Apache HTTPD users who are concerned about a DoS attack against their server should consider implementing any of the following mitigations immediately.

1) Use SetEnvIf or mod_rewrite to detect a large number of ranges and then either ignore the Range: header or reject the request.

Option 1: (Apache 2.0 and 2.2)
# Drop the Range header when more than 5 ranges.
# CVE-2011-3192
SetEnvIf Range (,.*?){5,} bad-range=1
RequestHeader unset Range env=bad-range

# optional logging.
CustomLog logs/range-CVE-2011-3192.log common env=bad-range

Option 2: (Also for Apache 1.3)
# Reject request when more than 5 ranges in the Range: header.
# CVE-2011-3192
#
RewriteEngine on
RewriteCond %{HTTP:range} !(^bytes=[^,]+(,[^,]+){0,4}$|^$)
RewriteRule .* - [F]

The number 5 is arbitrary. Several tens should not be an issue and may be required for sites which, for example, serve PDFs to very high-end eReaders or use things such as complex HTTP-based video streaming.

2) Use mod_headers to completely disallow the use of Range headers:

RequestHeader unset Range

Note that this may break certain clients – such as those used for e-Readers and progressive/http-streaming video.

Patch

A patch or new Apache release for Apache 2.0 and 2.2 is expected in the next 48 hours. Although still popular, Apache 1.3 is deprecated and as such there will be no official patch.

Cisco Issues Three Security Advisories and Software Updates

(LiveHacking.Com) – Cisco has issued three security advisories, including free software updates, to address vulnerabilities affecting the Cisco Unified Communications Manager, the Cisco Unified Presence Server, and the Cisco Intercompany Media Engine. These vulnerabilities may allow an attacker to disclose sensitive information or cause a denial-of-service condition.

  1. Cisco Unified Communications Manager contains five DoS vulnerabilities that could cause a critical process to fail, resulting in disruption of voice services.
  2. Cisco Unified Communications Manager and Cisco Unified Presence Server contain an open query interface that could allow an unauthenticated, remote attacker to disclose the contents of the underlying databases on affected product versions.
  3. Two denial of service (DoS) vulnerabilities exist in the Cisco Intercompany Media Engine. An unauthenticated attacker could exploit these vulnerabilities by sending crafted Service Advertisement Framework (SAF) packets to an affected device, which may cause the device to reload.

More information can be found:

Apache 2.2.19 Released: Security Update and Bug-fix

The Apache HTTP Server Project team released the new version 2.2.19 of the Apache HTTP Server (httpd).

This new version is a security update and bug-fix release addressing the CVE-2011-1928 and CVE-2011-0419 DoS vulnerabilities. It also corrects a versioning incompatibility in 2.2.18. It is a major release of the stable branch and, according to the project’s website, represents the best available version of Apache HTTP Server.

Apache 2.2.19 includes features such as Smart Filtering, Improved Caching, AJP Proxy, Proxy Load Balancing, Graceful Shutdown support, Large File Support, the Event MPM, and refactored Authentication/Authorization.

This new release includes the Apache Portable Runtime (APR) version 1.4.5 and APR Utility Library (APR-util) version 1.3.12, bundled with the tar and zip distributions. The APR libraries libapr and libaprutil (and on Win32, libapriconv version 1.2.1) must all be updated to ensure binary compatibility and address many known security and platform bugs.

Apache HTTP Server 2.2.19 is available for download here.


WordPress.com Targeted in Largest Denial of Service Attack in its History

Yesterday WordPress.com was targeted by an extremely large Distributed Denial of Service attack (DDoS) which resulted in disruptions to the service for about two hours. According to the WordPress.com status page the “size of the attack is multiple Gigabits per second and tens of millions of packets per second.”

There is no news yet on who launched the attack and for what reason. TechCrunch spoke to WordPress’ founder Matt Mullenweg, “This is the largest and most sustained attack we’ve seen in our 6 year history. We suspect it may have been politically motivated against one of our non-English blogs but we’re still investigating and have no definitive evidence yet.”

WordPress.com is the commercial side of the popular open source WordPress blogging platform. Its VIP Hosting solutions serve blogs like CNN’s Political Ticker, Dow Jones’ All Things D and the BBC’s Top Gear. WordPress.com itself sees about 300 million unique visits monthly.

WordPress.com is currently reporting normal service on its site and on its Twitter feed, but continues to monitor the situation closely.

PHP Floating-Point bug Found and then Fixed

A bug has been found in the popular web site scripting language PHP which theoretically could be used in a DoS attack against a web site. The bug concerns the way PHP 5.2 and 5.3 convert certain double-precision floating-point numbers from strings. The number in question is 2.2250738585072011e-308, and if a script tries to convert this value from a string the CPU goes into an infinite loop. This could theoretically be used to mount a denial of service attack on a web site and send the CPU into overdrive.

The problem is known to affect only x86 32-bit PHP processes, regardless of whether the system hosting PHP is 32-bit or 64-bit. This is because 32-bit PHP processes use the x87 FPU for doing the conversion, whereas 64-bit processes use SSE.

The PHP team saw this as a critical bug and has released versions 5.3.5 and 5.2.17 to tackle the problem. It is strongly recommended that you upgrade to the new versions.

For more details on the bug, see the PHP bug report here and news of the new releases here. You can test whether your system is affected by running this script from the command line.