In its latest quarterly report, Nexusguard stated that after the FBI shut down 15 websites offering cyberattack services, an 85% decrease in the scale of DDoS attacks and a 24% decrease in large attacks were observed. These closures would likewise account for an 11% decrease in attack volume worldwide compared to the same period in 2018.
Indeed, in December 2018 the FBI successfully shut down 15 websites offering DDoS attack services, known in the trade as “booters” or “booter services”.
To deliver these attacks, booters rely on IP stressers, which were originally tools for testing the resilience of a server or a network. The cybercriminals repurpose these IP stressers and send through them a large volume of requests towards the target servers until they are overloaded and can no longer respond.
The Nexusguard report also indicates that the 15 websites closed by the FBI were the technical source of about 11% of global DDoS attacks of all sizes since 2014. Of course, this decrease may only be temporary, as the proliferation of botnets is the real scourge of our decade in terms of cybercrime.
Remember that in June 2014, Nominet, the .CO.UK registry, opened .UK registrations. At the launch of the extension, the registry applied a 5-year restriction during which the right to register a .UK name was reserved to the holders of the corresponding names in .CO.UK, .ORG.UK, .ME.UK, .NET.UK, .LTD.UK or .PLC.UK.
The 1st of July 2019 marks the end of the period during which a .UK name could not be registered unless the corresponding .CO.UK was already held. The names will then be open to all! If you already hold a .CO.UK domain name, do not hesitate to contact your Nameshield consultant before the end of the priority period to reserve the corresponding .UK name and thus prevent a third party from registering it during general availability.
Last weekend, the media widely reported on the consequences of an unprecedented attack targeting domain names.
Indeed, during the night of 22-23 February, ICANN reported large-scale attacks on domain names: DNS hijacking. These attacks consist in “replacing the authorized servers addresses” with “addresses of machines controlled by the attackers”, as the organization explained, allowing the attackers to inspect the data in search of passwords, email addresses, etc., or even to capture all the traffic towards their servers.
A wave of attacks that began in November 2018
In fact, this is not a single attack but a wave of attacks that the domain name system has been enduring for several weeks now.
Since the end of November 2018, an attack has targeted Lebanon and the United Arab Emirates, affecting .GOV domain names. In this attack, the cybercriminals used DNS hijacking.
At the beginning of January 2019, the company FireEye reported in an article a wave of DNS hijacking affecting domain names belonging to government, telecommunications and Internet infrastructure entities across the Middle East and North Africa, Europe and North America.
Although the attackers had not been identified at that point, initial research suggested that the attacks could have been conducted by persons based in Iran.
An important fact about the attack of February 22: this time it struck, sometimes successfully, major actors of the Internet.
What are these attacks?
The method used is DNS hijacking deployed on a large scale. This is a malicious attack, also called DNS redirection. Its aim: to overwrite a computer's TCP/IP settings so that it is directed to a fraudulent DNS server instead of the officially configured one. To do so, the attacker takes control of the targeted machine through various techniques in order to alter its DNS configuration.
The American government, among others, recently warned about this series of highly sophisticated attacks, whose aim would be to siphon off a large volume of passwords. These attacks would target governments and private companies in particular.
Between DNS hijacking and cyber espionage
According to Talos’ article of November 2018, the attackers behind these attacks reportedly collected emails and login credentials (usernames and passwords) by hijacking the DNS, so that the email and VPN (Virtual Private Network) traffic of the targeted institutions was redirected to a server controlled by the cybercriminals.
Once the credentials are collected, further attacks can be launched for espionage purposes, such as Man-in-the-Middle attacks.
So how can you protect yourself effectively?
You must be aware that, while these attacks essentially target the domain name system, we can never say it enough: the first entry point into your domain name portfolio for an attacker is your access to the management platform.
The first and foremost recommendation is to protect your access
For many years, Nameshield has developed security measures for access to the domain name management platform (IP filtering, ACLs, HTTPS) and additionally offers two-factor authentication and SSO.
If these complementary solutions are not yet in place, Nameshield strongly recommends implementing them, in particular two-factor authentication, in order to counter password theft.
Implement the DNSSEC protocol
If DNSSEC were more widely deployed, it would prevent, or at least lessen, the impact of these attacks by limiting their consequences.
It is becoming increasingly urgent that DNSSEC be adopted on a massive scale, on both resolvers and authoritative servers.
Protect your domain names
Implementing a registry lock on your strategic names will prevent fraudulent modifications of them.
Although no perfect solution exists today to fully protect infrastructures from cyberattacks, it is the combination of several preventive measures that will reduce the vulnerabilities so easily exploited by attackers.
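As an added illustration, not code from the original post, of how a defender can notice the record tampering described above: the script below diffs a fresh snapshot of a domain's public NS, DS, A and MX records against a known-good baseline and turns the differences into alerts. The domain names, addresses and the DS digest are constructed placeholders.

```python
"""Detect record changes of the kind a DNS hijack leaves behind.

Added example, not code from the original post: a defender keeps a
known-good baseline of the NS, DS, A and MX records of strategic names,
takes periodic snapshots and diffs them. Redirected name servers or mail
and VPN hosts, or a DS record that disappears, show up as findings.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

RRSet = Dict[str, Set[str]]   # record type -> set of record values
Zone = Dict[str, RRSet]       # owner name  -> its record sets


@dataclass
class Finding:
    name: str
    rtype: str
    added: Set[str] = field(default_factory=set)
    removed: Set[str] = field(default_factory=set)

    def __str__(self) -> str:
        return (f"{self.name} {self.rtype}: "
                f"+{sorted(self.added)} -{sorted(self.removed)}")


def diff_zone(baseline: Zone, snapshot: Zone) -> List[Finding]:
    """One Finding per (name, type) whose value set differs.

    Missing names and missing types count as differences, so a deleted
    DS record (DNSSEC switched off) is reported like a changed NS or A.
    """
    findings = []
    for name in sorted(set(baseline) | set(snapshot)):
        base = baseline.get(name, {})
        seen = snapshot.get(name, {})
        for rtype in sorted(set(base) | set(seen)):
            want = base.get(rtype, set())
            got = seen.get(rtype, set())
            if want != got:
                findings.append(Finding(name, rtype, got - want, want - got))
    return findings


def hijack_indicators(findings: List[Finding]) -> List[str]:
    """Translate raw findings into the alerts an operator should act on."""
    alerts = []
    for f in findings:
        if f.rtype == "NS" and f.added:
            alerts.append(f"delegation of {f.name} changed to {sorted(f.added)}")
        elif f.rtype == "DS" and f.removed and not f.added:
            alerts.append(f"DNSSEC chain of trust removed for {f.name}")
        elif f.rtype in ("A", "MX") and f.added:
            alerts.append(f"{f.rtype} of {f.name} now points to {sorted(f.added)}")
    return alerts


# Constructed sample data (placeholder names and addresses): a baseline and
# a later snapshot in which the delegation and the mail host were redirected
# and the DS record vanished.
BASELINE: Zone = {
    "example.test": {"NS": {"ns1.example.test", "ns2.example.test"},
                     "DS": {"12345 8 2 <placeholder digest>"}},
    "mail.example.test": {"A": {"192.0.2.10"}},
    "vpn.example.test": {"A": {"192.0.2.20"}},
}
SNAPSHOT: Zone = {
    "example.test": {"NS": {"ns1.rogue.test", "ns2.rogue.test"}},
    "mail.example.test": {"A": {"198.51.100.7"}},
    "vpn.example.test": {"A": {"192.0.2.20"}},
}

if __name__ == "__main__":
    found = diff_zone(BASELINE, SNAPSHOT)
    for f in found:
        print(f)
    for alert in hijack_indicators(found):
        print("ALERT:", alert)
```

In practice the snapshot would be taken from the registry (whois/RDAP delegation data) and from the authoritative servers themselves, and any alert on a registry-locked name should be treated as a sign that the management-platform access itself was compromised.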
On February 13, 2019, the Duma (the lower chamber of the Russian Parliament) began examining a draft law aimed at creating a “sovereign Internet” in Russia, meaning the ability to operate in complete independence if Russia were cut off from the major global servers. To achieve this, it will be necessary to create an “infrastructure allowing to ensure the functioning of the Russian Internet resources in case of the impossibility for the Russian operators to connect to the foreign sources Internet servers”.
Internet service providers will have to implement systems allowing a “centralized control of the traffic” on their networks.
The proposed measures would allow the Russian Internet (RuNet) to ensure that the Russian part of the Internet keeps working. In other words, the test will allow Russia to make sure that its domestic networks can operate in full autonomy.
A response to threats of sanctions?
While Russia speaks of guaranteeing continued local availability, particularly in the event of a large-scale cyberattack, this draft law is also clearly presented as a response to the “aggressive nature of the new American cybersecurity strategy adopted in September 2018” [which names Russia as a threat]. Indeed, Russia faces many accusations of cyberattacks and cyber espionage: the disruption of the 2016 American presidential election; in December 2017, the call by Stuart Peach, Chief of the UK Defence Staff in NATO, for measures against Russia after Russian submarines were detected near the Atlantic submarine cables that carry communications between Europe and the USA; in January 2018, the UK Defence Secretary, Gavin Williamson, also accusing Russia of spying on his country's critical infrastructure with the aim of creating “total chaos” which could “result in thousands and thousands of deaths”; and so on. NATO and its allies have since threatened to punish Russia for these cyberattacks.
It is in this context that Russia is planning a full-scale test of disconnection from the global Internet.
A full-scale test
Russian authorities have been preparing this test for several years, with a local DNS backup planned and tested in 2014 and 2018.
Indeed, the law provides for the creation of Russia's internal DNS system, which would map web addresses to the IP addresses of the corresponding web servers without relying on the root servers of the global Internet.
Approved by President Putin, the draft law has every chance of being quickly adopted despite the reluctance of some branches of government because of the potential costs involved. For their part, the Russian Internet providers seem to agree with the draft law, as reported in the Russian press, but to date they have not validated its technical implementation, which could create major disturbances and other traffic disruptions in Russia.
Of course, it is easy to see that this experiment will at the same time test the Internet providers’ ability to direct data towards routing points controlled by the Russian government, since a filter would be put in place to stop the flow of data towards foreign servers.
Is Russia moving towards a system of traffic filtering, beyond ensuring a national intranet that maintains an operational connection inside its borders even in the event of a massive cyberattack? It is reminiscent of the well-known Chinese firewall (the Internet monitoring and censorship project managed by the Ministry of Public Security of the People’s Republic of China, initiated in 1998 and operational since November 2003).
The Russian test could take place on the 1st of April 2019. To be continued.
Lately, the DNS has kept making the news! After the first KSK rollover in October 2018, then the deactivation of the former KSK on January 11, now comes the DNS Flag Day!
DNS Flag Day: What is it all about?
“Flag day” is an expression used in IT to indicate a deadline and/or a radical change.
Remember that when the DNS was created, today’s cybercrime threats against the DNS infrastructure did not exist. While security was initially relegated to the background, the evolution of attacks has made it absolutely necessary: the DNS must be strengthened!
It is in this context that the EDNS standard was created in 1999 (updated in 2013 in RFC 6891). EDNS notably made possible the implementation of DNSSEC, DNS geolocation and other measures aimed at strengthening security.
This transition was not without difficulties. Improper adoptions of the EDNS standard, lack of updates and workarounds led to many patches and accommodations in the recursive servers’ code (in particular, so as to tell apart DNS servers that cannot properly support EDNS from those unreachable for other reasons).
Two decades later, maintaining all this patched software has become more than difficult and leads to bugs that can compromise DNS security. Obviously, the weight of these patches also slows down response times.
It is time for this standard to be implemented by all; otherwise, servers will no longer be able to deal efficiently with new DNS attacks, such as amplification or layer 7 attacks.
That is why major IT actors (Google, Cloudflare, Facebook, Cisco, ...), including the developers of recursive servers, decided as one to no longer support DNS servers that do not respect the EDNS standard as of February 1, 2019. The Flag Day has arrived!
And in concrete terms?
From the DNS Flag Day on February 1, all DNS servers that do not comply with the EDNS standard (or that fail because of a firewall incompatible with EDNS), and thus do not respond to EDNS queries, will be considered unreachable, the accommodations and other patches being removed from new versions of DNS software.
To put it simply, if your domain name is not hosted on compatible DNS servers, it may no longer resolve.
How to anticipate?
That is why it is important to make sure that the DNS servers hosting your names’ zones are EDNS-compatible, in particular if they are not on Nameshield’s DNS infrastructure or if your company runs its own infrastructure.
The DNS Flag Day website also lets you test your name’s compliance: https://dnsflagday.net/
Of course, our team is at your disposal for any questions.
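To show what the compliance test above actually probes, here is an added example (not code from the original post or from the dnsflagday.net test suite) that builds an EDNS(0) query in wire format and classifies a server's answer by whether it echoes the OPT record. The responses are constructed in memory, so the script runs without sending anything on the network.

```python
"""Build an EDNS(0) query and classify a server's answer to it.

Added example, not code from the original post or dnsflagday.net. The Flag
Day check sends queries carrying an OPT pseudo-record (RFC 6891): a
compliant server echoes an OPT record in ADDITIONAL, one that answers
without it ignores EDNS, and one that never answers is the case resolvers
stopped working around on February 1, 2019. Packets here are constructed.
"""
import os
import struct

OPT_TYPE = 41  # RR type of the EDNS OPT pseudo-record


def encode_name(name: str) -> bytes:
    """Encode 'www.example.test' as uncompressed DNS labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_edns_query(name: str, qtype: int = 1, udp_size: int = 1232) -> bytes:
    """Query with RD=1, one question and one OPT RR (EDNS version 0, no flags)."""
    header = os.urandom(2) + struct.pack("!HHHHH", 0x0100, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    # OPT RR: root owner name, TYPE 41, CLASS = UDP payload size,
    # TTL field = extended RCODE / version / flags (all zero), RDLENGTH 0.
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, udp_size, 0, 0)
    return header + question + opt


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) owner name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:       # compression pointer ends the name
            return off + 2
        off += 1 + length


def classify_response(msg: bytes) -> str:
    """'edns-ok' if an OPT RR sits in ADDITIONAL, 'no-edns' if the server
    answered without one, 'malformed' if the packet does not parse."""
    if len(msg) < 12:
        return "malformed"
    flags, qd, an, ns, ar = struct.unpack("!HHHHH", msg[2:12])
    if not flags & 0x8000:              # QR bit clear: not a response at all
        return "malformed"
    try:
        off = 12
        for _ in range(qd):
            off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
        has_opt = False
        for idx in range(an + ns + ar):
            off = _skip_name(msg, off)
            rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
            if rtype == OPT_TYPE and idx >= an + ns:    # only valid in ADDITIONAL
                has_opt = True
            off += 10 + rdlen
        if off != len(msg):
            return "malformed"
    except (IndexError, struct.error):
        return "malformed"
    return "edns-ok" if has_opt else "no-edns"


def make_sample_response(query: bytes, with_opt: bool) -> bytes:
    """Constructed answer to build_edns_query(): one A record, OPT optional."""
    question = query[12:_skip_name(query, 12) + 4]
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, 1232, 0, 0) if with_opt else b""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, int(with_opt))
    return header + question + answer + opt


if __name__ == "__main__":
    q = build_edns_query("www.example.test")
    for with_opt in (True, False):
        print("OPT echoed:", with_opt, "->", classify_response(make_sample_response(q, with_opt)))
```

Against a real server the query would be sent over UDP to port 53 and a socket timeout mapped to a fourth verdict, "unreachable", which is the outcome the Flag Day no longer papers over.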
In June 2018, the .NZ registry, DNCL (Domain Name Commission Limited), sued the American company DomainTools, which specializes in monitoring and investigation tools, on the grounds that it had violated the registry’s terms of use.
The DNCL was successful: the Federal Court in the State of Washington granted a preliminary injunction banning DomainTools from collecting .NZ whois data and ordering the removal of the data used in its existing publications, while the lawsuit proceeded.
Indeed, since June 2016, the .NZ registry’s terms have stated that copying domain name holders’ data is forbidden.
DomainTools appeals the injunction
Unsurprisingly, DomainTools, which had initially argued that the use of this data was also in the general interest, as its customers use it in the fight for cybersecurity, appealed the preliminary injunction.
Of course, this trial reflects the terms of the debate that took place at ICANN regarding the General Data Protection Regulation (GDPR).
DomainTools is mentioned in the American draft legislation unveiled by the Internet Governance Project, which suggests that this attempt is led by various lobbies. The Transparent, Open and Secure Internet Act of 2018, dated August 16, 2018, mentions two possible developments:
The first, called “large”, proposes keeping a whois with a broad enough range of information (more or less the same as our old-fashioned whois)
The second, more limited, would keep the obligation to publish the data only for American residents or for actors targeting business activity on the US market.
An intense debate about the GDPR
This trial reminds us how intense the debates about GDPR implementation are within ICANN, pitting the actors who use this now so precious data against the privacy advocates, supported by the WP29 (Article 29 Data Protection Working Party), which in particular points to the applicable sanctions.
Finally, it should be recalled that the GAC is trying to minimize the consequences of the European regulation. After being dismissed by the German court in May 2018 in its action against a registrar that had stopped providing customer data under the GDPR, the GAC aims to obtain a favorable decision on this subject from the EU Court of Justice.
The debate about the DomainTools case deserves to be followed closely!
After the first change of cryptographic key last October, it is now on January 11 that the old KSK (Key Signing Key) of the root zone will be deactivated.
The process initiated in October 2018 to improve the security of the root zone, with the deployment of KSK-2017, is completed with the revocation of the old root key, KSK-2010.
As indicated by Paul Hoffman, ICANN’s Principal Technologist, “The ICANN organization does not expect problems with the revocation. However, this is the first time a KSK in the Domain Name System (DNS) root has been revoked, so the ICANN org and the DNS technical community will be watching carefully for at least 48 hours after the publication of the revoked KSK-2010.”
Note that during the October rollover, the negative impacts were extremely limited, and it would seem that only two Internet service providers experienced interruptions during the process.
Of course, ICANN encourages solution providers to stop shipping KSK-2010 in their products. ICANN should later publish a white paper on the full rollover process, including the lessons learned from this operation. ICANN communities will then be able to open discussions on future rollovers.
Following a violation of its anti-abuse policy, the .me registry decided to suspend the Incels.me website for an indefinite period. As a reminder, the website hosts a forum gathering members who describe themselves as involuntarily single, or “incels”, and who discuss their daily lives there.
Disturbing comments, the cause of the suspension
It was not without surprise that the administrators of the incels.me website saw their forum become inaccessible. The registry’s investigations uncovered hate speech, threats of rape and even murder in the comments exchanged between participants. The decision to shut down the website was promptly made on October 15th, 2018, because of content that violated the anti-abuse policy. According to the registry, this measure was taken to force the Incels.me administrators to take down the inappropriate content and to prevent hate speech from appearing on the forum again.
Incels.me website linked to attacks?
Last April, Toronto was the scene of a bloody attack, in which a man killed 10 people in a vehicle-ramming attack. Before attacking, the man posted a message on social networks declaring himself an “incel”. It was only after the investigation that the police discovered that the murderer had been inspired by violent content from the Incels.me forum. The link was quickly made between the individual and the content inciting hatred, and rape as well, exchanged on the forum.
Incels.me financed by a Chinese giant with suspicious activities
The inquiries into the website made it possible to trace its main financier. Thanks to these investigations, we now know that the incels.me website is financially supported by a large Chinese entity that also owns more than 54 000 other domain names. The investigators were shocked by the potentially illicit nature of the activities of this company, ZhuHai NaiSiNike Information Technology Co. Indeed, of the thousands of domain names it has registered, most are involved in hosting websites selling prescription drugs illegally.
Despite requests to remove the abusive comments on the incels.me forum, the Chinese company did not do so. The website will therefore remain suspended until the offending content is removed.
As part of the fight against insecurity on the web, DNS Belgium, the .BE registry, decided to step up its action by cooperating with the FPS Economy [the FPS Economy, SMEs, Middle Classes and Energy is a Federal Public Service of Belgium responsible for contributing to the development, competitiveness and sustainability of the goods and services market in Belgium] in order to shut down fraudulent websites within 24 hours.
Philip Du Bois, general manager of DNS Belgium indicates: “This protocol will enable us to take even more targeted action, together with the FPS Economy, against possible abuses where .be domain names are involved. It underscores our ambition for a high quality and safe .be zone which serves as suitable environment for the further development of the Internet.”
The aim: to guarantee consumers completely safe browsing on .BE websites.
This procedure will ensure much faster response. Indeed, until now, the FPS Economy could not ask the registry to block a name on the basis of its content; moreover, fraudulent websites with correct identification data (or at least whose forgery could not be proven) were untouchable. Blocking required a request from the Public Prosecutor, i.e. a two-week procedure, which left the fraudulent website plenty of time to cause serious harm to consumers. Several hundred such websites per year were concerned!
From December 1st, 2018, the protocol will allow the DNS Belgium registry, at the request of the FPS Economy, to block .BE domain names which:
Are used for fraudulent websites
Host phishing websites
Of course, this procedure will be applied in cases of serious offences.
The owner of the blocked domain name will have two weeks to contest the blocking. If they take no action within 6 months, the blocked name will expire.
This still too rare initiative is to be welcomed in the context of the fierce fight against cybercrime!
Good news has just arrived: Webstresser.org, one of the websites responsible for the most DDoS attacks, numbering in the millions, has been dismantled. This shutdown was made possible by Europol’s active intervention.
As a reminder, a DDoS is a cyberattack whose mode of operation is to saturate servers with queries so that the websites hosted on those servers can no longer serve web users.
Many countries join hands to dismantle the network
According to the National Crime Agency’s research, Webstresser.org was used by hackers to launch almost 4 million attacks around the world. Among its victims were many British banks.
To carry out this large-scale operation, five countries, Croatia, Scotland, Canada, the Netherlands and Serbia, combined their best police officers to assist Europol.
Although this was an operation of international scope, the German, Dutch and American authorities were in charge of closing the website for good. Its operators can no longer access it, and a message left by the American Department of Defense now serves as the home page.
Heavy penalties for the hackers
The shutdown of webstresser.org also led to a wave of arrests in several countries, including Scotland, Croatia and Serbia. Under French law, a cyberattack is a criminal offence and the penalties are severe. Thus, if the attack targets individuals, the hacker or hackers can be sentenced to 5 years’ imprisonment and a fine of 150 000 euros. If the attack affects the State or its institutions, the penalty can go up to 7 years’ imprisonment and a fine of 300 000 euros.
Following this major operation, Europol spokeswoman and operations coordinator Claire Georges announced that measures will be taken against all users of the website around the world and that arrests are to be expected.