Defend Against DDoS Archive

Various implementations of HTTP/2, the latest version of the HTTP network protocol, have been found vulnerable to multiple security vulnerabilities affecting the most popular web server software, including Apache, Microsoft’s IIS, and NGINX.

Launched in May 2015, HTTP/2 was designed for better security and an improved online experience by speeding up page loads. Today hundreds of millions of websites, some 40 percent of all the sites on the Internet, run over the HTTP/2 protocol.

A total of eight high-severity HTTP/2 vulnerabilities, seven discovered by Jonathan Looney of Netflix and one by Piotr Sikora of Google, exist due to resource exhaustion when handling malicious input, allowing a client to overload the server’s queue management code.

The vulnerabilities can be exploited to launch Denial of Service (DoS) attacks against millions of online services and websites that are running on a web server with the vulnerable implementation of HTTP/2, knocking them offline for everyone.

The attack scenario, in layman’s terms, is that a malicious client asks a targeted vulnerable server to do something which generates a response, but then the client refuses to read the response, forcing the server to consume excessive memory and CPU while processing requests.

“These flaws allow a small number of low bandwidth malicious sessions to prevent connection participants from doing additional work. These attacks are likely to exhaust resources such that other connections or processes on the same machine may also be impacted or crash,” Netflix explains in an advisory released Tuesday.

Most of the below-listed vulnerabilities work at the HTTP/2 transport layer:

  1. CVE-2019-9511 — HTTP/2 “Data Dribble”
  2. CVE-2019-9512 — HTTP/2 “Ping Flood”
  3. CVE-2019-9513 — HTTP/2 “Resource Loop”
  4. CVE-2019-9514 — HTTP/2 “Reset Flood”
  5. CVE-2019-9515 — HTTP/2 “Settings Flood”
  6. CVE-2019-9516 — HTTP/2 “0-Length Headers Leak”
  7. CVE-2019-9517 — HTTP/2 “Internal Data Buffering”
  8. CVE-2019-9518 — HTTP/2 “Request Data/Header Flood”

“Some are efficient enough that a single end-system could potentially cause havoc on multiple servers. Other attacks are less efficient; however, even less efficient attacks can open the door for DDoS attacks which are difficult to detect and block,” the advisory states.

However, it should be noted that the vulnerabilities can only be used to cause a DoS condition and do not allow attackers to compromise the confidentiality or integrity of the data contained within the vulnerable servers.
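The flood-style variants in the list above (Ping Flood, Settings Flood, the PRIORITY frames of Resource Loop, and stream resets) share one shape: the client emits a stream of cheap control frames that cost the server work without ever advancing a request. The following is an added example, written for this archive and not code from the Netflix advisory or from any of the affected servers. It parses the 9-byte HTTP/2 frame header and gives each connection a control-frame budget that grows only when real DATA or HEADERS frames arrive; the thresholds, the frame type codes pulled from RFC 7540, and the sample byte streams are all constructed for the example. The “dribble” variants, where the client simply stops reading, would need flow-control window tracking that this block does not attempt.

```python
"""Per-connection HTTP/2 control-frame budget check (added example, not from the advisory)."""
from collections import Counter

# Frame type codes from RFC 7540 section 6.
DATA, HEADERS, PRIORITY, RST_STREAM, SETTINGS, PING, WINDOW_UPDATE = 0x0, 0x1, 0x2, 0x3, 0x4, 0x6, 0x8
ACK = 0x1                    # flag bit used by PING and SETTINGS acknowledgements
END_HEADERS, END_STREAM = 0x4, 0x1
FRAME_HEADER_LEN = 9

# Frames that cost the server work without advancing a request.
CONTROL_TYPES = {PRIORITY, RST_STREAM, SETTINGS, PING, WINDOW_UPDATE}
USEFUL_TYPES = {DATA, HEADERS}


def encode_frame(ftype, flags=0, stream_id=0, payload=b""):
    """Encode one HTTP/2 frame; used below only to build constructed sample input."""
    return (len(payload).to_bytes(3, "big") + bytes([ftype, flags])
            + stream_id.to_bytes(4, "big") + payload)


def parse_frames(buf):
    """Split a raw HTTP/2 byte stream into (type, flags, stream_id, payload) tuples."""
    frames, pos = [], 0
    while pos + FRAME_HEADER_LEN <= len(buf):
        length = int.from_bytes(buf[pos:pos + 3], "big")
        ftype, flags = buf[pos + 3], buf[pos + 4]
        stream_id = int.from_bytes(buf[pos + 5:pos + 9], "big") & 0x7FFFFFFF
        start = pos + FRAME_HEADER_LEN
        if start + length > len(buf):
            break  # truncated trailing frame: stop rather than over-read
        frames.append((ftype, flags, stream_id, buf[start:start + length]))
        pos = start + length
    return frames


def check_control_budget(buf, burst=20, credit_per_useful=2):
    """Count client control frames against a budget earned by useful frames.

    The budget is `burst` plus `credit_per_useful` for every DATA/HEADERS frame,
    so a client that interleaves pings and window updates with real requests stays
    within it, while a peer sending nothing but PING, SETTINGS, PRIORITY, RST_STREAM
    or WINDOW_UPDATE frames exhausts it. The thresholds are assumptions chosen for
    this example, not values from the advisory.
    """
    counts = Counter()
    for ftype, flags, _stream_id, _payload in parse_frames(buf):
        if ftype in (PING, SETTINGS) and flags & ACK:
            continue  # acknowledgements of the server's own frames are not client-initiated work
        if ftype in CONTROL_TYPES:
            counts["control"] += 1
        elif ftype in USEFUL_TYPES:
            counts["useful"] += 1
    budget = burst + credit_per_useful * counts["useful"]
    return {
        "control": counts["control"],
        "useful": counts["useful"],
        "budget": budget,
        "abusive": counts["control"] > budget,
    }


# Constructed sample streams (not captured traffic).
BENIGN_STREAM = b"".join([
    encode_frame(SETTINGS),
    encode_frame(HEADERS, END_HEADERS | END_STREAM, 1, b"\x82\x84"),  # dummy HPACK bytes
    encode_frame(WINDOW_UPDATE, 0, 0, (65535).to_bytes(4, "big")),
    encode_frame(PING, 0, 0, b"\x00" * 8),
    encode_frame(PING, ACK, 0, b"\x00" * 8),
])
PING_FLOOD = b"".join(encode_frame(PING, 0, 0, b"\x00" * 8) for _ in range(500))
SETTINGS_FLOOD = b"".join(encode_frame(SETTINGS) for _ in range(500))

if __name__ == "__main__":
    for name, stream in [("benign", BENIGN_STREAM), ("ping flood", PING_FLOOD),
                         ("settings flood", SETTINGS_FLOOD)]:
        print(name, check_control_budget(stream))
```

A server that enforces a budget like this closes the connection once `abusive` becomes true instead of queueing ever more responses; the benign stream stays three control frames against a budget of 22, while either flood blows through the fixed burst immediately.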

Netflix’s security team, which teamed up with Google and the CERT Coordination Center to disclose the reported HTTP/2 flaws, discovered seven of the eight vulnerabilities in several HTTP/2 server implementations in May 2019 and responsibly reported them to each of the affected vendors and maintainers.

According to CERT, affected vendors include NGINX, Apache, H2O, Nghttp2, Microsoft (IIS), Cloudflare, Akamai, Apple (SwiftNIO), Amazon, Facebook (Proxygen), Node.js, and Envoy proxy, many of which have already released security patches and advisories.

Source: https://thehackernews.com/2019/08/http2-dos-vulnerability.html

Popular chat service Discord experienced issues today due to network problems at Cloudflare and a wider internet issue. The app was inaccessible for its millions of users, and even Discord’s website and status pages were struggling. Discord’s problems could be traced to an outage at Cloudflare, a content delivery network. Cloudflare started experiencing issues at 7:43AM ET, and this caused Discord, Feedly, Crunchyroll, and many other sites that rely on its services to have partial outages.

Cloudflare says it’s working on a “possible route leak” affecting some of its network, but services like Discord have been inaccessible for nearly 45 minutes now. “Discord is affected by the general internet outage,” says a Discord statement on the company’s status site. “Hang tight. Pet your cats.”

“This leak is impacting many internet services including Cloudflare,” says a Cloudflare spokesperson. “We are continuing to work with the network provider that created this route leak to remove it.” Cloudflare doesn’t name the network involved, but Verizon is also experiencing widespread issues across the East Coast of the US this morning. Cloudflare notes that “the network responsible for the route leak has now fixed the issue,” so services should start to return to normal shortly.

Cloudflare explained the outage in an additional statement, commenting that “Earlier today, a widespread BGP routing leak affected a number of Internet services and a portion of traffic to Cloudflare. All of Cloudflare’s systems continued to run normally, but traffic wasn’t getting to us for a portion of our domains. At this point, the network outage has been fixed and traffic levels are returning to normal.”
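A route leak of the kind described above is visible from the outside as announcements for an operator’s address space that the operator never made: more-specific prefixes carved out of its blocks, or its prefixes with the wrong origin or an unauthorized upstream next to the origin. The block below is an added example of that prefix-monitoring check, not Cloudflare’s tooling or anything from the article. The ASNs, prefixes and the “prefix|as_path” feed format are all constructed for the example.

```python
"""Prefix-monitoring check for leaked routes (added example, not from the article)."""
import ipaddress

# Constructed example values: the prefixes we announce, our origin ASN, and the
# ASNs allowed to appear directly before our origin in an AS path.
OUR_ASN = 64500
ANNOUNCED = {ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/23")}
AUTHORIZED_NEIGHBORS = {64496, 64498}


def parse_announcement(line):
    """Parse one 'prefix|as_path' line from a constructed route-collector feed."""
    prefix, path = line.strip().split("|")
    return ipaddress.ip_network(prefix), [int(asn) for asn in path.split()]


def covering_prefix(prefix):
    """Return the announced prefix that contains `prefix`, or None if it is not our space."""
    for ours in ANNOUNCED:
        if prefix.version == ours.version and prefix.subnet_of(ours):
            return ours
    return None


def audit_announcements(lines):
    """Flag announcements of our space that we did not make ourselves.

    Three findings are possible: a more-specific prefix we never announced (the
    classic leak-via-optimizer shape, flagged even if the origin ASN is preserved),
    our exact prefix with a foreign origin, and our exact prefix reached through an
    ASN that is not one of our authorized neighbours. AS-path prepending is handled
    by skipping repeated origin ASNs when locating the neighbour.
    """
    findings = []
    for line in lines:
        prefix, path = parse_announcement(line)
        ours = covering_prefix(prefix)
        if ours is None:
            continue  # not our address space; nothing to check
        origin = path[-1]
        path_str = " ".join(map(str, path))
        if prefix != ours:
            findings.append(("more-specific", str(prefix), path_str))
        elif origin != OUR_ASN:
            findings.append(("origin-mismatch", str(prefix), path_str))
        else:
            neighbor = next((asn for asn in reversed(path) if asn != origin), None)
            if neighbor is not None and neighbor not in AUTHORIZED_NEIGHBORS:
                findings.append(("unexpected-neighbor", str(prefix), path_str))
    return findings


# Constructed feed lines, not real collector data.
SAMPLE_FEED = [
    "203.0.113.0/24|64496 64500",          # our own announcement via an authorized upstream
    "203.0.113.0/25|64496 64510 64500",    # more-specific we never announced; origin preserved
    "198.51.100.0/23|64496 64501",         # our prefix with a foreign origin
    "198.51.100.0/23|64497 64500",         # correct origin, but 64497 is not an authorized neighbour
    "192.0.2.0/24|64496 64499",            # somebody else's space; ignored
    "203.0.113.0/24|64498 64500 64500",    # prepended origin, authorized neighbour; clean
]

if __name__ == "__main__":
    for finding in audit_announcements(SAMPLE_FEED):
        print(*finding)
```

The more-specific check is the important one for the incident described above: a leaked more-specific wins over the legitimate covering route everywhere it propagates, even when the origin ASN at the end of the path is still the right one.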

Source: https://www.theverge.com/2019/6/24/18715308/discord-down-outage-cloudflare-problems-crunchyroll-feedly

While there were fewer cyber threat incidents in Singapore last year, the republic continues to be the target for cyber attacks by advanced threat actors, the Cyber Security Agency of Singapore (CSA) said in its third annual Cyber Landscape report.

Here is a look at six alarming cyber security trends highlighted in the report:

DATA BREACHES

With data becoming the most valued currency or “commodity” in cyberspace, the CSA said that cyber criminals will try even harder to breach electronic databases.

Those that store large amounts of private and personal information will be the biggest target for hackers and cyber criminals.

The data breach involving healthcare cluster SingHealth was Singapore’s worst cyber attack, with the personal information of more than 1.5 million patients – including Prime Minister Lee Hsien Loong – stolen by hackers in June last year.

THREATS TO GLOBAL SUPPLY CHAINS

Supply chains that consumers depend on for their goods are increasingly becoming interconnected and automated thanks to rapidly developing technology.

But the CSA warned that cyber criminals are trying to disrupt them. This could be for reasons such as extracting information from the companies involved in these supply chains, or holding them to ransom. Industries dominated by a few companies are especially vulnerable as problems in one stage of production could potentially lead to a breakdown in the entire supply chain.

ATTACKS ON CLOUD DATABASES

An increasing number of databases are being hosted in the cloud, that is, on infrastructure where software and systems are designed specifically to be deployed and accessed over a network.

This means that cyber criminals will be on the lookout to exploit potential vulnerabilities in cloud infrastructure.

“While their primary goal remains data theft, threat actors will also try to exploit cloud services for other malicious aims, such as to amplify Distributed Denial-of-Service (DDoS) attacks,” the agency said in its report.

SMART BUILDINGS AND CONNECTED SYSTEMS

The advent of Internet of Things (IoT) devices and connected industrial control systems in buildings and factories might improve and quicken processes, but it also means that they are open to more danger.

As these buildings and systems become ‘smarter’, the risk of them being attacked to hold their owners to ransom, or being exploited to spread malware or conduct DDoS attacks, also increases, said the CSA.

ARTIFICIAL INTELLIGENCE (AI)

AI will be able to significantly enhance the capabilities of security systems in cases such as detecting unusual behaviour and rolling out appropriate responses and mitigation measures in the case of an attack.

But the CSA warned that threat actors can also use AI to search for vulnerabilities in computer systems.

It could also potentially be used to create malicious software that bypasses existing online security measures in an organisation.

BIOMETRIC DATA

As biometric authentication, such as the use of fingerprints or facial scanning, becomes increasingly common, threat actors will shift to target and manipulate biometric data, to build virtual identities and gain access to personal information.

Source: https://www.straitstimes.com/tech/six-alarming-cyber-security-trends-highlighted-by-the-csa

Global communication service providers (CSPs), who are expected to provide customers with continuous, uninterrupted service, are struggling to deal with an increasing number of distributed denial of service (DDoS) attacks.

DDoS attacks involve flooding a network with more traffic than it can handle, which makes the network inaccessible to legitimate users.

According to A10 Networks’ The State of DDoS Attacks against Communication Service Providers report, which quizzed 325 IT and security professionals working for internet service providers, 85% of CSPs believe that there will be an increase or no reduction in the amount of DDoS attacks launched against them in the near future.

Despite the threat increasing, just 39% were confident that their organisation could detect a DDoS attack. Fewer respondents, 34%, were confident that their organisation could prevent an attack.

Respondents said that a lack of actionable intelligence was the top barrier to preventing DDoS attacks. Insufficient talent and expertise, and inadequate technologies were also viewed as significant barriers.

Stopping the botnet

Preventing attacks can be costly for businesses, according to Jake Moore, security specialist at ESET, but regulating the internet of things (IoT) space could help prevent a large number of DDoS attacks before they are launched.

“DDoS attacks have always featured in cyber-attacks and there’s usually not much companies can do to protect their websites other than to attempt to divert as much traffic as possible, but this can be costly,” Moore explained. “The real solution lies in the early production of the internet of things and smart devices, where they are continually created with simple or no security at all.”

According to GlobalData’s recent smart home report, spending on internet-connected smart home devices climbed to $23bn in 2018. The market is expected to grow to $25bn by 2025 as consumers continue to automate their homes using smart speakers, thermostats, lighting and security products.

However, various studies have highlighted how easy it is to hack many of these devices.

This is being exploited by cybercriminals to build botnets: collections of compromised internet-connected devices that are used to carry out automated cybercriminal activities such as DDoS attacks or spam delivery.

The Mirai botnet discovered in 2016, for example, had amassed 380,000 devices by scanning the internet for IoT devices and testing commonly used default username and password combinations to break into a device.

“Once such devices are taken over by a threat actor, they are simply diverted en masse to targeted sites to crash them,” Moore explained.
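The default-credential guessing that built Mirai leaves a distinctive trace on the device side: many failed logins from one source, spread across several well-known account names, in a short window, often followed by a success. The block below is an added example of detecting that pattern in device authentication logs; it is not from the article or from ESET, and the syslog-like line format, the thresholds and the log lines themselves are constructed for the example.

```python
"""Detect default-credential guessing in device login logs (added example, constructed data)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a syslog-like shape; not from any real device.
SAMPLE_LOG = """\
2019-06-01T10:00:01 device1 login: FAILED user=root src=192.0.2.10 proto=telnet
2019-06-01T10:00:02 device1 login: FAILED user=admin src=192.0.2.10 proto=telnet
2019-06-01T10:00:02 device1 login: FAILED user=support src=192.0.2.10 proto=telnet
2019-06-01T10:00:03 device1 login: FAILED user=root src=192.0.2.10 proto=telnet
2019-06-01T10:00:03 device1 login: FAILED user=user src=192.0.2.10 proto=telnet
2019-06-01T10:00:04 device1 login: FAILED user=admin src=192.0.2.10 proto=telnet
2019-06-01T10:00:04 device1 login: OK user=admin src=192.0.2.10 proto=telnet
2019-06-01T10:05:00 device1 login: FAILED user=alice src=198.51.100.7 proto=ssh
2019-06-01T10:05:09 device1 login: OK user=alice src=198.51.100.7 proto=ssh
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) login: (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) proto=(?P<proto>\S+)$"
)


def parse_log(text):
    """Turn matching log lines into dicts; lines that do not fit the format are skipped."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect_credential_guessing(events, window=timedelta(seconds=60), max_failures=5, min_users=3):
    """Flag sources with >= max_failures failed logins across >= min_users accounts in `window`.

    The thresholds are assumptions for this example. A human mistyping one password
    fails a few times on one account; a scanner working through a default-credential
    list fails many times across several accounts within seconds. When a successful
    login follows the burst, the account is reported as probably compromised.
    """
    by_src = defaultdict(list)
    for event in events:
        by_src[event["src"]].append(event)

    alerts = []
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        failures = [e for e in evs if e["result"] == "FAILED"]
        for i, first in enumerate(failures):  # sliding window anchored on each failure
            in_window = [e for e in failures[i:] if e["ts"] - first["ts"] <= window]
            users = {e["user"] for e in in_window}
            if len(in_window) >= max_failures and len(users) >= min_users:
                last_failure = in_window[-1]["ts"]
                success = next((e for e in evs if e["result"] == "OK" and e["ts"] >= last_failure), None)
                alerts.append({
                    "src": src,
                    "failures": len(in_window),
                    "users": sorted(users),
                    "compromised_user": success["user"] if success else None,
                })
                break  # one alert per source is enough
    return alerts


if __name__ == "__main__":
    for alert in detect_credential_guessing(parse_log(SAMPLE_LOG)):
        print(alert)
```

On the sample data the telnet source is reported with six failures across four account names and a subsequent successful `admin` login, while the single SSH typo from the other address produces nothing.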

Source: https://www.verdict.co.uk/iot-regulation-ddos-attack-prevention/

A DDoS mitigation service is more than just the technology or the service guarantees. The quality and resilience of the underlying network is a critical component in your armor, and one which must be carefully evaluated to determine how well it can protect you against sophisticated DDoS attacks.

Massive Capacity

When it comes to protection against volumetric DDoS attacks, size matters. DDoS attack volumes have been steadily increasing over the past decade, with each year reaching new heights (and scales) of attacks.

To date, the largest-ever verified DDoS attack was a memcached-based attack against GitHub. This attack reached a peak of approximately 1.3 terabits per second (Tbps) and 126 million packets per second (PPS).

In order to withstand such an attack, scrubbing networks must have not just enough capacity to ‘cover’ the attack, but also ample overflow capacity to accommodate other customers on the network and other attacks that might be going on at the same time. A good rule of thumb is to look for mitigation networks with at least 2-3 times the capacity of the largest attacks observed to date.

Dedicated Capacity

It’s not enough, however, to just have a lot of capacity. It is also crucial that this capacity be dedicated to DDoS scrubbing. Many security providers – particularly those who take an ‘edge’ security approach – rely on their Content Distribution Network (CDN) capacity for DDoS mitigation, as well.

The problem, however, is that the majority of this capacity is already being utilized on a routine basis. CDN providers don’t like to pay for unused capacity, and therefore CDN bandwidth utilization rates routinely reach 60-70%, and can frequently reach up to 80% or more. This leaves very little room for ‘overflow’ traffic that can result from a large-scale volumetric DDoS attack.

Therefore, it is much more prudent to focus on networks whose capacity is dedicated to DDoS scrubbing and segregated from other services such as CDN, WAF, or load-balancing.
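The two points above, the 2-3x rule of thumb and the discount that routine CDN utilization takes off nominal capacity, can be combined into one comparison. The block below is an added example of that calculation, not code from the article; the candidate networks are constructed, and the assumption that dedicated scrubbing capacity carries no routine traffic is this example’s, stated in the code.

```python
"""Usable scrubbing headroom versus the largest observed attack (added example, constructed data)."""

# Largest verified attack cited in the text: roughly 1.3 Tbps (GitHub, memcached amplification).
LARGEST_OBSERVED_TBPS = 1.3


def usable_headroom_tbps(total_tbps, routine_utilization):
    """Capacity actually free to absorb attack traffic.

    Shared CDN capacity is discounted by its routine utilization; this example assumes
    dedicated scrubbing capacity carries no routine traffic (utilization 0).
    """
    if not 0.0 <= routine_utilization < 1.0:
        raise ValueError("utilization must be a fraction in [0, 1)")
    return total_tbps * (1.0 - routine_utilization)


def meets_rule_of_thumb(headroom_tbps, multiplier, largest_attack_tbps=LARGEST_OBSERVED_TBPS):
    """The text's rule of thumb: headroom of at least 2-3 times the largest attack seen."""
    return headroom_tbps >= multiplier * largest_attack_tbps


def evaluate_networks(networks):
    """Score each candidate network on usable headroom at the 2x and 3x thresholds."""
    report = {}
    for name, spec in networks.items():
        utilization = 0.0 if spec["dedicated"] else spec["routine_utilization"]
        headroom = usable_headroom_tbps(spec["capacity_tbps"], utilization)
        report[name] = {
            "headroom_tbps": round(headroom, 2),
            "meets_2x": meets_rule_of_thumb(headroom, 2.0),
            "meets_3x": meets_rule_of_thumb(headroom, 3.0),
        }
    return report


# Constructed candidates: a smaller dedicated scrubbing network versus a larger CDN
# whose capacity is shared with routine content delivery at 70% utilization.
CANDIDATES = {
    "dedicated-scrubber": {"capacity_tbps": 4.0, "dedicated": True, "routine_utilization": 0.0},
    "shared-cdn": {"capacity_tbps": 8.0, "dedicated": False, "routine_utilization": 0.7},
}

if __name__ == "__main__":
    for name, result in evaluate_networks(CANDIDATES).items():
        print(name, result)
```

The nominally larger 8 Tbps shared network is left with 2.4 Tbps of usable headroom at 70% routine utilization and fails even the 2x line (2.6 Tbps), while the 4 Tbps dedicated network clears the 3x line; that is the reason the text prefers segregated scrubbing capacity over headline CDN figures.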

Global Footprint

Organizations deploy DDoS mitigation solutions in order to ensure the availability of their services. An increasingly important aspect of availability is speed of response. That is, the question is not only whether the service is available, but also how quickly it can respond.

Cloud-based DDoS protection services operate by routing customer traffic through the service providers’ scrubbing centers, removing any malicious traffic, and then forwarding clean traffic to the customer’s servers. As a result, this process inevitably adds a certain amount of latency to user communications.

One of the key factors affecting latency is distance from the host. Therefore, in order to minimize latency, it is important for the scrubbing center to be as close as possible to the customer. This can only be achieved with a globally-distributed network, with a large number of scrubbing centers deployed at strategic communication hubs, where there is large-scale access to high-speed fiber connections.

As a result, when examining a DDoS protection network, it is important not just to look at capacity figures, but also at the number of scrubbing centers and their distribution.

Anycast Routing

A key component impacting response time is the quality of the network itself, and its back-end routing mechanisms. In order to ensure maximal speed and resilience, modern security networks are based on anycast-based routing.

Anycast-based routing establishes a one-to-many relationship between IP addresses and network nodes (i.e., there are multiple network nodes with the same IP address). When a request is sent to the network, the routing mechanism applies principles of least-cost-routing to determine which network node is the optimal destination.

Routing paths can be selected based on the number of hops, distance, latency, or path cost considerations. As a result, traffic from any given point will usually be routed to the nearest and fastest node.

Anycast helps improve the speed and efficiency of traffic routing within the network. DDoS scrubbing networks based on anycast routing enjoy these benefits, which ultimately results in faster response and lower latency for end-users.

Multiple Redundancy

Finally, when selecting a DDoS scrubbing network, it is important to always have a backup. The whole point of a DDoS protection service is to ensure service availability. Therefore, you cannot have it – or any component in it – be a single point-of-failure. This means that every component within the security network must be backed up with multiple redundancy.

This includes not just multiple scrubbing centers and overflow capacity, but also requires redundancy in ISP links, routers, switches, load balancers, mitigation devices, and more.

Only a network with full multiple redundancy for all components can ensure full service availability at all times, and guarantee that your DDoS mitigation service does not become a single point-of-failure of its own.
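The anycast section above describes least-cost routing delivering each client to the nearest scrubbing center, and the redundancy section asks what happens when one of those centers fails. The block below is an added example that models both on a small constructed topology, using Dijkstra’s algorithm over link costs; it is not from the article or from any provider’s network. The node names and link costs are invented, and the “cost” is treated as latency in milliseconds.

```python
"""Anycast least-cost selection with node failover (added example, constructed topology)."""
import heapq
from collections import defaultdict

# Constructed topology (not a real provider network): link costs in milliseconds
# between clients, exchange points and scrubbing centres.
LINKS = {
    ("client-eu", "ix-ams"): 5, ("client-eu", "ix-lon"): 8,
    ("ix-ams", "scrub-ams"): 2, ("ix-lon", "scrub-lon"): 2,
    ("ix-ams", "ix-lon"): 7, ("ix-lon", "ix-nyc"): 70,
    ("ix-nyc", "scrub-nyc"): 3,
    ("client-us", "ix-nyc"): 6, ("client-us", "ix-lon"): 75,
}
# Every scrubbing centre advertises the same anycast prefix (one IP, many nodes).
ANYCAST_NODES = frozenset({"scrub-ams", "scrub-lon", "scrub-nyc"})


def build_graph(links, down=frozenset()):
    """Adjacency map of the topology with any failed nodes (and their links) removed."""
    graph = defaultdict(dict)
    for (a, b), cost in links.items():
        if a in down or b in down:
            continue
        graph[a][b] = cost
        graph[b][a] = cost
    return graph


def least_cost_paths(graph, source):
    """Dijkstra: cheapest path cost from `source` to every reachable node."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue  # stale heap entry superseded by a cheaper path
        for nxt, link_cost in graph[node].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nxt, float("inf")):
                dist[nxt] = new_cost
                heapq.heappush(heap, (new_cost, nxt))
    return dist


def anycast_select(client, down=frozenset()):
    """Pick the scrubbing centre that least-cost routing delivers `client` to.

    Returns (node, cost), or (None, None) when no centre is reachable, which is the
    single-point-of-failure case the redundancy discussion warns about.
    """
    dist = least_cost_paths(build_graph(LINKS, down), client)
    reachable = {node: dist[node] for node in ANYCAST_NODES if node in dist}
    if not reachable:
        return None, None
    best = min(reachable, key=reachable.get)
    return best, reachable[best]


if __name__ == "__main__":
    print("eu, all up:      ", anycast_select("client-eu"))
    print("eu, ams down:    ", anycast_select("client-eu", down={"scrub-ams"}))
    print("us, all up:      ", anycast_select("client-us"))
    print("us, nyc down:    ", anycast_select("client-us", down={"scrub-nyc"}))
    print("eu, all down:    ", anycast_select("client-eu", down=ANYCAST_NODES))
```

With all centres up the European client lands in Amsterdam at 7 ms and the US client in New York at 9 ms; taking Amsterdam down reroutes the European client to London at 10 ms with no configuration change, because the same prefix is still advertised from the remaining nodes. Taking New York down sends the US client across the Atlantic at 77 ms, which is the latency penalty of thin coverage in a region, and taking every centre down returns nothing at all.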

Ask the Questions

Alongside technology and service, the underlying network forms a critical part of a cloud security network. The five considerations above outline the key metrics by which you should evaluate the network powering potential DDoS protection services.

Ask your service provider – or any service provider that you are evaluating – about their capabilities with regards to each of these metrics, and if you don’t like the answer, then you should consider looking for alternatives.

Source: https://securityboulevard.com/2019/05/5-key-considerations-in-choosing-a-ddos-mitigation-network/