Denial of Service Attack Archive

With the rapid advancement of internet-based technologies, cybersecurity is a constant cloud looming on the horizon. As the technology evolves, so too, do the cybercriminals. Their constant efforts to steal valuable data and disrupt business through DDoS attacks are increasingly sophisticated.

Holding companies hostage and monetizing data through ransomware techniques is sadly par for the course. In fact, it’s estimated that cybersecurity alone costs the global economy some $450 billion a year. With IT professionals scrambling to stay one step ahead of the hackers, how can blockchain be used to aid cybersecurity?

No Single Point of Failure

The decentralized nature of the blockchain means that there is no single point of failure, nor one central database waiting to be hacked. Information is stored over several databases, and each block is linked to the next in the chain, making no “hackable” entrance. This provides infinitely greater security than our current, centralized structures.

Removing Human Error

The weakest link in our current system is simple logins that are vulnerable to being cracked. Blockchain can remove human error in cybersecurity, as businesses can authenticate devices without the need for a password system. Each device is provided with a specific SSL certificate rather than a password, so human intervention no longer becomes a potential attack vector.

Bitcoin advocate, adjunct professor at NYU Law School and practicing attorney, Andrew Hinkes, explains, “Using a public blockchain with proof of work consensus can remove the foibles of human mistake or manipulation.”

Detecting Tampering in Real Time

The blockchain can uncover and reject suspicious behavior in the system in real time. Say, for example, that a hacker tried to interfere with the information in a block. The entire system would be alerted and examine all data blocks to locate the one that stood out from the rest. It would then be recognized as false and excluded from the system.

Improving IoT Security

With the rise in IoT devices, come inherent security risks. We’ve already seen problems occur when trying to disable compromised devices that become part of botnets. According to Kevin Curran, IEEE senior member and professor of cybersecurity at Ulster University, the blockchain can put an end to that:

“The blockchain, with its solid cryptographic foundation offering a decentralized solution can aid against data tampering, thus offering greater assurances for the legitimacy of the data.” This would mean that potentially billions of IoT devices could connect and communicate in a secure ecosystem.

Traceability

All transactions on the blockchain are highly traceable, using a timestamp and digital signature. Companies can easily go back to the root of each and every transaction to a given date and locate the corresponding party. Since all transactions are cryptographically associated to a user, the perpetrator can be easily found.

Says Hinkes, “Blockchains create an audit trail of all activity by its participants, which simplifies access control and monitoring.” This offers companies a level of security and transparency on every iteration.

The Takeaway

Currently, the impending threat of DDoS attacks comes from our existing Domain Name System. Blockchain technology would disrupt this completely by decentralizing the DNS and distributing the content to a greater number of nodes. This would make it virtually impossible for cybercriminals to hack, and would create a secure environment to host the world’s data.

Source: https://blocksleuth.com/category/ddos-attacks/

Multiple vendors this week say they have seen a recent spike in UDP attacks coming in via port 11211.

Multiple security vendors this week are warning about threat actors for the first time exploiting unprotected Memcached servers to launch dangerously large denial-of-service attacks against target organizations.

German DDoS mitigation service provider Link11, one of those to report on the new activity, says that over the past few days it has observed massive UDP attacks in which Memcached servers have been used as an amplification vector.

Each of the high-bandwidth attacks that Link11 observed in late February has exceeded 100 Gbps, with peaks of well over 400 Gbps. The attacks went on over multiple consecutive days and lasted up to 10 minutes on average, according to the company.

Akamai Technologies says that on Monday it mitigated a 190 Gbps Memcached attack that generated over 17 million packets per second. Cloudflare, another vendor to report on the previously unseen attack type, says that over the past two days it has seen an increase in UDP attacks coming in via UDP port 11211, the port associated with Memcached services.

The company says the peak inbound UDP Memcached traffic it has seen so far is 260 Gbps, which is massive for a completely new amplification vector.

Memcached is open source software that many organizations install on their servers to increase performance speed. It works by caching data in system memory and is designed purely for use behind firewalls and on enterprise LANs, says Link11 CTO Karsten Desler. But many organizations have deployed Memcached hosts that are completely accessible from the public Internet. All that attackers have to do is to search for these hosts and then use them to direct high-volume DDoS traffic at a victim.

Desler says a recent Link11 scan showed at least 5,000 Memcached servers deployed on the public Internet that are open for exploit. These servers give attackers a way to generate massive volumes of DDoS traffic with even a relatively small bandwidth connection and minimal input.

“The amplification factor with Memcached servers is hundreds of times larger than DNS,” says Desler. “You need a lot fewer servers to get the same bandwidth [compared to] using DNS, NTP, or any other amplification vector,” he says.

With DNS amplification, for instance, an attacker might be able to generate a 50KB response to a 1KB request. But with a Memcached server, an attacker would be able to send a 100-byte request and get a 100MB or even 500MB response in return. In theory, at least, the amplification could be unlimited, Desler says.

Security researchers have previously warned about Internet-facing Memcached servers being open to data theft and other security risks. Desler theorizes one reason why attackers have not used Memcached as an amplification vector in DDoS attacks previously is simply because they have not considered it and not because of any technical limitations.

Exploiting Memcached servers is new as far as real-world DDoS attacks are concerned, says Chad Seaman, senior engineer with Akamai’s Security Intelligence Response Team. “A researcher had theorized this could be done previously,” Seaman says. “But as Memcached isn’t meant to run on the Internet and is a LAN-scoped technology that is wide open, he thought it could really only be impactful in a LAN environment.”

But the use of default settings and reckless administration overall among many enterprises has resulted in a situation where literally tens of thousands of boxes running Memcached are on the public-facing Internet, Seaman says. “And now the DDoS attackers have found them and appear to be capitalizing on them before significant clean-up efforts take place.”

What makes the attacks worrisome is that Memcached services are deployed on servers and in hardware pools with plenty of bandwidth and resources. Unlike typical reflected attacks with mostly static payloads, like CharGen and NTP, that cannot be easily modified, with Memcached reflection an attacker has much more control over the payload. This gives them the potential to do a lot more damage, Seaman says.

“The primary problem is that Memcached, with its lack of authentication or controls, is world readable and writable. It’s also very fast, as it does all data management directly in memory, and by default it supports key value stores of up to 1MB.”

So, if attackers can find suitably beefy machines and load them up with as many keys as they want, they can use the box to launch waves of traffic with amplification rates far exceeding the norm for DDoS attacks, Seaman says. “In theory, an attack could unleash gigs of traffic from a single machine with a packet that’s only a few dozen bytes.”

Mitigation at this point is basically blocking traffic from source port 11211 at the router, firewall, and elsewhere along the network edge, adds Domingo Ponce, director of global security operations at Akamai. Organizations also need to ensure they have the bandwidth to absorb the attacks while allowing legitimate traffic to remain up.

“It’s real and we’ve seen it,” Ponce says. “At the end of the day, your pipes better be big enough.”
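The mitigation advice above is to block or watch for traffic sourced from UDP port 11211 at the network edge. As an added example, not code from the article or from any of the vendors it quotes, the following parses a few constructed NetFlow-style records and flags victims receiving large UDP replies from several distinct port-11211 reflectors; the record format, field names and thresholds are assumptions.

```python
"""Flag likely Memcached (UDP/11211) reflection traffic in flow records.

Added example. Record format 'src:port dst:port proto packets bytes' and the
thresholds below are assumptions chosen for illustration, not a vendor format.
"""
from collections import defaultdict
from dataclasses import dataclass

MEMCACHED_PORT = 11211  # UDP port the article associates with Memcached


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def parse_flows(text):
    """Parse whitespace-separated flow lines; '#' lines are comments."""
    flows = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        src, dst, proto, pkts, byts = line.split()
        sip, sport = src.rsplit(":", 1)
        dip, dport = dst.rsplit(":", 1)
        flows.append(Flow(sip, int(sport), dip, int(dport),
                          proto.upper(), int(pkts), int(byts)))
    return flows


def memcached_reflection_report(flows, min_bytes_per_packet=1000, min_reflectors=3):
    """Group inbound UDP flows sourced from port 11211 by destination and return
    destinations hit by >= min_reflectors distinct reflector IPs whose packets
    are large (amplified responses dwarf the requests that trigger them)."""
    per_victim = defaultdict(lambda: {"reflectors": set(), "bytes": 0, "packets": 0})
    for f in flows:
        if f.proto != "UDP" or f.src_port != MEMCACHED_PORT:
            continue
        if f.bytes / f.packets < min_bytes_per_packet:
            continue  # small replies look like ordinary cache traffic, not amplification
        v = per_victim[f.dst_ip]
        v["reflectors"].add(f.src_ip)
        v["bytes"] += f.bytes
        v["packets"] += f.packets
    return {victim: {"reflectors": sorted(d["reflectors"]),
                     "bytes": d["bytes"], "packets": d["packets"]}
            for victim, d in per_victim.items()
            if len(d["reflectors"]) >= min_reflectors}


SAMPLE_FLOWS = """
# constructed sample records (documentation IP ranges), not real captures
203.0.113.10:11211 198.51.100.5:40000 UDP 1200 1680000
203.0.113.11:11211 198.51.100.5:40000 UDP 900 1260000
203.0.113.12:11211 198.51.100.5:40000 UDP 1500 2100000
198.51.100.5:40000 203.0.113.10:11211 UDP 3 180
10.0.0.7:11211 10.0.0.9:53122 UDP 40 4800
203.0.113.20:11211 198.51.100.9:443 UDP 2 2600
192.0.2.1:53 198.51.100.5:33333 UDP 100 12000
"""

if __name__ == "__main__":
    for victim, d in memcached_reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{victim}: {len(d['reflectors'])} reflectors, {d['bytes']} bytes, {d['packets']} packets")
```

In the sample, only 198.51.100.5 is reported: the single-reflector flow to 198.51.100.9 and the small-packet LAN flow fall below the thresholds, and the outbound request and the DNS flow do not match the source port at all.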

Source: https://www.darkreading.com/attacks-breaches/memcached-servers-being-exploited-in-huge-ddos-attacks/d/d-id/1331149?

Enterprises need to exercise vigilance in protecting their networks from botnets.

Beware the botnet. A botnet is a collection of Internet-connected devices, including PCs, servers, mobile devices, and Internet of Things devices, like sensors and home appliances, that are infected and controlled by malware. Owners and users of the Internet-connected devices are usually unaware of a botnet infecting their devices.

The botnet can be used for a distributed denial-of-service (DDoS) attack. The collection of devices, as part of the botnet, consume the bandwidth or resources of a targeted system such as Web servers.

Protection against botnets has become an international issue. Vendors create the products that are susceptible to botnets, and enterprises don’t do enough to combat the problems.

Report to the President
I read the draft, “A Report to the President on Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats,” by The Secretary of Commerce and The Secretary of Homeland Security. The draft report, posted on January 5, 2018, included some thoughts that are worth reviewing for the enterprise.

The Departments of Commerce and Homeland Security pursued three approaches: hosting a workshop, publishing a request for comment (the report mentioned above), and initiating an inquiry through the President’s National Security Telecommunications Advisory Committee (NSTAC). This is aimed at collecting input from experts and stakeholders, private industry, academia, and civil society. The final draft will be based on the received comments before submission, due to the President on May 11, 2018.

Opportunities and Challenges
The draft report highlights the efforts needed to reduce the threats from automated distributed attacks. One of my conclusions is that the time-to-market vendor mentality produces the opportunities for botnet creation. The efforts are divided into six areas:

  • Automated, distributed attacks are a global problem. Most infected devices in recent botnets have been located outside the United States.
  • Effective tools exist, but are not widely used. The tools are available, but they are not part of common practices in product development and deployment. Both product developers and enterprises need to invest more and increase their awareness of the problems.
  • Products should be secured during all stages of the lifecycle, not as an afterthought. Devices are vulnerable at time of deployment. The lack of methods and procedures to patch vulnerabilities after discovery is the fault of the device vendors as well as the enterprises that own the devices.
  • Education and awareness are needed. Knowledge gaps in home and enterprise customers, product developers, manufacturers, and infrastructure operators impede the deployment of the tools, processes, and practices that would create more resiliency.
  • Market incentives are misaligned and are not driven to fully address the botnet threats.
  • Automated, distributed attacks are an ecosystem-wide challenge. There is no single party, vendor, government, academia, or enterprise that can alone mitigate the botnet problems.

The Enterprise Perspective

Enterprise networks, whether they belong to business, government, or academic institutions, are routinely connected to the Internet. These networks are complex, enterprise-owned, and include a number of devices that can be used in support of botnets. This also includes cloud-based services. These devices can be anything from simple PCs, servers, and mobile devices to IoT devices. An enterprise network can simultaneously be a victim of a botnet and be part of one. Besides DDoS attacks, botnets can be part of ransomware attacks.

The report envisions the enterprise application of the NIST Cybersecurity Framework. The report postulates that there are five concurrent and continuous functions that need to be applied:

  1. Identify and locate devices that cannot be secured. Enterprises should remove and retire these high-risk devices and replace them with inherently secure devices or those that can be secured.
  2. Protect the system and network architectures to provide additional layers of protection for any remaining high-risk devices and deploy DDoS mitigation services.
  3. Detect using a combination of ISP-based detection services and enterprise-operated network monitoring for both inbound and outbound malicious traffic, and identify infected devices in near real-time.
  4. Respond to attacks by creating policies and procedures to address detected infected devices. Enterprises should have processes and procedures to contact their ISPs and anti-DDoS service providers when attacks are detected.
  5. Recover the enterprise’s ability to re-establish infected systems instead of paying ransomware to resume operations.

A Possible Remedy
My last blog, “Compliance: A Cost or Savings?,” dealt with existing IT and data compliance requirements. No one likes compliance, as compliance regulations demand a number of security functions and implementations. However, compliance regulations can create positive incentives.

My thought is that if there were some government-imposed security compliance requirements for endpoint devices connected to the Internet, significant fines and penalties could be possible. Those harmed by botnets could sue the botnet creators and those who allow their devices to be used in the botnet. Penalties could be levied. This may go a long way toward creating incentives for vendors and enterprises to select and install devices that improve resilience against botnets. Setting goals or acknowledging the botnet problems will not stop the botnets.

Source: https://www.nojitter.com/post/240173237/building-resilience-against-distributed-threats

CANADIAN cybersecurity company DOSarrest has released a new service which allows organizations to test their systems’ resilience against distributed denial of service attacks.

The Cyber Attack Preparation Platform (CAPP) allows anyone to choose from a variety of options which specify the attack type, velocity, duration, and vector. The service is paid for according to the options chosen, and can be used by anyone – previously, only DOSarrest’s clients had access to this type of facility.

The attacking machines are distributed across the world and employ a variety of methods, thus accurately emulating an attack “in the wild.”

The company’s literature states that in some cases, larger hosts (such as cloud provider services like AWS or Google Cloud) simply scale up their hosted sites’ provisions in order to mitigate an attack: in short, when the going gets tough, the tough throw resources.

However, this style of mitigation can cost companies large sums of money if they are funding their cloud computing activities on the basis of pay-as-you-use.

Users of DOSarrest’s service can choose to pick specific attack types from a range of TCP attacks, plus a focussed range of attacks usually aimed at web services.

DOSarrest’s CTO, Jag Bains commented:

“It’s interesting to see how different systems react to attacks; CAPP not only shows you the traffic to the victim but also shows you the traffic response from the victim. A small attack [on] a target can actually produce a response back that’s 500 times larger […] This is the best tool I’ve seen to fine tune your cybersecurity defenses, if you fail you can make changes and launch the exact same attack again, to see if you can stop the attack.”

The company advises that attacks are chosen carefully as it is plainly possible to bring down an entire enterprise’s systems – by equal measures alarming and reassuring that large attacks can be emulated.

The company provides a handy pricing calculator by which interested parties can scope out what their testing might cost them: a ballpark of $US1,500 might be considered a bare minimum.

Of course, the cost of an attack by unknown actors will be much more, by some significant factor, and DOSarrest’s facility should hopefully go some way in mitigating the chances of such an attack being successful.

Source: http://techwireasia.com/2018/01/test-your-cyber-defenses-with-diy-ddos/

Latest version targets systems running ARC processors.

The authors of the Satori IoT malware family have dramatically increased their pool of bot recruits for attack botnets with a new version of the tool targeting systems running ARC processors.

The latest Satori variant, the fourth since the malware first surfaced in Dec. 2017, appears to be the first aimed specifically at ARC chipsets, DDoS attack mitigation vendor Arbor Networks said in an advisory this week.

ARC processors are 32-bit power-efficient CPUs that are used in a wide range of applications including automotive, industrial, and IoT. More than 1.5 billion embedded systems containing ARC cores ship every year, including electronic steering controls and infotainment systems in cars, as well as personal fitness bands, digital TV set-top boxes, and smart thermostats.

Like other Satori variants, the newest one also leverages the Mirai code base. Like Mirai, it is designed to propagate through credential scanning, meaning the malware can potentially infect any ARC device with default and easily guessable telnet usernames and passwords. The previous Satori variant specifically targeted Huawei routers.

It’s hard to say which specific ARC-based devices the Satori authors are hoping to target because of the huge installed base of systems, says Peter Arzamendi, security researcher at NETSCOUT, Arbor’s Security Engineering & Response Team.

However, “botnets that target new and novel types of IoT devices is the new normal,” he says. “With the proliferation of IoT and BYOD, enterprises will need to understand how to both defend these devices and be able to respond when they are compromised,” Arzamendi says.

Support for ARC processors allows Satori variants to target a wide range of systems including those based on Intel, ARM, MIPS, PPC, and SuperH processor architectures. All of the variants differ slightly in targeting and in capabilities.

Building malware for a new processor architecture like ARC is not too difficult an endeavor and only requires a compiler that supports the architecture, and some open source tools to help with porting code, says Arzamendi.

“IoT [botnets] depend on compromising as many devices as possible. Threat actors will have less competition by focusing on new types of devices that others are not targeting,” he says of the latest Satori development.

On Defense

With DDoS-capable malware available for a wider range of Internet-connected devices than when Mirai first surfaced in late 2016, network operators need to review their defense strategies, according to Arbor.

In addition to protections against DDoS attacks, businesses need to ensure their own IoT networks and devices are not being used in DDoS attacks, Arbor said. “The collateral damage due to scanning and outbound DDoS attacks alone can be crippling if network architectural and operational best current practices are not proactively implemented,” the security vendor said in its advisory.

Adam Meyers, vice president of intelligence at CrowdStrike, says organizations need to invest in DDoS protection if they haven’t done so already, and ensure they know what to do in the event of an attack. Tabletop exercises are a great way to ensure that all stakeholders are in lockstep when an attack does occur, he says.

“Protecting against IoT botnets will become increasingly difficult as IoT devices age in place,” Meyers says. “A bulk of these devices is going to remain deployed as long as they continue to function, and patching will not be widespread. In addition, new vulnerabilities in some of these platforms will continue to be identified.”

In addition to DDoS attacks, enterprises should also be aware of the fact that IoT botnets can be used for other purposes such as: creating a non-attribution proxy network for criminal enterprises, distributing spam, and hosting Web content for phishing.

Source: https://www.darkreading.com/vulnerabilities—threats/satori-botnet-malware-now-can-infect-even-more-iot-devices/d/d-id/1330875?