Denial of Service Attack Archive

The devices and systems we use seem to change or get updated on a daily basis.

As the world changes and our lives become increasingly interconnected, a range of new words and phrases are frequently added to the technological lexicon.

Here are a few that have popped up during the course of “IoT: Powering the Digital Economy.”

Autonomous vehicle

A vehicle, such as a car or truck, that uses technology and sensors to drive without the need for human assistance.

Uber, Tesla and Alphabet — through its subsidiary Waymo — are just some of the big businesses working on self-driving technologies.

BIM

According to the Institution of Structural Engineers, Building Information Modeling, or BIM, is centered on utilizing digital tools “to efficiently produce information” in order to allow assets to be constructed, maintained and operated.

Biometrics

The U.S. Department of Homeland Security (DHS) describes biometrics as being “unique physical characteristics” that can be utilized for “automated recognition.” Think fingerprints, iris scans and voice recognition.

The applications of biometrics are diverse and wide ranging. Today, we can unlock our smartphones with our fingerprints and use our voices to gain access to sensitive information, such as our banking details. For its part, the DHS says it uses biometrics to, among other things, “detect and prevent illegal entry into the U.S.” and enforce federal laws.

Blockchain

A tamper-proof, distributed digital ledger that records transactions. Instead of different parties in a transaction keeping their own records of that transaction — which could potentially differ and cause confusion — blockchain creates one “master” record. This cannot be changed once a transaction has been recorded. As technology giant IBM notes: “All parties must give consensus before a new transaction is added to the network.”

DDoS

Stands for Distributed Denial of Service. The U.K.’s National Crime Agency (NCA) says that DDoS attacks usually take place when a group of “compromised, controlled computers” send messages to a computer or server simultaneously. The messages are sent involuntarily, the NCA adds.

GDPR

In the European Union, the General Data Protection Regulation will apply from May this year. It will update the 1995 Data Protection Directive, which was introduced at a time when the digital age was in its infancy, and will impact both citizens and businesses.

Among other things, the GDPR will strengthen people’s right to be forgotten and guarantee free, easy access to their personal data. Organizations and businesses will also have to inform people about data breaches that could negatively impact them, and do this “without undue delay.” The relevant data protection supervisory authorities will also need to be told of any breaches.

Internet of Things

The European Commission describes the internet of things as merging “physical and virtual worlds, creating smart environments.”

Think of devices that are connected to the internet and able to “talk” to one another. One example would be a thermostat in your home that you control with your smartphone from your office.

Smartphone

A cell phone that can connect to the internet, enabling users to carry out a host of tasks. These range from visiting websites and sending instant messages to taking photographs and carrying out financial transactions.

Source: https://www.cnbc.com/2018/01/11/from-the-iot-to-bim-and-ddos-to-gdpr-breaking-down-technological-jargon.html

Old Vulnerabilities still available to be exploited
R.O.B.O.T:
Return Of Bleichenbacher’s Oracle Threat

A joint study by researchers from Ruhr-Universität Bochum/Hackmanit GmbH and Tripwire VERT has revealed a re-tread of an old vulnerability from 1998 that allows an attacker to perform RSA decryption and signing operations with the private key configured on a vulnerable TLS server. This latest CVE, dubbed ROBOT (Return Of Bleichenbacher’s Oracle Threat), has a surprisingly large target area, affecting almost a third of the top 100 domains (according to Alexa).

I won’t detail the history and specifics of the exploit; there is a pretty good overview over at The Hacker News and of course at the researchers’ own website, where they have provided an online and downloadable tool for testing for this exploit.

What I will bring to attention are the hardware vendors that are identified as being susceptible to this exploit even today, as it contains some of the biggest names in the IT industry: Cisco, F5, Citrix, and the most surprising is Radware, who specialize in building cybersecurity products. Granted, some of the listed platforms are older legacy platforms, but given that the RSA cipher has been deprecated for over a decade, one would assume that patches to remove it would have been offered and applied years ago. One may be led to believe that this type of negligence is one way to incentivize customers to continually spend on expensive hardware upgrades, but of course we all know better than that...

With regards to DOSarrest and R.O.B.O.T, we’ve long known about the weakness of using RSA ciphers, and only use strong, hardened cipher suites in our operations.

If you are using one of the affected hardware vendors, we can help. With our DDoS Proxy Defense Network, we can take all HTTPS connections and ensure your origin server(s) are protected from this CVE, as well as many other vulnerabilities.

Jag Bains, CTO

DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/old-vulnerabilities-still-available-to-be-exploited-robot/
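The ROBOT post above talks about “RSA ciphers” without saying which suites matter. The oracle the researchers describe depends on the server decrypting a client-chosen RSA ciphertext, which only happens in cipher suites that use static RSA key exchange (IANA names of the form TLS_RSA_WITH_...). Suites such as TLS_ECDHE_RSA_WITH_... use the RSA key only for signatures and are not in that class, and TLS 1.3 suites never use RSA key transport. The following audit script is an added illustration, not code from the researchers or from DOSarrest; the function names, the SAMPLE_CONFIG cipher list (constructed to look like an older load balancer’s settings) and the heuristic of classifying by the key-exchange token in the IANA name are all assumptions of this example.

```python
"""Flag TLS cipher suites that use static RSA key exchange and produce a
hardened, forward-secret cipher list.

Added example for the ROBOT discussion; it is not the ROBOT researchers'
tool and not DOSarrest code. It classifies IANA cipher-suite names offline
and needs no network access.
"""

from typing import Dict, List

# Constructed sample: a permissive cipher list of the kind an older TLS
# terminator might ship with. Names are IANA cipher-suite identifiers.
SAMPLE_CONFIG = [
    "TLS_RSA_WITH_AES_128_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "TLS_DHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_AES_256_GCM_SHA384",  # TLS 1.3: ephemeral (EC)DH only, no RSA key transport
]


def uses_rsa_key_exchange(suite: str) -> bool:
    """True when the suite encrypts the premaster secret to the server's RSA key.

    In IANA naming the key-exchange algorithm is the token between "TLS_" and
    "_WITH_". A bare "RSA" there (or RSA_EXPORT / RSA_PSK) means static RSA
    key transport, the class a Bleichenbacher-style oracle applies to.
    "ECDHE_RSA" / "DHE_RSA" use RSA only for signatures and are not affected.
    TLS 1.3 suites have no "_WITH_" segment and never use RSA key transport.
    """
    if not suite.startswith("TLS_") or "_WITH_" not in suite:
        return False
    kx = suite[len("TLS_"):suite.index("_WITH_")]
    return kx in {"RSA", "RSA_EXPORT", "RSA_PSK"}


def audit(suites: List[str]) -> Dict[str, List[str]]:
    """Split a configured cipher list into suites to remove and suites to keep."""
    remove = [s for s in suites if uses_rsa_key_exchange(s)]
    keep = [s for s in suites if not uses_rsa_key_exchange(s)]
    return {"remove": remove, "keep": keep}


def hardened_cipher_list(suites: List[str]) -> List[str]:
    """Return the forward-secret subset of the list, AEAD (GCM/ChaCha20) suites first."""
    keep = audit(suites)["keep"]
    aead = [s for s in keep if "GCM" in s or "CHACHA20" in s]
    legacy = [s for s in keep if s not in aead]
    return aead + legacy


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    print("Suites using static RSA key exchange (disable these):")
    for name in result["remove"]:
        print("  -", name)
    print("Hardened cipher list:")
    for name in hardened_cipher_list(SAMPLE_CONFIG):
        print("  +", name)
```

Run against the constructed list, the three TLS_RSA_WITH_* suites are flagged for removal and the four ECDHE/DHE and TLS 1.3 suites are kept, with the GCM suites ordered first. On a real device the input would be the cipher list exported from the load balancer or the suites a scanner reports the server accepting; if anything lands in the remove list, that is the setting to change, regardless of vendor.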

Shortly after the Securities and Exchange Commission (SEC) warned investors to question cryptocurrency exchanges about the “substantial risks” of loss or theft of cryptocurrency, including those associated with hacking, Bitfinex reportedly experienced a distributed denial of service (DDoS) attack that paralyzed the exchange.

“We are currently under heavy DDoS. API is also down. We are working on further mitigation,” the exchange tweeted Tuesday.

Noting that “bitcoin made the top-10 most targeted industries list, despite its relatively small size and web presence,” Igal Zeifman, security evangelist at Imperva, said, “This young and exponentially growing industry presents a lucrative opportunity for extortionists and other cybercriminals who are always on the lookout for potentially vulnerable and high-profit targets.”

As bitcoin prices fluctuate, Zeifman expects to see attacks escalate. An “alarming number of attacks” over 100Mbps in Q3, “targeting a relatively high number of cryptocurrency exchanges and services,” was “likely related to a recent spike in the price of bitcoin, which more than doubled in the span of the quarter,” he said.

Tuesday’s DDoS attack against Bitfinex “could have been also launched to manipulate bitcoin prices, something offenders have been known to do,” Zeifman said.

Source: https://www.scmagazine.com/ddos-attack-paralyzes-bitfinex/article/718191/

One of the hackers also open sourced the code, enabling criminals to launch their own attacks

Three men have admitted to being the authors of the devastating Mirai botnet, which was used to launch a DDoS attack that took large parts of the internet offline last year before being widely shared with cyber criminals.

Paras Jha, 21, of Fanwood, New Jersey; Josiah White, 20, of Washington, Pennsylvania; and Dalton Norman, 21, of Metairie, Louisiana, all pleaded guilty to operating Mirai last week, in a court case unsealed by the US Department of Justice yesterday.

The trio built the botnet over the summer and autumn of 2016, targeting IoT devices like routers and wireless cameras and exploiting device vulnerabilities that would let Mirai enslave connected gadgets.

Mirai was behind one of the most effective DDoS attacks ever, hammering DNS provider Dyn with access requests from tens of millions of different IP addresses to force it offline and thereby bring down Github, Reddit, Twitter, Spotify and other huge companies that rely on Dyn to route users to their sites.

The Hidden Costs of Moving IT operations onto the Cloud

As the CTO of a Cloud DDoS Protection Service, it would seem that I would be shooting myself in the foot by raising alarms about hidden costs in moving onto the cloud. After all, shouldn’t everything IT (including Security) be moved to the cloud, with its promises of low cost, high flexibility and immediate scalability? On the surface, this sounds like a great opportunity for CIOs and CSOs who are trying to deal with a volatile budget, but like anything else in life, it’s best to take a closer look before committing.

When I speak with our customers, many of whom have been transitioning their systems and storage to a cloud provider, we’ll often have discussions about support of their new setups within Amazon, Azure, etc. These migrations pose no problems for the DOSarrest service, and the conversations will invariably pivot into a Q&A on ideal hosting setups within these popular platforms, as I have had experience working with cloud hosting in my past lives. What I have noticed in conversing with these customers is that the same mistakes of the past are still occurring with high frequency even now, namely the pursuit of short-term savings without fully auditing their existing setups and requirements. IT managers are still often taking a snapshot of their server inventory and attempting to replicate it in the cloud during a migration, without fully appreciating that they have excess server capacity. This results in buying extra capacity when it is not required. What is even worse is when IT managers are blissfully ignorant of the resources and processes operating within their environment that typically have little cost, and have no idea what those will look like on the invoice sheet when the same processes get moved into the cloud. Some good examples of areas that get overlooked in the migration are:

  1. CPU & Memory – it’s a safe bet you could walk into any enterprise datacenter and the vast majority of the systems will be running idle with the occasional 10% CPU load and minimal RAM use. Yet each system will have robust specs (e.g., 8 cores, 32 GB of RAM). Do you really need to replicate those specs in the cloud, even if it is cheaper than buying the actual server yourself?
  2. Storage – Similar to point 1, you will see a lot of disk space being unused in a datacenter. We all have to deal with growing and shrinking volumes, but have you recorded peak disk usage on a system for 1 day, 1 month, 1 year? Doing so would help ensure you don’t simply get the 5 TB option when it’s not needed.
  3. Data Transfer/Bandwidth – it’s surprising to me how often the bandwidth generated by a server farm is ignored by IT managers. Flat-rate bandwidth plans with their upstream providers allow them to ignore it, I suppose. However, when moving to the cloud, you could end up with a hefty bill if you are unsure how much traffic your systems can generate during peak loads. You should also be aware of charges for data transfer between regions and zones.

When it comes to Security in the cloud, there are again other considerations one should account for to avoid paying extra costs.

a) Service Level Agreements – Does the cloud service provider offer three nines (99.9%) or four nines (99.99%) of availability? More importantly, does the SLA have a limit on the size of attacks it will support? Is there a different price for each SLA tier?

b) Throughput – the service provider may say that they have Tb/s of capacity, but are there extra charges if there is a sustained attack over 50 Gb/s? 100 Gb/s? 500 Gb/s?

c) Tiered Support – often you will see a different price schedule for the types of support: a 30-minute response versus a 15-minute one, or phone support being extra.

d) Cost for features – Are there additional charges for a CDN? How about a Web Application Firewall? Machine learning for identifying anomalous traffic patterns?

At DOSarrest we recognize the cost risk for IT managers, and put all services under one fixed price, simplifying their budgetary exercises and minimizing potential cost overruns in the face of an unknown threat landscape. I know that if a customer of ours is fully using the services we offer at no extra cost to them, they can save thousands of dollars a month on a cloud hosting platform invoice.

In summary, do your due diligence. The cloud can be incredibly powerful with significant savings, but understand what your requirements are.

Jag Bains

CTO, DOSarrest Internet Security

Source: https://www.dosarrest.com/ddos-blog/throwing-caution-to-the-cloud/