Tag Archives: the-internet

DDoS attacks have gone from a minor nuisance to a possible new form of global warfare

“In principle, most of the denial-of-service attacks we see have no solution,” a security expert, Peter Neumann of SRI International, told the New York Times at the time. “The generic problem is basically unsolvable.” It still is. Twenty years on, DDoS attacks have increased exponentially in size, and vast swathes of the internet remain vulnerable. Experts say the proliferation of new but vulnerable connected devices, such as thermostats and security cameras, as well as the architecture of the internet itself, mean DDoS attacks will be with us for the foreseeable future. And rather than a mere annoyance that takes your favorite websites offline, they are starting to become a serious threat. According to Arbor Networks, an internet monitoring company that also sells DDoS protection, the volume of global DDoS attacks has grown by more than 30 times between 2011 and 2014. The attacks are also getting more intense. A string of them in September and October, which set records in terms of the volume of traffic (in gigabits per second, or Gbps) in each attack, proved that DDoS can overwhelm the internet’s best defenses. Among those they took down or threatened were a hosting service, a domain-name services provider (whose clients, including Twitter and Spotify, thus became inaccessible across entire regions of the US), a major content-delivery network, and the internet’s best-known blogger on security matters, Brian Krebs.  These are the most powerful DDoS attacks each year, by Arbor Networks’ count.   The September and October attacks are thought to have been carried out using Mirai, a piece of malware that allows hackers to hijack internet-connected devices such as security cameras. These are often sold with weak default passwords that their users don’t bother (or know how) to change. Mirai tracks them down, takes them over, and incorporates them into a “botnet” that launches DDoS attacks as well as finding and infecting other devices. Botnets aren’t new, but Mirai takes them to a new level, argues a recent paper (pdf) from the Institute of Critical Infrastructure Technology (ICIT), a research group. It’s a “development platform” for hackers to customize, the researchers say; the code was made public on a hacker forum, and people are free to innovate and build on it. In the past couple of months it’s thought to have been used to cripple the heating systems of two residential buildings in Finland and the online services of several Russian banks. The researchers speculate that hackers could tailor Mirai to do far bigger damage, such as bringing down a power grid. In September, security expert Bruce Schneier pointed to evidence that a large state actor—China or Russia, most likely—has been testing for weak points in companies that run critical parts of American internet infrastructure. It’s not outlandish to imagine that in the future, DDoS attacks powered by something like Mirai, harnessing the vast quantity of weakly secured internet-connected gadgets, could become part of a new kind of warfare. At the moment, the main defense against a DDoS attack is sheer brute force. This is what hosting companies offer. If a client suffers a DDoS attack, the hosting provider simply assigns more servers to soak up the flood of traffic. But as the latest attacks have shown, the power of botnets is simply growing too fast for even the biggest providers to defend against. There is a fix that would prevent a common type of DDoS attack—a “reflection” attack. This is where a hacker sends messages out to a botnet that seem to come from the target’s IP address (like sending an email with a fake reply-to address), causing the botnet to attack that target. The proposed fix, a security standard known as BCP38, which would make such fake return addressing impossible, has been available for 16 years. If all the ISPs on the internet implemented BCP38 on their routers, the most powerful DDoS attacks would be far more difficult to launch.  But the sheer number of networks and ISPs on the internet makes this idea wishful thinking, says Steve Uhlig, of London’s Queen Mary University, who specializes in the internet’s routing protocols.”Remember that the internet is made of more than 50,000 networks,” he says. If the most important and influential networks implement the fix, but the countless smaller operators don’t, DDoS attacks can continue to exploit spoofing. “Larger networks in the [internet core] can and do filter,” he says, “But they reduce the attacks by only a limited amount.” The internet’s decentralized design is what gives it its strength. But it’s also the source of what is rapidly becoming its biggest weakness. Source: http://qz.com/860630/ddos-attacks-have-gone-from-a-minor-nuisance-to-a-possible-new-form-of-global-warfare/

See more here:
DDoS attacks have gone from a minor nuisance to a possible new form of global warfare

?How to defend against the internet’s doomsday of DDoS attacks

Last week assault on Dyn’s global managed DNS services was only the start. Here’s how to fend off hackers’ attacks both on your servers and the internet. We knew major destructive attacks on the internet were coming. Last week the first of them hit Dyn, a top-tier a major Domain Name System (DNS) service provider, with a global Distributed Denial of Service (DDoS)attack. As Dyn went down, popular websites such as AirBnB, GitHub, Reddit, Spotify, and Twitter followed it down. Welcome to the end of the internet as we’ve known it. Up until now we’ve assumed that the internet was as reliable as our electrical power. Those days are done. Today, we can expect massive swaths of the internet to be brought down by new DDoS attacks at any time. We still don’t know who was behind these attacks. Some have suggested, since Dyn is an American company and most of the mauled sites were based in the US, that Russia or Iran was behind the attack. It doesn’t take a nation, though, to wreck the internet. All it takes is the hundreds of millions of unsecured shoddy devices of the Internet of Things (IoT). In the Dyn onslaught , Kyle York, Dyn’s chief strategy officer said the DDoS attack used “tens of millions” devices. Hangzhou Xiongmai Technology, a Chinese technology company, has admitted that its webcam and digital video recorder (DVR) products were used in the assault. Xiongmai is telling its customers to update their device firmware and change usernames and passwords. Good luck with that. Quick: Do you know how to update your DVR’s firmware? The attack itself appears to have been made with the Mirai botnet. This open-source botnet scans for devices using their default username and password credentials. Anyone can use it — China, you, the kid next door — to generate DDoS attacks. For truly damaging DDoS barrages, you need to know something about the internet’s architecture, but that’s not difficult. Or, as Jeff Jarmoc, a Salesforce security engineer, tweeted, “In a relatively short time we’ve taken a system built to resist destruction by nuclear weapons and made it vulnerable to toasters.” That’s funny, but it’s no joke. Fortunately, you can do some things about it. Securing the Internet of Things First, and this unfortunately is a long-term solution, IoT vendors must make it easy to update and secure their devices. Since you can’t expect users to patch their systems — look at how well they do with Windows — patching must be made mandatory and done automatically. One easy way to do this is to use an operating system, such as Ubuntu with Snap, to update devices quickly and cleanly. These “atomic” style updating systems make patches both easier to write and deploy. Another method is to lock down IoT applications and operating systems. Just like any server, the device should have the absolute minimum of network services. Your smart TV may need to use DNS, but your smart baby monitor? Not so much. That’s all fine and dandy and it needs to be done, but it’s not going to help you anytime soon. And, we can expect more attacks at any moment. Defending your intranet and websites First, you should protect your own sites by practicing DDoS prevention 101. For example, make sure your routers drop junk packets. You should also block unnecessary external protocols such as Internet Control Message Protocol (ICMP) at your network’s edge. And, as always, set up good firewalls and server rules. In short, block everything you can at your network edge. Better still, have your upstream ISP block unnecessary and undesired traffic. For example, your ISP can make your life easier simply by upstream blackholing. And if you know your company will never need to receive UDP traffic, like Network Time Protocol (NTP) or DNS, your ISP should just toss garbage traffic into the bit bin. You should also look to DDoS mitigation companies to protect your web presence. Companies such as Akamai, CloudFlare, and Incapsula offer affordable DDoS mitigation plans for businesses of all sizes. As DDoS attacks grow to heretofore unseen sizes, even the DDoS prevention companies are being overwhelmed. Akamai, for example, had to stop trying to protect the Krebs on Security blog after it was smacked by a DDoS blast that reached 620 Gbps in size. That’s fine for protecting your home turf, but what about when your DNS provider get nailed? You can mitigate these attacks by using multiple DNS providers. One way to do this is to use Netflix’s open-source program Denominator to support managed, mirrored DNS records. This currently works across AWS Route53, RackSpace CloudDNS, DynECT, and UltraDNS, but it’s not hard to add your own or other DNS providers. This way, even when a DDoS knocks out a single DNS provider, you can still keep your sites up and running. Which ones will work best for you? You can find out by using Namebench. This is an easy-to-use, open-source DNS benchmark utility. Even with spreading out your risk among DNS providers, DNS attacks are only going to become both stronger and more common. DNS providers like Dyn are very difficult to secure. As Carl Herberger, vice president for security solutions at Radware, an Israeli-based internet security company, told Bloomberg, DNS providers are like hospitals: They must admit anyone who shows up at the emergency room. That makes it all too easy to overwhelm them with massive — in the range of 500 gigabits per second — attacks. In short, there is no easy, fast fix here. One way you can try to keep these attacks from being quite so damaging is to increase the Time to Live (TTL) in your own DNS servers and caches. Typically, today’s local DNS servers have a TTL of 600 seconds, or 5 minutes. If you increased the TTL to say 21,600 seconds, or six hours, your local systems might dodge the DNS attack until it was over. Protecting the internet While the techniques might help you, they don’t do that much to protect the internet at large. DNS is the internet’s single point of total failure. That’s bad enough, but as F5, a top-tier ISP notes, DNS is historically under-provisioned. We must set up a stronger DNS system. ISPs and router and switch vendors should also get off their duffs and finally implement Network Ingress Filtering, better known as Best Current Practice (BCP)-38. BCP-38 works by filtering out bogus internet addresses at the edge of the internet. Thus, when your compromised webcam starts trying to spam the net, BCP-38 blocks these packets at your router or at your ISP’s router or switch. It’s possible, but unfortunately not likely, that your ISP has already implemented BCP-38. You can find out by running Spoofer. This is a new, open-source program that checks to see how your ISP handles spoofed packets. So why wasn’t it implemented years ago? Andrew McConachie, an ICANNtechnical and policy specialist, explained in an article that ISPs are too cheap to pay the small costs required to implement BCP-38. BCP-38 isn’t a cure-all, but it sure would help. Another fundamental fix that could be made is response rate limiting (RRL). This is a new DNS enhancement that can shrink attacks by 60 percent. RRL works by recognizing that when hundreds of packets per second arrive with very similar source addresses asking for similar or identical information, chances are they’re an attack. When RRL spots malicious traffic, it slows down the rate the DNS replies to the bogus requests. Simple and effective. Those are some basic ideas on how to fix the internet. It’s now up to you to use them. Don’t delay. Bigger attacks are on their way and there’s no time to waste. Source: http://www.zdnet.com/article/how-to-defend-against-the-internets-doomsday-of-ddos-attacks/  

View article:
?How to defend against the internet’s doomsday of DDoS attacks