Tag Archives: cyber attacks

The New Face of Denial-of-Service Attacks

In today’s modern web world, a denial-of-service (DoS) attack can take down an entire website in a matter of minutes. According to a report by security and network management vendors Prolexic and Arbor Networks, these types of attacks are on the rise, and they were recently one of the key forms of attack identified in the U.S. Department of Homeland Security’s investigation into the constant cyber-espionage against America’s water and energy utilities. Whether you are a governmental organization or a business, these types of attacks need to be on your radar.

While DoS attacks themselves are nothing new, new techniques and technologies in DoS attacks can be more aggressive than their predecessors and require a different kind of approach to network security. This blog will explain what’s different about these new attacks, how best to approach them and identify measures that are no longer successful in combating them.

A quick history of DoS/DDoS/AppDoS
The goal of any Denial of Service attack is simply to overwhelm a service to the point where it no longer works. This is typically done via brute force methods mixed with varying degrees of cleverness.

A “classic” example of a DoS attack is SYN flooding which attacks a (web) server directly by starting a conversation at the TCP layer, but never finishing it. The attack was effective because there were relatively few resources on servers for partially-open connections. Solutions initially focused on protecting web servers with a proxy server (or security appliance) in front of the real server. These proxies would validate remote clients by ensuring that the TCP 3-way handshake completed into a full connection. The “real” solution came with server OS fixes to reinforce the weaknesses exploited by the DoS.

The next major advance in DoS technology was Distributed Denial of Service (DDoS), in which large numbers of attackers simultaneously targeted a single service. The coordinated nature of the attack comes from botnets, which are composed of PCs infected by a worm, Trojan, or virus designed to make the PC an unwitting attacker. The infected PCs typically monitor a location on the Internet, looking for orders to attack. The real game changer in DDoS is that the large numbers of attackers can simply use brute force to overwhelm the network resources around a server. Placing a proxy or firewall in front of a server is an ineffective defense if the WAN link itself is flooded. Defense here usually requires either coordinating with the WAN provider to block addresses upstream, or moving the service to a hosting provider with enough bandwidth to simply absorb a DDoS.

In an interesting twist, self-proclaimed “hacktivist” groups like “Anonymous” have evangelized DDoS as a method of protest. Rather than using botnets of infected PCs, these groups are providing “opt-in” tools – although some versions of these tools provide no later method to opt back out or even uninstall.

The latest approach in DoS follows the broader trend among attackers of moving up the stack to applications. Application Denial of Service (AppDoS) uses vulnerabilities in specific server applications to create high-impact DoS with very low attack bandwidth. Whereas DDoS relied almost purely on brute force to overwhelm infrastructure, AppDoS shows a return to the cleverness of the original DoS. What makes AppDoS so effective is that it exploits application-specific vulnerabilities with layer 7 attacks. While these attacks will not work on every server, they use the regular behavior of lower-layer protocols like TCP, which makes them harder to detect. A true AppDoS attack on a web server would even use well-formed HTTP requests. Attacks of this kind include Slowloris, which only works against Apache.

The author of the Slowloris tool has provided some excellent points of comparison about why it’s a new-generation attack tool. Compared to first-generation DoS, “This is NOT a TCP DoS, because it is actually making a full TCP connection, not a partial one; however it is making partial HTTP requests. It’s the equivalent of a SYN flood but over HTTP.” Also, compared to brute-force DDoS methods, “Slowloris is also NOT a GET request flooder. Slowloris requires only a few hundred requests at long term and regular intervals, as opposed to tens of thousands on an ongoing basis.”

The new approach to DoS attacks versus the old
As stated before, today’s DDoS attacks aren’t just against servers, but also against the network infrastructure. A firewall can only protect what’s behind it, so if it’s on-premises, it can’t prevent the WAN links from being flooded. Instead, to properly respond to a DDoS attack, network administrators need to coordinate with their WAN carrier to try to block the traffic upstream. There is a category of service provider offering “clean pipe” hosting with automatic DDoS squelching, but it’s often more cost-effective to simply move externally-visible servers to a host with enough bandwidth to absorb DDoS attacks invisibly.

Secondly, the attack is going to come from a large number of IP addresses. These attackers will likely be a mix of botnets and self-proclaimed hacktivists. With an influx of this size, it is virtually impossible to add entries by hand for each node you are trying to block. In response you may want to try and filter aggregated blocks of addresses, but remember that the nature of botnets implies that the addresses will be widely dispersed rather than clustered together—so a lot of legitimate traffic could potentially be blocked as well. Rate limiting may be useful for brute-force DDoS, identifying each attacker by its aggressive connection rate, and automatically blocking. However, AppDoS attacks can evade rate limits by using high-impact, low-bandwidth techniques.
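As an added example that is not part of the original post, the following Python runs a simple per-source connection-rate limiter next to a slow-request check over connection records constructed inline; the addresses, thresholds and connection timings are assumptions chosen for the illustration. It shows the point made above: the rate limit catches the brute-force flooder, but it never fires on a low-bandwidth client that holds a few full TCP connections open with unfinished HTTP headers, which is what the incomplete-header check is for.

```python
"""Added example, not code from the original post: a per-source
connection-rate limiter beside a slow-request detector, both run over
connection records constructed inline for this example.

A brute-force flooder opens many connections per second and is caught by the
rate limit. A slow, low-bandwidth client opens only a handful of full TCP
connections and never finishes the HTTP request headers on any of them; the
rate limit never fires for it, and only the incomplete-header check does.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Conn:
    src: str            # client IP address (constructed sample values)
    opened: float       # seconds since the start of the capture
    header_done: bool   # True once the request headers ended with a blank line


RATE_WINDOW = 1.0      # seconds (assumed threshold)
RATE_LIMIT = 50        # more new connections than this per window gets blocked
SLOW_SECONDS = 30.0    # an incomplete header for this long is suspicious ...
SLOW_MIN_CONNS = 5     # ... when one source holds at least this many such connections


def rate_limit_offenders(conns, window=RATE_WINDOW, limit=RATE_LIMIT):
    """Sources that open more than `limit` connections inside any `window` seconds."""
    opened_by_src = defaultdict(list)
    for c in conns:
        opened_by_src[c.src].append(c.opened)
    offenders = set()
    for src, times in opened_by_src.items():
        recent = deque()                     # sliding window of open times
        for t in sorted(times):
            recent.append(t)
            while t - recent[0] > window:    # drop opens older than the window
                recent.popleft()
            if len(recent) > limit:
                offenders.add(src)
                break
    return offenders


def slow_request_offenders(conns, now, hold=SLOW_SECONDS, min_conns=SLOW_MIN_CONNS):
    """Sources holding at least `min_conns` connections open for `hold` seconds
    or longer without ever completing the request headers."""
    stalled = defaultdict(int)
    for c in conns:
        if not c.header_done and now - c.opened >= hold:
            stalled[c.src] += 1
    return {src for src, n in stalled.items() if n >= min_conns}


def build_sample():
    """Constructed capture: one flooder, one slow client, three normal users."""
    conns = []
    # flooder: 200 connections in half a second, each request completed
    for i in range(200):
        conns.append(Conn("203.0.113.9", i * 0.0025, True))
    # slow client: 8 connections opened seconds apart, headers never completed
    for i in range(8):
        conns.append(Conn("198.51.100.7", i * 2.0, False))
    # normal users: one completed request each
    for i in range(3):
        conns.append(Conn("192.0.2.%d" % (10 + i), 5.0 + i, True))
    return conns


def analyse(now=60.0):
    """Return (rate-limit offenders, slow-request offenders) for the sample."""
    conns = build_sample()
    return rate_limit_offenders(conns), slow_request_offenders(conns, now)


if __name__ == "__main__":
    fast, slow = analyse()
    print("blocked by rate limit:", sorted(fast))
    print("flagged by slow-request check:", sorted(slow))
```

The slow-request check keys on state a rate limiter never sees (how long a connection has sat without a complete request), which is why it is the complement to rate limiting rather than a replacement; in production the same logic is what a reverse proxy's header-timeout setting enforces.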

Finally, the speed at which the attack commences – sometimes referred to as the “thundering herd” effect – doesn’t leave much time to react and counter the problem. A coordinated DDoS, leveraging botnets and other always-on attackers, can hit without any advance warning. If you don’t have a tested plan to respond to DoS attacks, you’re going to have to invent one on the fly while simultaneously reporting your status every 15 minutes to the CIO.

How to Combat this New Approach:
Despite attempts by new tools to avoid automated blocking, there are usually key indicators which uniquely identify packets as belonging to the attack. Analysis by the University of Twente of the LOIC DDoS tool found the techniques to be surprisingly simple from a protocol perspective, featuring high repetition of a similar URL pattern and absolutely no lower-layer obfuscation like IP spoofing. If you have a packet capture infrastructure in place, the attack packets will be easy to find, as they’ll constitute the majority of your capture. With this in mind, you’ll need to find a signature or behavior which is common to the attack traffic but absent from your normal traffic. In some cases your packet analyzer has a visualization or expert analysis tool to identify a useful characteristic for you. A very useful example of this kind of fingerprint analysis is the SpiderLabs analysis of LOIC, including a packet dump and Snort rules.

The key here is to turn the attack’s strength into its weakness. Highly automated attacks will be fairly homogeneous, so an attack fingerprint can quickly be developed and deployed, and the attack impact halted. The strength of DDoS comes from central coordination of large numbers of already-deployed attack engines. While these engines have dynamic target settings, they have fixed methods of attack. Identifying and blocking those attack methods greatly reduces the attack impact. This is true even of tools which are designed to provide increased detection avoidance via mixed attack methods and increased randomization. After the HOIC tool was released as a detection-resistant alternative to LOIC, SpiderLabs analysis of HOIC showed that it has certain hard-coded aspects which still allow for detection and blocking. Fixing those mistakes might be easy for the attack tool authors, but the difficulties of distributing black-hat software make upgrade releases problematic. Anyone who has done PC support knows the pain of large-scale application version management. Imagine performing version upgrades without the benefit of an official trusted source of the software.
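To show how a fingerprint falls out of a capture in which the attack traffic is the majority, here is an added Python example that is not code from the original post nor from the SpiderLabs or Twente analyses. It builds a constructed capture (made-up addresses, URL and User-Agent) in which many sources repeat one URL pattern without spoofing, picks out the (URI, User-Agent) pair that dominates the capture while being sent by many distinct sources, and renders it as a Snort rule; the share and source-count thresholds and the rule’s sid are assumptions the operator would set.

```python
"""Added example, not code from the original post or from the SpiderLabs or
Twente analyses: pulling a candidate fingerprint out of a capture in which
the attack traffic is the majority, then expressing it as a Snort rule.

Request records are constructed inline. The attack traffic imitates the
pattern the Twente LOIC analysis describes: many sources, no spoofing, and
the same URL repeated over and over. The IP addresses, URL and User-Agent
are made up for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    src: str      # client IP address
    uri: str      # request URI as seen on the wire
    ua: str       # User-Agent header value


def build_capture(include_attack=True):
    """Constructed capture: 10 normal users plus, optionally, 40 attack sources."""
    normal_paths = ["/", "/about", "/products", "/contact", "/news/2012"]
    normal_uas = ["Mozilla/5.0 (Windows NT 6.1)", "Mozilla/5.0 (Macintosh)"]
    records = []
    for i in range(10):
        for j in range(3):
            records.append(Request("192.0.2.%d" % (10 + i),
                                   normal_paths[(i + j) % len(normal_paths)],
                                   normal_uas[i % 2]))
    if include_attack:
        for i in range(40):                   # 40 unspoofed sources ...
            for _ in range(5):                # ... each repeating one URL
                records.append(Request("203.0.113.%d" % (1 + i),
                                       "/?id=1234567890",
                                       "Mozilla/4.0 (compatible; example-flooder)"))
    return records


def fingerprint(records, min_share=0.5, min_sources=10):
    """Return the (uri, ua) pair that dominates the capture, or None.

    A pair counts as an attack fingerprint when it makes up at least
    `min_share` of all requests and is sent by at least `min_sources`
    distinct sources. Normal traffic spreads across many URIs, so no single
    pair reaches that share."""
    pair_counts = Counter((r.uri, r.ua) for r in records)
    pair_sources = defaultdict(set)
    for r in records:
        pair_sources[(r.uri, r.ua)].add(r.src)
    pair, n = pair_counts.most_common(1)[0]
    if n / len(records) >= min_share and len(pair_sources[pair]) >= min_sources:
        return pair
    return None


def _snort_escape(s):
    """Escape the characters Snort treats specially inside a content match."""
    return s.replace("\\", "\\\\").replace('"', '\\"').replace(";", "\\;")


def snort_rule(pair, sid):
    """Render the fingerprint as a Snort rule; `sid` is a placeholder the operator picks."""
    uri, ua = pair
    return ('alert tcp any any -> $HOME_NET $HTTP_PORTS '
            '(msg:"Constructed DDoS fingerprint"; flow:to_server,established; '
            'content:"%s"; http_uri; content:"%s"; http_header; '
            'sid:%d; rev:1;)' % (_snort_escape(uri), _snort_escape(ua), sid))


if __name__ == "__main__":
    fp = fingerprint(build_capture())
    print("fingerprint:", fp)
    print(snort_rule(fp, 1000001))
```

Run against the same capture with the attack records left out, `fingerprint` returns None, which is the sanity check to make before deploying a rule: the dominant pair must be something your normal traffic never produces, or the rule blocks your own users.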

As an additional step in combating DoS attacks, once you have a fingerprint identified, you can also use it to determine if any of the hosts in your own network are sending similar traffic, causing someone else the same pain you’re feeling. If you have a network traffic recorder, use your packet analyzer dashboard to examine the historical traffic to and from that host. Even without a fingerprint, you can get started by looking at suspicious traffic. Command and Control of botnets has historically happened via IRC, so look for traffic to port 6667 and surrounding ports (e.g. 6660-6669). Any outbound traffic to a non-standard port is worth investigating to identify the C&C, report it per your CERT process, and block traffic from your network to prevent future botnet activity.

In the end, no security system on the market is foolproof, but as cyber crimes get more sophisticated, businesses must be able to recognize and constantly adapt to new security threats. In order to ensure that you are completely prepared in the event of a DoS attack, there must also be a security “insurance policy” in place—often in the form of a network recorder. The ability to quickly halt this new level of DoS attack is essential to protecting your reputation, your data, and your business as a whole. Hopefully this blog serves as a reminder that if you don’t have a DoS mitigation plan already, now is a good time to create one before it’s too late.

Interested in learning more? Check out our post: “Top Trends in Cyber Security and Attacks” and webcast “Cyber Security – IDS/IPS is Not Enough.”

Top Trends in Cyber Security and Attacks

IT security experts have labeled 2011 as the “Year of the Hack,” and appropriately so. Last year saw a diverse group of breaches that were financially and politically motivated. While each attack has its own unique fingerprint, some common elements are emerging – the quiet, persistent and sophisticated nature of today’s attacks.

If you compare a hack like the Microsoft MSBlaster Worm of 2003 to Sony PlayStation’s data breach of April 2011, the motivation, sophistication, and direct cost are in stark contrast. MSBlaster was a fairly rudimentary Distributed Denial of Service attack, and the motivation behind it was hacker glorification, i.e. penetrating a system just to boast about it over beer. It caused mostly embarrassment to the affected companies, and more annoyance than actual monetary losses (though in some cases significant costs were incurred to wipe out the infections). On the other side, the attack on Sony was financially motivated and garnered credit card numbers, passwords, and other very personal information of 70M users, directly costing Sony $170 million and an estimated 10 to 100x that much in indirect costs.

As Distributed Denial of Service (DDoS) attacks and viruses, which are oftentimes associated with the idea of hacking for hacking sake, have steadily gone down in recent years, Advanced Persistent Threats (APT) have gone up. APTs typically have political and financial motivation, and often include an element of revenge. According to a study by Bit9, of the 765 IT executives interviewed for their Endpoint Survey, 60% said that APT is the biggest fear they have with security breaches and 28% feared that theft and disclosure was coming from insiders—APT threats can often be an insider job, or at least aided by risky behavior from within the enterprise network.

Advanced Persistent Threats are what the name implies: a long-term pattern of sophisticated hacking attacks aimed at governments, companies, and political activists. However, that just skims the surface of understanding what APTs are and how they can affect you, so let’s take a look at each of the words that define Advanced Persistent Threat.

Advanced
Hacking techniques have been continually evolving, becoming more advanced at every turn, and often in APTs hackers combine multiple targeting methods. Since the perpetrators of APTs have strong financial backing and serious motivation, they often take time to focus on operational security, not often done in more opportunistic, less advanced threats. But the methods need not always be advanced. Consider the Citigroup breach of 2011. Though the target and the purpose certainly categorize this attack as an APT, the method turned out to be incredibly simple. The perpetrators identified a security flaw in the web-based banking where once logged in with a known good account, they could simply change the account number in the URL string and immediately gain access to another account. It was then a simple task of writing scripts to first guess account numbers, and whenever a good one was found, to scrape the user information from the compromised account. Though perhaps not “advanced” in this case, the method was highly effective resulting in more than 200,000 compromised customer accounts.
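The flaw described above is a straightforward missing ownership check. As an added illustration that is not code from the original post and not Citigroup’s application, the following Python puts a minimal account-lookup handler in the vulnerable shape the post describes (the account number in the URL is trusted once the user is logged in) beside a fixed version, and adds a log check that spots the account-number guessing the post mentions. Sessions, accounts, the access log and the enumeration threshold are constructed assumptions.

```python
"""Added example, not code from the original post and not Citigroup's
application: an account-lookup handler in the vulnerable shape the post
describes beside a fixed one, plus a detection for scripted account-number
guessing. All sessions, accounts and log lines are constructed.
"""
from collections import defaultdict

# Constructed data: session token -> logged-in user, account number -> record
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.50},
    "1002": {"owner": "bob", "balance": 98.00},
}


class Forbidden(Exception):
    pass


def account_vulnerable(session, account_number):
    """Vulnerable shape: any logged-in user can read any account by number."""
    if session not in SESSIONS:
        raise Forbidden("login required")
    return ACCOUNTS.get(account_number)   # never checks whose account this is


def account_fixed(session, account_number):
    """Fixed: the account must belong to the logged-in user. A missing account
    and someone else's account get the same answer, so the endpoint cannot be
    used to tell valid account numbers from invalid ones."""
    user = SESSIONS.get(session)
    if user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != user:
        raise Forbidden("no such account")
    return record


def denied(handler, session, account_number):
    """True if the handler refuses the request (used to show the difference)."""
    try:
        handler(session, account_number)
    except Forbidden:
        return True
    return False


def build_log():
    """Constructed access log: (session, account_number, status) per request.
    alice reads her own account; bob's valid session is then used by a script
    that walks a block of account numbers."""
    log = [("sess-alice", "1001", 200), ("sess-alice", "1001", 200),
           ("sess-bob", "1002", 200)]
    for n in range(2000, 2050):
        log.append(("sess-bob", str(n), 200))
    return log


def enumeration_suspects(log, threshold=10):
    """Sessions that touched more than `threshold` distinct account numbers.
    A real customer touches a handful; a guessing script touches hundreds.
    The threshold is an assumption to tune per application."""
    seen = defaultdict(set)
    for session, account_number, _status in log:
        seen[session].add(account_number)
    return {s for s, nums in seen.items() if len(nums) > threshold}


if __name__ == "__main__":
    print("vulnerable, bob reads alice:", account_vulnerable("sess-bob", "1001"))
    print("fixed, bob reads alice denied:", denied(account_fixed, "sess-bob", "1001"))
    print("sessions guessing account numbers:", enumeration_suspects(build_log()))
```

Two details carry the security value: the fixed handler binds the lookup to the session’s user rather than to the number in the URL, and it returns one indistinguishable refusal for “not yours” and “does not exist”, which removes the signal a guessing script needs. The log check is the compensating control for the case where the bug is found in the log before it is found in the code.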

Persistent
As stated earlier, and as evidenced by the Sony and Citigroup attacks, APTs are not opportunistic, simply seeking an easy way in for boasting rights. These are “low and slow” attacks, meaning they are relatively unnoticeable and steal information over a longer period of time. The perpetrators will maintain long-term access to the target, and should access be broken along the way, every attempt will be made to regain it and continue with the attack, much like what Peter Gibbons was attempting to do in the movie Office Space.

Threat
APTs are typically backed by powerful, well-funded organizations (think organized crime or rogue governments), with the intent and the capability to achieve their goals. A key element includes coordination and execution by human action vs. automation, at least until a stealthy, automated process can be implemented that has limited risk of being identified. Oftentimes to stay under the radar an APT will remain manual and incorporate minimal automation.

As APTs begin to grow and DDoS attacks and viruses become less of a threat, it is important to ensure that you have security policies in place to protect your network. Even though 28% of IT executives fear theft and disclosure will come from within, 60% of these firms are either using the “honor system” or have no internal security policy whatsoever. In addition, a recent survey by Ponemon Institute reported that although 90% of respondents had at least one breach in 2011, 40% of those surveyed had no clue where the breach stemmed from, and 33% could only identify the source of some attacks. Without a clear understanding of the source, how can you possibly protect yourself from another occurrence?

In addition to the active security systems in place today, you need a security “insurance policy,” since it’s clear that today’s state-of-the-art security systems don’t do a complete job – after all, 90% of survey respondents had at least one breach in 2011, and 70% had two or more! This insurance policy takes the form of a network recorder, which passively records each and every packet traversing your network. When an attack happens, and statistics indicate it will, you’ll have a complete recording of the incident, allowing you to identify how the attack happened, what information was compromised, and how to tune your existing network security tools to prevent future breaches.

To learn more about the trends and how to protect your network, check out our webcast “Cyber Security – IDS/IPS is Not Enough.”

The Clock is Ticking: How Quickly Can You Respond to a Data Breach?

What would the holidays be without the inevitable email phishing campaigns, cyber attacks, and data breaches? This year’s recipients included Apple, Telstra, an Australia-based telecommunications and information services company, and Stratfor Global Intelligence, an Austin, TX-based security group, among others. And when it comes to responding to breaches, time is of the essence.

“‘Every minute you take to figure this out, you could be losing more e-mails and more credit data,’ Kevin Mandia of Mandiant recently said to the NY Times. The goal is to determine quickly the ‘fingerprint’ of the intrusion and its scope: ‘How did the guy break in? What did he take? When did he break in? And, how do I stop this?’”

In fact, your cyber security solution needs to address these five key questions:

  1. Who was the intruder?
  2. How did the intruder penetrate security?
  3. What damage has been done?
  4. Did anything get left behind?
  5. Did you capture sufficient information to effectively analyze and reproduce the attack?

Question 5 is the gotcha for most solutions. While Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) raise an alarm, they fail to provide network engineers with the details they need to quickly locate and correct the source of an attack. Augmenting these systems with a network recorder enables post-event analysis that exposes the attacker, the method, and the damage.

The following video shows why you should employ data recorders in line with your IDS/IPS systems.

Join us February 15, 2012 at 8:30AM PST, for a free live seminar, “Cyber Security – IDS/IPS is not Enough,” to learn how with Network Forensics and Network Recording you can characterize not only the breach, but also assess the damage, ensure no further compromise, and comply with corporate and legal requirements for reporting.