Tag Archives: DDoS

DNS Flag Day Aims to Make DDoS Attacks Harder

Since the 1st of February, multiple major DNS (defined) resolvers have removed their resolver workarounds. The vendors and operators involved in the initiative include ISC, Cloudflare, Facebook, Cisco and Google (among others).

The workarounds were removed so that DNS queries not compliant with the official Requests for Comments (RFCs) 1035 and 2671 are no longer completed (resolved). In more depth, the DNS Flag Day page explains that these workarounds are being removed because:

==============
The current DNS is unnecessarily slow and inefficient because of efforts to accommodate a few DNS systems that are not in compliance with DNS standards established two decades ago.

To ensure further sustainability of the system it is time to end these accommodations and remediate the non-compliant systems. This change will make most DNS operations slightly more efficient, and also allow operators to deploy new functionality, including new mechanisms to protect against DDoS attacks.
==============

It appears that DNS amplification and DNS flood attacks are the threats these changes attempt to mitigate. A full list of the types of DDoS (defined) attacks is available from the following Cloudflare page (at the end of that page):

It will be interesting to see the effect of these changes on the DNS infrastructure when it is again targeted by botnets (defined) (e.g. botnets made up of Internet of Things (IoT) (defined) devices, compromised systems or assembled by other means). Such botnets can make use of a command and control (C2) (defined) infrastructure.
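The following example is added here (it is not code from the DNS Flag Day page or from any of the resolver vendors named above). It builds a query carrying the EDNS0 OPT record that RFC 2671 (since replaced by RFC 6891) defines, and classifies a reply the way a basic Flag Day compliance check does; the UDP payload size and the query names are assumptions.

```python
import random
import struct

# OPT pseudo-RR per RFC 2671 / RFC 6891: TYPE 41, the CLASS field carries the
# requester's UDP payload size, the TTL field carries extended RCODE/version/flags.
OPT_TYPE = 41
EDNS_UDP_SIZE = 1232  # assumed value; small enough to avoid IP fragmentation

def encode_name(name):
    """Encode a dotted hostname as DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"

def build_edns_query(name, qtype=1, qid=None):
    """Standard query for name/qtype with an OPT RR in the additional section (ARCOUNT=1)."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # flags: RD set
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    opt = b"\x00" + struct.pack("!HHIH", OPT_TYPE, EDNS_UDP_SIZE, 0, 0)  # root name, no RDATA
    return header + question + opt

def skip_name(buf, pos):
    """Return the offset just past a wire-format name (handles compression pointers)."""
    while True:
        length = buf[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # a two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length

def edns_status(response):
    """Return (rcode, has_opt), the two things a Flag Day style check looks at.
    rcode 0 with has_opt True is a compliant EDNS reply; FORMERR (rcode 1) or a
    reply without OPT is what the removed resolver workarounds used to paper over."""
    _, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", response[:12])
    pos = 12
    for _ in range(qd):
        pos = skip_name(response, pos) + 4  # skip QTYPE and QCLASS
    has_opt = False
    for _ in range(an + ns + ar):
        pos = skip_name(response, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", response[pos:pos + 10])
        has_opt = has_opt or rtype == OPT_TYPE
        pos += 10 + rdlen
    return flags & 0x000F, has_opt
```

To test one of your own authoritative servers, send the datagram from build_edns_query() to it over UDP port 53 and pass the reply to edns_status(); a timeout or a FORMERR without an OPT record is the behaviour that resolvers no longer work around.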

Thank you.

Blog Post Shout Out: New Wireless Routers Enhance Internet of Things Protection

Happy New Year to all readers of this blog!

With attacks on routers increasing (e.g. this article concerning D-Link) and vulnerabilities being patched within Internet of Things (IoT) (defined) devices, it’s great news that security technologies are adapting to monitor and protect them.

I wanted to provide a respectful shout out (although not to blog posts this time) to products from several vendors that promise to better protect against threats such as the Mirai malware and other examples.

Full disclosure: I’m not receiving any incentives or benefits from any of these vendors; I simply wish to promote awareness of existing and upcoming technologies that we can use to better secure the increasing number of IoT devices that we are using in our everyday lives.

For example, early last week Symantec began accepting pre-orders for their new wireless router. Initially this will only be available in the US but will be extended to more regions in the future.

While a wireless router is nothing new, it is one of the first that I have encountered that includes protection for Internet of Things (IoT) devices.

In their words it “constantly monitors your connected devices like WiFi thermostats, smart locks, appliances or home security cameras for suspicious activity and identifies vulnerabilities. If a device becomes compromised, it quarantines the threat before it spreads ensuring your digital world is safe.”

A similarly powerful offering from F-Secure is also in progress. Like Symantec’s, F-Secure’s is scheduled for release in Q2 of 2017.

These solutions are further refinements of the wireless router/access point security solutions that have been available since late 2015. For example, Asus’ AiProtection feature (using technology licensed from Trend Micro) incorporates most of the features that F-Secure and Symantec offer, but without the IoT management and reporting.

There are interesting times ahead as Internet of Things (IoT) devices and wireless routers become increasingly managed and monitored, allowing us to secure them better. My sincere thanks to a colleague (you know who you are!) for assistance with this post.

Thank you.

Blog Post Shout Out: SHA-1 Migration and Internet of Things (IoT)

With the transition to SHA-2 rapidly approaching (January 2017), if you have not already begun the migration process for your website, or are having difficulties locating all of the certificates that need migrating, the following article (to which I wish to provide a respectful shout out) may be of assistance. The article includes advice on making the best use of the remaining time:

SHA-1 Time Bomb: One Third of Websites Have Yet to Upgrade by Phill Muncaster (Infosecurity Magazine)

This issue is also of note since Google (which, like the other browser vendors, is moving away from SHA-1) will remove support for SHA-1 in Chrome version 56. Further details are provided in their blog post. The source of the statistics for the Infosecurity Magazine article was this blog post from Venafi, an organisation that provides cryptography-related solutions and services to enterprises.
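Locating the certificates that still need migrating is easier when each one can be tested programmatically. The example below is added here (it is not from the Infosecurity Magazine, Venafi or Google posts): a minimal DER walk that reads a certificate’s outer signatureAlgorithm OID and reports whether it is still SHA-1 based. The embedded certificate skeletons are constructed for the test and are not real certificates.

```python
import base64

# Signature algorithm OIDs that still rely on SHA-1 (RFC 3279 registrations)
SHA1_SIGNATURE_OIDS = {"1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
                       "1.2.840.10045.4.1": "ecdsa-with-SHA1",
                       "1.2.840.10040.4.3": "dsaWithSHA1"}

def pem_to_der(pem_text):
    """Strip the -----BEGIN/END----- armour lines and base64-decode the body."""
    body = "".join(l for l in pem_text.splitlines() if not l.startswith("-----"))
    return base64.b64decode(body)

def read_tlv(buf, pos):
    """Parse one DER tag-length-value at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def decode_oid(raw):
    """Decode OBJECT IDENTIFIER content octets to dotted notation."""
    first = raw[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in raw[1:]:  # base-128 arcs, high bit set on every octet but the last
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm(cert_der):
    """Dotted OID of the outer signatureAlgorithm (RFC 5280: Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue })."""
    tag, start, _ = read_tlv(cert_der, 0)
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = read_tlv(cert_der, start)       # skip tbsCertificate entirely
    _, alg_start, _ = read_tlv(cert_der, tbs_end)    # AlgorithmIdentifier SEQUENCE
    oid_tag, oid_start, oid_end = read_tlv(cert_der, alg_start)
    if oid_tag != 0x06:
        raise ValueError("expected OBJECT IDENTIFIER")
    return decode_oid(cert_der[oid_start:oid_end])

def needs_sha2_migration(cert_der):
    """True when the certificate is still signed with a SHA-1 based algorithm."""
    return signature_algorithm(cert_der) in SHA1_SIGNATURE_OIDS

# Constructed DER skeletons (empty tbsCertificate and signature) to exercise the parser; not real certificates.
FAKE_SHA1_CERT = bytes.fromhex("3014 3000 300d 0609 2a864886f70d010105 0500 030100")
FAKE_SHA256_CERT = bytes.fromhex("3014 3000 300d 0609 2a864886f70d01010b 0500 030100")
```

For a real certificate file, pass pem_to_der(open(path).read()) (or the raw bytes of a .der file) to needs_sha2_migration(); the same walk works because DER lengths in the long form are handled.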

=======================
With the DDoS attack (defined) against the DNS service Dyn last month attributed to Internet of Things (defined) devices, further steps need to be taken to secure them. To assist with this, US-CERT has written a PDF document titled “Strategic Principles for Securing the IoT”. It is intended for consumers, operators and manufacturers of IoT devices. It is available from the link below:

Securing the Internet of Things (US-CERT)

=======================
Thank you.

Linux Routers Potentially Vulnerable To Telnet Worm

In late March, ESET published a blog post detailing how an updated version of an existing piece of malware can exploit many consumer broadband routers and wireless access points.

Why Should This Infection Be Considered Important?
If your router becomes infected with this malware, it can communicate back to its creator via a command and control (C2) server (defined). Under their control, your router can be used for purposes such as a distributed denial of service (DDoS) attack (defined), or any other action the attackers may choose. An example of a past DDoS attack that used routers is the subject of this article and this article.

Given that the malware spreads to a router by attempting to connect to random IP addresses (defined) that have port 23 open, it may only be a matter of time before your router is tested for this open port.

By convention, port 23 is used by the now deprecated Telnet (defined) protocol. If your router’s firewall (defined) does not block access to this port from external sources, the attackers have a favourable opportunity to infect your router, since the malware can download versions of itself customized to the individual CPU architecture used within the router (e.g. MIPS, ARM etc.). The malware attempts to gain access to your router using a stored list of usernames and passwords that are commonly used, or are used by default, on consumer routers. Once access is obtained, the malware is downloaded and installed.

How Can I Protect Myself from This Malware?
As discussed in a previous blog post, please follow the recommendations provided by US-CERT to secure your router. This will involve (among other changes) changing the default username and password of the router, making it much harder for the malware to guess the correct credentials.

Blocking commonly used protocols (in this case the Telnet protocol) from being used to access your router with your firewall is explained here. Using a tool (e.g. Steve Gibson’s ShieldsUP!) to test the effectiveness of your router’s firewall, which also provides additional protection against this threat and other threats that may attempt to access your router, is discussed here. A guide to using ShieldsUP! for this purpose is here, with a video demo here. Scanning your router using Nmap (a more advanced tool) is discussed in this article.

Since many Internet Service Providers (ISPs) block/prevent end-users/consumers from making many changes to their routers, please contact your ISP for advice on how to block port 23 from being accessed externally, to protect against the threat discussed in ESET’s blog post.
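To show what the behaviour described above looks like in a router’s logs, here is an added example (not ESET’s code, and not from any router vendor) that flags the three telltale signs: a Telnet login attempt arriving from outside the LAN, a run of rejected credential guesses from one source, and a login that finally succeeds after them. The log format, the threshold and the addresses are all constructed for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines in a hypothetical router syslog format; adjust LINE_RE to your own router's messages.
SAMPLE_LOG = """\
Mar 30 02:11:04 router telnetd[412]: login failed for 'admin' from 203.0.113.7
Mar 30 02:11:05 router telnetd[412]: login failed for 'root' from 203.0.113.7
Mar 30 02:11:06 router telnetd[412]: login failed for 'support' from 203.0.113.7
Mar 30 02:11:07 router telnetd[412]: login succeeded for 'admin' from 203.0.113.7
Mar 30 02:20:41 router telnetd[412]: login succeeded for 'admin' from 192.168.1.20
"""

LINE_RE = re.compile(r"telnetd\[\d+\]: login (failed|succeeded) for '([^']*)' from (\S+)")
FAILURE_THRESHOLD = 3  # assumed: three rejected credentials from one source is enough to report
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def is_external(addr):
    """True when addr is outside the RFC 1918, loopback and link-local ranges, i.e. it reached port 23 from the WAN."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return False
    return not any(ip in net for net in LAN_NETWORKS)

def analyse_telnet_log(text, threshold=FAILURE_THRESHOLD):
    """Return (source, finding) tuples for: scanning from the Internet, a run of
    credential guesses, and a login that succeeds after those guesses."""
    failures = defaultdict(list)  # source address -> usernames already tried and rejected
    flagged_external = set()
    findings = []
    for line in text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue
        outcome, user, src = match.groups()
        if is_external(src) and src not in flagged_external:
            flagged_external.add(src)
            findings.append((src, "Telnet reachable from outside the LAN: block port 23 on the WAN side"))
        if outcome == "failed":
            failures[src].append(user)
            if len(failures[src]) == threshold:
                findings.append((src, "credential guessing: %d rejected logins as %s"
                                 % (threshold, ", ".join(failures[src]))))
        elif failures[src]:
            findings.append((src, "login as '%s' succeeded after %d failures: treat the router as compromised"
                             % (user, len(failures[src]))))
    return findings
```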

Thank you.

Blog Post Shout Out December 2015

Earlier this year, CloudFlare published an informative blog post detailing how malicious JavaScript (defined) can be used to cause a distributed denial of service (DDoS) attack (which is defined within CloudFlare’s post, linked to below).

As a preventative measure, they also recommend enabling HTTPS for your website (which CloudFlare also provide as an option). If you are using a self-hosted WordPress installation (namely where WordPress is installed on a server that you manage/administer), this blog post may be of assistance in enabling HTTPS by default (by using HSTS, discussed/defined at length within a previous blog post of mine).

Given the severity of DDoS attacks, I wanted to provide a respectful shout-out to the following CloudFlare blog post:

An introduction to JavaScript-based DDoS by Nick Sullivan (CloudFlare)

=======================
In addition, earlier this month US-CERT created a useful security alert containing a list of tips for securing your home broadband/fibre optic router/wireless access point. Their alert also links to an updated list of routers with known security vulnerabilities, with advice on addressing them:

Securing Home and Small Business Routers (US-CERT)
=======================

I hope that the above-mentioned blog posts and resources are of assistance to you in defending your website from becoming part of such DDoS attacks and in securing your home router/access point against malicious use.

Thank you.