Blog
-
DDoS attacks and how to mitigate them
- General
- by Jacob Riggs
- 01-07-2020
4.99 of 101 votesIn this era, cyber-attacks are gaining in popularity with more sophisticated techniques and attack deployment strategies being seen in the wild than ever before. DDoS (Distributed Denial of Service) attacks have gained popularity over the years, and as network systems advanced these types of attacks grew to become more refined. Many types of DDoS attacks now exist including HTTP flood attacks, SYN flood attacks, volumetric attacks, DNS amplification attacks, UDP flooding, ICMP flood attacks, and many others. In this blog post, I will walkthrough the basic and advanced concepts of a DDoS attack, what they are, the different types, and how companies can mitigate DDoS attacks with preventive techniques or measures to mitigate their effects. What are DDoS attacks? DDoS attacks or Denial of Service attacks are a malicious attempt to disrupt services offered by a server. In a typical DDoS attack, the intent of the attacker is to disrupt normal traffic of the target by maliciously overwhelming it with a coordinated flood of traffic, consequently denying any legitimate traffic access to the service. This attack is possible by bridging various types of computers and devices into a centrally controlled botnet and collectively pointing them all towards a target endpoint. As multiple systems are required to carry out a DDoS attack successfully, IoT devices are the low-hanging fruit for attackers aiming to grow their own botnet. This is because the nature of the IoT market means manufacturing processes are often rushed and security controls are considered secondary. As a result, many IoT devices are released with high severity vulnerabilities which are trivial for opportunistic hackers to exploit. Types of DDoS attacks There are many ways to disrupt or suspend a server’s resources or computing operations, and hackers have found various ways to overwhelm servers using various simple techniques. Approaches like using botnets and automation to issue requests demand the targeted servers employ more computational power to handle them. Thus, most of the time, such attacks are successful. DDoS attacks can be broadly divided into three types, which reside within specific layers of the OSI model. The layers of the OSI Model The first type are volumetric attacks. In this type, the attacker intends to saturate bandwidth of the target server and measures the intensity in bits per second. These include spoofed packet floods, ICMP floods, and UDP floods. The second type of attacks are protocol attacks, which are together termed Layer 3 and Layer 4 attacks. These are initiated by targeting vulnerabilities in the network and transport layers of the OSI model. In this type, the main intention is to consume computational resources and can impact the infrastructure used to manage network traffic, such as firewalls and load balancers. The third type are known as application layer Attacks. These include flooding GET / POST requests for images, files, or other large file size assets. These attacks are intended to crash the server and the intensity is measured in requests per second (rp/s). A higher rp/s rate leads to a faster server crash. Layer 3 (L3) attacks This type of attack takes advantage of flaws within the network layer protocols of the OSI model, and commonly include: Ping flood attacks – in this type of attack, the attacker attempts to crash the server by flooding it with ping requests until the server crashes. Smurf DDoS attack – early implementations of ICMP inherently had poor validation measures which made it easy for an attacker to spoof an IP address in an ICMP request. When using this in the context of a DDoS attack, the attacker sends a series of ping requests to thousands of servers. Once the requests are sent, the attacker then spoofs the target IP address and directs the response to the target system rather than their own IP address. However, this is now an uncommon attack vector as modern infrastructure is rarely vulnerable to this type of attack. ICMP ping of death attack – in this type of attack, the attacker deliberately sends ping requests with IP packets that are greater in size than the maximum allowed by the IP protocol. The network infrastructure, in accordance with TCP/IP, then divides the whole request into chunks that are processed and sent in request fragments. However, when all these fragments are combined together at the target server for processing, the server is unable to handle the computational demand and crashes. For this reason, many modern servers block ICMP requests altogether to prevent any variations of this attack getting through. Layer 4 (L4) attacks In this type, the objective is to increase the number of packets sent in under a second to the point that the server crashes. The impact is measured by packet per second (pp/s). In this type of attack, a service running on the server is usually targeted rather than the server itself. SYN DoS/DDoS attack – in this attack, the attackers exploit the ‘three-way hand shake’. This is done by exhausting the target’s resources by waiting through the TCP Timeout period one after another. In this way, the TCP handshake is never completed and the buffer is full of other waiting TCP handshake requests coming from legitimate sources. Eventually, the server crashes due to timeout requests and an overwhelming amount of resource consumption. SYN-ACK flood attack – In this attack, the attacker attempts to occupy all the space in a target server state space by sending SYN requests from spoofed IP addresses. Once the state space of the target server is full, it has insufficient free space to handle legitimate requests. Layer 7 (L7) attacks These attacks are prevalent on the application layer of the OSI model, and commonly include: HTTP Flood attack – in this attack, the upper layer of the of the target application is overwhelmed with HTTP requests. The attacker exhausts the server’s resources by saturating it with GET and POST requests for images, files, or some other asset from a targeted server. DNS amplification attack – in this attack, the goal is to flood a target with fake DNS lookup requests from open DNS servers that consume network bandwidth to the point that the site fails. WordPress DoS/DDoS attack – in this attack, the concept of XML-RPC (Remote Procedure Call) is leveraged by an attacker. The pingback feature is exploited when multiple links can be generated from a compromised host which sends more requests for data from a WordPress server than the target can handle. The impact to companies DDoS attacks create more requests to a server than it can handle, thus refusing the incoming requests of legitimate traffic and customers. As websites are the common gateway to a company’s services, disrupting a web server’s capacity to handle requests can temporarily take a company offline. Where business operations might rely on consistent uptime and availability, service disruptions and outages have the potential to cause significant financial loss and may result in irreparable reputational damage. This not only affects customer trust and satisfaction, but also makes customers move away from online platforms which ultimately brings the customer base down. With a lower customer base, companies are likely to experience reduced revenue and lower conversions. This is why DDoS mitigation measures and techniques are important to consider befoe they occur. DDoS Attack Detection Detection of an active DDoS attack depends on the attack size, the targeted server’s capacity to handle the incoming requests, and whether or not any uptime or performance monitoring systems are already deployed to trigger alerts. The immediate impact of attacks can range from intermittent performance issues such as slow form submissions and page rendering, to issuing 503 error responses and complete server crashes. The following server-side commands can help manually investigate and identify an attack source: Windows: netstat -ano Lists all the listening ports and their connections to remote IPs. netstat -ano | find /i /c “80” Lists all active IP connections being made to port 80. netstat -na 1 | find “{216.58.204.238}” Lists all active IP connections being made to 216.58.204.238 (example IP). Linux: netstat -ntu | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n Lists the number of connections each IP address makes to the server. netstat -anp | grep 'tcp|udp' | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -n Lists the number of connections the IP's are making to the server using the TCP or UDP protocol. netstat -ntu | grep ESTAB | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr Lists only ESTABLISHED connections, and displays the number of connections for each IP address. netstat -plan | grep :80 | awk {'print $5'} | cut -d: -f 1| sort | uniq -c| sort -nk 1 Shows a list of IP addresses and the number of connections that are connecting to port 80 on the server. For coordinated attacks from multiple source IP addresses, it can be useful to determine whether or not the connections originate from common subnets (such as /16 or /24). netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | cut -f1,2 -d'.' | sed 's/$/.0.0/' | sort | uniq -c | sort -nk1 -r Lists any connected IPs from the same /16 subnet which start with the same two octets (e.g. 216.58.xxx.xxx), and their number of connections. netstat -ntu | awk '{print $5}' | cut -d: -f1 -s | cut -f1,2,3 -d'.' | sed 's/$/.0/' | sort | uniq -c | sort -nk1 -r Lists any connected IPs from the same /24 subnet which start with the same three octets (e.g. 216.58.204.xxx), and their number of connections. DDoS Attack Mitigation DDoS attacks require proficient knowledge and understanding of network security controls to properly mitigate. Once an attack has been detected and the abusing IP address identified, manual steps can be taken to block it. route add 216.58.204.238 reject Blocks 216.58.204.238 from reaching the server. route -n | grep 216.58.204.238 A way to validate if the block was successful. For automation, one or more of following solutions are typically deployed in hardened network infrastructure: Intelligent DDoS mitigation solutions – these are full-fledged systems which deflect and absorb large DDoS attack requests. The providers of such solutions provide load balancing with a scalable distributed architecture and allow for assets to be served through a CDN. Blocking bad traffic – protocol attacks can be mitigated by blocking bad traffic and allowing only legitimate traffic from authorised hosts. These solutions rely on a system which determines from request characteristics whether or not specific requests to a server are legitimate (through a human) or an attack (through a bot or automated). Absorbing based mitigation –a global network of scrubbing centers that scale, as needed and on demand, to absorb large-scale DDoS attacks. DDoS protection for IPs – this mitigation technique includes protection for L7 attacks that target particular websites or services hosted in the cloud. This is now mostly adopted by companies who opt to use cloud-based infrastructure. DDoS protection for websites – this approach detects malicious requests to web servers and protects websites against L7 attacks that target web applications. It is achieved by deploying a cloud-based web application firewall (WAF) to block malicious bots and requests. DDoS protection for networks – this type of solution protects networks with high-packet processing capabilities which mitigate some of the largest DDoS attacks. The various deployment models used to achieve this mitigation technique include GRE tunnels, Equinix Cloud Exchange, and Cross Connect. A flow-based monitoring approach is also deployed where needed along with support for automatic switch-over. Top DDoS Mitigation Solution Providers There are a number of third-party providers on the market offering high-capacity on-demand DDoS attack prevention, detection, and mitigation services. Below are some of the top providers I would recommend. Cloudflare Akamai Imperva
-
Useful network posters you can download and print
- General
- by Jacob Riggs
- 03-06-2020
4.93 of 104 votesI decided to put together some minimalistic posters on network fundamentals that people can download and print for free. I hope these might help individuals, academic institutions, or maybe even companies with an IT ops function looking to decorate their office space with useful reference material. Download OSI + TCP/IP Common Ports Network Topologies All posters are A3 (297mm x 420mm) in size. I therefore recommend that if you wish to print these, you do so in A3 format between 600 and 1200 dpi for optimal print quality.If you like these posters or find them useful for your work, please consider sharing them with friends and colleagues.
-
Been hacked? What to do next
- General
- by Jacob Riggs
- 12-05-2020
4.33 of 61 votesPlease note, the advice below is tailored for online accounts of a personal nature. Any online accounts with existing or potential access to work related data in the context of employment will usually need to follow a more refined internally sanctioned incident response process (likely in accordance with the NIST industry standard). In such circumstances, please refer to your company information security and data privacy guidelines. You’ve just realised one or more of your online accounts has been compromised. Panic sets in. Time is of the essence. You must reassert control. What do you do now? Steps to take Triage – If multiple accounts are involved, you need to quickly self-evaluate risk based on what existing and potential data each account has access to. Things like sensitive pictures and private messages need to be considered. This will enable you to triage according to each account risk profile and prioritise mitigation efforts in order of risk impact. Contain – Firstly, and perhaps most obviously, you want to isolate the attack. Your primary objective should be to cut off the attacker and prevent further unauthorised access or misuse. For this, simply follow the necessary steps to reset your account password. In most cases, successfully resetting your account password will immediately invalidate any actively logged-in sessions being used by the attacker. Once complete, enable soft-token 2FA (Two-Factor Authentication) where possible. Soft-token apps (such as Gauth or Authy) generate authentication codes locally on your mobile device and are preferable to SMS. Harvest – Where possible, harvest screenshots of any new account activities, such as posts, messages, or interactions (likes, follows, etc). Many prominent online websites (such as Twitter, Facebook, and Instagram) offer options to download your full account data in a structured format locally. This evidence will help you assess the full extent of damages and may prove helpful if you later decide to report the incident to the authorities or the web service itself. Discover – Now you want to look at your attack surface by finding any other accounts that may have also been compromised. Searching your email inbox for email subject lines matching keywords such as register, registering, registration will give you insight into many of the online services you have accounts with. For any additional accounts you identify as compromised along the way, repeat steps 2 – 3. Investigate – Now you want to perform some post-incident analysis. Any evidence you harvested in steps 3 – 4 may be helpful. How did this happen? If more than one account was compromised, what security properties did they have in common? Did those accounts share the same or similar passwords? Did you leave those accounts logged in on a missing or potentially compromised device? If you want to understand the attack in detail, building a timeline of events and account activities will help you understand the attack scope and objectives. Recover – Only once the above steps are complete should you assume it is safe to continue using your account normally again. Now you can clean up and delete any bad posts or account interactions. If your account exhibited any anomalous behaviour (abuse/misuse), you may wish to address the circumstances in a public statement. Your findings from step 5 should help you make an informed decision on how best to communicate this to your online following. Prevent – How can you prevent this happening again? Ensure any future passwords you use are long and complex enough. Where possible, enable 2FA. Consider using a password manager such as LastPass or KeePass. Password managers can also help you catalogue your online presence so that you better understand your attack surface in the future. If after following these steps you notice the same accounts are still being compromised, the attacker may have established what we call persistence. This is where an attacker maintains persistent control over a specific device, system, or network that you’re using to login to the affected online accounts. From here they may be able to monitor, intercept, and block your mitigation efforts. In such circumstances, I recommend temporarily moving over to a completely new network and using a clean device to revisit the steps above. I'll focus on how to deal with compromised networks and devices in another blog post. If you are the victim of cyber crime, you reserve the right to report the incident to your local authorities. Below I've included some references that direct to the online reporting forms for each respective country. UK EU US AU Please note, the open nature of the Internet means the law surrounding cyber crime can differ greatly between countries. Duties may be owed within both the presiding jurisdiction of the victim, and that of wherever the attack may have originated.
-
I got a letter of appreciation from Harvard University
- General
- by Jacob Riggs
- 17-02-2020
4.98 of 83 votesRecently, I received a letter of appreciation from Harvard University after responsibly disclosing a critical vulnerability. The letter reads:HUIT Information Security would like to thank Jacob for responsibly reporting Server Side Injection (SSI) along with instructions for reproducing the problem. My report was well received and their triage and remediation efforts were swift.Thanks, Harvard.
-
Welcome to my new blog
- General
- by Jacob Riggs
- 02-01-2020
4.25 of 69 votesMy journey as a security researcher over the past decade has taught me a lot, but I know there’s still so much more to learn. I thought it might be worth creating this blog to document and share some of my personal experiences, and hopefully give something back to the thriving security community I’ve grown to be a part of. The term ‘InfoSec’ encompasses a myriad of fields that make up quite a bizarre industry, but one I’ve come to thoroughly enjoy exploring over the years. I've met some amazing people, and we've built (and broken) some incredible (and peculiar) things together. I think that documenting some of these events will enable me to better measure my personal development and maybe encourage a wider sharing of knowledge. With a little steady effort, I hope to eventually turn this blog into a valuable resource that myself and others can come to rely on when looking to learn and understand new things moving forward.