Thursday, October 27, 2016

New Stats on Dyn DDoS Attack Size

Imperva Releases More Information on the Dyn Attack

Ofer Gayer, product manager at Imperva for the Incapsula product line, explains:

“There is still quite a bit of speculation swirling on the size of the DDoS attack on Dyn last Friday. We know there were 100,000 Mirai botnet nodes – which is not especially large in our experience. So, in our estimation, there are two likely causes. The attack may have been a high-volume attack – over 500 million packets per second – that overwhelmed the Dyn infrastructure. Or, the attack may have been relatively small – 50-100 million packets per second – and the attack itself was “amplified” by what is known as a retry storm from their millions of legitimate users, making the job of differentiating between good and bad traffic very hard.”
Additional Information:

Q. Is a 100,000-node botnet big?
A. Not really. See, for example, a 180,000-node botnet that was mitigated.

Q. Are DNS services especially vulnerable?
A. They do suffer from being open systems:

"Effective DDoS mitigation is synonymous with accurate traffic filtering. For that reason DNS amplification attacks are actually easier to deflate as all uninitiated DNS responses are highly suspect and could be filtered on-edge, without any impact on the regular traffic flow. For example, one could categorically drop all unexpected DNS responses to port 53.

However, this isn’t the case for seemingly legitimate DNS flood queries, which cannot be dismissed before they are individually processed at the server level.

With on-edge filtering bypassed, and the path to the server CPU cores laid wide open, DNS floods have the potential to bring down even the most resilient of networks."

Q. How can companies prevent attacks on their DNS infrastructure?

Q. Is Mirai that sophisticated?

Q. Has the Incapsula network been hit with Mirai?

Q. What’s a big DDoS attack measured in million packets per second (Mpps)?

Wednesday, October 26, 2016

Corero Warns of Powerful New DDoS Attack Vector with Potential for Terabit-Scale DDoS Events

New zero-day attack vector has significant amplification factor and could be used to enhance effectiveness of botnet tools used to launch recent attacks on Dyn, Krebs on Security and OVH
Marlborough, MA and London, UK – October 25, 2016 – Corero Network Security today disclosed a significant new zero-day DDoS attack vector observed for the first time against its customers last week. The new technique is an amplification attack that abuses the Lightweight Directory Access Protocol (LDAP). LDAP is one of the most widely used protocols for querying directory services such as Active Directory, which hold account and authentication information and are deployed in most enterprise networks.

While Corero’s team of DDoS mitigation experts has so far observed only a handful of short but extremely powerful attacks against its protected customers from this vector, the technique has the potential to inflict significant damage because of its amplification factor, seen at a peak of as much as 55x. In terms of potential scale, if it were combined with the Internet of Things botnet used in the recent 655 Gbps attack against Brian Krebs’s website, we could soon see new records broken in the DDoS attack landscape, with the potential to reach tens of terabits per second in the not too distant future. The DDoS landscape has been extremely volatile in recent weeks, particularly since the release of the Mirai code and the subsequent wave of Mirai-infected Internet of Things (IoT) devices, and we expect this trend to continue for the foreseeable future.

Dave Larson, CTO/COO at Corero Network Security, explains: “This new vector may represent a substantial escalation in the already dangerous DDoS landscape, with potential for events that will make recent attacks that have been making headlines seem small by comparison. When combined with other methods, particularly IoT botnets, we could soon see attacks reaching previously unimaginable scale, with far-reaching impact. Terabit scale attacks could soon become a common reality and could significantly impact the availability of the Internet– at least degrading it in certain regions.” 

Reflection and Amplification Attacks
In this case, the attacker sends a small query to a vulnerable reflector that exposes the Connectionless LDAP service (CLDAP, which is LDAP carried over UDP on port 389) and, by spoofing the source address, makes the query appear to originate from the intended victim. Because UDP involves no handshake, the CLDAP service answers the spoofed address, sending unwanted network traffic to the attacker’s intended target.

Amplification techniques allow bad actors to intensify the size of their attacks because the responses generated by the LDAP servers are much larger than the attacker’s queries. In this case the CLDAP responses can reach very high bandwidth: we have seen an average amplification factor of 46x and a peak of 55x.
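As an added illustration (example code written for this page, not Corero's or Imperva's tooling), the Python sketch below shows the three checks a practitioner would want from the reflection description above and from the Imperva DNS-filtering quote earlier on this page: flagging responses from a reflector port that no preceding request explains, measuring the bandwidth amplification factor from the reflector's own vantage point, and the BCP 38 / RFC 2827 source-address check that the Corero quote further down recommends. Apart from the real service ports 53 and 389, every address, port, byte count and flow record is constructed for the example.

```python
"""Added example (not from the page or from Imperva/Corero): detect
unsolicited DNS/CLDAP responses in flow records, measure an amplification
factor from the reflector's side, and apply a BCP 38 source check.
All addresses and flows below are constructed (RFC 5737 ranges)."""
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# UDP ports of services commonly abused as reflectors (real port numbers).
REFLECTOR_PORTS = {53: "DNS", 389: "CLDAP"}


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    nbytes: int


# Constructed: what the victim's edge sees. One real DNS exchange, then
# CLDAP replies to 203.0.113.99 that it never asked for.
VICTIM_SIDE = [
    Flow("203.0.113.10", 40001, "198.51.100.53", 53, 60),
    Flow("198.51.100.53", 53, "203.0.113.10", 40001, 180),
    Flow("192.0.2.7", 389, "203.0.113.99", 51234, 2760),
    Flow("192.0.2.7", 389, "203.0.113.99", 51234, 2760),
    Flow("192.0.2.8", 389, "203.0.113.99", 51234, 2500),
    Flow("192.0.2.9", 8080, "203.0.113.99", 51000, 500),  # unrelated noise
]

# Constructed: what the reflector 192.0.2.7 sees. Small queries "from" the
# victim (the attacker spoofed the source) and its own large answers back.
REFLECTOR_SIDE = [
    Flow("203.0.113.99", 51234, "192.0.2.7", 389, 60),
    Flow("192.0.2.7", 389, "203.0.113.99", 51234, 2760),
    Flow("203.0.113.99", 51234, "192.0.2.7", 389, 60),
    Flow("192.0.2.7", 389, "203.0.113.99", 51234, 2760),
]


def unsolicited_responses(flows):
    """Responses from a reflector port that no earlier request explains.

    Stateful form of "drop unexpected DNS responses": a reply src:sport -> dst
    is accepted only if dst earlier sent something to src:sport. Flow order
    matters. Direction is inferred from ports only; real tooling would also
    look at the payload (DNS QR bit, CLDAP searchRequest vs searchResEntry).
    """
    requests = set()   # (requester, server, server_port)
    suspects = []
    for f in flows:
        if f.sport in REFLECTOR_PORTS:
            if (f.dst, f.src, f.sport) not in requests:
                suspects.append(f)
        elif f.dport in REFLECTOR_PORTS:
            requests.add((f.src, f.dst, f.dport))
    return suspects


def report(flows):
    """Unsolicited reflector bytes per target address, largest first."""
    totals = defaultdict(int)
    for f in unsolicited_responses(flows):
        totals[f.dst] += f.nbytes
    return sorted(totals.items(), key=lambda kv: -kv[1])


def observed_amplification(flows, reflector, port):
    """Bandwidth amplification factor at one reflector: bytes it sent from
    `port` divided by bytes it received on `port`. The reflector itself
    cannot tell the spoofed queries from real ones; only the ratio is visible."""
    sent = sum(f.nbytes for f in flows if f.src == reflector and f.sport == port)
    received = sum(f.nbytes for f in flows if f.dst == reflector and f.dport == port)
    if received == 0:
        raise ValueError(f"no requests to {reflector}:{port} in these flows")
    return sent / received


def bcp38_permit(src, assigned_prefixes):
    """BCP 38 / RFC 2827 ingress check at a provider edge: a packet arriving
    from a customer port is forwarded only if its source address lies inside
    that customer's assigned prefixes. The spoofed queries above would fail
    this check on the attacker's uplink and never reach the reflector."""
    addr = ipaddress.ip_address(src)
    return any(addr in ipaddress.ip_network(p) for p in assigned_prefixes)


if __name__ == "__main__":
    for target, nbytes in report(VICTIM_SIDE):
        print(f"{target}: {nbytes} unsolicited reflector bytes")
    print("amplification at 192.0.2.7:",
          observed_amplification(REFLECTOR_SIDE, "192.0.2.7", 389))
    # The attacker sits in 192.0.2.0/24 but stamps 203.0.113.99 as source.
    print("BCP 38 permits spoofed source:",
          bcp38_permit("203.0.113.99", ["192.0.2.0/24"]))
```

Note the asymmetry the two views expose: the victim's edge can drop the unsolicited replies statelessly or statefully, but only at the cost of also having to process them, while the reflector sees nothing abnormal in the queries. That is why the fix Corero points to below is upstream source-address validation rather than anything the reflector or the victim can do alone.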

Dave Larson explains: “LDAP is not the first, and will not be the last, protocol or service to be exploited in this fashion. Novel amplification attacks like this occur because there are so many open services on the Internet that will respond to spoofed record queries. However, a lot of these attacks could be eased by proper service provider hygiene, by correctly identifying spoofed IP addresses before these requests are admitted to the network. Specifically, following the best common practice, BCP 38, described in the Internet Engineering Task Force (IETF) RFC 2827, which describes router configurations that are designed to eliminate spoofed IP address usage by employing meaningful ingress filtering techniques, would reduce the overall problem of reflected DDoS by at least an order of magnitude.

“Today’s DDoS attacks are increasingly automated, meaning that attackers can switch vectors faster than any human can respond. The only effective defense against this type of DDoS attack vector requires automated mitigation techniques. Relying on out-of-band scrubbing DDoS protection to stop these attacks will cause significant collateral damage. Given the short duration and high volume attacks, legacy solutions simply cannot identify and properly mitigate in time to protect network availability.

Operational Auditing: Principles and Techniques for a Changing World

Internal auditors are expected to perform risk-based audits, but often do so only partially, because they focus on financial and compliance risks at the expense of operational, strategic and technological ones. This limits their ability to evaluate critical risks and processes. Operational Auditing: Principles and Techniques for a Changing World by Hernan Murdock merges traditional internal audit concepts and practices with contemporary quality control methodologies, tips, tools and techniques. It helps internal auditors perform value-added operational audits that result in meaningful findings and useful recommendations, helping organizations meet their objectives and improving the perception of internal auditors as high-value contributors, appropriate change agents and trusted advisors.

Tuesday, October 25, 2016

Introduction to Behavioral Biometrics

New Directions in Behavioral Biometrics presents the concept of behavioral biometrics on the basis of some selected features like signature, keystroke dynamics, gait, and voice. This excerpt from the book provides a brief overview of behavioral biometrics.

Monday, October 24, 2016

Risk and Trust Assessment: Schemes for Cloud Services

Both risk and trust have been extensively studied in various contexts for hundreds of years. Risk management, and specifically risk assessment for IT, has also been a hot research topic for several decades. On the other hand, modeling risk and trust for cloud computing has attracted researchers only recently. This chapter from Cloud Computing Security: Foundations and Challenges provides a survey on cloud risk assessments made by various organizations, as well as risk and trust models developed for the cloud.

Tuesday, October 18, 2016

Annual Cost of Fraud and Cybercrime Tops £10.9bn in the UK

Barnet, United Kingdom, October 18, 2016 - According to Get Safe Online, the annual cost of fraud and cybercrime in the UK is £10.9bn – the equivalent of £210 per adult. The research shows examples of online fraud ranging from fraudulent phishing messages to extract the personal details of victims, to ransomware and the theft of data through hacking.

Commenting on this, Robert Capps, VP of business development at NuData Security, said “We’re saddened, but not shocked, to see these findings. In this study, the fact that online fraud costs the UK £10.9bn a year is a sad state of affairs for consumers who can often bear the brunt of the costs (especially with regard to account takeover and new account fraud). It’s absolutely no wonder that consumers are pushing back on companies to improve security, holding them accountable for it, yet still wanting to have a good experience going through the gates."

Financial fraud offers a lucrative source of income for cybercriminals, totaling £755 million in 2015 in the UK alone. Cybercriminals have grown in their sophistication, exploiting the human interest factor by posing as banks or suppliers and then duping consumers into revealing their personal details. These scams have also proved effective in targeting commercial organizations, as senior executives are tricked into revealing sensitive information which enables access to a company network.

The increasing volume of attacks globally can also be attributed to more fraudsters willing to commit the crime, more data available on the black market, and more financial institutions and merchants that are vulnerable to attacks. Plus, as more countries fully adopt EMV (Europay, MasterCard, and Visa), we'll see fraud continue its migratory path to all available online channels.

We have to remember: fraudsters know us better than we do, in that they’ve pegged our vulnerabilities. It’s time we returned the favor. They are vulnerable because they must do very similar behaviors to be successful, and guess what? We can find them by their tell-tale signals.

In order to detect out-of-character and potentially fraudulent transactions before they can create a financial nightmare for consumers, we must adopt new authentication methods that they can’t deceive. Solutions based on consumer behavior and interactional signals are leading the way to providing more safety for consumers, and less fraud in the marketplace.

To combat these types of attacks, consumers should always report emails to their banking provider. No legitimate organization will ask for security or banking details so consumers need to be suspicious of any email that requests this information.

Meanwhile there are steps that consumers can take to help secure themselves:
  • Shop with well-known companies online, or use safer payment systems such as PayPal, Apple Pay or Android Pay, to avoid providing your payment details directly to an unknown merchant.
  • Use strong, unique passwords on each site you register with.
  • Make sure to change your passwords regularly.
  • Don't use public computers or free, unencrypted Wi-Fi to conduct financial or retail transactions or interactions.
  • Don't fall victim to email and phone scams, where a consumer receives a call from "their bank" asking for personal or financial account information. If it looks too good to be true, it most likely is. When in doubt, call the bank directly, using the number printed on the back of your card or on a recent statement.