Information Security News
We knew Microsoft was planning to block installation of Windows 7 and 8.1 updates on systems with Intel 7th Generation Core processors (more memorably known as Kaby Lake) and AMD Ryzen systems; we just weren't sure when. Now, the answer appears to be "this month." Users of new processors running old versions of Windows are reporting that their updates are being blocked. The block means that systems using these processors are no longer receiving security updates.
The new policy was announced in January of last year and revised slightly a couple of months later: Kaby Lake and Ryzen processors, and all new processors on an ongoing basis, would only be supported in Windows 10. Windows 7 and 8.1 would continue to support older processors, but their chip compatibility was frozen.
Awkwardly straddling the two policies are Intel's 6th Generation Core processors, aka Skylake. Some Skylake systems will continue to be supported in Windows 7 and 8.1. Others will not. Certain Skylake models shipped by 16 specific OEMs will continue to receive update support. But other Skylake systems will also need to upgrade to Windows 10 to receive ongoing updates.
Akamai researchers Jose Arteaga and Wilber Mejia have posted details on a new reflected DDoS approach, using the Connectionless LDAP protocol (CLDAP, on udp/389).
Reflected UDP attacks aren't new, but using CLDAP seems to be. Which made me wonder who the folks are that decided that their AD (or other LDAP directory) should be put on the internet without at least putting a certificate on it. Then I clued in - many SIP implementations use unsecured LDAP for authentication, authorization and for a directory. Shodan lists 12,718 (as of today) sites with udp/389 open - and yes, many of them answer as SIP directories.
The reflection part of the attack is likely a directory list from the root, or even a "tell me about yourself" query against the root would work nicely (that'd be my attack approach anyway).
And apparently some subset of those 12,718 sites can total up to a maximum (so far) of 24Gbps of reflected DDoS traffic - 3Gbps being the average seen to date. Akamai reports 7,629 sites were used, and they also report many more vulnerable sites than Shodan does.
Mitigation? The report offers a mix of "don't do that" as advice, with a Snort signature to kill the reflection attack. Unfortunately, the Snort signature needs to be applied at the vulnerable site - to which my question is: what are the odds that an organization that's posted LDAP on udp/389 open to the internet has an instance of Snort running? As is the case in so many DDoS situations, the hosts that are the source of the problem never see the problem; they're not the victims. So it's unlikely that we'll see this fixed anytime soon.
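Since detection has to happen at the reflecting site, here is an added example (not from the diary or from Akamai's advisory) of a flow-based check an LDAP operator could run over their own udp/389 traffic: it pairs inbound requests to port 389 with the outbound replies from it and flags external peers that receive replies many times larger than what they sent, which is what being used as a reflector looks like from the server's side. The flow records, the "internal" address ranges and the 10x amplification threshold are constructed assumptions.

```python
"""Flag hosts on our network that are answering udp/389 (CLDAP) with amplified replies."""
import ipaddress
from collections import defaultdict

# Assumed: flag any external peer whose replies are 10x larger than its requests.
AMPLIFICATION_THRESHOLD = 10.0
# Assumed: address ranges we consider our own; peers in them are normal LDAP clients.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample flow records (not real traffic): proto src sport dst dport bytes.
# 192.0.2.10 is our LDAP server; 198.51.100.7 and 203.0.113.5 play spoofed victims.
SAMPLE_FLOWS = """\
udp 198.51.100.7 51000 192.0.2.10 389 52
udp 192.0.2.10 389 198.51.100.7 51000 3000
udp 203.0.113.5 53012 192.0.2.10 389 52
udp 192.0.2.10 389 203.0.113.5 53012 3100
udp 10.0.0.25 40000 192.0.2.10 389 120
udp 192.0.2.10 389 10.0.0.25 40000 150
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines into (proto, src, sport, dst, dport, bytes)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, src, sport, dst, dport, nbytes = line.split()
        flows.append((proto, src, int(sport), dst, int(dport), int(nbytes)))
    return flows

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_cldap_reflection(flows, threshold=AMPLIFICATION_THRESHOLD):
    """Return {server: {external_peer: amplification_ratio}} for udp/389 replies over threshold."""
    request_bytes = defaultdict(int)   # (server, peer) -> bytes the peer sent to udp/389
    reply_bytes = defaultdict(int)     # (server, peer) -> bytes the server sent back from 389
    for proto, src, sport, dst, dport, nbytes in flows:
        if proto != "udp":
            continue
        if dport == 389:
            request_bytes[(dst, src)] += nbytes
        elif sport == 389:
            reply_bytes[(src, dst)] += nbytes
    hits = defaultdict(dict)
    for (server, peer), out_bytes in reply_bytes.items():
        if is_internal(peer):
            continue  # legitimate client traffic from our own ranges is ignored
        in_bytes = request_bytes.get((server, peer), 0)
        # A reply with no matching request at all is treated as infinite amplification.
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= threshold:
            hits[server][peer] = round(ratio, 1)
    return dict(hits)

if __name__ == "__main__":
    print(find_cldap_reflection(parse_flows(SAMPLE_FLOWS)))
```

A server that shows up with many distinct external peers at high ratios is the one to pull off the public side (or to front with the advisory's Snort rule).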
The full Akamai report can be found here: https://www.akamai.com/us/en/about/our-thinking/threat-advisories/connection-less-lightweight-directory-access-protocol-reflection-ddos-threat-advisory.jsp