We've had a few e-mails come in to the ISC now that the popular media has picked up the story of the distributed denial of service attack on CloudFlare and SpamHaus. For instance, here is the New York Times article on the subject. CloudFlare has their own write-up here. I was peripherally involved (very peripherally), as were some other handlers.

Let's start with some truth. The attack did reach upwards of 300 Gb/s and is the largest DDoS recorded to date. It combined the already known open-DNS-resolver problem with a specifically chosen choke point, and it had a real impact on SpamHaus and CloudFlare. Many people also spent many hours helping deal with this problem. A good number of them had no real connection to SpamHaus or CloudFlare; they are just fellow members of the information security community who came together to deal with a threat. It is a Very Good Thing (tm) that this level of cooperation has built up over time and that we respond to these threats as a community.

Here is what did not happen: the Internet did not come close to going down, little real impact was felt outside the victims and those in close Internet-proximity to them, and we were all still able to get to Pinterest and look at cat pictures. The attack was significant, but not globally so, despite media reports to the contrary. When news of the attack reached the Internet Storm Center, we did have a brief moment of panic and contemplated resorting to cannibalism. However, we quickly decided against this option (due to a combination of calmer heads prevailing and a lack of consensus on whether people could be turned into bacon).

That's not to say it was a non-event. It exposed some real problems, problems that each of us should take steps to remediate so this doesn't happen again. And by us, I mean those of you reading this who may maintain networks that unknowingly participated in this attack. More on that shortly. The attackers were part of a group dubbed StopHaus who decided to take down SpamHaus. For our purposes here, we'll leave the politics surrounding the attack out of it and focus on the technical side.

DNS Amplification Attacks

Pulling off a denial of service attack with straight-up network flooding is hard: in the general case you need more bandwidth than your target. While it might be fairly easy to take a game server offline over an MMO grudge match, going after a well-connected, protected target requires more bandwidth than the victim has, which is usually not something the attacker possesses.

You can get around this problem two ways: control lots of machines all over the Internet (i.e. a botnet), or find ways to amplify your attack so that the traffic arriving at the victim is far larger than what you sent. Those of you who remember the Smurf attack know how this works with ping: spoof your source address as the victim, ping a broadcast address, and every machine on that network sends an echo reply to the victim. Smurf has largely been fixed by default configurations (routers no longer forward directed broadcasts, and hosts ignore broadcast pings).

Enter DNS resolvers. A DNS query is not a large packet. However, thanks to extensions to DNS (EDNS0, which lets UDP responses exceed the original 512-byte limit, and DNSSEC, which adds bulky signature records), responses can be quite large in comparison, and because DNS runs over UDP there is no handshake to prove the source address is genuine. CloudFlare has a pretty good write-up on DNS amplification attacks here. In their example, a 64 byte query generated a 3,223 byte response, so the attacker's bandwidth is amplified roughly 50 times.

In short, here is how it works. The people who were upset at SpamHaus (and by extension CloudFlare) picked a choke point inside CloudFlare that would hurt, then sent DNS requests to known open resolvers with the source address spoofed to that victim IP, and the responses added up to a 300 Gb/s attack. Estimates of the amplification of their own bandwidth ranged from 30x to 100x. When they were keeping their peak DDoS up, that's what CloudFlare was seeing. (To see the progression to this point, read CloudFlare's write-up linked above.) To achieve a 300 Gb/s DDoS at those ratios you would need 3-10 Gb/s of your own bandwidth. Not insignificant, but also not unachievable for someone with motivation and some money.
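To make the amplification concrete, here is an added example (not part of the original diary, and not CloudFlare's code) that builds the kind of query an attacker sends, synthesizes the kind of oversized answer an open resolver returns for it, and measures the ratio. The query name, record contents and sizes are constructed for illustration; nothing is sent on the network.

```python
"""DNS amplification on the wire: build the small EDNS0 ANY query an attacker
sends, synthesize the oversized answer an open resolver would return for it, and
measure the ratio.  Everything here is constructed; nothing touches the network."""
import struct

QTYPE_TXT, QTYPE_OPT, QTYPE_ANY, CLASS_IN = 16, 41, 255, 1


def encode_name(name):
    """Dotted name -> uncompressed DNS label sequence, e.g. 7example3com0."""
    labels = name.strip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, txid=0x1234, edns_payload=4096):
    """Query with RD set plus an EDNS0 OPT record advertising a 4096-byte UDP
    buffer, so the resolver returns the whole answer instead of truncating."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)  # flags: RD only
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    # OPT pseudo-RR: root owner name, type 41; its CLASS field carries the payload size.
    opt = b"\x00" + struct.pack("!HHIH", QTYPE_OPT, edns_payload, 0, 0)
    return header + question + opt


def build_fake_response(query, name, rdatas, rcode=0, ra=True):
    """Constructed reply: same ID, QR/RD/RA flags, the question echoed, and one TXT
    RR per rdata whose owner is a compression pointer (0xC00C) to the question."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(rdatas), 0, 0)
    question = encode_name(name) + struct.pack("!HH", QTYPE_ANY, CLASS_IN)
    answers = b"".join(
        b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_TXT, CLASS_IN, 300, len(rd)) + rd
        for rd in rdatas)
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:  # compression pointer: follow it, resume after the 2 bytes
            hops += 1
            if hops > 16:  # malformed/malicious packets can loop pointers forever
                raise ValueError("compression pointer loop")
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    """Walk the header, question and every RR; return the fields that matter here."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # QTYPE + QCLASS
    records = []
    for _ in range(an + ns + ar):
        owner, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10 + rdlen
        records.append((owner, rtype, rdlen))
    return {"id": txid, "rcode": flags & 0xF, "ra": bool(flags & 0x0080),
            "ancount": an, "records": records, "consumed": off}


def amplification_factor(query, response):
    """Bytes the victim receives per byte the attacker spent."""
    return len(response) / len(query)


# Constructed example: an ANY query answered with eight 255-byte TXT records,
# the sort of bulky RRset that makes a zone attractive for amplification.
QUERY = build_query("example.com")
RESPONSE = build_fake_response(QUERY, "example.com", [b"\xfe" + b"x" * 254] * 8)

if __name__ == "__main__":
    r = parse_response(RESPONSE)
    print(f"query {len(QUERY)} bytes, response {len(RESPONSE)} bytes, "
          f"{amplification_factor(QUERY, RESPONSE):.1f}x, RA={r['ra']}, rcode={r['rcode']}")
```

The 40-byte query comes back as a 2,165-byte answer, a 54x ratio in the same range as CloudFlare's measurement. The two ingredients are visible in the bytes: the EDNS0 OPT record that invites a large UDP reply, and the fact that nothing in the exchange ties the reply to the host that really sent the query.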

The important takeaway is that DNS amplification has been known for some time now and that this DDoS attack was entirely preventable. Not by CloudFlare, mind you, but by the rest of us who maintain networks and DNS servers.

So what can you do about it?

For these DDoS attacks to work, two components need to be in place, and neither is a best practice.

The first is that the networks the attacks are launched from are not filtering spoofed traffic. For spoofed traffic to leave a network, the perimeter devices must allow packets whose source address is not in the internal address space to be routed out. This is a bad thing and not good network-neighbourhood behaviour. Everyone who has netspace should make sure that all traffic leaving their network carries a source address from their own netblocks. The second part of this is that upstream providers are not doing ingress filtering per BCP 38: traffic should not be accepted from a customer unless its source address is in the known and advertised IP space of that customer. If this were adopted universally, spoofed IP traffic would all but disappear.
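One way to find out whether your own network is leaking spoofed packets before someone else tells you is to apply the BCP 38 test to flow records. The following is an added example (not from the diary) that runs that check over a handful of constructed flow lines; the prefixes, log format and addresses are placeholders chosen for illustration.

```python
"""Audit outbound flows for traffic a BCP 38 egress filter would drop: packets
whose source address is not in the prefixes this network actually owns.  The
prefixes and flow records are constructed for this example."""
import ipaddress
import re
from collections import Counter

# Hypothetical address space of the network under audit (documentation prefixes).
OWNED_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8:1::/48")]

# Constructed flow-export lines in a simple key=value form.  In an amplification
# attack the victim shows up as the *source* of outbound queries, because the
# attacker spoofed it; that is exactly what the filter should catch.
SAMPLE_FLOWS = [
    "2013-03-27T10:00:01Z src=203.0.113.10 sport=51000 dst=198.51.100.53 dport=53 proto=udp bytes=40",
    "2013-03-27T10:00:01Z src=192.0.2.7 sport=53 dst=198.51.100.53 dport=53 proto=udp bytes=40",
    "2013-03-27T10:00:02Z src=192.0.2.7 sport=53 dst=198.51.100.54 dport=53 proto=udp bytes=40",
    "2013-03-27T10:00:02Z src=2001:db8:1::5 sport=51001 dst=2001:db8:2::53 dport=53 proto=udp bytes=52",
    "2013-03-27T10:00:03Z src=10.0.0.4 sport=40001 dst=198.51.100.80 dport=80 proto=tcp bytes=1200",
    "2013-03-27T10:00:03Z malformed record",
]

FLOW_RE = re.compile(
    r"src=(?P<src>\S+) sport=(?P<sport>\d+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\w+) bytes=(?P<bytes>\d+)")


def parse_flow(line):
    """Return a dict for a well-formed line, or None so bad lines are skipped, not fatal."""
    m = FLOW_RE.search(line)
    if not m:
        return None
    f = m.groupdict()
    try:
        f["src"], f["dst"] = ipaddress.ip_address(f["src"]), ipaddress.ip_address(f["dst"])
    except ValueError:
        return None
    for k in ("sport", "dport", "bytes"):
        f[k] = int(f[k])
    return f


def source_is_ours(addr, prefixes=OWNED_PREFIXES):
    """True if addr falls inside one of our prefixes of the same IP version."""
    return any(addr.version == p.version and addr in p for p in prefixes)


def egress_verdict(flow, prefixes=OWNED_PREFIXES):
    """What a BCP 38 egress ACL does with this outbound packet: only our own
    source addresses may leave.  The same check, applied by the upstream against
    the prefixes it has agreed to accept from us, is BCP 38 ingress filtering."""
    return "pass" if source_is_ours(flow["src"], prefixes) else "drop"


def audit(lines, prefixes=OWNED_PREFIXES):
    """Return the flows that would be dropped and, for those aimed at UDP/53, a
    count per spoofed source: the fingerprint of hosts on this network being
    used to reflect DNS traffic at someone else."""
    dropped = [f for f in map(parse_flow, lines) if f and egress_verdict(f, prefixes) == "drop"]
    reflected = Counter(str(f["src"]) for f in dropped
                        if f["proto"] == "udp" and f["dport"] == 53)
    return dropped, reflected


if __name__ == "__main__":
    dropped, reflected = audit(SAMPLE_FLOWS)
    for f in dropped:
        print(f"DROP src={f['src']} dst={f['dst']} dport={f['dport']}")
    for victim, n in reflected.items():
        print(f"{n} spoofed DNS queries claiming to be from {victim}")
```

On the sample data the private 10.0.0.4 leak and the two queries "from" 192.0.2.7 to port 53 are the ones a correctly configured border would never have let out; the second pair is the pattern to expect if a host inside your network is taking part in an attack like this one. Note that the check is per address family: an IPv6 packet is never matched against an IPv4 prefix, and vice versa.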

The second portion is having open recursive DNS resolvers on your network. Rarely is this a good thing, and in most cases they are present unknowingly and being used to generate attack traffic. The Open Resolver Project has a tool to check for open recursive servers in your netspace and some advice on what to do if this is an intentional choice (namely rate limiting). Generally speaking, most DNS servers do not need to perform recursive queries, and many of the rest don't need to do it for the entire Internet. Turning off recursion is a one-line change to named.conf, and if you need to recurse for local clients, restrict recursion to just your own netblocks.
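For BIND 9, the weak setting and the two sane alternatives look like this. This is an added example, not configuration from the diary or from the Open Resolver Project; the netblocks in the acl are placeholders, and only one of the three options blocks belongs in a real named.conf.

```conf
// 1. Weak: recursion enabled with no restriction.  Unless allow-recursion is
//    set (newer BIND 9 releases default it to localhost and localnets, older
//    ones and many shipped configs do not), anyone on the Internet can use this
//    server as a reflector.
options {
    recursion yes;
};

// 2. Authoritative-only server: refuse recursion outright.  Queries for names
//    you are not authoritative for get REFUSED instead of an answer.
options {
    recursion no;
};

// 3. Resolver for your own clients: recurse for the listed netblocks only and
//    refuse everyone else.  Restrict the cache too, or outsiders can still pull
//    large cached answers out of it.
acl "ournets" { 203.0.113.0/24; 2001:db8:1::/48; localhost; localnets; };
options {
    recursion yes;
    allow-recursion { "ournets"; };
    allow-query-cache { "ournets"; };
    // In BIND builds that include Response Rate Limiting, this caps identical
    // answers per client per second, which blunts reflection even from
    // authoritative data you must serve to everyone.
    rate-limit { responses-per-second 10; };
};
```

To verify from outside your network, use dig against the server for a name it is not authoritative for: a properly restricted server answers REFUSED, or answers without the RA flag, which dig reports as "recursion requested but not available". If you get a full answer back from the Internet side, you are running an open resolver.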

If those of you who maintain networks do the above two things, this DDoS (and those that will follow) would be non-events. So please, implement some flavor of BCP 38 and turn off open recursive DNS servers.


John Bambenek

bambenek \at\ gmail /dot/ com

Bambenek Consulting
(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.