Odyssey

…the wanderings

DDoS Wars

A DDoS attack is easier to inflict than it is to deflect or defend against. Think of it as Guerrilla Warfare waged with a herd of Zombies.

That is exactly what a Botnet based DDoS attack represents in the networking world. Coercion replaces loyalty as Malware propagates through the network to increase the size of the herd. All you need is the right triggers (like people who will click through links) and crowd-sourcing takes over. Last year Craig Labovitz at Arbor described a DDoS at over 30Gbps on an Asian mobile operator. It is likely to have been done with a herd numbering in the tens of thousands rather than the million-node botnets known to exist today.

This is a new turn on what was ‘affectionately’ called the Slashdot Effect in earlier days, but with a bad twist. Traffic is intentionally diverted by a botnet herder. Their target might be popular but does not really appreciate (nor can it benefit from) the incoming volume.

The first thing to note about a DDoS (or DoS in general) is that trying to throttle such an attack is actually playing into the hands of the attacker — a self-inflicted denial-of-service. A selective block is not very fruitful either when the attack is well distributed over the Internet landscape and laden with guerrilla tactics.

It is more of a pipe-dream to expect that everyone will protect their end-hosts from Malware attempts to subvert them and assimilate them into a growing botnet. And waiting for a crusader (good-guy) that will spread along the malware channels to wipe out the bad-boys has its own risks.

At a higher level, the Internet infrastructure could analyze elements of such a botnet and attempt to sterilize it (a quick and more generally visible example is OpenDNS).

If a potential target (company, nation; Google?) can afford distributed hosting on the Internet, it would present the botnet with an intimidating challenge: multiple points that need to be compromised before a successful DDoS is achieved. This is when a larger Botnet will have to rear its head for a Multiple DDoS.
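As an added illustration (not code from the original post), here is a toy model of the three points made above, using constructed traffic figures: an origin-wide rate cap drops legitimate and attack requests in the same proportion, a per-source threshold misses bots that each stay under it while catching busy real users, and spreading the service over several hosting points divides the attack volume each point sees.

```python
# Added toy model of the DDoS reasoning above; not code from the original post.
# All traffic figures below are constructed for the illustration.
from collections import Counter
import random

def served_under_global_cap(legit_rps, attack_rps, cap_rps):
    """Fraction of legitimate requests that survive an origin-wide rate cap.
    The cap cannot tell legitimate from attack requests, so both are dropped
    in the same proportion: throttling becomes a self-inflicted DoS."""
    total = legit_rps + attack_rps
    return 1.0 if total <= cap_rps else cap_rps / total

def build_traffic(n_bots, per_bot, n_users, per_user, seed=1):
    """Constructed sample: many bots each sending a little, fewer real users
    each sending more. Returns a shuffled list of (source, kind) pairs."""
    reqs = [(f"bot{i}", "bot") for i in range(n_bots) for _ in range(per_bot)]
    reqs += [(f"user{i}", "legit") for i in range(n_users) for _ in range(per_user)]
    random.Random(seed).shuffle(reqs)
    return reqs

def per_source_block(requests, threshold):
    """Sources whose request count exceeds the threshold (a selective block).
    With a well-distributed herd each bot stays under the threshold while
    busy legitimate users trip it, so the block hits the wrong parties."""
    counts = Counter(src for src, _ in requests)
    return {src for src, n in counts.items() if n > threshold}

def block_outcome(requests, threshold):
    """Count how many bots and how many legitimate users the block catches."""
    blocked = per_source_block(requests, threshold)
    kinds = dict(requests)  # source -> kind (each source has exactly one kind)
    bots = sum(1 for s in blocked if kinds[s] == "bot")
    legit = sum(1 for s in blocked if kinds[s] == "legit")
    return bots, legit

def attack_rps_per_site(attack_rps, n_sites):
    """Distributed hosting: the herder must split the herd across n_sites,
    so each site sees only a share of the total attack volume."""
    return attack_rps / n_sites

if __name__ == "__main__":
    print("legit share under 5k cap:", served_under_global_cap(1_000, 30_000, 5_000))
    t = build_traffic(n_bots=2_000, per_bot=5, n_users=50, per_user=20)
    print("blocked (bots, users) at threshold 10:", block_outcome(t, threshold=10))
    print("attack rps per site with 10 sites:", attack_rps_per_site(30_000, 10))
```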

As malware writers get more sophisticated, the attack itself becomes more silent and versatile. But DDoS is not a one-way tool and can be used by both sides. Around the start of this month, Aiplex Software was hired by the likes of MPAA and RIAA to attack piracy sites. This instigated a retaliation which is currently in progress (www.aiplex.com is off-line as of this writing). So, which side wins with this? None, I guess; if anyone benefits, it would be the RBN and, ultimately, terrorist organizations, probably.

But, this is not yet the end of this story and over time I expect we will hear more on this round of DDoS.

Meanwhile, you can catch the background on this from a recent non-fiction book, Fatal System Error – The Hunt for the New Crime Lords Who are Bringing Down the Internet, by Joseph Menn. It runs through an account of such warfare over the last decade, taking specific examples (see Prolexic).

Figure: The Prolexic timeline showing DDoS progress (DDoS Evolution, Prolexic)

September 30, 2010 | reading, security

What could become the next Conficker (if we had Vista)

A recent advisory from Microsoft (Microsoft Security Advisory (975497)) says Vulnerabilities in SMB Could Allow Remote Code Execution. This “SMB2 zero day” is focused on Microsoft Vista and Server 2008 systems.

Researchers have mixed feelings, while all the tools for using it are already available in the wild.

If Vista were as widespread as Windows XP, it would have become a potential addition to the Conficker troupe. Interestingly, even Windows 7 (gaining momentum at the moment) does not seem vulnerable. That does not preclude the Conficker writers themselves from deciding to add this new ‘tool’ to their variants. Return on investment may be the only reason they would not target Vista…

September 12, 2009 | security

Malware with and around Opera Unite

A couple of weeks back I raised a concern about Botnets being Controlled with Twitter.

The security of Opera Unite itself is quite dubious. Here is a recent dissection of the Unite technology, referred to me by a friend. The attacker will eventually have the option of using their own locally hosted Unite sites and probably even a couple of other pwned (compromised) ones.

September 1, 2009 | security

Twitter Command and Control

Recent news about Twitter being used as a Botnet Command Center sounds so natural. At the risk of second-guessing, it appears to be the simplest control path (barring only the frequent downtimes the Twitter service is prone to).

Couple that with the Opera Unite concepts and you have a good mobile threat vector. Yes, the Unite technology is also still being stabilized. But that should not stop us from predicting some threat scenarios we are about to encounter in the near future (“near” as against the usual Science-Fiction measure of future).

I have similar feelings on Facebook, but have never had the patience to hover there long enough to give more thought.

August 16, 2009 | security

McAfee False-positive hit

Fresh reports of the McAfee update “felling PCs across the world” are sweeping across the news and help forums.

The problem seems to be a false-positive that surfaces when a new DAT file is applied to an older McAfee engine. The 4th of July holiday probably helped a bit too, with people being a little less alert.

These things will happen, and the important lesson to learn is the critical focus required while working with security systems whose false-positives have a costly impact. Hollywood has been cashing in on this idea for decades (remember Robocop?). These things will get more interesting as we move to security systems more sophisticated than these.

July 5, 2009 | security

Insecurities

I wonder when people will stop blaming the OS vendors and start taking security of their machines seriously…

June 20, 2009 | security

Conficker and the Curious Yellow

I was not planning on writing another post so soon, but Utopiah has referred me to a very nice article in his comments on my previous post. If you have not already read Brandon Wiley’s Curious Yellow: The First Coordinated Worm Design, I urge you to read it through.

It hits the spot on fast distribution through a peer-to-peer network. I used the concept to hypothesize patch propagation (which he describes as an anti-worm).

The paper describes a scenario comparable to a powerful chess game, turning the yellow worm to blue and back again. Probably in recognition of this idea, Conficker uses the latest encryption, very likely making it the first field implementation of the MD6 algorithm and its fixes too! It appears that the Conficker writer is very well versed in this paper and current technology 🙂

Besides the points made by Wiley on that page, there is one more ‘common goal’ such a network can target, and I am sure it's already stated somewhere: these compromised systems can be pooled to brute force encryption security.

April 21, 2009 | security