Denial-of-service attack

Tag Archive for Denial-of-service attack

RB | November 10, 2016

Comments Off

Bad Passwords Crippled the Web

Followers of the Bach Seat know that passwords suck and now default passwords really suck. In fact, default passwords seem to be a key part of the massive DDOS attack that disabled large parts of the Internet on October 21, 2016. The cyberattack targeted Internet traffic company DYN. DYN provides DNS services for many high-profile sites. Some of the sites affected by the attack on Dyn included; Amazon (AMZN), Business Insider, New York Times, Reddit, and Twitter (TWTR).

Security researcher Brian Krebs, whose site, krebsonsecurity.com, was one of the first sites hit by a massive 620 GB/s DDoS attack, has reported the Mirai botnet was at the center of the attack on his site. CIO.com reports ‘Mirai’ can break into a wide range of Internet of Things (IoT) devices from CCTV cameras to DVRs to home networking equipment turning them into ‘bots. CIO reports a single Chinese vendor, Hangzhou Xiongmai Technology made many of the devices used in the Mirai attacks.

Level 3 Communications says there are nearly half a million Mirai-powered bots worldwide. To amass an IoT botnet, a Mirai bot herder scans a broad range of IP addresses, trying to login to devices using a list of default usernames and passwords that are baked into Mirai code, according to US-CERT. The Mirai zombie devices are largely security cameras, DVRs, and home routers. Mr. Krebs identified some of the specific devices.

Mirai Passwords

Username	Password	Function
admin	123456
root	123456	ACTi IP camera
admin	password
admin1	password
root	password
admin	12345
root	12345
guest	12345
admin	1234
root	1234
administrator	1234
888888	888888
666666	666666	Dahua IP camera
admin	(none)
admin	1111	Xerox printers, etc.
admin	1111111	Samsung IP camera
admin	54321
admin	7ujMko0admin	Dahua IP camera
admin	admin
admin	admin1234
admin	meinsm	Mobotix network camera
admin	pass
admin	smcadmin	SMC router
Administrator	admin
guest	guest
mother	fucker
root	(none)	Viviotek IP camera
root	00000000	Panasonic printers
root	1111
root	54321	Packet8 VoIP phone
root	666666	Dahua DVR
root	7ujMko0admin	Dahua IP camera
root	7ujMko0vizxv	Dahua IP camera
root	888888	Dahua DVR
root	admin	IPX-DDK network camera
root	anko	Anko Products DVR
root	default
root	dreambox	Dreambox TV receiver
root	hi3518	HiSilicon IP Camera
root	ikwb	Toshiba network camera
root	juantech	Guangzhou Juan Optical
root	jvbzd	HiSilicon IP Camera
root	klv123	HiSilicon IP Camera
root	klv1234	HiSilicon IP Camera
root	pass
root	realtek	Realtek router
root	root
root	system	IQinVision camera, etc.
root	user
root	vizxv	Dahua camera
root	xc3511	H.264 - Chinese DVR
root	xmhdipc	Senzhen Anran security camera
root	zlxx.	EV ZLX two way speaker
root	Zte521	ZTE router
service	service
supervisor	supervisor	VideoIQ
support	support
tech	tech
ubnt	ubnt	Ubiquiti AirOS Router
user	user

US-CERT says the purported author of Mirai claims to have 380,000 IoT devices are under its control. Some estimate the botnet has generated greater than 1Tbps DDoS attacks.

When Mirai botnets are called upon to carry out DDoS attacks, they can draw on a range of tools including ACK, DNS, GRE, SYN, UDP and Simple Text Oriented Message Protocol (STOMP) floods, says Josh Shaul, vice president of web security for Akamai.

rb-

Followers of Bach Seat already know that many of the default passwords used by Mirai are among the worst and should have been changed already. They include:

Password
123456
12345
1234

While reports say, Chinese vendor, XiongMai Technologies equipment was widely exploited, other notable tech firms are included. The Mirai zombie army includes equipment from Xerox (XRX), Toshiba (TOSBF), Samsung (005930), Panasonic (6752), and ZTE (763).

I wrote about security cameras being compromised as part of botnets back in July here.

Terabit-scale DDoS events are on the horizon (helpnetsecurity.com)

Ralph Bach has been in IT long enough to know better and has blogged from his Bach Seat about IT, careers, and anything else that catches his attention since 2005. You can follow him on LinkedIn, Facebook, and Twitter. Email the Bach Seat here.

Category: Uncategorized | Tags: 2016, Botnet, Brian Krebs, Business Insider, China, cyber attack, DDOS, Denial-of-service attack, DNS, Dyn, Mirai, New York Times, Passwords, Reddit, Samsung, Security, Toshiba, Twitter, TWTR, Xerox, XiongMai Technologies, ZTE

RB | July 9, 2016

Comments Off

Security Cam Concerns in Ann Arbor

Security Cam Concerns in Ann Arbor Next time you are in Ann Arbor to get a bite to eat at Zingerman’s or attend a U of M football game at Michigan stadium someone may be watching you. NetworkWorld, says Ann Arbor is one of the top U.S. cities with the most unsecured security cameras. In fact, Ann Arbor ranks seventh nationally.

The report’s author, security firm Protection 1, analyzed the data from Insecam. Inseacam identifies open security cameras and Protection 1 estimates there are over 11,000 open security cameras on the Internet in the U.S. Protection 1 identified the cities with the most cameras that can be viewed by anyone online. The top 10 cities with unsecured security cameras are:

Walnut Creek, CA – 89.69 / 100,000 residents
Richardson, TX – 72.74 / 100,000 residents
Torrance, CA – 72.55 / 100,000 residents
Newark, NJ – 38.07 / 100,000 residents
Rancho Cucamonga, CA – 36.76 / 100,000 residents
Corvallis, OR – 37.98 / 100,000 residents
Ann Arbor, MI – 34.18 / 100,000 residents
Orlando, FL – 34.05 / 100,000 residents
Eau Claire, WI – 22.21 / 100,000 residents
Albany, NY – 20.32 / 100,000 residents

Open security cameras connect to the Internet via Wi-Fi or a cable. They have no password protection or are using the manufacturer’s default password. Malicious people and governments can record or broadcast our lives from unprotected open security cameras. Open cameras are also vulnerable attacks that can turn them into bots.

From a privacy perspective, the most worrisome finding is that 15% of the open cameras are in Americans’ homes. Anyone can watch these cameras if the default password is not changed to a unique password to lock down the camera.

Besides being spied on from the web, open cameras can be exploited by criminals. Cyber-criminals can force online cameras to attack other things on the Internet as part of a DDoS attack.

A DDoS attack against a jewelry shop website led to the discovery of a CCTV-based botnet. A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing a denial of service for users of the targeted system. TargetTech says the flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to the system to legitimate users.

Help Net Security reports that Sucuri researchers discovered the jewelry site was being attacked by a CCTV botnet made up of 25,000+ cameras from around the globe. The website was first attacked by a layer 7 attack (HTTP Flood) at 35,000 HTTP requests per second and then, when those efforts were thwarted, with 50,000 HTTP requests per second.

Sucuri researchers discovered that all the attacking IP addresses had a similar default page with the ‘DVR Components’ title. After digging some more, they found that all these devices are BusyBox based. Busybox is a GNU-based software that aims to be the smallest and simplest correct implementation of the standard Linux command-line tools.

CCTV botnet made up of 25,000+ cameras from around the globe The compromised CCTV cameras were located around the globe:

24% originated from Taiwan,
12% United States,
9% Indonesia,
8% Mexico,
and elsewhere.

rb-

Unless something is done, security flaws, misconfiguration, and ignorance about the dangers of connecting unsecured devices to the IoT will keep these botnets functioning well into the future.

To protect your website from botnets and DDoS, you need to be able to block or absorb malicious traffic. Firms should talk to their hosting provider about DDoS attack protection. Can they route incoming malicious traffic through distributed caching to help filter out malicious traffic — reducing the strain on existing web servers. If not find a reputable third-party service that can help filter out malicious traffic.

DDoS defense services require a paid subscription, but often cost less than scaling up your own server capacity to deal with a DDoS attack.

Arbor Networks is one firm that provides services and devices to defend against DDoS.

Google has launched Project Shield, to use Google’s infrastructure to support free expression online by helping independent sites mitigate DDoS attack traffic.

GetResponse CEO Statement Regarding the DDoS Attack (getresponse.com)

Category: Uncategorized | Tags: 2016, Ann Arbor, Arbor Networks, BusyBox, CCTV, Daniel Cid, DDOS, Denial-of-service attack, DVR, GOOG, Google, HTTPS, Inseacam, Internet of Things, IP address, Jim Harbaugh, Linux, Michigan, Protection 1, Security, Sucuri

RB | October 14, 2014

Comments Off

25 Years of the Firewall

25 Years of the Firewall The firewall has turned 25 years old this year. In commemoration, McAfee created a timeline of the events that shaped the development of the device most of us rely on the protect ourselves from each other. The infographic shows how the firewall’s evolution coincided with high-profile security events:

1995: WM/Concept first virus to spread through Microsoft (MSFT) Word
2000: First denial-of-service attack discovered
2008: Conficker infects 9-15 million Microsoft systems.

These security breaches triggered security developers to react with more advanced firewall technology:

1998: Evasions researched
2009: Native clustering for high availability and performance introduced
2012: Software enabled security introduced, making blade technology obsolete.

The first generation firewalls were called Packet Filters. Packet Filter firewalls look at network addresses and ports of the packet and determine if that packet should be allowed or blocked based on rules programmed by humans. If a packet does not match the packet filter’s ruleset, the packet filter will drop or reject the packet, breaking the connection.

The second generation firewalls do stateful packet inspection. According to Wikipedia, second generation firewalls record all connections passing through it and determines whether a packet is the start of a new connection, a part of an existing connection, or not part of any connection. Though static rules are still used, these rules can now contain a connection state as one of their test criteria.

Third-generation firewalls use application layer filtering which can “understand” certain applications and protocols (such as File Transfer Protocol (FTP), Domain Name System (DNS), or Hypertext Transfer Protocol (HTTP)). This is useful as it is able to detect if an unwanted protocol is attempting to bypass the firewall on an allowed port or detect if a protocol is being abused in any harmful way.

Next Generation Firewall Pat Calhoun, SVP at McAfee, explained in a Help Net Info article that it was not until 2009 when the fourth generation firewall we know and love began to evolve. In 2009 Gartner published its definition and a paper on “Defining the Next-Generation Firewall. (PDF)” According to its definition, NGFWs are:

…deep-packet inspection firewalls that move beyond port/protocol inspection and blocking to add application-level inspection, intrusion prevention, and bringing intelligence from outside the firewall.

In its paper, the Gartner authors explain that “Firewalls need to evolve to be more proactive in blocking new threats, such as botnets and targeted attacks.” Mcafee’s Calhoun points out that NGFW discussions started in 2003 but the technology really didn’t get on the right track until Gartner defined it in 2009.

Intel 25th Anniversary of the Firewall infographic

rb-

Future NGFW development efforts need to integrate application control, IPS, and evasion prevention into a single, purpose-built box with enterprise-scale availability and manageability solution.

Back in the day, 2000, I managed a Checkpoint firewall IPSO ver 3.0 on a Nokia appliance (IP300?). The thing was the network had been up and running for 3 years and included over 3,000 devices before the Checkpoint was put in. Can’t get away with that now, a naked PC on the Innertubes will be compromised within minutes to hours, according to those who know that kind of stuff.

The most vivid recollection of setting the thing up was just randomly mashing on the keys to create the first key. Other network guys were amazed because apparently, this was the first firewall many had seen with a GUI to configure the rules.

I also remember learning the hard way that Deny All goes at the bottom of the list, not the top.

Enterprise Firewall Market: Global Forecast to 2019 by Professional Services (mynewsdesk.com)

Category: Uncategorized | Tags: 2014, application layer filtering, Computer security, Denial-of-service attack, Gartner, IT, McAfee, Microsoft, MSFT, Next-Generation Firewall, Packet filter, Security, stateful packet inspection

RB | January 30, 2014

Comments Off

Cyber Attacks on Schools

Cloud services and data-management systems are multiplying in the edu market. Schools, districts, and states are using online networks to store student data such as records PII, medical records, attendance, and grades. Putting all of this data online is scary enough, these systems are designed to allow parents (and attackers) to get to data from a home PC.

More convenient for teachers and parents

Education Week explains that the switch to online data is often more convenient for teachers and parents. But these changes can also make state agencies, districts, and schools vulnerable to cyber attacks. The author cites the August 2013 DDoS attack on the Kentucky Department of Education’s statewide Infinite Campus information network as a precursor of things to come. The Kentucky agency was able to fight off the DDoS attack before any data was compromised but school DDoS attacks are occurring more often as they get easier to execute. David Couch the Kentucky Department of Education’s chief information officer said.

What I understand from what I’ve seen is that [DDoS attacks are] a commonality now … I think most organizations have to add to their tool suite a way to detect them.

Online attacks

GCN reports another edu DDoS attack. This one is on OnCourse Systems for Education a SaaS that provides software services to K-12 schools. The firm became the victim of UDP flood from Germany and the Netherlands. The firm tried to fly under the radar, Mark Yelcick, chief technology officer and partner at OnCourse said.

This was the first DDoS attack at OnCourse, and we never thought that we would be a target … There’s no money or assets to be gained by attacking an SaaS provider of K-12 educational systems. We felt that the firewall, intrusion protection and DDoS protection from our data center provider would be enough.

In order to turn back the tide of rouge packets, OnCourse brought in P rolexic. Prolexic has solutions tailored for the education market. The company engaged its emergency services, routing traffic through Prolexic’s 1.5 Tbps cloud-based DDoS mitigation platform and stopping the attacks. CTO Yelcick said, “We simply cannot afford downtime brought about by a DDoS attack.”

Because DDoS attacks can target any IP address, it’s impossible to completely prevent them, so for districts and the companies that offer data management services, the focus is on battling these attacks as they come.

“We have to be prepared and understand the environment that we are operating in so we’re prepared to address these issues as they come up,” says Infinite Campus CEO Eric Creighton, the victim of the Kentucky DDoS attack.

Attackers are after student PII

Part of predicting and combating cyber attacks is understanding why people order these attacks in the first place. When the target is a network that stores student grades and attendance information, the immediate thought is that a student is responsible. However, Mr. Creighton says that students rarely attempt attacks and, in his experience, have never succeeded.

“I don’t think these are attacks attempting to get data … There’s no jackpot of valuable data –there’s no payload here.” CEO Creighton may be spinning the results. rb- I wrote about schools collecting and losing PII here.

One reason that schools and districts are targeted is that their systems are designed for convenient access. Easy access for parents and teachers, makes for easier targets. Marcus Rogers, a professor, and chair of the cyber forensics program at Purdue University told Education Week.

For a lot of these attacks, the intended victim or goal is something bigger than the school. Obviously schools want to protect their data, but the bigger threat is when they use those networks now to go out and attack a power plant or a stock exchange or an air traffic control systems. That’s when the stakes go up.

Caused by a BYOD device

Kentucky education officials believe that the attack on their systems was triggered by a beacon. They hypothesize that a beacon was unknowingly placed on a student’s mobile device, which he or she took with them to school. Viruses can cause a device to send out a beacon, instructing thousands of other devices to attack the network the device is connected to. In Kentucky, officials say that this won’t stop individual districts from implementing bring-your-own-device programs. However, schools can decrease the chances of an attack by making sure that these student devices are properly protected according to Education Week. CIO Couch believes schools will start to protect themselves.

I think what you’re going to see is districts making sure that before people plug into their network they have up-to-date, good virus protection … I think you’ll start to see that in K-12.”

Purdue’s Rogers says that even when schools know best practices for avoiding and combating attacks, such measures are often cost-prohibitive. “A lot of times the schools know what to do, but at the end of the day if they’re trying to get library books, a firewall is not going to be their big concern.”

DDoS as a distraction: The one-two cyberpunch (pando.com)

Category: Uncategorized | Tags: 2014, Cloud computing, DDOS, Denial-of-service attack, K12, Kentucky, SaaS, Security, Software as a service

RB | December 27, 2012

Comments Off

F-Secure Top Security Predictions for 2013

As the new year looms, all kinds of firms start making predictions, mostly to boost their sales next year, I will be looking at a number of firm’s predictions for next year, a let’s see how smart they are this time next year. Here are the top security predictions for 2013 from Finland-based F-Secure Labs shared with Help Net Security.

1. The end of the Internet as we know it? – Secure Labs predicts that the ITU WCIT in Dubai could mean the end of the Internet (which I covered here and here). Sean Sullivan, Security Advisor at F-Secure Labs says that the World Conference on International Telecommunications could have a major impact on the Internet as we know it. “The Internet could break up into a series of smaller Internets,” Sullivan says. “Or it may start to be funded differently, with big content providers like Facebook and Google/YouTube having to pay taxes for the content they deliver.”

rb- WCIT has concluded with the U.S. and most of Europe refusing to sign the treaty due to language backed by Russia and China that could have large-ranging impacts on Internet freedom.

2. Leaks will reveal more government-sponsored espionage tools – “It’s clear from past leaks about Stuxnet, Flame, and Gauss that the cyber arms race is well underway,” says Mikko Hypponen, Chief Research Officer at F-Secure Labs. While we may not always be aware of nation-states’ covert cyber operations, we can expect that governments are more and more involved in such activity.

3. Commoditization of mobile malware will increase – The Google (GOOG) Android operating system has solidified in a way that previous mobile operating systems haven’t, extending from phones to tablets to TVs to specialized versions of tablets. The more ubiquitous it becomes, “the easier to build malware on top of it and the more opportunities for criminals to innovate business-wise,” Sullivan says. Mobile malware will become more commoditized, with cyber-criminals building toolkits that can be purchased and used by other criminals without real hacking skills. In other words, malware as a service, for Android.

4. Another malware outbreak will hit the Mac world – First it was Mac Defender and then Flashback that attacked Apple.

Category: Uncategorized | Tags: 2012, AAPL, Android, Apple, Bitcoin, Denial-of-service attack, GOOG, Google, Mac Defender, Mac OS, Security, Smart TV

« Older Entries

Bach Seat

Tag Archive for Denial-of-service attack

Bad Passwords Crippled the Web

Mirai Passwords

Related articles

Security Cam Concerns in Ann Arbor

Related articles

25 Years of the Firewall

Related articles

F-Secure Top Security Predictions for 2013

Meta