DDoS

WMD in Second Life

hi guys and gals, how are you all doing? :)

i’ve always been a fan of virtual worlds (although for my own life’s sake, i don’t participate in them). this time around it’s about what some refer to as a wmd, and i like it.

http://www.joystiq.com/2007/05/28/user-created-wmds-do-massage-damage-in-second-life-beta-test/

funny how history repeats itself and he couldn’t control his “virus”. :)

gadi evron,
ge@beyondsecurity.com.

Botnets are old-fashioned – P2P networks are behind of massive DDoS attacks

The new trend in organizing Distributed Denial of Service attacks are P2P networks.

This is the way how Netcraft describes the situation:

large numbers of client computers running P2P software are tricked into requesting a file from the intended target of the DDoS, allowing the attacker to use the P2P network to overwhelm the target site with traffic.

The Netcraft entry points to FL-based Prolexic Technologies alert too sharing more technical details and information about the number of clients and the traffic being generated.
A very nice catch, Rich Miller of Netcraft!

DDoS against Finnish broadcasting company took 3 days

Today was the third day when the Web site of Finnish broadcasting company YLE (Yleisradio) suffer problems of large-scale DDoS attack.

From the YLE News site:

The company’s web pages were targeted by of a concerted attack on Monday and Tuesday. Two other major web sites, those of the telecommunications service provider Eniro, and the Suomi24 portal also reported similar attack.

There are several possible motives – Finland was the host of Eurovision Song Contest 2007 last weekend and our second place in hockey World Championship during the next day.

Some people said earlier that there was connections to recent DoS attacks on Estonian government sites too.

Broadband routers and botnets – being proactive

in this post i’d like to discuss the threat widely circulated insecure broadband routers pose today. we have touched on it before.

today, yet another public report of a vulnerable dsl modem type was posted to bugtraq, this time about a potential wireless flaw with broadband routers being insecure at deutsche telekom. i haven’t verified this one myself but it refers to “deutsche telekom speedport w700v broadband router”:
http://seclists.org/bugtraq/2007/may/0178.html

if you all remember, there was another report a few months ago about a uk isp named bethere with their wireless router being accessible from the internet and exploitable, as another example:
http://blogs.securiteam.com/index.php/archives/826

two issues here:
1. illegitimate access to broadband routers via wireless communication.
2. illegitimate access to broadband routers via the wan.

i’d like to discuss #2.

some isps which provide such devices (as in the example of #2 above) use them as bridges only, preventing several attack vectors (although not all). many others don’t. most broadband isps have a vulnerable user-base on some level.

many broadband isps around the world distribute such devices to their clients.

although the general risk is well known, like with many other security issues many of us remained mostly quiet in the hope of avoiding massive exploitation. as usual, we only delayed the inevitable. i fear that the lack of awareness among some isps for this “not yet widely exploited threat” has resulted in us not being proactive and taking action to secure the internet in this regard. what else is new, we are all busy with yesterday’s fires to worry about tomorrow’s.
good people will react and solve the problem when it pops up in wide-exploitation, but what we may potentially be facing is yet another vector for massive infections and the creation of eventual bot armies on yet another platform.

my opinion is, that with all these public disclosures and a ripe pool of potential victims, us delaying massive exploitation of this threat may not last. i believe there is currently a window of opportunity for service providers to act and secure their user-base without rushing. nothing in security is ever perfect, but actions such as changing default passwords and preventing connections from the wan to these devices would be a good step to consider if you haven’t already.

my suggestion would be to take a look at your infrastructure and what your users use, and if you haven’t already, add some security there. you probably have a remote login option for your tech support staff which you may want to explore – and secure. that’s if things were not left at their defaults.

then, i’d also suggest scanning your network for what types of broadband routers your users make use of, and how many of your clients have port 23 or 80 open. whether you provide with the devices or not, many will be using different ones set to default which may pose a similar threat. being aware of the current map of vulnerable devices of this type in your networks can’t hurt.

it is not often that we can predict which of the numerous threats out there that we do not address currently, is going to become exploited next. if you can spare the effort, i’d strongly urge you to explore this front and be proactive on your own networks.

the previous unaddressed threat which most of us chose to ignore was spoofing. we all knew of it for a very long time, but some of us believed it did not pose a threat to the internet or their networks for no other reason than “it is not currently being exploited” and “there are enough bots out there for spoofing to not be necessary”. i still remember the bitter argument i had with randy bush over that one. this is a rare opportunity, let’s not waste it.

we are all busy, but i hope some of you will have the time to look into this.

i am aware of and have assisted several isps, who spent some time and effort exploring this threat and in some cases acting on it. if anyone can share their experience on dealing with securing their infrastructure in this regard publicly, it would be much appreciated.

thanks.

gadi evron,
ge@beyondsecurity.com.

A Botted Fortune 500 a Day

support intelligence releases daily reports on different fortune 500
companies which are heavily affected by the botnet problem, with many
compromised machines on their networks.

you can find more information on their blog:
http://blog.support-intelligence.com/

they are good people, and they know botnets.

gadi evron,
ge@beyondsecurity.com.

On-going Internet Emergency and Domain Names

there is a current on-going internet emergency: a critical 0day vulnerability currently exploited in the wild threatens numerous desktop systems which are being compromised and turned into bots, and the domain names hosting it are a significant part of the reason why this attack has not yet been mitigated.

this incident is currenly being handled by several operational groups.

this past february, i sent an email to the reg-ops (registrar operations) mailing list. the email, which is quoted below, states how dns abuse (not the dns infrastructure) is the biggest unmitigated current vulnerability in day-to-day internet security operations, not to mention abuse.

while we argue about this or that tld, there are operational issues of the highest importance that are not being addressed.

the following is my original email message, elaborating on these above statements. please note this was indeed just an email message, sent among friends.

date: fri, 16 feb 2007 02:32:46 -0600 (cst)
from: gadi evron
to: reg-ops@…
subject: [reg-ops] internet security and domain names

hi all, this is a tiny bit long. please have patience, this is important.

on this list (which we maintain as low-traffic) you guys (the
registrars) have shown a lot of care and have become, on our sister mitigation and research lists (those of you who are subscribed), an integral part of our community we now call “the internet security operations community”.

we face problems today though, that you can not help us solve under the current setting. but only you can help us coming up with new ideas.

day-to-day, we are able to report hundreds and thousands of completely bogus phishing and other bad domains, but both policy-wise and resources-wise, registrars can’t handle this. i don’t blame you.

in emergencies, we can only mitigate threats if one of you or yours are in control.. just a week ago we faced the problem of the dolphins stadium being hacked and malicious code being put on it:

1. we tracked down all the ip addresses involved and mitigated them (by we i mean also people other than me. many were involved).
2. we helped the dolphins stadium it staff take care of the malicious code on their web page – specifically gary warner).
3. we coordinated with law enforcement.
4. we coordinated that no one does a press release which will hurt law enforcement.
5. we did a lot more. including actually convincing a chinese registrar to pull one of the domains in question. a miracle. there was another domain to be mitigated, unsuccessfully.

one thing though – at a second’s notice, this could all be for nothing as the dns records could be updated with new ip addresses. there were hundreds of other sites also infected.

even if we could find the name server admin, some of these domains have as many as 40 nss. that doesn’t make life easy. then, these could change, too.

this is the weakest link online today in internet security, which we in most cases can’t mitigate, and the only mitigation route is the domain name.

every day we see two types of fast-flux attacks:
1. those that keep changing a records by using a very low ttl.
2. those that keep changing ns records, pretty much the same.

now, if we have a domain which can be mitigated to solve such
emergencies and one of you happen to run it, that’s great…
however, if we end up with a domain not under the care of you and yours.. we are simply.. fucked. sorry for the language.

icann has a lot of policy issues as well, and the good guys there can’t help. icann has enough trouble taking care of all those who want money for .com, .net or .xxx.

all that being said, the current situation can not go on. we can no longer ignore it nor are current measures sufficient. it is imperative that we find some solutions, as limited as they may be.

we need to be able to get rid of domain names, at the very least during real emergencies. i am aware how it isn’t always easy to distinguish what is good and what is bad. still, we need to find a way.

members of reg-ops:
what do you think can be conceivably done? how can we make a difference which is really needed on today’s internet?

please participate and let me know what you think, we simply can no longer wait for some magical change to happen.

sunshine.

thousands of malicious domain names and several weeks later, we face the current crisis. the 0day vulnerability is exploited in the wild, and mitigating the ip addresses is not enough. we need to be able to “get rid” of malicious domain names. we need to be able to mitigate attacks on the weakest link – dns, which are not necessarily solved by dns-sec or anycast.

on reg-ops and other operational groups, we came up with some imperfect ideas on what we can make happen on our own in short term which will help us reach better mitigation, as security does not seem to be on the agenda of those running dns:

1. a system by which registrars can acknowledge confirmed bad domains (under strict guidelines) and respond to the reports according to their aup and icann policy, thus “getting rid” of them in a much quicker fashion, is being set up at the isotf.
a black list for registrars, if you will. this is far from perfect and currently slow-going. naturally, this can not be forced on all registrars, nor do the black hat ones, care.

2. a black list for resolvers (hopefully large service providers) is also being created at the isotf, so that the risk of visibility of bad domains, as will be defined, can be minimized. naturally, no provider can be forced to use this list and there are millions of unaffiliated resolvers, etc.

other options that have been raised as technically possible, but considered unlikely and indeed, bad:

3. setting up a black list of domain names for tld servers, for them not to respond on.

4. creating an alternate root which we could trust.

another suggestion which was raised:

5. apply to change the icann policy.

we need a solution. this operational issue needs to be added as a main agenda item today so that tomorrow we will be ready to mitigate it. i blame myself to some degree for not raising this with higher echelons 2 and 3 years ago due to respect to those who have been working on dns for many years, but what’s done is done.

the operational communities do not always know how to voice their needs or the difficulties they face. nor will everyone agree on what the issues are. it is my strong belief (which is obviously my personal opinion), based on facts we see in daily security operations on the internet that this issue is paramount, and i am sending here a call for help to the dns experts of the world: what is our next step to be?

what do we currently intend to do (not my personal opinion):
we are formalizing a letter to icann’s ssac, as they are the top experts on dns infrastructure security issues, coming from operational folks at the isotf dealing with daily usage of the dns for abuse purposes (and specifically fastflux).

further, the isotf is moving forward with items #1 and #2 as mentioned above. #3 will have to remain as a contingency, #4 we have no influence to affect. #5 is currently being explored.

are we missing a possible solution? what does the larger community suggest?

gadi evron,
ge@beyondsecurity.com.

Targets of Allaple DoS-worm released

Information about the target Web sites of polymorphic worm Allaple has been released. Finnish CERT-FI unit has posted information to Bleeding Edge Threats Wiki database.

According to the report the targets are

www.starman.ee,
www.if.ee and
www.online.if.ee.

Note: The report is not fully visible when browsing with Safari. Firefox on XP and Mac are working OK.

AS Starman is Tallinn-based cable-TV operator and an ISP. If P&C Insurance Company is a subsidiary of Finnish Sampo Group.
Reportedly the worms have absolutely no Command and Control channels in them. I.e. if the author of the worm wants to disable these worms he or she can’t do it. The only solution is to patch these affected machines with MS04-012 – or format these workstations.

The first reports of the worm are from July 2006. This DoS attack is not a minor issue.
If you see this worm in your organization there are some typical characteristics:

* ICMP packets with the mystery string ‘Babcdefghijklmnopqrstuvwabcdefghi’
* HTTP GET requests to www.if.ee
and
* TCP SYN packets to www.if.ee (port 97)

This worm has several names – aka W32/Allaple-B, Rahack.W and Rahack.BB.