Danger and safety - virtual arms race

    What's wrong with us



    Locations of the infected devices found to be part of Mirai. Illustration by Imperva Incapsula.

    The essence of this reality is that there are always opposing processes in the world: competition, or war. And now cyberterrorism has reached a new level, tied to the use of the rapidly growing Internet of Things.

    These create threats and dangers to information, to data security and to the normal functioning of the network. The latest example is the attack on Dyn, which hit not only the provider itself but all of its customers. Among them are the most popular platforms and services on the network: Amazon, Twitter, GitHub, Heroku, Netflix, Spotify, Airbnb, Reddit, Etsy, SoundCloud, The New York Times, Starbucks, HBO, CNN, Basecamp, PayPal. This list is far from complete. More than 75 organizations were affected: online platforms for news outlets, financial organizations, service sellers, social networks, and the websites of development companies. Approximate losses come to $110 million for a single day. For now, no one can reliably name the causes of the attack, and representatives of the FBI (USA) have already joined the investigation. The event went beyond the administration to the "federal" level. Everyone affected will have to restore their reputation. It became clear that no one is as reliable as it seemed until recently.

    The cyber-arms race has probably been going on since the very idea of the network appeared. "Successful" examples are discussed by the whole planet; no one but the authors knows about the unsuccessful ones. The latest example exposed weaknesses in the protection of large sites from the Internet's TOP-20. What exactly the reason was and who exactly is responsible are always difficult questions. In any case, this is, as always, a confrontation for the sake of demonstrating superiority. When secrets appear, there are those who want to dig into them. Or vice versa. On the Internet, the struggle is between cybersecurity and cybercriminals. If there were no threats, protection would not be needed. Fire is fought with fire.

    Krebs and open source


    If we look at the essence of the issue, we see that a DDoS attack is itself a very simple action. Add to this that the malicious code became open and available for anyone to study just before the attack. A Dyn analyst wondered on his blog how the fact that the code was public would affect the company. The answer came very quickly. It was not difficult to use the open source for a new, powerful attack. Compared with Kevin Mitnick and his ingenious techniques, social ones included, these are just directed requests. Journalist Brian Krebs writes a lot about them and about cybersecurity in general, and he himself was the first to suffer from a new word in cyberterrorism: the Mirai botnet of things. His site was attacked about a month ago, which was reported on GT.



    The provider Akamai fought the attack until it had to choose the security of all its other clients. The main difference between this large attack and traditional earlier ones was that the requests were plain data packets, without amplification. The full story can be recalled on Geektimes.

    After the "attack" on Brian Krebs's website, a similar attack was recorded with twice the power; this time the site of the French company OVH suffered. At about the same time, the aggressor posted the botnet's code in open access.

    Historical background for enthusiasts


    Complaints about the first DDoS attacks began back in 1996. However, wide attention to the problem arose only at the end of 1999, when the web services of the world's largest corporations (Amazon, Yahoo, CNN, eBay, E-Trade and others) were disabled almost simultaneously. Urgent measures to solve the problem were taken only in December 2000, when the servers of key corporations were hit again.

    A curious analogous story about a technology akin to DoS attacks


    An interesting example of an ancestor of the DDoS attack is the so-called Säkkijärven polkka (the Säkkijärvi polka). In 1941, Soviet forces leaving Vyborg left behind radio-controlled bombs. The radio receiver switched on for 15 seconds every five minutes, and a bomb exploded if a strictly defined melody was being played. The Finns were able to neutralize the charges because they continuously broadcast the Säkkijärven polkka, and this jammed any other signal.

    And now back to our own time.

    How it was


    Dyn is a large provider of Domain Name System services. Most well-known Internet platforms work with it. According to the company's experts, the first attack began at about 7 a.m. on October 21. Most East Coast sites were unavailable. By 9:30 the problems were fixed, but not for long. The second wave of the attack came at 11:52, the third at around 5 p.m.

    While the investigation is conducted by researchers and the government at the official level, the public is learning new facts and details. Dan Drew, head of security at Level 3 Communications, said they had identified attacks coming from a large number of different locations, and that they are sure the already famous Mirai botnet is involved in these actions.

    Ars Technica added:
    "A botnet consisting of devices such as WiFi routers and Internet-connected video cameras sends a massive number of requests to Dyn's servers. At first glance the queries look legitimate, so it was difficult for Dyn's systems to distinguish them from normal user queries. Earlier in October the Mirai botnet code was publicly released. It and another botnet, Bashlight, exploited a vulnerability in BusyBox."

    The attacks inserted random strings of text in front of domain names, making them look like new, completely legitimate requests for addresses in the domain system. Caching results to speed up responses is impossible because of the random prefixes.
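The random-prefix trick described above is detectable on the resolver or authoritative side, because the distinguishing feature is not any single query but the share of never-before-seen, high-entropy labels under one zone. The following Python script is an added example, not code from the original post, from Dyn or from Ars Technica; the log line format, the constructed query lines, the "zone = last two labels" rule and the thresholds are all assumptions chosen for the illustration.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log lines (not real Dyn or Mirai traffic).
# Assumed format: "<timestamp> <client-ip> <qname> <qtype>".
SAMPLE_LOG = """\
2016-10-21T07:00:01Z 10.0.0.5 www.example.com A
2016-10-21T07:00:02Z 10.0.0.6 www.example.com A
2016-10-21T07:00:03Z 10.0.0.7 mail.example.com A
2016-10-21T07:00:04Z 10.0.0.8 api.example.com AAAA
2016-10-21T07:00:05Z 10.0.0.5 www.example.com A
2016-10-21T07:00:06Z 10.0.0.9 mail.example.com MX
2016-10-21T07:00:07Z 192.0.2.10 x7q2kd9sz1.victim.example A
2016-10-21T07:00:07Z 192.0.2.11 p0l3mwq8ae.victim.example A
2016-10-21T07:00:07Z 192.0.2.12 b4rt6yu1io.victim.example A
2016-10-21T07:00:08Z 192.0.2.13 m9n8v7c6x5.victim.example A
2016-10-21T07:00:08Z 192.0.2.14 qazwsxedc1.victim.example A
2016-10-21T07:00:08Z 192.0.2.15 lk0jh9gf8d.victim.example A
"""

LOG_LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def label_entropy(label):
    """Shannon entropy (bits per character) of one DNS label; 0.0 for empty."""
    if not label:
        return 0.0
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (leftmost label, zone). Assumption: the zone is the last two
    labels; production code would consult the public suffix list instead."""
    labels = qname.rstrip(".").lower().split(".")
    zone = ".".join(labels[-2:])
    prefix = labels[0] if len(labels) > 2 else ""
    return prefix, zone


def parse_log(text):
    """Yield (client, qname) from lines that match the assumed format."""
    for line in text.splitlines():
        m = LOG_LINE_RE.match(line.strip())
        if m:
            _ts, client, qname, _qtype = m.groups()
            yield client, qname


def detect_random_subdomain_flood(text, min_queries=5, uniq_ratio=0.8, min_entropy=3.0):
    """Per zone: share of distinct prefixes and mean prefix entropy.
    A zone is flagged when nearly every query carries a new, high-entropy
    prefix, which is exactly the pattern that defeats resolver caching."""
    stats = defaultdict(lambda: {"total": 0, "prefixes": set(), "entropy": 0.0, "clients": set()})
    for client, qname in parse_log(text):
        prefix, zone = split_qname(qname)
        s = stats[zone]
        s["total"] += 1
        s["prefixes"].add(prefix)
        s["entropy"] += label_entropy(prefix)
        s["clients"].add(client)

    findings = {}
    for zone, s in stats.items():
        if s["total"] < min_queries:
            continue
        ratio = len(s["prefixes"]) / s["total"]
        mean_entropy = s["entropy"] / s["total"]
        findings[zone] = {
            "total": s["total"],
            "unique_prefix_ratio": round(ratio, 2),
            "mean_prefix_entropy": round(mean_entropy, 2),
            "clients": len(s["clients"]),
            "flagged": ratio >= uniq_ratio and mean_entropy >= min_entropy,
        }
    return findings


if __name__ == "__main__":
    for zone, finding in detect_random_subdomain_flood(SAMPLE_LOG).items():
        print(zone, finding)
```

Run over the constructed sample, `example.com` (three ordinary hostnames queried repeatedly) stays unflagged, while `victim.example` (six queries, six distinct ten-character labels) is flagged. The client count is reported alongside because a flood that arrives from many sources at once, as it did from Mirai, is a further sign that it is not a misbehaving single client.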

    The full history of the attacks is described in English by The New York Times.

    It seems that what happened on Friday is akin to something biblical, something like a warning that you should never consider yourself too cool and omnipotent. Dyn executives say "the price of freedom is eternal vigilance."

    Are the robots already rising up?


    The question arises because the source of the attacks was identified as a great many "smart devices": from baby monitors to CCTV cameras, routers and digital video recorders. Precise data from Flashpoint's research department says the botnet's army consists of IP cameras and DVRs made by the Chinese company XiongMai Technologies. The manufactured parts are sold through a huge stream of vendors, so it is difficult to establish a specific buyer. Still, it is symbolic that Chinese devices attacked US servers.

    Reasons for the attacks


    The power of DDoS attacks keeps growing. Remember? First Krebs (a 612 Gb/s attack), then OVH, and now Dyn (an attack at 1 Tb/s). This goes hand in hand with the use of unprotected and infected Internet of Things devices connected to the global network. Huge numbers of fake requests are addressed to a specific server or set of servers, which become unavailable because they cannot handle the requests, or simply because the network or server does not have enough capacity to process them.

    More from here:
    "Custom attacks on competitors in order to reduce their profits and worsen their image. The practice in which companies do not improve their own positions directly but worsen the condition of competitors to achieve a goal does take place, despite all its dishonesty. Although who can provide statistics on which would be cheaper: to pay for powerful DDoS attacks or to invest in your own development. Probably attacks are still cheaper, faster, and thus easier. Paid for once, and the reputation takes a long time to restore. Whereas thinking, investing, developing ... takes a long time."

    The availability of hacking tools also plays a significant role in the processes described. Everything that is open can be used. This is easier than coming up with an idea and writing your own.

    Human nature does evil


    No matter how pathetic it may sound, this cannot be taken away. Starting with the first DDoS attacks, commercial companies like Amazon suffered first of all. So among the reasons one can also find the eternal question: "Why does someone smash the glass and unscrew the light bulbs in the stairwell?" Because they simply can, and want to. So it is with attacks. It is just that there are 1s and 0s. There are those who invent the Internet, and there are those who harm it for harm's sake. History keeps repeating, and the strength keeps growing.

    If all the evidence points to the Russians, then it is definitely not them.


    That is only logical, unless one assumes that the hackers counted on the belief that they would not be suspected, and were so stupid that they left many traces pointing directly at them. Or that they did it on purpose, to cast a shadow on someone else. The assumptions about what happened in Friday's wave of cyberterror are confused.

    Reputable security experts put forward their versions. Who could be behind the attacks: hackers from China, Russia, Iran, North Korea? Government-backed or independent? Investigations continue to be carried out by Dyn's specialists, by the state, and by scientists.

    Lesson learned?


    Things connected to the Internet are not protected at all (if you do not count the factory login and password). And things that have suffered from the attack once are no longer fit for use, unless someone specifically repairs them and disconnects them from the Internet. But that will not happen; there are too many of them. Nevertheless, the trend is that the Internet of Things will grow steadily.

    No short domain names and centralization


    Many people think it is necessary to introduce standards for things. Perhaps this issue should be raised at the meetings of the Internet's keepers.

    True, it is unlikely that all manufacturers of Internet-connected gadgets will release so much firmware and maintain it constantly, simply because of the remaining low probability of being one of the "attackers".

    The DNS systems proved fragile. There was a lack of backups for websites and companies that rely on outsourced providers. Steve Grobman, CTO at Intel Security, expressed concern that "this could happen again due to the success of the previous attempt." Of course it will happen again, and it will be more interesting and/or more powerful. He says that "trusting cloud services with connection security may be unnecessary. We must choose the basic, privileged providers that can be trusted with backups and other security measures in the fight against such attacks."

    Most services should aim for higher TTL values. A day is not so much, and in any case old IP records need to be kept for 24 hours because of caches that disregard the TTL value. In that case, services will not depend on what happens to the state of the central domain provider. In this way, the DNS providers will drop out of the attackers' sight.
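To make the TTL argument concrete, here is an added Python simulation (not the post's own code, nor Dyn's or any real resolver's implementation) of a caching resolver in front of an authoritative server that goes offline. The record, the 60-second and 86400-second TTLs, the outage window and the probe times are assumptions chosen for the illustration; the serve-stale window stands in for the "cache that disregards the TTL" mentioned above.

```python
from dataclasses import dataclass


@dataclass
class CachedRecord:
    rdata: str          # the answer (an IPv4 address here)
    expires_at: int     # simulated clock value at which the TTL runs out


class AuthoritativeServer:
    """Toy authoritative server; flipping `online` models the provider outage."""

    def __init__(self, zone, ttl):
        self.zone = zone
        self.ttl = ttl
        self.online = True

    def query(self, name):
        if not self.online:
            raise TimeoutError("authoritative server unreachable")
        return self.zone[name], self.ttl


class CachingResolver:
    """Recursive resolver with a TTL cache and an optional serve-stale window."""

    def __init__(self, upstream, serve_stale_max=0):
        self.upstream = upstream
        self.serve_stale_max = serve_stale_max   # seconds past expiry a stale answer may be used
        self.cache = {}

    def resolve(self, name, now):
        rec = self.cache.get(name)
        if rec is not None and now < rec.expires_at:
            return rec.rdata, "cache"
        try:
            rdata, ttl = self.upstream.query(name)
        except TimeoutError:
            # Upstream is down: fall back to an expired record if policy allows it.
            if rec is not None and now < rec.expires_at + self.serve_stale_max:
                return rec.rdata, "stale"
            return None, "SERVFAIL"
        self.cache[name] = CachedRecord(rdata, now + ttl)
        return rdata, "authoritative"


def simulate_outage(ttl, serve_stale_max=0, outage=(600, 7200), probes=(0, 30, 3600, 8000)):
    """Warm the cache at t=0, then probe while the authoritative side is down.
    Returns {probe_time: status}."""
    zone = {"www.example.com": "192.0.2.1"}  # constructed record, not a real address
    auth = AuthoritativeServer(zone, ttl)
    resolver = CachingResolver(auth, serve_stale_max)
    results = {}
    for t in probes:
        auth.online = not (outage[0] <= t < outage[1])
        _, status = resolver.resolve("www.example.com", t)
        results[t] = status
    return results


if __name__ == "__main__":
    print("TTL 60 s, no serve-stale:   ", simulate_outage(60))
    print("TTL 86400 s:                ", simulate_outage(86400))
    print("TTL 60 s + 24 h serve-stale:", simulate_outage(60, serve_stale_max=86400))
```

With a 60-second TTL the probe an hour into the outage fails (SERVFAIL), while a day-long TTL, or a 24-hour serve-stale window on the resolver, keeps the name resolving from cache until the authoritative side returns. Either choice shifts the dependency away from the provider being up at every moment, which is the point the paragraph makes; the trade-off is that a record change also takes up to a day to propagate.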

    Loss of traffic equals loss of profit. In the event of an attack, there should always be ways to route around it immediately. If no drastic measures are taken, there is only one forecast: attacks will become stronger and more frequent.

    The Internet of too-unsafe things


    It turns out that the Internet of Things is a fashionable topic that is constantly discussed. In reality it has no centralized platform, and the market is full of different devices with their own software updates. Security is not just a "feature" like a library file. Problems arise because no one updates the firmware.

    It is not surprising that the Internet's decision-making structures are run using methods reminiscent of initiation into the Masons.

    Order of the Phoenix


    The secret lodge of the people who keep the Internet under seven keys ...
    A symbolic and yet important ceremony took place, which, against the backdrop of the East Coast attacks, takes on new meaning. If you can control the DNS, you can control the entire Internet.

    ICANN (Internet Corporation for Assigned Names and Numbers) has been meeting every three months for the sixth year now. Together the participants perform a top-secret ritual known as the key ceremony. During it, the keys to the metaphorical lock of the Internet are checked and updated. ICANN is responsible for assigning numeric Internet addresses (IPs) to websites and computers.

    To protect DNS, the organization selected seven people for the role of key keeper. Each of them received an actual physical key to the Internet. Another seven people became reserve key keepers. The ceremony requires at least three participants with their keys; that is how many keys are needed to access the DNS security equipment.

    The physical keys open safe deposit boxes. Inside them are smart keys in the form of cards.

    The master key is a code: the password for access to ICANN's master database. This key generates several keys that protect individual parts of the Internet in different places and are used by different Internet security organizations.

    The ceremony is also surrounded by several layers of security. Participants pass through several locked doors using key codes and hand scanners. In the end they enter a room from which no electronic communication signals can be transmitted.

    Tomorrow, October 27, ICANN will hold another historic ceremony. During it, for the first time, the main key itself will change. In technical terms, this means that the key pair on which all DNS security rests will change. It is called the root zone signing key.
