The 300Gbps March DDoS attack

The subject of the last week, still echoing around, could only be the internet war between the spam fighters at Spamhaus and spam criminals, mainly hosted at CyberBunker: huge loads of data created and sent with one single objective, disrupting a company's service.

CloudFlare, hired to protect Spamhaus, took a ride on the F.U.D. rollercoaster with a self-marketing “Damn! We Are Good!!” post.

They really made every effort to explain how they are able to defend clients using cloud, multi-routing and anycast concepts, and how our connected lives were in danger during all those days.


The Attack – according to CloudFlare

One thing is certain: they really did protect Spamhaus.

But, on the other hand, the "biggest attack in all internet history" only truly affected their client, not the Internet, not the Matrix, nor the City of Machines or all of existence, as their blog announces.

Gizmodo published one of the first "hold your horses" pieces, with the other side of the story, on Thursday.

We also had Bill Brenner saying pretty much the same thing, one day later.

Having browsed the internet over South and North American networks during all those days without noticing a single problem, I couldn't agree more with them.


The Attack – according to the rest of internet

In the end, what I really enjoyed was the amount of thoughts, tips, documents and incident response discussions that took place in forums.

I've been trying to gather all the valuable material that came out of these debates to post here for future reference.

My intention is to collect the good information and guides I saw around, new or old, that are relevant to this kind of attack, from monitoring to response, prevention, preparation and so on.

Basic Definitions:

Real-time info about problems:

Protection tools and configurations:

Incident Response preparation guides:

  • Societe Generale’s CSIRT Cheat Sheet
  • D/DoS Incident Response Plan/Runbook (docx format)
  • Radware 'survival' 'handbook' – OK, you can't use that to survive, but it has good historical information and a sample of an IT admin's diary during his first experience with a similar problem. Too bad he ends that experience suddenly.

Cybercrime Laws

This is a work in progress! If you have good reading to suggest on this subject, leave me a comment!


Vulnerability Monster Reports? You are a Tool!

If you have a scanner to search your entire network for problems, know this:

1 – The scanner is not the Oracle. No matter how much you trust the vendor, you can't just send 16,000 "high" vulnerabilities to your IT department, without any kind of relevance classification, and expect them to read it;

Dr Scanner Evil

2 – If you do this, you are just "washing your hands" and preparing a foolish line like "my last report warned you about this and nothing was done!" in case something bad happens. Plus, if a breach really does happen, you are not likely to be informed, because the CIO is not going to hand you rocks to break his own window;

3 – Scanners have some kind of false-positive list. USE IT. It could trim a lot from that 500 MB PDF you intend to send;

4 – If you are too cowardly to pick a vulnerability out of the 16,000 and classify it as bullshit not relevant, then everybody else in your company will know you have zero knowledge of vulnerability management;

5 – Before asking IT for action, choose an application with real, severe problems, not one with "too many problems in the report". People will know you are being driven by numbers, and they will put almost no effort into testing a new package just to shrink the totals in a report;

6 – Don't use pivot tables or count functions to decide which problem to attack first; otherwise, again, you are a slave to numbers. This is not vulnerability management;

7 – If you don't read blogs and research sites looking for exploits, or when you do, you can't figure out which exploit applies to your environment, then you will never be able to call a problem relevant or classify anything;

8 – Bring the IT teams to your side by explaining, in technical detail, why you would like to test and install that patch on all computers. Be ready to defend your idea with real arguments, not with F.U.D.;

9 – If, after all of the above tips, you still plan to keep working this way, be sure your network is about to be, or already is, exploited;

10 – Finally, if you think breaches are an IT problem as long as you reported every possible hole in your monster list, you should really start considering another career away from Information Security.
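As an added illustration of points 3 to 6 (my own example, not code from the original post), here is a small Python triage that suppresses verified false positives and ranks findings by relevance to your own environment instead of by how many "high" lines the scanner produced. The report rows, plugin ids, host names and field names are all constructed for the example.

```python
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    plugin: str           # scanner check id (constructed)
    app: str              # affected package
    severity: str         # the scanner's own label: "high" / "medium" / "low"
    exploit_public: bool  # working public exploit known, from your own research, not the scanner
    exposed: bool         # vulnerable service actually reachable in your environment


# Constructed sample of a scanner export: a pile of "high" rows for one desktop
# package nobody can reach, and a single genuinely relevant row for a server app.
REPORT = [
    Finding("ws-01", "P-100", "pdf-reader", "high", False, False),
    Finding("ws-02", "P-100", "pdf-reader", "high", False, False),
    Finding("ws-03", "P-100", "pdf-reader", "high", False, False),
    Finding("ws-04", "P-101", "pdf-reader", "high", False, False),
    Finding("srv-01", "P-200", "web-app", "high", True, True),
    Finding("srv-02", "P-300", "legacy-agent", "high", True, True),  # verified false positive
]

# The false-positive list: (plugin, host) pairs someone actually checked and signed off on.
FALSE_POSITIVES = {("P-300", "srv-02")}


def count_driven(report):
    """The pivot-table approach the post argues against: pick the app with the most 'high' rows."""
    counts = Counter(f.app for f in report if f.severity == "high")
    return counts.most_common(1)[0][0]


def relevance_key(f):
    # Reachability and a known exploit outweigh the raw severity label.
    return (f.exposed, f.exploit_public, f.severity == "high")


def relevance_driven(report, false_positives):
    """Suppress verified false positives, then rank what is left by relevance to this environment."""
    kept = [f for f in report if (f.plugin, f.host) not in false_positives]
    return sorted(kept, key=relevance_key, reverse=True)


def first_action(report, false_positives):
    """The single application to bring to IT first, with a technical reason attached."""
    return relevance_driven(report, false_positives)[0].app
```

With the sample report, counting picks "pdf-reader" (four rows, none reachable), while relevance picks "web-app" (one row, exposed and exploitable); that one row is the argument you take to IT.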

Did I say anything wrong or obtuse? Write your thoughts below. I’ll be happy to read your ideas!

We close our eyes…

…and the world has turned around again (thanks, Danny Elfman).

It seems like it happened yesterday, but no. The world is changing, but I don't feel it in the water or in the air (sorry, Galadriel).

I met very nice people at companies that became other companies, or were swallowed by giants.

You can call me melancholic. Or simply old. But I saw:

– Internet Security Systems, and the entire X-Force team, a security reference in the early 2000s, almost disappear into IBM;

– CipherTrust being acquired by Secure Computing, which was acquired by McAfee, together with the good people of SafeBoot, which is now an Intel division;

– SonicWALL become Dell;

– NetScreen become Juniper;

– Cisco acquire Linksys (and now want to sell it again), together with tens of other companies. Just check their website; they need to organize their acquisitions by year;

– TippingPoint become 3Com, which is now HP;

– NetIQ and Novell purchased by Attachmate;

And what do I think about all those moves?

Well, the smallest effect was my trash can filled with old business cards.

The worst? Good people being let go or buried in giant bureaucracies, not to mention less competition in the market.

10x Rolling Eyes

I was wondering this morning if I could build a list of 10 lies bullshits that InfoSec "professionals" and C-levels make up as excuses for their security decisions. Let's see:

1 – “There is a risk in this project, but I don’t have time to explain it to you in details”;

2 – "Users' productivity is an InfoSec concern, so we need to monitor how much time each one spends browsing the Internet";

3 – "There is a norm against this" (but if you push to see it, you will eventually hear that it is still being written and will be published);

4 – “There are 415 high vulnerabilities related to this software and they are all relevant in our environment, according to our specialists” (you mean, according to your McAfee Vulnerability Scanner?);

5 – “We must be involved in every single project and acquisition, but we can’t take ownership of anything”;

6 – "If we have ZERO in any of our security measures, we need to check it again. Showing issues is important to make the board realize how important our work is";

7 – "I can't pay for training sessions for my staff, or they will put it on their resumes and leave the company" (OK, I agree this line is not exclusive to InfoSec);

8 – “We need to keep the 27001 certification, so I cannot approve this project / software / printer supplier / risk exception / coffee brand / underwear colour”;

9 – "3-pass wipe? Are you insane? Data can be EASILY recovered. Make sure you do 27 passes, like the DoD! And after wiping, pulverize it";

10 – “Let’s investigate that employee, because the company needs some excuse to fire him”.