The 300Gbps March DDoS attack

The subject of the last week, still echoing around, could be nothing other than the internet war between the spam fighters at Spamhaus and the spam criminals hosted mainly at CyberBunker: huge volumes of traffic generated and sent with one single objective, to disrupt a company’s service.

CloudFlare, hired to protect Spamhaus, took a ride on the F.U.D. rollercoaster with a self-marketing “Damn! We Are Good!!” post.

They really made every effort to explain how they are able to defend clients using cloud, multi-routing and anycast concepts, and how our connected lives were in danger during all those days.


The Attack – according to CloudFlare

One thing is certain: they really did manage to protect Spamhaus.

But, on the other hand, the “biggest attack in all internet history” only truly affected their client, not the Internet, not the Matrix, nor the City of Machines or all of existence, as their blog announces.

Gizmodo published one of the first “hold your horses” statements with the other side of the story, on Thursday.

We also had Bill Brenner saying pretty much the same thing, one day later.

Having been able to browse the internet over South and North American networks during all those days without noticing a single problem, I couldn’t agree more with them.


The Attack – according to the rest of internet

In the end, what I really enjoyed was the amount of thoughts, tips, documents and incident response discussions that took place on forums.

I’ve been trying to gather all the valuable material derived from these debates to post here as a future reference.

My intention is to concentrate the good information and guides I saw around, new or old, that are relevant to this kind of attack, from monitoring to response, prevention, preparation and so on.

Basic Definitions:

Real-time info about problems:

Protection tools and configurations:

Incident Response preparation guides:

  • Societe Generale’s CSIRT Cheat Sheet
  • D/DoS Incident Response Plan/Runbook (docx format)
  • Radware ‘survival’ ‘handbook’ – Ok, you can’t use it to survive, but it has good historical information and a sample of an IT admin’s diary during his first experience with a similar problem. Too bad he ends that experience suddenly.

Cybercrime Laws

This is a work in progress! If you have good reading on this subject to suggest, send me a comment!

A glance at Percoco’s Lifecycle of cyber crime – RSA 2013

Watching Trustwave’s VP Nicholas Percoco speak at RSA 2013.

To be honest, I’m having trouble linking his speech to the proposed theme. Yes, it touches on it, but it’s kind of something else.

The text below is my attempt at writing about the highlights. [SPOILER alert below!!!]

In the first two minutes, you learn that the world has a population of 7 billion, but “only” 1 billion have some kind of IT device, plus information hosted on 25 million databases. Oh, and of course, criminals don’t want single victims. They need profit, and they can only get it if they “fish all around”.

BTW, you can definitely skip from 1’45” to 3’10”, his story about family fishing (real fish). That’s really not something necessary for an RSA conference.

Up to minute 4′ you will also learn which countries have potential victims (a lot of 1st world countries plus some BRIC countries etc.)

At 4’03”, some good info. Companies take (on average) 210 days to realize they have had a breach and start doing something to stop the problem. 5% of companies (the ones good at security) realize there is a problem within 10 days. But 20% of companies could take TWO YEARS to detect they have been hacked (wtf).

At minute 5′ some jibber-jabber. The “attackers” can be anywhere. Ok, let’s skip that too.

So, jump to minute 6′ and we hear about APTs and zero-days versus the common mistakes that attackers actually exploit to get in. He is now explaining that not a single investigation performed by Trustwave found an attack using advanced techniques (a very good and impressive conclusion). The investigated intrusions were actually based on:

– Remote Access

– SQL Injection

– Legitimate account usage (yeah, people still publish web portals with admin / admin as user / password) – some people beg to be hacked…

– Web-based attacks (Java, browser, Flash vulnerabilities)

– Malicious files

– Remote file inclusion

– Remote code execution

– Authorization flaw

– Physical theft

We are now close to minute 8′ and we hear that “six major cyber gangs” are running the main crimes around the globe. Well, can I have some names here?

Now, what is really tied to the speech’s title: the life cycle. The process starts with “greed, good living..” and goes on like this:

Greed –> Victim identification –> Infiltration –> Propagation –> Aggregation –> Exfiltration –> Buyer identification –> Data Liquidation –> Recycling.

We are now close to minute 13′ and things start to really move away from the process described above.

The attack demo is indeed interesting, but I didn’t see it as a cyber crime life cycle. Plus, the path to the “Work” folder seems different from what was found in the rar file on the destination FTP. I sense some BS here.

At minute 17′, he brings in Erik Rasmussen from the US Secret Service to answer questions sent by people on twitter. Now I can say the theme is really gone (the questions & answers are not even interesting…).


Ok, it was a 30-minute (pretty quick) presentation, but it should have been used to actually cover the cyber crime process explained above in a deeper way. In the end, it was a sum of slides from different subjects.

Plus, I am always wary when a presentation includes a Secret Service or CIA agent. This may sound obvious, but they are not going to tell you the good stuff. They will speak about public statistics, numbers, what happened in big investigations already covered by the news and blah blah blah.

The really good new attack strategies or investigation methods will always be classified information, and the SS / CIA are not going to tell you, no matter how much you have spent on RSA, Def Con or Black Hat credentials.

For me, some aspects served as inspiration for other ideas (I will write about them in the future), but thinking about the whole video, it could have added more value.