Showing posts with label ddos. Show all posts

Mar 7, 2008

DDoS progress

[image from ayearofsongs.org]

The Gala Coral Group reported that last year their gambling sites got hit by a 10Gb DDoS attack. Their Information Security Officer spoke at the recently concluded e-Crime Congress 2008.

I'm not sure about the exaggerations, but an interesting part is:

Attackers disguised the build up of traffic from up to 30,000 PC and Apple Mac botnet computers during the attack by analysing and reproducing the browsing habits of the sites' typical users.
Windows PCs no longer have a monopoly on botnet herds. The attackers also took the trouble to make the attack hard to defend against.

It sure is hard to separate the attack traffic if everything looks like legitimate access. Their firewall also proved to be worthless:
More worrying, during a second attack the botnet blocked attempts by the websites to stop them using a port firewall while continuing sending out data to carry on the attack.
Putting up a firewall during a big DDoS attack is useless, even a stateless one. You need to work with your upstream provider to mitigate these attacks, and since everything looks legitimate, $DEITY help you.

Resistance is futile.

Feb 21, 2008

Post Valentine DDoS

As seen from various sources such as Arbor, Shadowserver and a couple of gambling sites, DDoS is back in the limelight. Gambling sites have been getting hit since around Valentine's Day.

I've noticed small 12-hour attacks from Feb 13-15 on a couple of gambling sites hosted here in the Philippines. I reckon the attack is not directed at the sites I'm monitoring; they are being affected by attacks on other sites hosted by the same provider. A sample from one of them:

[graph: feb14-ddos-ph]

Another site I'm monitoring, which is hosted in Taiwan, got hit directly from Feb 18-19, was down and is now back up. You will also notice the broken lines, which indicate it was going up and down for the duration of the DDoS attack.

[graph: feb18-ddos-tw]

Attacks are a mix of spoofed and non-spoofed ICMP, UDP, TCP SYNs and HTTP GETs. DDoS really is the greatest threat to the online gambling industry, and it won't go away anytime soon.

Feb 18, 2008

Top 10 Podcast Episodes

Over the years I have compiled my favorite security podcast episodes. Here is my list of the top ten shows. Most of these episodes are interviews. Here they are, in no particular order:

  1. The Silver Bullet Security Podcast, Show 013 - An Interview with Ross Anderson
    Gary McGraw interviews Ross Anderson, author of the book Security Engineering. He is one of the researchers in the Security Group at the University of Cambridge Computer Laboratory, which has a blog that I check regularly called Light Blue Touchpaper.

    Gary and Ross talk about the book, the economics of information security, Ben Edelman's paper, disclosure and RFID MITM attacks.

  2. The Silver Bullet Security Podcast, Show 016 - An Interview with Greg Hoglund
    Gary interviews Greg Hoglund, author of Exploiting Software, Rootkits and Exploiting Online Games. In fact, Gary McGraw co-authored the first and third books mentioned.

    They talk about reverse engineering, disclosure, rootkits, EULAs, exploiting software and cheating in online games.

  3. SploitCast Podcast #008
    Guest Victor Oppleman, author of Extreme Exploits, discusses the RADB, ISP attacks, darknets, uRPF, botnets, DDoS, DNS attacks and tools.

    I originally wanted to feature a ThreatCast interview of Barrett Lyon, founder of Prolexic, but I think this interview of Victor covers more ground, not just DDoS attacks.

  4. SploitCast Podcast #016
    The host interviews Dino Dai Zovi, discussing the fascinating topic of virtual machine rootkits, OS X security, wifi attacks, vulnerability development, disclosure and Microsoft security.

  5. StillSecure, After all these years, Podcast #47 - Web application security with RSnake and Jeremiah
    Alan and Mitchell interview Robert "RSnake" Hansen of ha.ckers.org, founder of SecTheory, and Jeremiah Grossman, founder and CTO of WhiteHat Security. Of course they discussed application security, and of course focused more on web application security.

  6. ThreatCast - Great debate podcast : NAC v SNF
    Alan Shimel, Chris Hoff, Richard Stiennon and Mike Rothman debate NAC, Network Admission Control. Bullshit was thrown, heads were rolling and no conclusions were reached.

  7. Security Now 91: Marc Maiffret of eEye Digital Security
    Leo and Steve interview Marc Maiffret. Marc talks about how he got started in security, Windows and Mac OS X security, 0days, vulnerability development, client-side attacks and eEye's products.

  8. McAfee AudioParasitics Episode 17
    Jim and Dave are joined by Dave Aitel of Immunity. Dave Aitel talks about his stint at @stake, Immunity's products, mobile devices, penetration testing, virtualization, vulnerability development and malware.

  9. McAfee AudioParasitics Episode 19
    McAfee AudioParasitics Episode 20
    This two-part show features guests Rafal Wojtczuk and Rahul Kashyap. The hosts and the guests talk about malware on virtual machines and virtualization security in general.

  10. PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 1
    PaulDotCom Security Weekly - Interview with Mike Poor & Ed Skoudis - Part 2
    Larry and Paul interview Mike Poor and Ed Skoudis. They talk about their first computers, how they got started in security, SANS, ISC, botnets, malware, Brazilian hacker groups, physical NOP sleds, research and security in general.

Listen to these podcasts while they're still online and most of the topics discussed aren't stale yet.

Jan 27, 2008

Spoofing

If you have experience doing DDoS mitigation, it will be impossible not to encounter IP address spoofing. Spoofing makes it harder to track the source of an attack, which is why it is still an effective, if primitive, technique for hiding botnets.

Nowadays it is hard to spoof non-routable addresses. Most ISPs, even the small ones, no longer allow packets with non-routable source addresses to leave their networks. Those in the DDoS business have no choice but to use routable source addresses, spoofed or not. Spoofed source addresses can be:

  • Random
  • Fixed
  • Subnet
  • En route

Random simply means that a random IP address is used by the attacking host. Filtering done by routers and gateways makes random IP spoofing less effective than the other techniques. Fixed spoofing uses an arbitrarily chosen address, which is mandatory for attacks like DNS amplification/reflection, where the chosen address is the victim that receives the responses. With subnet spoofing, an address in the attacker's own subnet is spoofed to bypass filters. For example, if the compromised host resides in the 5.25.80.0/24 network, it will be able to spoof addresses between 5.25.80.1-5.25.80.255. It will be hard for the router on the next hop to detect the spoofing unless it has that capability to begin with, since the address is one the router expects to see from that link. En route spoofing is done when an attacker spoofs the address of a machine that resides along the path to the victim.

The most pervasive spoofed packets are UDP, ICMP and TCP SYN. SYN packets are mainly used for brute-force attacks. Even if an attacked host has TCP SYN cookies deployed, it will still be vulnerable to TCP SYN attacks that overwhelm the network with more packets than it can handle. If I am not mistaken, spoofed UDP and ICMP packets are more pervasively used for DDoS nowadays. Fortunately this is not the 90's anymore; SMURF attacks are no longer effective. The new uses for spoofed UDP packets are direct DNS attacks and DNS amplification/reflection attacks.

For the relevant RFC entries see section 2.5.5 of RFC 3871, section 5.3.8 of RFC 1812 and RFC 2827 (ingress filtering).
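To make the four categories and the RFC 2827 ingress filter concrete, here is an added example (not code from the original post). It parses lines in the same summary shape as the tcpdump output shown further down in this post and applies a simple source-prefix check of the kind a provider puts on a customer port: a source address outside the prefix assigned to that port is dropped. The customer prefix 10.20.30.0/24 and the log lines are constructed for illustration. Note what the check can and cannot catch: random and fixed sources outside the prefix are dropped, but a subnet-spoofed source inside the prefix passes, exactly the weakness described above.

```python
"""Added example: an RFC 2827 / BCP 38 style ingress check over
constructed tcpdump-style lines. Not the post's own code."""
import ipaddress
import re

# Hypothetical prefix the customer behind the filtered port is allowed to
# originate packets from (constructed for this example).
CUSTOMER_PREFIXES = [ipaddress.ip_network("10.20.30.0/24")]

# Constructed sample lines in the shape of tcpdump's IP summary output.
# Line 1 and 4 come from inside the prefix (4 is a "subnet spoof" of a
# neighbour); 2, 3 and 5 are fixed/random spoofs from outside it.
SAMPLE_LINES = """\
IP 10.20.30.7 > 10.10.10.10: ICMP echo request, id 1, seq 0, length 8
IP 64.233.187.99 > 10.10.10.10: ICMP echo request, id 2, seq 0, length 8
IP 198.51.100.77.53 > 10.10.10.10.80: tcp 0
IP 10.20.30.250.53 > 10.10.10.10.0: UDP, length 0
IP 203.0.113.9.53 > 10.10.10.10.80: tcp 0
"""

# 'IP <src>[.<port>] > <dst>[.<port>]: <proto> ...'. The port suffix is
# optional because ICMP lines carry none. IPv4 only, like the post's traces.
_LINE_RE = re.compile(
    r"^IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<proto>\S+)"
)


def parse_line(line):
    """Return (source address, protocol name) for one summary line, or None
    when the line does not look like a tcpdump IP summary."""
    m = _LINE_RE.match(line.strip())
    if not m:
        return None
    proto = m.group("proto").rstrip(",").upper()  # 'UDP,' -> 'UDP'
    return ipaddress.ip_address(m.group("src")), proto


def source_allowed(src, prefixes=CUSTOMER_PREFIXES):
    """RFC 2827 ingress check: the source must lie inside a prefix the
    customer may originate from. Anything else is spoofed or misrouted
    and should be dropped at the provider edge."""
    return any(src in prefix for prefix in prefixes)


def audit(lines=SAMPLE_LINES, prefixes=CUSTOMER_PREFIXES):
    """Classify every parsed line as 'pass' or 'drop'.
    Returns a list of (src, proto, verdict) tuples in input order."""
    verdicts = []
    for line in lines.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, proto = parsed
        verdict = "pass" if source_allowed(src, prefixes) else "drop"
        verdicts.append((str(src), proto, verdict))
    return verdicts


if __name__ == "__main__":
    for src, proto, verdict in audit():
        print(f"{verdict:4s} {proto:4s} {src}")
```

The filter has to sit where the provider knows the legitimate prefix, i.e. on the customer-facing port; further upstream, where many prefixes are valid, the same check degrades into the "is it routable at all" test the post says most ISPs already do.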

Recently I found a provider here in the Philippines that allows spoofed packets to leave their network. For reference, here is a traceroute of the path where I did the test:
1 [AS9497] [APNIC-CIDR-BLK/DIGITEL-DIAL-UP] [gw.of.host.i.control] 2.2ms
2 [AS9497] [APNIC-CIDR-BLK/DIGITELONE] 202.138.144.66 1.9ms
3 [AS3549] [APNIC-CIDR-BLK/ANC-NETBLK01] 203.192.153.201 37.2ms
4 [AS10026] [APNIC-CIDR-BLK/ANC-NETBLK02] 202.147.16.101 37.3ms
5 [AS10026] [APNIC-CIDR-BLK/ANC-NETBLK02] 202.147.49.209 73.5ms
6 [AS3549] [APNIC-CIDR-BLK/ANC-NETBLK01] 203.192.188.14 73.1ms
7 [AS4775] [APNIC-CIDR-BLK/GLOBET-PH] 203.177.211.217 113.5ms
8 [AS4775] [APNIC-CIDR-BLK/GLOBET-PH] 203.177.31.86 114.2ms
9 [AS4775] [APNIC-CIDR-BLK/GLOBET-PH] 203.177.31.46 112.4ms
10 [AS4775] [APNIC-CIDR-BLK/GLOBET-PH] 203.177.31.41 112.9ms
11 [AS4775] [APNIC-CIDR-BLK/GLOBET-PH] 203.177.55.49 118.3/*ms
12 [AS9386] [APNIC-CIDR-BLK/DESTINYNOC] 202.8.224.131 117.9ms
13 * * *
14 [AS9386] [APNIC-CIDR-BLK/DESTINYNOC] [target.host.i.control] 223.4ms
I tested fixed, subnet and en route spoofing. Port 53 was used as the TCP and UDP source port and port 80 as the destination port. I sanitized the target host IP in the sniffer logs.

For fixed source address spoofing I used a Google IP:
IP 64.233.187.99 > 10.10.10.10: ICMP echo request, id 20051, seq 0, length 8
IP 10.10.10.10 > 64.233.187.99: ICMP echo reply, id 20051, seq 0, length 8
IP 64.233.187.99.53 > 10.10.10.10.0: UDP, length 0
IP 10.10.10.10 > 64.233.187.99: ICMP 10.10.10.10 udp port 0 unreachable, length 36
IP 64.233.187.99.53 > 10.10.10.10.80: tcp 0
IP 10.10.10.10.80 > 64.233.187.99.53: tcp 0
IP 64.233.187.99.53 > 10.10.10.10.80: tcp 0

For subnet source address spoofing I used one of the IPs in the subnet where the source resides:
IP ?.?.?.? > 10.10.10.10: ICMP echo request, id 15699, seq 0, length 8
IP 10.10.10.10 > ?.?.?.?: ICMP echo reply, id 15699, seq 0, length 8
IP ?.?.?.?.53 > 10.10.10.10.0: UDP, length 0
IP 10.10.10.10 > ?.?.?.?: ICMP 10.10.10.10 udp port 0 unreachable, length 36
IP ?.?.?.?.53 > 10.10.10.10.80: tcp 0
IP 10.10.10.10.80 > ?.?.?.?.53: tcp 0

For en route source address spoofing I used one address each from AS9497, AS10026 and AS4775:
IP 202.138.144.66 > 10.10.10.10: ICMP echo request, id 9299, seq 0, length 8
IP 10.10.10.10 > 202.138.144.66: ICMP echo reply, id 9299, seq 0, length 8
IP 202.138.144.66.53 > 10.10.10.10.0: UDP, length 0
IP 10.10.10.10 > 202.138.144.66: ICMP 10.10.10.10 udp port 0 unreachable, length 36
IP 202.138.144.66.53 > 10.10.10.10.80: tcp 0
IP 10.10.10.10.80 > 202.138.144.66.53: tcp 0
IP 202.138.144.66.53 > 10.10.10.10.80: tcp 0

IP 202.147.49.209 > 10.10.10.10: ICMP echo request, id 35155, seq 0, length 8
IP 10.10.10.10 > 202.147.49.209: ICMP echo reply, id 35155, seq 0, length 8
IP 202.147.49.209.53 > 10.10.10.10.0: UDP, length 0
IP 10.10.10.10 > 202.147.49.209: ICMP 10.10.10.10 udp port 0 unreachable, length 36
IP 202.147.49.209.53 > 10.10.10.10.80: tcp 0
IP 10.10.10.10.80 > 202.147.49.209.53: tcp 0
IP 10.10.10.10.80 > 202.147.49.209.53: tcp 0

IP 203.177.31.86 > 10.10.10.10: ICMP echo request, id 36179, seq 0, length 8
IP 10.10.10.10 > 203.177.31.86: ICMP echo reply, id 36179, seq 0, length 8
IP 203.177.31.86.53 > 10.10.10.10.0: UDP, length 0
IP 10.10.10.10 > 203.177.31.86: ICMP 10.10.10.10 udp port 0 unreachable, length 36
IP 203.177.31.86.53 > 10.10.10.10.80: tcp 0
IP 10.10.10.10.80 > 203.177.31.86.53: tcp 0
IP 203.177.31.86.53 > 10.10.10.10.80: tcp 0

Jan 3, 2008

Online gambling security: DDoS

This is the follow-up to the previous online gambling security post.

Distributed Denial of Service attacks are one of, if not the, greatest threats to the online gaming industry and other online businesses. Decreased uptime results in a damaged reputation and lost revenue.

During the course of the attack, computing resources and bandwidth are overwhelmed with illegitimate requests. The attackers will likely contact the webmasters, or whoever is deemed in charge, and demand a ransom to stop the attack; this is cyber-extortion. DDoS is also a tool for competitive sabotage. Some online gambling entities initiate attacks on competitors to boost their own earnings by luring away prospective players.

The "Distributed" in DDoS refers to the method wherein several machines ranging from hundreds to thousands of zombie nodes are used to do the actual attack. These network of zombie nodes or machines is referred to as a Botnet. A 5000-strong botnet can pump as much as 1Gb of network traffic and millions of PPS.

Nodes in a botnet are usually Windows machines installed with trojans and/or infected by malware. These machines are under the control of the botnet master using a command and control (C&C) server-client system. Recent advances in C&C techniques have allowed the creation of networks without the classical malware infection. JavaScript with Flash and Web 2.0 provided criminals with a new vector for C&C and also increased the malware infection rate. P2P communication can also be used for running the C&C.

Zombies are not limited to Windows machines. In December 2005, Prolexic staff spent the holiday season fighting a DDoS attack from Japan wherein the zombies were Linux servers with big bandwidth. The Linux machines were compromised through PHP web application vulnerabilities.

To combat the DDoS threat you have to work with your Internet provider. Before signing up, inquire about their policy on DDoS attacks. There are companies like Prolexic that provide DDoS mitigation services. Prolexic's first client was the online sports bookie BetCris. The company came into existence largely through the work that was done to combat DDoS attacks on BetCris.

DIY mitigation is also possible if it is a small ~1Gb attack. On Linux you can do rate limiting, cleansing and tarpitting. OpenBSD can do rate limiting and cleansing. These capabilities are the same ones built into the Prolexic, Arbor and Top Layer devices.
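As an added example of the rate limiting mentioned above (not the post's own code), here is a per-source token-bucket limiter with an optional aggregate bucket for the whole link, run over three constructed packet streams: a polite client, a single flooding source, and a flood that changes its (spoofed) source on every packet. The rates, bursts, addresses and timings are all made up for the demonstration; time is kept in integer milliseconds and tokens in thousandths so the arithmetic is exact. The third stream shows the caveat a DIY box runs into: a per-source limit alone passes every packet of a randomly spoofed flood, so an aggregate limit is also needed, and that aggregate limit throws away legitimate traffic along with the rest.

```python
"""Added example: per-source plus aggregate token-bucket rate limiting over
constructed packet streams. Not code from the original post."""
from collections import defaultdict

SCALE = 1000  # one token == 1000 milli-tokens; one packet costs one token


class TokenBucket:
    """Classic token bucket: `rate` tokens per second, at most `burst` stored."""

    def __init__(self, rate, burst):
        self.rate = rate              # tokens added per second
        self.cap = burst * SCALE      # capacity in milli-tokens
        self.tokens = self.cap        # start full
        self.last_ms = 0              # time of the last refill

    def allow(self, now_ms):
        # `rate` tokens/s is exactly `rate` milli-tokens per millisecond.
        refill = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.cap, self.tokens + refill)
        self.last_ms = now_ms
        if self.tokens >= SCALE:
            self.tokens -= SCALE
            return True
        return False


class Limiter:
    """One bucket per source address, plus an optional aggregate bucket that
    caps the total rate regardless of how many sources are seen."""

    def __init__(self, src_rate, src_burst, agg_rate=None, agg_burst=None):
        self.per_src = defaultdict(lambda: TokenBucket(src_rate, src_burst))
        self.agg = TokenBucket(agg_rate, agg_burst) if agg_rate else None

    def accept(self, now_ms, src):
        if not self.per_src[src].allow(now_ms):
            return False
        if self.agg is not None and not self.agg.allow(now_ms):
            return False
        return True

    def run(self, packets):
        """packets: iterable of (timestamp_ms, source). Returns the number
        of packets that got through."""
        return sum(1 for t, src in packets if self.accept(t, src))


# Constructed streams (documentation-range addresses, made-up timing).
LEGIT = [(1000 * i, "198.51.100.10") for i in range(5)]        # 1 pkt/s
FLOOD_ONE_SRC = [(10 * i, "203.0.113.5") for i in range(50)]   # 100 pkt/s
FLOOD_RANDOM = [(i, f"203.0.113.{i}") for i in range(100)]    # 1000 pkt/s, new src each


def scenarios():
    """Run each stream through a per-source-only limiter and through a
    per-source + aggregate limiter. Returns
    {name: (accepted_per_src_only, accepted_with_aggregate, total)}."""
    out = {}
    for name, pkts in (("legit", LEGIT),
                       ("flood_one_src", FLOOD_ONE_SRC),
                       ("flood_random", FLOOD_RANDOM)):
        per_src_only = Limiter(src_rate=2, src_burst=5)
        with_agg = Limiter(src_rate=2, src_burst=5, agg_rate=100, agg_burst=20)
        out[name] = (per_src_only.run(pkts), with_agg.run(pkts), len(pkts))
    return out


if __name__ == "__main__":
    for name, (a, b, n) in scenarios().items():
        print(f"{name:14s} per-source only: {a:3d}/{n}   with aggregate: {b:3d}/{n}")
```

With these parameters the single-source flood is cut to its 5-packet burst either way, the random-source flood gets through untouched under the per-source limiter and is cut to 29 of 100 only by the aggregate bucket, and the polite client is unaffected only because the streams are run separately; in a real link the aggregate bucket drained by the flood would drop the client's packets too, which is why the post points you to the upstream provider for anything larger.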

There are options besides paying the ransom. Paying is dangerous because DDoS groups are not united, and turf wars are common. If word gets out that you paid, others will try to extort you too. Watch as the domino effect takes its toll.