Home gateway routers are being targeted by cybercriminals launching denial-of-service attacks They are standard pieces of kit, without which no home or small office can connect to the internet. And millions of them harbour a security vulnerability that threatens to do untold damage to the workings of the web. Welcome to the humble home gateway – the little routers sitting on our desks are being inducted into battle by criminals launching denial-of-service (DoS) attacks to bring down websites and hold organisations to ransom. A subtle flaw in some home gateways (they act as ‘open DNS proxies’) allows attackers to use them for ‘amplification’ where very small DNS queries (50 bytes) generate very DNS large answers (4 , 000 bytes). Attackers employ another simple trick – IP address spoofing – to disguise their own identity and cover their tracks while directing waves of traffic to any target they choose, anywhere on the internet. An amplification attack can create and send a target trillions of bytes of unwanted data over a few hours. The attack on Spamhaus in 2013 generated traffic measured at an enormous 300Gb/s. Many web resources aren’t equipped to deal with such large volumes of traffic and either become unavailable, or slow down to the point where visitors notice. There is also considerable collateral damage to the infrastructure over which these attacks are launched. These attacks are effective because the amplification effect makes the results wildly disproportionate to the effort needed to launch them. Moreover, home gateways acting as DNS proxies make queries appear legitimate to DNS resolvers and mask the ultimate targets of attacks. As such, they are becoming the weapon of choice for those who aim to damage or hold to ransom any target they wish with impunity. Nor is there any shortage of opportunity for these criminals. Research has found there are 24 million home gateways (home routers) that can be used for amplification attacks. These exploitable routers exist across the globe and it is not a problem limited to developing nations. For online criminals, there really is no place like ‘home’ from which to launch an attack. One of the systems most impacted by DNS amplification attacks are ISP resolvers. The fact they’re typically provisioned with ample network bandwidth and deployed on high-performance hardware to ensure they are always responsive and highly available make them ideal for attackers, as they can piggyback on someone else’s high performance infrastructure. ISPs get drawn directly into the mire when open DNS proxies on home routers forward queries received on their WAN interface to whatever DNS resolver they are configured to use. In most cases this is an ISP ’ s resolver (consumers may also configure alternative DNS services from Google and others), and even those who go to great lengths to protect their infrastructure can become collateral damage in the path on an attack. Bandwidth taken up by DDoS traffic causes networks to suffer from congestion and lowered performance. If quality of service falls noticeably, customers will vote with their feet and walk away to another service provider. And the ultimate recipients of the traffic, the targets themselves, often legitimately enquire about what ISP have done to limit the effects of attacks. Since this vulnerability provides enormously rich pickings for criminals at little cost, fixing it should be a priority for ISPs. As with any type of online threat, denial-of-service attacks are protean in nature; they evolve and adapt to circumvent attempts to prevent them. Unfortunately, existing perimeter defences are useless against this new generation of attacks because they’re designed to deter DDoS traffic coming into a provider network instead of traffic going out. What’s called for is the applications of DNS-based security intelligence techniques; by incorporating DNS-level security tools, organisations and ISPs can effectively counter amplification attacks. Deterrence starts with monitoring DNS query data as it is generated so suspicious activity on the network can be identified quickly. Something else that’s needed is dynamic threat lists that track special purpose-built DNS domains designed and deployed specifically for these kinds of attacks. To eliminate false positives, it’s also crucial these lists are carefully vetted. Servers should be configured with highly targeted filters to manage malicious traffic, while ensuring legitimate traffic is not affected. Additional rate limits based on response size can catch malicious traffic not caught by other filters. And, following best practice, DNS data logging is also useful for forensics and reporting. DNS-based security can be used by network operators in a layered security approach. The insidiousness of malware threats requires a defence-in-depth strategy based on various layers of firewalls, packet filters, anti-virus software, intrusion detection and prevention, and many more. Owing to its strategic place in the network, DNS-based security must be added to this portfolio of protection: observing, as it does, every Internet communication, it serves as a lightweight but powerful tool in the armoury. For far too long, people have unknowingly been hosting a serious security weakness in their houses and in their offices. With DNS-level security we can finally plug this breach, and turn the home once more into a castle. Source: http://www.information-age.com/technology/security/123457905/there-no-place-home-gateway-ddos-attackers
Read More:
There is no place like home gateway for DDoS attackers
“Cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity” says Lancope CTO Tim Keanini. 162,000 reasons to tighten up WordPress security WordPress may be one of the most popular website systems used to publish on the Internet, but its open source nature – and consequent security challenges – have been highlighted this week after around 160,000 WordPress sites have apparently been used as DDoS zombies. Security research firm Securi reports that the WordPress pingback option – which allows WordPress sites to cross-reference blog posts – has been misused in recent times by unknown hackers to launch large-scale, distributed denial-of-service (DDoS) attacks. The attack vector used is not unknown as, back in the summer of last year, Incapsula reported that one of its clients was targeted in a pingback DDoS attack involving 1,000 page hits a second. Securi says it has been monitoring a swarm attack involving more than 162,000 WordPress sites and collectively generating many hundreds of IP requests to a single WordPress site. Whilst Daniel Cid, Securi’s CTO, has declined to identify the site, this suggests the attack may have been a proof-of-concept trial. On a technical level, the attack vector exploits an issue with the XML-RPC (XML Remote Procedure Call) code within WordPress and which is used for pingbacks, trackbacks and remote access from mobile Web browsers. SCMagazineUK.com notes that WordPress has known about the issue for several years, but the problem is that it a key structural issue with WordPress’s kernel architecture. Despite this, WordPress development teams have changed the default setting of sites to operate with a Web cache, meaning there is less load placed on the hosting server concerned. The hackers, however, have generated fake website addresses within their IP calls, so bypassing the web cache. Securi’s CTO says he been talking to WordPress developer teams about the issue, who are reportedly investigating a workaround. Tim Keanini, CTO of Lancope, said that the structural natures of the issue mean that it is not something that will ever go away. “Think of it as a supply chain and these criminals need compromised connected computers for their botnets – if you are connected for whatever reason to the Internet, you are a part of this supply chain,” he said, adding that cyber-criminals continue to innovate and find vulnerabilities to exploit for their criminal activity. To add to this, he explained, we – as Internet users – continue to put insecure devices on the Internet and with the Internet of Things ramping up, he warns there is just no end to the supply of targets. “What we need to do is to focus on the precision, timeliness, and leadership through these crisis – not the fact that they will just go away. They are here to stay and a part of doing business in the Internet age. When these events happen, what does leadership look like that provides business continuity and restores customer confidence? That is the question we need to be asking because hanging your head in shame does no one any good,” he said. Sean Power, security operations manager with DDoS security vendor DOSarrest, said that the vulnerabilities in old versions of WordPress mean that hackers can exploit them to be used for DDoS attacks. “This is nothing new – in fact, it was first recognised back in 2007. Attackers exploited a vulnerability in the core WordPress application and therefore it could be used for malicious purposes in DDoS attacks,” he said. “The fix for this feature was actually released in the 3.5.1 version of WordPress in January 2013 and would be picked up by most good vulnerability scanners,” he added. Power went on to say that this a prime example of how users aren’t regularly performing updates to their websites – “because if they were, we wouldn’t still be seeing DDoS attacks being carried out by websites taking advantage of this old flaw.” Source: http://www.scmagazineuk.com/162000-reasons-to-tighten-up-wordpress-security/article/337956/