Back to overview

Are you a bot already?

Brian Krebs is something of a celebrity in the security scene. All the greater the turmoil, when it recently became known that his website was the target of the largest DDoS (Distributed Denial of Service) attack on record. Even the servers of reknowned internet service provider Akamai were brought down. It is noteworthy that the attacks were not caused by amplification and reflection attacks, but directly by thousands of captured devices.

DDoS: The Techno Zombies attack!

Botnets are regularly used for spam or DDoS attacks. The basic principle of a DDoS attack is to crash the attacked server by request overload. To achieve this, as many hosts as possible need to try and connect to the target system in a short time. The amount of data that the server needs to process is then ultimately responsible for its failure.

Large quantities of computers are needed for such attacks. Hackers, of course, do not usually run their own data center for this purpose. They simply hijack masses of Internet-capable computers.

This can be done by exploiting vulnerabilities in web servers or SSH servers, or simply by guessing the administrator password. The core of the matter is to infect as many computers and servers as possible with a software, which allows remote controlled, targeted communication to the net. Many users do not even know that their PC is part of a botnet, and probably has been for quite some time. Thus, an attacker is provided with an army of zombie machines, ready to start spamming or flooding a target server with useless requests.

The power of reflection

Reflection attacks are triggered by faulty or incorrectly configured servers. Services that use UDP are suitable for this, since no previous connection setup is necessary. Specific DNS queries with less than 100 bytes can trigger a response that is 60-70 times as large. The same is true for NTP and SNMP. The sender address of the request is falsified, so that the response packages are directed to the victims system. The actual sender of the original data packet (the bot) remains unknown this way. Since the bot sends only a tiny piece of data that is not even directed to the target system, but to seemingly harmless web servers, the communication is not so easy to notice.

In the case of Brian Krebs, however, these techniques were not used but apparently adopted systems were used directly for the attack. There is much evidence that this was indeed a kind of demonstration of power, since the attack would have required far fewer bots for the same result by reflection.

An endless army of Smart Devices

Not only classic PCs and web servers can become bots. Unfortunately, many manufacturers of IP cameras, smart home and heating controls, as well as other smart devices directly connected to the Internet, still have next to no security awareness or know-how at all. And when manufacturers have done everything right, it is often the service providers who implement the devices and use simple passwords for convenience or out of ignorance.

A botnet does not create itself. Anyone who wants to build a botnet must first find vulnerable devices. How do attackers do that? Easier than you maybe think: They constantly scan the Internet for devices with vulnerabilities and default passwords.

But this kind of scan can just as easily be executed by IT-security as well. So why not be a step ahead of the Darknet?

Vulnerability Scanning can prevent loss of control

Why is vulnerability scanning so important? Provided you use the obtained information for efficiently closing the gaps, one has hit several flies with one flap: you seal your own systems, infiltration and deducting information is no longer as easy. At the same time, you can check whether the processes for patching work. Additionally, you are doing a service to the public, because your own systems can no longer be used as a jumpboard for DDoS attacks and spam campaigns.

Vulnerability scans should not to be confused with penetration tests. A vulnerability scan consists of highly automated tests on commonly known gaps. Results can serve as the basis for a penetration test. A penetration test is much more sophisticated and is carried out by hand, in order to extract as much information as possible from the target system or to penetrate further into internal systems.

A bot does not steal any data. Usually.

Someone who wants to send spam or carry out DDoS attacks is basically only interested in manipulating easily accessible systems with direct connection to the Internet. Such systems can be checked just as easily by the legal owner with appropriate tools. If everyone did this and closed just “their” known gaps, the risk of corresponding attacks would be much lower.

In order not to become a part of a botnet, it is advisable – in addition to many other measures – the use of anti-spoofing mechanisms, for example on the firewalls, the continuous patching of the systems and the regular scan for vulnerabilities and weak/default passwords. There are automated systems available that can take care of each of these jobs.

 


Links:

https://www.heise.de/security/meldung/Security-Journalist-Brian-Krebs-war-Ziel-eines-massiven-DDoS-Angriffs-3329988.html

http://krebsonsecurity.com/2016/09/krebsonsecurity-hit-with-record-ddos/

 

https://www.heise.de/security/meldung/Source-Code-von-maechtigem-DDoS-Tool-Mirai-veroeffentlicht-3345809.html

Bild: ©iT-CUBE SYSTEMS AG 2016

Leave a Reply