How to Start Making a DDoS Response Plan

Some organizations exhibit strange behavior today when it comes to distributed denial of service (DDoS) attacks. DDoS assaults are becoming more common, increasingly sophisticated, and more costly all the time. Yet organizations continue to rely on the same dated firewall solutions they have always used to protect themselves.

It’s clear they need a new strategy to update their DDoS response plan. However, developing such a plan can be a difficult proposition, particularly for organizations that have spent years ignoring the possibility of DDoS attacks.

This is where Incapsula’s new DDoS Response Playbook can help.

This ebook is filled with useful guidance to help prepare your organization for the current threat landscape—no matter what your present DDoS mitigation strategy looks like. It also helps you in creating a plan if you don’t already have one.

The playbook teaches you how to prepare for a DDoS attack, what to do if one hits, and how to ultimately respond to it.

Here is a brief look at a few of the things you’ll learn from this document.

What Are DDoS Attacks, and Why Should You Be Worried About Them?

For the uninitiated, all the hype surrounding DDoS attacks may seem excessive.

However, after reading the playbook, you’ll come away with a better understanding of what a DDoS attack is, how different types of assaults work, and how much one could cost your organization—in relation to both financial and non-financial losses.

As a result, you’ll grasp why it’s so important to make sure your organization is adequately prepared.

How To Prepare Your Organization For a DDoS Attack?

The playbook lays out a four-step DDoS preparation process:

  • Create a response team – Establish who will respond to an attack so as to minimize confusion.
  • Develop a response plan – Determine who does what post-attack to maximize efficiency and minimize your response time.
  • Perform a risk assessment – Knowing where the risk is greatest is the first step toward addressing that risk.
  • Identify single points of entry – Find vulnerable spots in your network in order to protect them.

Potential DDoS Targets

How Can Your ISP Help Prepare For DDoS Attacks?

Partnering with your ISP is an integral step in proper DDoS preparedness. Incapsula’s playbook tells you how to create an effective partnership to help you more effectively test and maintain your network.

You’ll also learn the steps to take and questions to ask in order to make your ISP partnership a reality.

What Technological Capabilities Should You Consider?

Creating an effective DDoS response plan requires an understanding of potential solutions as they pertain to:

  • Detection – You must know an attack is underway in order to quickly respond to it.
  • Time to mitigation – An effective DDoS solution must offer a time to mitigation that best meets your organization’s needs.
  • User classification – Your plan must include an effective way of differentiating between bad bots and legitimate users.
  • Web application firewall – You may require a WAF to protect you from application-level threats.

How Should You Respond During A DDoS Attack?

You’ll find useful details in Incapsula’s playbook regarding all steps you should take during a DDoS attack, including:

  • How to organize your war room
  • How to maintain clear, open communication
  • How to respond to ransom notes and other threats
  • How to address the attack with customers, employees, and the media

What Should You Do After an Attack?

Once an attack has passed, it’s important to conduct a post-mortem analysis to assess damage and learn what you can do to mitigate future assaults.

Incapsula’s playbook includes details as to what to do after an attack—including how to handle possible legal disclosures.

Summary

Preparing for a DDoS attack and creating a response plan is a necessary part of protecting your organization from criminals, activists, and even competitors who might benefit from bringing down your web presence.

If you’re in need of an excellent resource to help you get started with your DDoS response plan, download the Incapsula DDoS Response Playbook here.

http://www.incapsula.com/blog/start-making-ddos-response-plan.html

Network security assessment: Internal testing relies on various tools

Security breaches — where a company’s or governmental agency’s network security is compromised or penetrated — seem to make the news on a regular basis. If you are a security professional, now’s the time to get proactive about security. Over the years, there have been many lists that specify the best penetration testing and network security assessment tools, but I’m going to take a different approach and discuss the best testing tools by categories. Without further ado, then, what are the top 10 tools no penetration tester should be without?

1. A bootable Linux distribution: Backtrack is among the most popular bootable Linux distros, and it’s loaded with all of the most current security tools and applications. Backtrack allows you to load a purely native hacking environment that is dedicated to penetration testing. If you are wondering what a live CD/DVD or bootable distribution is, it’s simply a fully configured OS that allows a user to experience and evaluate an operating system without installing it to a hard drive. You can run it from a Live DVD, thumb drive or virtual machine.

2. A malware analysis toolkit: Virustotal and Jotti are two websites that you will want to have at your disposal. If you’re a pen tester, you are going to encounter lots of potential malware. While it’s true that you can rely on one antivirus, wouldn’t 10 to 20 be better? Sometimes, what one AV may not detect another may flag as malicious. Websites like virustotal.com and jotti.org allow you to scan a malicious file or URL against several different AV products. This provides a quick and easy way to determine if several different AV vendors have defined the software as malicious.

3. An exploit framework: Metasploit is one exploit framework that every pen tester will want to have at their disposal. An exploit framework is simply an environment from which to create or execute exploit code against an identified vulnerable target. Metasploit offers a 1-2-3 approach where you choose an exploit, configure a payload and execute the attack.

4. A world-class port scanner: Nmap is one of the very best port scanning applications. It’s available on both Linux and Windows platforms and can be run from both the command line and from a GUI. It provides a variety of features for probing computer networks such as TCP scanning, user datagram protocol (UDP) scanning and OS fingerprinting. It’s one tool that every pen tester should have at their disposal.

5. A network traffic analysis tool: Wireshark is a network protocol analyzer for Windows and Unix. It’s a well-known packet analyzer. As a pen tester, you will be examining network traffic, and there is no better tool than Wireshark. Not only has the tool won several awards over the years, it’s one of the best ways to investigate TCP/IP traffic anomalies. It’s also useful for analyzing the activity of other security tools.

6. A tool to test for SQL injection: Acunetix can be used to test websites and Web applications for cross-site scripting, SQL injection and other acknowledged Web vulnerabilities. Just consider how many applications are Web-based and you’ll understand why this is one tool no pen tester wants to be without.

7. A Web application testing tool: Burp Suite is a complete package of tools designed to test the security of Web applications. It has the ability to act as a proxy server, a Web spider, an intruder and a repeater, and requests can be automated.

8. A Swiss Army knife hacking tool: Cain and Abel is a password-cracking, enumeration, sniffing, address resolution protocol/DNS poisoning tool and more. What really makes Cain and Abel so useful is that it can serve so many different roles.

9. A world-class encryption tool: TrueCrypt is an open source encryption software package for Windows, Linux and OS X. While you may not consider it a hacking tool, I would describe it as something most pen testers cannot live without. After all, you are going to have notes, records and maybe even reports on your computer that list discovered vulnerabilities. Are you really going to want to leave this information in an unencrypted state?

10. A tool to load multiple operating systems: VMware. As a pen tester, you are going to run multiple OSes, and VMware is one application that will allow you to do so easily. You will be able to use these virtual systems for testing, to load bootable OSes such as BackTrack and to support applications that only run on certain versions of operating systems. VMware offers both paid and free versions of its products.

http://searchnetworking.techtarget.com/tip/Network-security-assessment-10-tools-you-cant-live-without

A Closer Look at CloudFlare and Incapsula: Next Generation CDN Services

Content delivery networks (CDNs) are online services that were traditionally used to help accelerate the distribution of web content and ensure business continuity.

Today a new generation of CDNs is being built to harness advancements in hardware, networking and cloud computing. These next-gen CDNs are radically different in architecture from their predecessors, and are designed to consolidate multiple technologies for website acceleration and security into a full-blown application delivery solution.

The popularity of these next-gen platforms is now rejuvenating the traditionally consolidated and somewhat stale CDN market. According to a recent study, the CDN market is estimated to grow from $3.71 billion in 2014 to $12.16 billion by 2019.

Among the trendsetters leading this transformation are CloudFlare and Incapsula. CloudFlare was among the first to offer a free CDN service, in essence sparking this revolution. Incapsula, spun off from security giant Imperva, upped the ante by imbuing the CDN platform with security-oriented technologies.

Motivated in part by their own competition, the relentless innovation of these companies is advancing the CDN space forward in leaps and bounds. Today, this innovation is also ushering in a new trend of using cloud-based services to replace enterprise-grade security and availability appliances.

Let’s take a closer look at how CloudFlare and Incapsula address enterprises’ application delivery requirements.

Acceleration & Caching

CDN Overview

In 2014 CloudFlare shook up the CDN market when it launched a free CDN for websites of all sizes, making content delivery easy and affordable for a wide variety of website owners – previously excluded from this market due to the cost of legacy CDNs. With 28 data centers around the world, CloudFlare offers customers a global presence on an affordable budget.

Incapsula was founded in 2009 as a spin-off of data security leader Imperva. Compared to CloudFlare, Incapsula’s product offers a business-oriented solution that emphasizes website security and high availability. Incapsula’s service is equally affordable and is highly acclaimed for its award-winning access control and DDoS protection features. Incapsula’s worldwide network currently numbers 20 data centers.

Content Caching

Both companies use proprietary caching technologies to deliver content quickly and optimize the user experience.

In terms of acceleration, each CDN does an excellent job of caching static content.

Incapsula, however, may have an advantage when it comes to dynamic content caching. The reason is Incapsula’s patent-pending machine learning algorithms that are able to identify cacheable dynamic content by the way it’s being accessed by users.

Incapsula’s dynamic content caching in action.

Rather than caching dynamic web pages, CloudFlare uses its Railgun™ technology to further compress web content. While unable to actually cache dynamically generated objects, Railgun contributes to overall delivery speed, offering an effective solution for static HTML sites.

CloudFlare’s compression technology in action.

DDoS Protection

Protecting Against Volumetric DDoS Attacks

Today’s network DDoS attacks, often exceeding 100-200 Gbps, can only be countered by a strong infrastructure capacity. This is one reason why cloud-based platforms like CloudFlare and Incapsula, which provide large resource pools, are rapidly becoming the industry standard for DDoS mitigation.

DDoS That “Almost Broke the Internet” – CloudFlare protects Spamhaus  from DDoS.

Both solutions offer on-demand bandwidth overprovisioning that scales capacity to absorb and filter DDoS traffic. This means you can protect your website or application against even the largest DDoS attacks, without having to pay up front for bandwidth you don’t need on a regular basis. Since both of these cloud-based services are built on top of large global networks, they are well-equipped to handle any sized DDoS attack.

Recently, Incapsula has gone a step further with “Behemoth” scrubbing servers. Each of these massive beasts is able to filter 170Gbps worth of traffic at line rate. Incapsula currently has five “Behemoths” deployed. Together these provide an 800+Gbps boost to Incapsula’s already massive 700+Gbps network.

Incapsula’s Behemoths mitigate massive DDoS attack on a video game website.

DNS DDoS Protection

In addition, both Incapsula and CloudFlare offer DDoS protection services for web applications and DNS servers. Service activation is based on a simple change of DNS settings to re-route all website traffic (HTTP/HTTPS) through the vendors’ respective networks. Both solutions do a good job of mitigating volumetric network DDoS attacks using their high-capacity networks of servers.

Application Layer DDoS Protection

Where these services differ is in their approach to Layer 7 DDoS attacks which are executed by DDoS bots. These types of stealthy attacks are difficult to detect, since they are often designed to mimic “human” behavior.

Here Incapsula’s solution relies on classification algorithms that inspect signatures and behavior patterns to distinguish between legitimate and malicious traffic. The company’s claim to fame is its client classification technology with less than a 1% false positive rate.

CloudFlare, on the other hand, offers an equally effective but significantly less user-friendly solution that relies on challenge screens and CAPTCHA pages, which are presented to visitors during the attack.

CloudFlare’s challenge screen.

Time to Mitigation

Time-to-mitigation is the duration required to start blocking a DDoS attack once it has been identified. This is critical, since on-demand solutions based on human intervention are fallible. This is why many perpetrators attack during major holidays, the middle of the night, or weekends when IT staff may not be available.

Incapsula’s response to this problem is an always-on solution that automatically detects and triggers mitigation of all types of DDoS attacks.

With CloudFlare, customers must identify the Layer 7 attack and then manually click the “I’m under attack” button. This approach is obviously less reliable and can result in some performance degradation and even potential downtime.

Protecting Non-Web Assets

Today’s DDoS attackers do not stop at web/application and DNS servers. Any component of your network infrastructure with an IP address is, in effect, a target. This includes servers used for gaming, FTP, email, VoIP, etc.

To combat this threat, Incapsula has added a third layer to its DDoS Protection service, designed to safeguard critical network infrastructure across entire subnet ranges.

Enabled by Border Gateway Protocol (BGP) routing and GRE tunneling, this protection is versatile enough to protect all types of resources, including the commonly targeted gaming platforms and FTP and email servers.

Application Security

Web Application Firewall

It is clear that Incapsula’s security focus, and its use of Imperva’s best-in-class Web Application Firewall (WAF) technology, gives it a leg up in this area – allowing it to offer an enterprise grade self-developed technology.

CloudFlare also offers a very dependable WAF option, which uses a variation of the open source ModSecurity platform and is effective against most common web threats.

However, in a comparative pentest conducted in February 2013 by the Zero Science Lab, CloudFlare’s WAF often failed to stop certain types of application attacks (e.g., SQL injection, Remote File Inclusion).

Since then, CloudFlare has revamped its solution, adding a new rule-based engine to the ModSecurity core. In a second round of pen-tests, CloudFlare still came up short, but showed a significant improvement over its original 0/123 score.

PCI Compliance

Online merchants who handle consumer credit card information are required to deploy a web application firewall in front of their website. Both CloudFlare and Incapsula offer PCI-certified WAFs that fully comply with PCI 6.6 type 1 reporting requirements.

Custom Security Rules

In addition to its default rule sets, CloudFlare offers an option of turning on/off pre-defined rules in accordance with security policies.

Incapsula, on the other hand, offers a flexible custom rule engine (a.k.a. IncapRules) for fast creation of security rules tailored to your enterprise’s security policy and use cases.

Availability

Availability is a critical requirement for today’s business-critical applications. With the cost of network downtime estimated by Gartner to be hundreds of thousands of dollars per hour, the importance of maintaining business continuity is a given.

Load balancers remove single points of failure and ensure application availability by monitoring the “health” of application servers, and only sending requests to servers and applications that can respond in a timely manner.

Load Balancing

CloudFlare and Incapsula both perform load balancing in the cloud and do not rely on hardware appliances, which can be a single point of failure. Using the Anycast routing scheme, CloudFlare’s network picks the most preferential route (i.e., the shortest path from the sender to the recipient). At the data center, if a server is down or overloaded, traffic is sent randomly to the next available server.

Rather than using proximity-based routing like CloudFlare, Incapsula uses a Layer 7 load balancing solution to distribute incoming requests based on the actual load of traffic on each server. This approach allows for efficient resource utilization, offering the Incapsula user a choice of several smart load balancing algorithms (e.g., load distribution based on the number of actual pending requests).

Incapsula supports both local and global server load balancing (GSLB) with the option to set different policies for in-data center and cross-data center load distribution. This provides an additional degree of control and efficiency to its users.

Data Center Failover

Incapsula’s service supports automatic failover between primary and secondary sites to enable high availability. To this end Incapsula performs periodic health checks of all servers in service. As soon as the platform detects that the primary server has gone down, Incapsula automatically kick-starts your pre-configured standby server to help keep your website and web apps available.

Currently, CloudFlare doesn’t provide a similar failover option. However, Anycast routing can be used to redirect traffic to a standby server, pending its manual activation by the network’s operator.

Real-Time Monitoring

Incapsula’s high availability solutions are complemented by a live monitoring option that allows you to keep track of your web server and data center activity in real-time. This is a very nice feature that lets you detect issues ahead of time and re-route traffic to a viable server to eliminate lags or outages.

Incapsula’s real time monitoring and failover in action.

Pricing

Both companies offer a premium Enterprise CDN, with 24×7 support and enterprise-grade uptime SLAs. Both Incapsula and CloudFlare also offer the option to purchase WAF, DDoS protection and load balancing features separately or to bundle them all together into a complete application delivery solution.

With prices starting at around $300/month and scaling up to a few thousand dollars a month for a complete application delivery bundle, CloudFlare and Incapsula are now expanding their market share at the expense of CDN veterans like Akamai, who often cannot compete with the new integrated technologies and the low-cost pricing model.

http://smartdatacollective.com/anandsmartdata/277511/closer-look-cloudflare-and-incapsula-next-generation-cdn-services

POODLE: Turning off SSLv3 for various servers and client.

Before you start: While adjusting your SSL configuration, you should also check for various other SSL related configuration options. A good outline can be found at http://bettercrypto.org as well as at http://ssllabs.com (for web servers in particular).

Here are some configuration directives to turn off SSLv3 support on servers:

Apache: Add -SSLv3 to the “SSLProtocol” line. It should already contain -SSLv2 unless you list specific protocols.

nginx: list specific allowed protocols in the “ssl_protocols” line. Make sure SSLv2 and SSLv3 are not listed. For example: ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

Postfix: Disable SSLv3 support in the smtpd_tls_mandatory_protocols configuration line. For example: smtpd_tls_mandatory_protocols=!SSLv2,!SSLv3

Dovecot: similar, disable SSLv2 and SSLv3 in the ssl_protocols line. For example: ssl_protocols = !SSLv2 !SSLv3

HAProxy Server: the bind configuration line should include no-sslv3 (this line also lists allowed ciphers)

puppet: see https://github.com/stephenrjohnson/puppetmodule/commit/1adb73f9a400cb5e91c4ece1c6166fd63004f448 for instructions

For clients, turning off SSLv3 can be a bit more tricky, or just impossible.

Google Chrome: you need to start Google Chrome with the “--ssl-version-min=tls1” option.

Internet Explorer: You can turn off SSLv3 support in the advanced internet option dialog.

Firefox: check the “security.tls.version.min” setting in about:config and set it to 1. Oddly enough, in our testing, the default setting of 0 will allow SSLv3 connections, but refuses to connect to our SSLv3 only server.

For Microsoft Windows, you can use group policies. For details see Microsoft’s advisory: https://technet.microsoft.com/en-us/library/security/3009008.aspx

To test, continue to use our “POODLE Test” page at https://poodletest.com or the Qualys SSLLabs page at https://ssllabs.com

To detect the use of SSLv3, you can try the following filters:

tshark/wireshark display filters: ssl.handshake.version==0x0300

tcpdump filter: (1) accounting for variable TCP header length: ‘tcp[((tcp[12]>>4)*4)+9:2]=0x0300’
(2) assuming TCP header length is 20: ‘tcp[29:2]=0x0300’
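The logic behind those two tcpdump filters, worked through on constructed TCP segments as an added example (this is not code from the diary or from tcpdump). It reads the two-byte handshake version at payload offset 9, where a ClientHello carries it after the 5-byte TLS record header and the 4-byte handshake header, and it goes a step further than the filters by also checking the record and handshake types; the ports and the option bytes in the test segments are assumed values.

```python
"""SSLv3 detection mirroring tcp[((tcp[12]>>4)*4)+9:2]=0x0300 and tcp[29:2]=0x0300.
Added example, not the diary's own code; segments below are constructed, not captured."""
import struct
from typing import Iterable, Optional

SSLV3 = 0x0300


def tcp_header_len(segment: bytes) -> int:
    """Data offset is the high nibble of TCP byte 12, counted in 32-bit words."""
    return (segment[12] >> 4) * 4


def version_variable_offset(segment: bytes) -> Optional[int]:
    """Filter (1): honour the real TCP header length, then read payload bytes 9..10."""
    off = tcp_header_len(segment) + 9
    if len(segment) < off + 2:
        return None
    return struct.unpack("!H", segment[off:off + 2])[0]


def version_fixed_offset(segment: bytes) -> Optional[int]:
    """Filter (2): tcp[29:2], which silently assumes a 20-byte TCP header."""
    if len(segment) < 31:
        return None
    return struct.unpack("!H", segment[29:31])[0]


def is_sslv3_client_hello(segment: bytes) -> bool:
    """Stricter than either filter: also require record type 0x16 (handshake)
    and handshake type 0x01 (ClientHello) so unrelated payloads cannot match."""
    payload = segment[tcp_header_len(segment):]
    if len(payload) < 11 or payload[0] != 0x16 or payload[5] != 0x01:
        return False
    return struct.unpack("!H", payload[9:11])[0] == SSLV3


def count_sslv3_hellos(segments: Iterable[bytes]) -> int:
    """Detection pass over a set of segments: how many SSLv3 ClientHellos were seen."""
    return sum(1 for seg in segments if is_sslv3_client_hello(seg))


# --- constructed test data (assumed values, not captured traffic) ----------

def build_client_hello(version: int) -> bytes:
    """Minimal ClientHello: record header, handshake header, version, 32-byte random."""
    body = struct.pack("!H", version) + b"\x00" * 32
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16" + struct.pack("!HH", version, len(handshake)) + handshake


def build_tcp_segment(payload: bytes, options: bytes = b"") -> bytes:
    """TCP header with placeholder ports/seq/ack; the data offset field is
    computed from the options length, which is what the filters depend on."""
    if len(options) % 4:
        raise ValueError("TCP options must be padded to a 32-bit boundary")
    data_offset_words = 5 + len(options) // 4
    header = struct.pack("!HHIIBBHHH",
                         51000, 443,              # src port, dst port (assumed)
                         0, 0,                    # seq, ack
                         data_offset_words << 4,  # data offset in the high nibble
                         0x18,                    # PSH|ACK
                         65535, 0, 0)             # window, checksum, urgent pointer
    return header + options + payload


if __name__ == "__main__":
    plain = build_tcp_segment(build_client_hello(SSLV3))
    with_opts = build_tcp_segment(build_client_hello(SSLV3), options=b"\x01" * 12)
    tls12 = build_tcp_segment(build_client_hello(0x0303))
    for name, seg in (("plain", plain), ("with options", with_opts), ("TLS 1.2", tls12)):
        print(name, hex(version_variable_offset(seg)), hex(version_fixed_offset(seg)))
    print("SSLv3 ClientHellos seen:", count_sslv3_hellos([plain, with_opts, tls12]))
```

Running it shows the fixed-offset filter reading option bytes instead of the version once TCP options are present, which is why filter (1) is the one to deploy on real traffic.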

We will also have a special webcast at 3pm ET. For details see

https://www.sans.org/webcasts/about-poodle-99032

The webcast will probably last 20-30 minutes and summarize the highlights of what we know so far.

http://dshield.org/forums/diary/POODLE+Turning+off+SSLv3+for+various+servers+and+client/18837

masscan – The Fastest TCP Port Scanner

masscan is the fastest TCP port scanner. It can scan the entire Internet in under 6 minutes, transmitting 10 million packets per second.

It produces results similar to nmap, the most famous port scanner. Internally, it operates more like scanrand, unicornscan, and ZMap, using asynchronous transmission. The major difference is that it’s faster than these other scanners. In addition, it’s more flexible, allowing arbitrary address ranges and port ranges.

NOTE: masscan uses a custom TCP/IP stack. Anything other than simple port scans will cause conflict with the local TCP/IP stack. This means you need to either use the -S option to use a separate IP address, or configure your operating system to firewall the ports that masscan uses.

PF_RING – Beyond 2 million packets/second

To get beyond 2 million packets/second, you need an Intel 10-gbps Ethernet adapter and a special driver known as “PF_RING DNA” from http://www.ntop.org/products/pf_ring/. Masscan doesn’t need to be rebuilt in order to use PF_RING. To use PF_RING, you need to build the following components:

  • libpfring.so (installed in /usr/lib/libpfring.so)
  • pf_ring.ko (their kernel driver)
  • ixgbe.ko (their version of the Intel 10-gbps Ethernet driver)

You don’t need to build their version of libpcap.so.

When masscan detects that an adapter is named something like dna0 instead of something like eth0, it’ll automatically switch to PF_RING mode.

Usage

Usage is similar to nmap. To scan a network segment for some ports:

This will:

  • scan the 10.x.x.x subnet, all 16 million addresses
  • scans port 80 and the range 8000 to 8100, or 102 addresses total
  • print output to stdout that can be redirected to a file

To see the complete list of options, use the --echo feature. This dumps the current configuration and exits. This output can be used as input back into the program:

Banner checking

Masscan can do more than just detect whether ports are open. It can also complete the TCP connection and interact with the application at that port in order to grab simple “banner” information.

The problem with this is that masscan contains its own TCP/IP stack separate from the system you run it on. When the local system receives a SYN-ACK from the probed target, it responds with a RST packet that kills the connection before masscan can grab the banner.

The easiest way to prevent this is to assign masscan a separate IP address. This would look like the following:

The address you choose has to be on the local subnet and not otherwise be used by another system.

In some cases, such as WiFi, this isn’t possible. In those cases, you can firewall the port that masscan uses. This prevents the local TCP/IP stack from seeing the packet, but masscan still sees it since it bypasses the local stack. For Linux, this would look like:

On Mac OS X and BSD, it might look like this:

Windows doesn’t respond with RST packets, so neither of these techniques is necessary. However, masscan is still designed to work best using its own IP address, so you should run it that way when possible, even when it’s not strictly necessary.

The same thing is needed for other checks, such as the --heartbleed check, which is just a form of banner checking.

You can download masscan here:

1.0.3.zip

Or read more here.

http://www.darknet.org.uk/2014/09/masscan-fastest-tcp-port-scanner/

Tsunami SYN-Flood DDoS Attack, a dangerous trend

Radware, a DDoS protection solution provider, recently discovered a new category of distributed denial-of-service (DDoS) attack; according to the company’s experts it is a type of SYN flood, dubbed the “Tsunami SYN Flood Attack.”

In just a 48-hour period, the experts of Radware’s Emergency Response Team (ERT) observed two high-volume attacks targeting organizations on two different continents.

The Tsunami SYN-Flood Attack hit an ISP and a data center for a gaming company, and as explained by the researchers the attacks reached peaks of 4-5 Gbps in attack traffic.

The name Tsunami SYN Flood Attack is not accidental: experts maintain that it uses about 1,000 bytes per packet, a striking figure compared with a typical SYN flood attack, which uses roughly 40 to 60 bytes per packet.

Radware Tsunami SYN-Flood attack

This kind of DDoS attack exploits the TCP protocol instead of UDP, making the classic methods of defense ineffective, as Radware explained in a blog post:

“Normally the SYN package is a simple handshake mechanism with a very low data footprint,” Adrian Crawley, Radware regional director for the UK, said. “It appears that hackers have found a way to add content to it – up to 1,000 bytes, or 25 times more data per handshake. This is allowed based on TCP RFC, but it is not common practice simply to avoid latency during the initial handshake. But because it is allowed by RFC, hackers can add data – this could be any random data – to the application which requested the initial SYN handshake.”

It is likely that the threat actors behind the Tsunami SYN Flood attack used a botnet, and Crawley explained how the attack produced the pulses of traffic observed with the following statement:

“An attacker does not have 100 [percent] control over each machine that generates traffic, so as more “bots” were being accessed in the attack, [it] could account for the pulses of attack traffic, rather than a constant stream.”

Such kind of attacks could be identified and mitigated using behavioral algorithms:

“Behavioral algorithms are key in both detecting and mitigating these threats, along with implementing a hybrid model of cloud and on-premise mitigation.”

Radware experts suspect that in the coming months a growing number of DDoS attacks will be Tsunami SYN Flood attacks.
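A simple behavioral check of the kind the article points to, as an added example that is not Radware’s code or algorithm: it profiles pure SYN segments per source and flags sources whose SYNs repeatedly carry hundreds of bytes of payload, which normal handshakes never do. The packet records and the thresholds (a minimum SYN count and a minimum mean payload) are my own assumptions, chosen from the article’s 40-60 byte versus ~1,000 byte figures.

```python
"""Per-source SYN profiling to separate a Tsunami-style SYN flood from normal
handshakes.  Added example, not Radware's code; records below are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# (source IP, TCP flags, TCP payload length in bytes): constructed sample, not a capture.
Record = Tuple[str, str, int]
SAMPLE_PACKETS: List[Record] = [
    ("198.51.100.7", "S", 0),     # normal client: empty SYN ...
    ("198.51.100.7", "A", 0),
    ("198.51.100.7", "PA", 517),  # ... and data only after the handshake
    ("203.0.113.5", "S", 1000),   # flood source: every SYN padded to ~1 KB
    ("203.0.113.5", "S", 1000),
    ("203.0.113.5", "S", 980),
    ("203.0.113.5", "S", 1000),
    ("203.0.113.9", "S", 900),    # two padded SYNs: suspicious, but under the count floor
    ("203.0.113.9", "S", 900),
    ("192.0.2.44", "S", 0),
    ("192.0.2.44", "S", 0),       # retransmitted empty SYNs: noisy but benign
    ("192.0.2.44", "S", 0),
]


@dataclass
class SynProfile:
    syn_count: int = 0
    syn_payload_bytes: int = 0

    def mean_syn_payload(self) -> float:
        return self.syn_payload_bytes / self.syn_count if self.syn_count else 0.0


def is_pure_syn(flags: str) -> bool:
    """SYN set and ACK clear: the first packet of a handshake, not a SYN-ACK."""
    return "S" in flags and "A" not in flags


def profile_sources(records: Iterable[Record]) -> Dict[str, SynProfile]:
    """Count pure SYNs and the payload bytes they carry, per source address."""
    profiles: Dict[str, SynProfile] = defaultdict(SynProfile)
    for src, flags, payload_len in records:
        if is_pure_syn(flags):
            p = profiles[src]
            p.syn_count += 1
            p.syn_payload_bytes += payload_len
    return dict(profiles)


def flag_tsunami_sources(records: Iterable[Record], min_syns: int = 3,
                         min_mean_payload: int = 200) -> List[str]:
    """Sources whose SYNs both repeat and carry payload (assumed thresholds), sorted."""
    return sorted(src for src, p in profile_sources(records).items()
                  if p.syn_count >= min_syns and p.mean_syn_payload() >= min_mean_payload)


def padded_syn_bytes(records: Iterable[Record]) -> int:
    """Total payload riding on SYNs: a quick volume indicator for the flood component."""
    return sum(n for _, flags, n in records if is_pure_syn(flags) and n > 0)


if __name__ == "__main__":
    for src, p in sorted(profile_sources(SAMPLE_PACKETS).items()):
        print(f"{src:14} syns={p.syn_count} mean_payload={p.mean_syn_payload():.0f}")
    print("flagged:", flag_tsunami_sources(SAMPLE_PACKETS))
    print("payload bytes on SYNs:", padded_syn_bytes(SAMPLE_PACKETS))
```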

http://securityaffairs.co/wordpress/29141/cyber-crime/tsunami-syn-flood-ddos.html
