Domain: arbornetworks.com
Stories and comments across the archive that link to arbornetworks.com.
Comments · 39
-
Re:What happened? No security.
Basically Wikileaks has nobody there who is competent enough to actually implement a security framework for the site.
So, as a result, it basically becomes a dumping ground for all this crap.
Thus, when examples are pointed out to them, all they can do is nix the examples.
Wikileaks has withstood countless efforts to get their site offline, sometimes by dedicated groups and/or state sponsored actors. You may remember how all hell broke loose with cablegate, including DDOS and Senator Lieberman's call to Amazon. Calling Wikileaks incompetent at security is completely ridiculous.
I bet that the whole thing went down like this: author of this backchannel article wanted to rag on Wikileaks for their dissemination of personal details, and wanted to bring up email #117 as prime example (medical bill!!) and got infected herself for lack of security competence. Author then contacted some security outfit to perform a security evaluation, security outfit performed a simple virus scan. Author then cooked up a click bait article, how Wikileaks is out there to recklessly infect everyone with malware.
Let's face it: Wikileaks is plenty competent securitywise, as evidenced by their very presence for so many years. They expect their readers, especially professional journalists scouring their site to bring at least a moderate skill set to the table, and Mrs. Upson apparently failed miserably.
-
Re:Did I miss something?
The linked "Uncovering the Seven Pointed Dagger" has some interesting information on what was of interest (Special Economic Zones (SEZs) in Myanmar) and what was discovered.
https://asert.arbornetworks.co...
The ability to evade detection is interesting, likes to stay in memory and is resistant to simple malware detection. Remote uninstall, upload, download and could move within target networks. -
Re:Read here for a more detailed perspective
Hello,
The first public analysis of the malware campaign (called BlackEnergy by most researchers) was done by Arbor Networks back in October 2007, and Dell SecureWorks did a comprehensive write-up on its second generation in 2010. Additional information on this malware campaign:
- We Live Security blog - Back in BlackEnergy: 2014 Targeted Attacks in Ukraine and Poland
- 2014 Virus Bulletin Conference - Last-minute paper: Back in BlackEnergy: 2014 targeted attacks in the Ukraine and Poland and YouTube video of the presentation
- We Live Security blog - CVE-2014-4114: Details on August BlackEnergy PowerPoint Campaigns
- Virus Radar - description of Win32/Rootkit.BlackEnergy.AA
Hope this information is useful to anyone who might be concerned they have compromised hosts on their network.
Regards,
Aryeh Goretsky -
Closing the Barn Door...
...after all the cows got out.
Day late and a dollar short to worry about BlackPOS. Variants of "Dexter, first documented by Seculert in December 2012, is a Windows-based malware used to steal credit card data from PoS systems."
http://www.arbornetworks.com/a...
They have had 3 flavors so far:
1.] Stardust (looks to be an older version, perhaps version 1)
2.] Millenium (note spelling)
3.] Revelation (two observed malware samples; has the capability to use FTP to exfiltrate data)
I can buy any of these programs with a Tor browser, an ICQ client and some Bitcoin at any carder site on line.
A little late to be worried about snippets of code.
-
TFA is simply wrong
However, it will be difficult for Internet policymakers, engineers and the user community at large to tell how the upgrade to IPv6 is progressing because no one has accurate or comprehensive statistics about how much Internet traffic is IPv6 versus IPv4."
I'm sorry, but that's utterly wrong. There are people who are watching this stuff. One of them is Craig Labovitz, Chief Scientist at Arbor Networks. He authored a paper six months ago called Six Months, Six Providers, and IPv6. In it, he says that tunneled IPv6 accounts for between 0.01% and 0.05% of all Internet traffic while IPv6 on providers which support it natively accounts for about 0.1% of all traffic. I'm willing to bet that he and/or Arbor will have some news about IPv6 traffic levels on IPv6 day.
If you scroll down a bit, you'll also see that P2P amounts to the majority (61%) of v6 traffic. I also find it fascinating that SSH and Web traffic both account for 4.6% of v6 right now.
-
Here's the real article
Since neither subby nor the self-serving linkfarm reblog site they submitted bothered to either link to the Arbor Networks article, or read it beyond the first few paragraphs, here it is.
A better summary might be that native IPv6 usage has "more than doubled" in the past six months, while tunneled IPv6 has declined. This is exactly what we'd hope to see, but maybe not as catchy a headline?
-
Re:Long on Rhetoric
"Short on specifics" is pretty typical of journalism. There's a summary of the actual report on the Arbor Networks website. Key quote:
Increasingly sophisticated attacks expose IPS and firewall shortcomings
In an effort to achieve DDoS protection, many operators have deployed stateful firewalls and intrusion prevention system (IPS) devices to protect data center infrastructure. In actuality, these devices can render networks more susceptible to attacks as the state tables on even the most scalable versions available can be overwhelmed with a moderate size DDoS attack. Nearly 49 percent of IDC respondents reported a firewall or IPS outage due to DDoS.
So the key datum supporting the argument that firewalls make DDoS attacks worse is that half of the respondents said that their firewall failed during a DDoS.
The full report is available for free, but you have to enter in a bunch of information, which I didn't feel like doing.
:-) -
Re:Long on Rhetoric
Pretty typical for journalism. A summary of the actual report can be found here; pertinent quote:
Increasingly sophisticated attacks expose IPS and firewall shortcomings
In an effort to achieve DDoS protection, many operators have deployed stateful firewalls and intrusion prevention system (IPS) devices to protect data center infrastructure. In actuality, these devices can render networks more susceptible to attacks as the state tables on even the most scalable versions available can be overwhelmed with a moderate size DDoS attack. Nearly 49 percent of IDC respondents reported a firewall or IPS outage due to DDoS.
So the key statistic backing up the claim that poorly-configured firewalls make a DDoS work is that half of the respondents said their firewall went down as a result of a DDoS.
Unfortunately to get the actual report you have to enter in a bunch of information, which I didn't feel like doing.
-
A More Detailed Technical Explanation.
You're right that the article doesn't delve into the technical specifics - but the report the article is describing, available via this link provides more details.
The essence of the issue is that DDoS attacks are attacks against capacity and/or state. Even the largest firewalls commercially available or that one can build have limited state-table sizes.
Placing stateful firewalls in front of client access networks makes sense - when your Web browser requests the TCP/IP stack on your client device to set up a three-way TCP handshake with example.com, there's an outgoing SYN request which traverses the stateful firewall, and the stateful firewall makes a note of this in its state table. When the SYN-ACK response comes back from the example.com server, the stateful firewall checks to see if there's a corresponding outbound request and that the incoming response conforms with the firewall policies - if the answers to both questions is 'yes', then the firewall passes the server response packets. If the answer to either question is 'no', the stateful firewall drops the inappropriate server response.
When we're talking about Web servers, DNS servers, et al., however, basically every incoming request is unsolicited - therefore, there is no state to inspect. This is why it makes zero sense to put a stateful firewall in front of servers.
Instead, the server OS and apps (Apache, BIND, sendmail, whatever) should be hardened, tcpwrappers should be deployed on the server to provide onboard stateless policy filtering, and stateless Access Control Lists (ACLs) should be implemented on your hardware-based routers and/or layer-3 switches in order to enforce network access policy - e.g., allow TCP/80 and TCP/443 for a standard SSL-enabled Web server, allow UDP/53 and TCP/53 for a DNS server, etc., and then disallow anything else from the outside.
Here's a .pdf presentation from a recent NANOG conference which makes the same point.
When stateful firewalls are used to enforce these polices which ought to be enforced by stateless ACLs per the above, the state-table limitations of even the largest firewalls form a significant DDoS chokepoint. Attackers can craft well-formed attack traffic which will conform to the firewall rules, but which will 'crowd out' legitimate requests from users, and which in many cases causes an error condition on the stateful firewall which causes it to stop forwarding packets altogether. This leads to a DoS of the firewall itself and all the servers behind it.
I've seen this over and over and over again, even with very large firewalls. It's far easier to DoS the largest firewall in existence than it is to DoS well-tuned, hardened server TCP/IP stacks.
Servers should be protected from DDoS attacks via source-based remotely-triggered blackholes (S/RTBH), flowspec, and/or intelligent DDoS mitigation systems (IDMS) specifically designed for this application.
Load-balancers are also a DDoS state vector, but in many environments are a necessary evil. When they must be used (note that there are many ways to achieve clustering/load-balancing without making use of single-point load-balancers), they must be protected by the same stateless ACLs in terms of enforcing network access policy, and must furthermore be protected from DDoS by S/RTBH, flowspec, and/or IDMS.
'Application-layer firewalls', with their 'protocol inspectors', and so-called 'IPSes' are even worse. They carry even more state, and the protocol inspectors offer a broadened attack surface for exploitation and device compromise (you can find numerous examples of publicly-acknowledged buffer overflows, etc. which comprise security vulnerabilities in the inspectors of both commercial and open-source firewalls and 'IPSes'). Consequently, they fall over during even a moderate DDoS attack even more qui
-
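Added example for the "A More Detailed Technical Explanation" comment above (editor's code, not the commenter's or Arbor's): a toy model of the state-table argument. Both devices enforce the same allow list (TCP/80 and TCP/443 to one server), but the stateful path records every permitted SYN in a bounded table, so policy-conforming SYNs from spoofed sources fill it and later legitimate clients are refused, while the stateless ACL decides per packet and has nothing to exhaust. The server address, the documentation/benchmark source ranges and the table size are made-up values.

```python
"""Toy model: stateful firewall with a bounded state table vs. a stateless ACL,
both enforcing 'permit tcp any host SERVER eq 80/443, deny everything else'.
All addresses and sizes are constructed for the example."""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport")

SERVER = "198.51.100.10"        # constructed: the web server behind the filter
ALLOWED_TCP_PORTS = {80, 443}   # the network access policy both devices enforce


def stateless_acl(pkt):
    """Router / L3-switch ACL: the decision depends only on this packet's
    header, so there is no table an attacker can fill."""
    return pkt.dst == SERVER and pkt.dport in ALLOWED_TCP_PORTS


class StatefulFirewall:
    """Same policy, but every permitted SYN takes a slot in a bounded state
    table. Real firewalls age entries out; a half-open entry from a spoofed
    source still occupies its slot until that timeout expires."""

    def __init__(self, max_entries):
        self.max_entries = max_entries
        self.table = {}              # (src, sport, dst, dport) -> state
        self.dropped_for_state = 0   # policy-conforming SYNs refused for lack of room

    def permit(self, pkt):
        if not stateless_acl(pkt):
            return False
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.table:
            return True
        if len(self.table) >= self.max_entries:
            self.dropped_for_state += 1
            return False
        self.table[key] = "SYN_SEEN"
        return True


def simulate(table_size, attack_syns, legit_syns):
    """Spoofed attack SYNs (unique sources, handshake never completed) arrive
    first, then legitimate client SYNs. Returns how many legitimate SYNs each
    device lets through."""
    fw = StatefulFirewall(table_size)
    # 198.18.0.0/15 (benchmarking) stands in for spoofed sources, 192.0.2.0/24 for real clients.
    attack = [Packet(f"198.18.{i // 256}.{i % 256}", 40000 + i % 1000, SERVER, 80)
              for i in range(attack_syns)]
    legit = [Packet(f"192.0.2.{i % 256}", 50000 + i, SERVER, 443)
             for i in range(legit_syns)]
    for pkt in attack:
        fw.permit(pkt)               # every one matches policy and consumes a slot
    stateful_ok = sum(fw.permit(p) for p in legit)
    stateless_ok = sum(stateless_acl(p) for p in legit)
    return {
        "stateful_legit_passed": stateful_ok,
        "stateless_legit_passed": stateless_ok,
        "state_table_used": len(fw.table),
        "state_table_size": table_size,
    }


if __name__ == "__main__":
    print(simulate(table_size=1000, attack_syns=1500, legit_syns=100))
```

With a 1000-entry table and 1500 attack SYNs, no legitimate client gets through the stateful device while all of them pass the stateless ACL; with 500 attack SYNs both paths pass everyone, which is why this only shows up under load. The hardened server stack the comment recommends is the other half of the picture: a listener using SYN cookies keeps no state for half-open connections at all, so the flood that empties the firewall's table costs it nothing.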
Re:Arbor Networks
So, I found the source material, the article is poorly written - maybe plagiarized.
Start on page 7-9, mitigation
http://www.arbornetworks.com/dmdocuments/Arbor_Worldwide_ISP_Security_Report.pdf
They have a point considering that the goal of DDOS is to bring the network down, the article stinks, because it does not offer an alternative to ripping your firewall out.
The conclusion from the pdf says:
"Inter-domain traceback and attack mitigation mechanisms need to be deployed ubiquitously across the Internet, and primary option mitigation solutions must provide more capabilities than simply completing an attack for an attacker."
Which, is a great deal more sensible than "shut your firewalls off"
-
Method to block DOS attacks.
I wrote this back in 2001, and it's still relevant!
http://www.dnull.com/dos/DOS-Block.htm
Running through something like a Citrix Netscaler helps filter out much if your lines aren't overwhelmed.
http://www.citrix.com/English/ps2/products/product.asp?contentID=21679
There are a few other companies that seem to have a solution, but this really looks more like a CDN with enough capacity and some filters to ride out what ever attack could be launched at them.
http://www.prolexic.com/index.php/why-prolexic/ddos-mitigation-services/
http://www.arbornetworks.com/stop-ddos-attacks.html -
Victim: Arbor Networks confirms it
also, no ddos attacks (supposedly over 10gbps) were ever confirmed by their upstreams (bahnhof/ovh).
The ddos attacks have been confirmed by Arbor Networks.
This image released by Arbor clearly shows a spike of over 10Gbps.
-
Check out the Peering Chart from Arbor
The Wired article is from last fall. Arbor's blog post this week by Labovitz has better information. The most interesting data is a chart showing how 60 percent of Google's traffic takes advantage of direct peering, up from 40 percent a year earlier. Given the volume of traffic, we're talking about, there's some meaningful economics in that change.
-
Already are, if you have the right torrent client
-
Internet Prime Time
I am involved with an Internet streaming site (AmericaFree.TV) and our traffic patterns follow normal Television "Prime Time" - i.e., traffic peaks at roughly 6:00 PM to Midnight in the evening. This happens in the US, Europe and Asia, and the local time zone pattern looks a lot like the "Consumer-Internet traffic" graph (# 2 in the original article). (Note that all of these graphs do not start at zero traffic, but some higher value, like 50%). In our case (long format video), there appears to be relatively little streaming from at work.
If you look at Craig Labovitz's previous post, What Europeans do at Night, it appears that European Internet usage drops quickly after dinner time, but I would interpret these graphs a little differently - European traffic starts dropping at 10:00 PM, while US traffic starts dropping at Midnight. This roughly matches what we see, and also European TV viewing patterns (see pages 22 and 23 of this presentation). Of course, American TV prime time is pretty similar to Europe's. Putting all of this together, I don't think that streaming video is driving the differences seen by Labovitz.
An interesting corollary of all of this is that there is still substantial bandwidth available for P2P in the hours after midnight. Off-hours P2P use could triple and still not be more than the current day-time use.
-
Part 2 of The Internet After Dark
The rest of the story is here. It includes:
The answer: long after Exchange and Oracle business traffic slows to a crawl, Internet users turn to the web to surf, watch videos, send IM's and happily try to kill each other.
-
Arbor should know...
Maybe they bought some of Arbor's E-Series products.
-
Re:Internet filtering
The importance is in the subtlety, "Information will get from anywhere to anywhere" should really be "Information can get from anywhere to anywhere". The internet's sophistication is such that any geek will be able to find a hole, but would some Iranian whose friend has just been shot and wants to tell the world?
The widescale filtering may do little to deter the geeks but it has had a profound effect on the average Iranian. By blocking simple messaging protocols they have achieved their goal for the majority of the population and so by finding other simplistic ways (such as through the xbox) for people to communicate the damage can be undone. -
Nice analysis of the problem
There's a great analysis of the problem by the always knowledgeable Danny MacPherson up on his blog at Arbor Networks.
-
Re:No way in hell!
Right now most bandwidth is lost to spammers, crackers and scammers.
Really? How much bandwidth does it take to run a cracking script? I'd bet most bandwidth is "lost" to peer-to-peer downloads.
-
Re:Someone should be fired!
Not quite - you're thinking of older versions. Modern versions of Peakflow are teamed with TMS (Threat Management System), which allow you to mitigate DDoS attacks.
From their website, "Surgical Mitigation Arbor Peakflow SP TMS enables you to automatically detect and surgically remove only the attack traffic while maintaining legitimate business traffic - thereby ensuring the highest level of customer satisfaction."
http://www.arbornetworks.com/en/threat-management-system.html
-
DO NOT WANT MORE SPAM!!!!
Skip the spam and just download directly here... http://www.arbornetworks.com/en/docman/worldwide-infrastructure-security-report-volume-iv-2008-/download.html
-
Re:While you were sleeping
No doesn't take as much as you think. http://www.arbornetworks.com/index.php?option=com_content&task=view&id=56&Itemid=33 If NAP's and NSP's created a policy to their downstreams vis-a-vis this would almost be a thing of the past. http://www.infiltrated.net/?p=23 (warning if you're a network engineer, this will likely piss you off love it or hate it)
-
A more in-depth article
Including a link to the presentation
.ppt http://asert.arbornetworks.com/2006/04/jumping-through-hoopshhhhhrings/ -
Anomaly-detection is very useful.
Doesn't use signatures, doesn't produce false positives. Combine anomaly-detection technology with an information source like NetFlow, and you have a scalable and flexible detection system.
-
plenty of appliances...
-
Re:Fighting evil!?
Last I looked, Google was not an Internet provider. Even more damning to your case, none of the three companies you mentioned seem to be included in the alliance.
-
Use NetFlow to prove it was Nachi traffic.
-
Anomaly-detection, NetFlow, and chargebacks.
And then shut the ports on the access switches.
Arbor Networks has a great anomaly-detection system which can be used with NetFlow in order to identify machines on your network behaving oddly, then shut their ports or use VACLs to block the relevant MAC addresses across your network until they call the help-desk and go through the scrubbing/remediation process.
And charge them for this - nothing's sure to get their attention (and that of their parents) like a $250/incident 'virus remediation charge' which must be paid, like any other student fees, if they expect to get their grades. -
Check out Arbor Networks,
they have a pretty slick NetFlow-/capture-based anomaly-detection system (somewhat called their 'DoS' product) which does a good job of macro-analysis, helping you figure out how to steer IDS in order to keep it from getting overwhelmed by a torrent of information.
More info here. -
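Added example covering the "Use NetFlow to prove it was Nachi traffic", "Anomaly-detection, NetFlow, and chargebacks" and "Check out Arbor Networks" comments above (editor's code, not any commenter's and not Arbor's product): a flow-record fan-out check that flags a host talking to far more distinct destinations than its peers, then maps it to the access-switch port to shut and the MAC to deny in a VACL. The flow records, the MAC/port table and the thresholds are constructed; the "one host ICMP-sweeping a /24" profile is an assumption chosen for the example, not a Nachi signature.

```python
"""Fan-out anomaly check over NetFlow-style records, then quarantine actions.
Flows, MAC table and thresholds are constructed for the example."""
from collections import defaultdict
from statistics import median

ICMP, TCP = 1, 6   # IP protocol numbers as NetFlow exports them


def build_sample_flows():
    """Constructed flows: (src, dst, proto, dport, packets). Three ordinary hosts
    each talk to a few internal servers; one host pings 200 consecutive addresses."""
    flows = []
    for src in ("10.1.5.23", "10.1.5.24", "10.1.5.31"):
        for dst in ("10.1.7.9", "10.1.7.10", "10.1.7.53"):
            flows.append((src, dst, TCP, 80, 12))
        flows.append((src, "10.1.7.53", ICMP, 0, 1))
    for last in range(1, 201):                       # assumed sweep profile
        flows.append(("10.1.5.77", f"10.1.8.{last}", ICMP, 0, 1))
    return flows


def fanout(flows, proto=None):
    """Distinct destinations per source, optionally restricted to one protocol."""
    seen = defaultdict(set)
    for src, dst, p, _dport, _pkts in flows:
        if proto is None or p == proto:
            seen[src].add(dst)
    return {src: len(dsts) for src, dsts in seen.items()}


def anomalous_sources(flows, proto=None, factor=10, floor=20):
    """Flag sources whose fan-out exceeds both factor x the population median
    and an absolute floor, so a tiny or uniformly busy population does not
    flag itself. Returns [(src, distinct_dst_count), ...], largest first."""
    counts = fanout(flows, proto)
    if not counts:
        return []
    limit = max(floor, factor * median(counts.values()))
    return sorted(((s, n) for s, n in counts.items() if n > limit),
                  key=lambda t: -t[1])


MAC_TABLE = {  # constructed: ip -> (mac, access switch, port) from ARP/CAM dumps
    "10.1.5.77": ("00:11:22:33:44:77", "dorm3-sw2", "Gi1/0/17"),
    "10.1.5.23": ("00:11:22:33:44:23", "dorm3-sw1", "Gi1/0/3"),
}


def quarantine_actions(offenders, mac_table=MAC_TABLE):
    """Turn detections into the two blocks the comment describes: shut the
    access port, and deny the MAC in a VACL so it cannot just move jacks."""
    actions = []
    for src, n in offenders:
        mac, switch, port = mac_table.get(src, ("unknown", "unknown", "unknown"))
        actions.append({
            "ip": src, "mac": mac, "switch": switch, "port": port,
            "reason": f"{n} distinct destinations",
            "port_action": "shutdown",
            "vacl_action": f"deny mac {mac}",
        })
    return actions


if __name__ == "__main__":
    flows = build_sample_flows()
    hits = anomalous_sources(flows, proto=ICMP)
    for action in quarantine_actions(hits):
        print(action)
```

Run it and the sweeping host is the only one flagged for ICMP (200 destinations against a median of 1), and the same host is still flagged with no protocol filter. The median-times-factor rule is the "anomaly" part: nothing here knows what a worm looks like, only that one host's behaviour is an order of magnitude off its peers, which is also why the floor matters on a network where everyone legitimately fans out.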
Re:This leads to an interesting possibility
The PDF link is over in the sidebar; I didn't even see it until you mentioned it.
-
Re:Unreachable?
If it is unreachable, is it really part of the Internet?
Check out the Arbor Networks presentation the BBC is referring to. Their definition of "dark address spaces" is "The range of topology accessible from one provider, but unreachable via one or more competitor networks"
So, yes, these addresses are reachable by someone, just not by everyone. -
Re:Not much content in that article
From the actual report:
Dark Address space
A Definition
- The range of topology accessible from one provider, but unreachable via one or more competitor networks
- In other words, the onesided differences in Internet provider topology.
-
The real article
-
Re:I don't understand
I have to agree with you. A lot of people benefit from this. Besides, without the Bayh-Dole Act, how would any of this government-funded research (still 92%) get put to market? The Government would own all the IP.
The real benefit of this act is that it gives the researchers the ability to make some money off of their own ideas. Better them than some suit who has no clue what's going on, right? The professor I work for (I'm a graduate student) has made a fair hunk of cash off of a research project that he did as a graduate student. I've seen how much work he put into it, and along with how much it has helped out the research community, he more than deserves it.
There are several other professors in our department that have taken their ideas to the corporate world as well, most of them successfully. One of them (ArborNetworks) was recently featured here.
The problem is not with the Bayh-Dole act, but with the ridiculous deals like the one at Berkeley mentioned in the article. They're seriously abusing the system. The goal of the act was to allow businesses to emerge out of the research community. The goal is not to have the researchers bought and directed by a company, when they don't even know what's going to come out the other end of the research!
If you want research lackeys to do what you want and to give up all their IP rights to you, hire your own.