What BCP38 Can and Cannot Do

September 28, 2016

We’re coming through what is seeming like a tipping point in the history of DDoS on the Internet. Rather than targeting a company or online gaming, one of the largest DDoS attacks ever targeted an individual, Brian Krebs, most likely for his work exposing a so-called “booter service”, a DDoS-for-hire outfit called vDOS, which ultimately led to the alleged proprietors being arrested. A brief history of DoS volumes Public information about DDoS attack volumes are generally sparse outside of news releases and blog posts of DDoS mitigation companies, but even as late as last year, attacks of around 400 Gbps were exceptional events and pretty much the biggest the Internet had seen. ... Read more

Clarifying DDoS-related terms

September 25, 2016

I’ll be writing a bit more about DDoS attacks and security, and so I thought it would be handy to jot down some commonly used terms in one place. I’ll also look at how some of those terms are interrelated. The terms Spoofing As relates to TCP/IP, “spoofing” really just refers to forging some part of IP communications. You could, for example, spoof a source port to have response data thrown at a listening application that wasn’t expecting it, but generally we’re talking about forging the source IP address in an IP packet. ... Read more

GRE Reflection?

September 22, 2016

Recently, we’re seeing an uptick in GRE traffic as part of a DDoS mix. Most prominently, GRE featured as the biggest volume contributor in the record 600+ Gbps attack on krebsonsecurity.com. (Note that the site is currently offline as it’s finding a new home, so any links to krebsonsecurity.com will reference The Internet Archive instead.) An initial tweet from @briankrebs listed GRE in the attack traffic mix: per the last tweet, they threw it all at my site; SYN Flood, GET Flood, ACK Flood, POST Flood, GRE Protocol Flood]; 665.00 Gbps;143.50 Mpps — briankrebs (@briankrebs) September 21, 2016 …and Krebs later confirmed more details in KrebsOnSecurity’s own article reporting on the attack: Preliminary analysis of the attack traffic suggests that perhaps the biggest chunk of the attack came in the form of traffic designed to look like it was generic routing encapsulation (GRE) data packets, a communication protocol used to establish a direct, point-to-point connection between network nodes. Now, volumetric DDoS attacks will generally use amplification vectors like open DNS resolvers, misconfigured or vulnerable NTP or SNMP servers, SSDP, etc. in order to boost the attack volume. Those amplifiers are also often vulnerable to reflection attacks, where the attacker spoofs the source address in the initial amplification trigger packets so that the amplified replies hit the target rather than the attacker. This can be pulled off because these exploited amplification vectors are stateless and UDP-based, and so a single spoofed packet from the attacker will trigger the amplified reply destined for the target. A TCP-based attack could yield a larger amplification factor (e.g. just think of pulling off an HTTP GET of a GB+ file!), but a TCP 3-way handshake would never complete successfully with a spoofed source address, and even if somehow it could, the attacker would have to keep ACK-ing somehow in order to keep the transfer going. GRE we are told, however, could not have a spoofed source address (also from the same Krebs article): McKeay explained that the source of GRE traffic can’t be spoofed or faked the same way DDoS attackers can spoof DNS traffic. GRE is not known to have an amplification vector, and I haven’t been able to think of one. But is it true that source IPs cannot be spoofed in GRE? *Note that this is an untested theory and still needs to be validated.* ... Read more

Ubuntu Xenial and systemd network online target

September 12, 2016

So, I’m bringing a little Chromebox back into use on our home network to do some basic network services: dhcp, dns, and probably actually using it as a router (long story; tl;dr TekSavvy says they’ll give you a /56 but then the VDSL modem they sell you can’t do DHCPv6-PD properly). Anyway… I slapped Ubuntu 16.04 Xenial server on it and started plugging away at a couple of things. I opted to use ISC’s newer Kea DHCP server rather than isc-dhcp-server. Little did I know that Ubuntu and systemd had other ideas… ... Read more

Windows Media Player 11 Breaks Internet Connectivity

August 13, 2008

Alright, so the title for this post seems pretty out there, but I can guarantee you that I have come across this on multiple machines. I’m not saying “If you install Windows Media Player 11 on your computer, networking will break,” I’m just saying that if you experience the symptoms outlined below and you’re stuck, trying uninstalling WM11 and the WM11 codec; you just might get lucky. So, one of the other techs in the office calls me over: He’s been beating his head against a wall with a remote user being unable to get internet connectivity on his Windows XP workstation. ... Read more

© 2017 Hugo Slabbert. Some rights reserved. Please attribute properly and link back.