
Archive for the ‘Articles’ Category

Incident of the month: DOS Attacks?

Wednesday, April 18th, 2012

Although comparatively rare, one of the most disruptive security events that can occur to an organisation is a denial of service (DOS) attack where network or computer resources are deliberately consumed to deny their legitimate use.

Janet’s high capacity means that attacks are unlikely to cause disruption to the core network. Successful attacks have been identified at the edges of the network, where the resources of a single customer become the limiting factor. Because of the disruption they have caused to high-profile companies, DOS attacks attract a lot of press coverage; they are a favourite tool of the hacker collective “Anonymous”.

There is a trend towards labelling any situation with symptoms resembling a DOS as an ‘attack’ without a complete analysis of what is actually happening. Assuming the situation must be adversarial can lead to panic and mistakes. Before any corrective controls are applied to contain the situation, it is critical that the nature of the problem is fully understood. Here we use examples from actual incidents to illustrate some troubleshooting techniques that we have found useful.

A key capability when investigating DOS attacks is the ability to inspect network traffic. Only through traffic analysis can you determine the properties that will let you filter the attack out while leaving legitimate traffic alone. In one incident a customer was receiving huge volumes of traffic that suddenly overwhelmed a service they were offering, and asked for our help in filtering it. Unfortunately our NetFlow data provided no coverage of the problem. We helped the customer configure a mirror port on their switch, and with that they were able to capture a brief sample of the traffic to the service. Analysis revealed that the problem traffic was arriving from another Janet customer who was a legitimate user of the system: a bug in their client software meant that it was failing to connect to the service and then immediately and aggressively retrying, producing the flood. Isolating that one user from the service restored it immediately.
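The analysis step in that incident is worth showing concretely. The block below is an added example, not JANET CSIRT’s own tooling: it takes packet records of the kind you would pull off a switch mirror port with tcpdump, groups them by source, and measures each source’s connection-attempt rate and handshake failure ratio. A client stuck in a tight reconnect loop shows up as a very high rate with almost no completed handshakes, which from the service’s side is indistinguishable from a SYN flood, and the output is a filter that isolates only that source from the service. The service address, client addresses, ports, thresholds and the capture itself are all constructed for the example, and the ACL syntax is assumed Cisco-style.

```python
"""Identify the source flooding a service from a short traffic capture.

Added example; addresses, ports, thresholds and the sample capture below
are constructed, not taken from any real incident.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Iterable

SERVICE_IP = "10.0.0.5"   # assumed address of the overwhelmed service
SERVICE_PORT = 443        # assumed service port


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since capture start
    src: str
    dst: str
    sport: int
    dport: int
    flags: str    # TCP flags as tcpdump prints them: "S", "S.", ".", "R." ...


@dataclass
class SourceStats:
    attempts: int = 0     # SYNs this source sent to the service
    completed: int = 0    # SYN-ACKs the service sent back (handshake progressed)
    resets: int = 0       # RSTs the service sent back (attempt refused)
    first_ts: float = 0.0
    last_ts: float = 0.0

    @property
    def rate(self) -> float:
        """Connection attempts per second over this source's active window."""
        return self.attempts / max(self.last_ts - self.first_ts, 1e-3)

    @property
    def failure_ratio(self) -> float:
        """Share of attempts that never got a SYN-ACK."""
        return 0.0 if self.attempts == 0 else 1 - self.completed / self.attempts


def summarise(packets: Iterable[Packet]) -> dict[str, SourceStats]:
    """Per-source statistics for traffic to and from the service."""
    stats: dict[str, SourceStats] = defaultdict(SourceStats)
    for p in sorted(packets, key=lambda p: p.ts):   # capture files may be unordered
        if p.dst == SERVICE_IP and p.dport == SERVICE_PORT and p.flags == "S":
            s = stats[p.src]
            if s.attempts == 0:
                s.first_ts = p.ts
            s.attempts += 1
            s.last_ts = p.ts
        elif p.src == SERVICE_IP and p.sport == SERVICE_PORT and p.dst in stats:
            s = stats[p.dst]          # reply to a client we have already seen SYN from
            if p.flags == "S.":
                s.completed += 1
            elif p.flags.startswith("R"):
                s.resets += 1
    return dict(stats)


def find_floods(stats: dict[str, SourceStats],
                min_rate: float = 20.0, min_failure_ratio: float = 0.9) -> list[str]:
    """Sources retrying far faster than a working client would, with almost no
    handshakes completing. Thresholds are assumed values; tune them to the service."""
    hits = [src for src, s in stats.items()
            if s.rate >= min_rate and s.failure_ratio >= min_failure_ratio]
    return sorted(hits, key=lambda src: stats[src].rate, reverse=True)


def acl_for(sources: list[str]) -> list[str]:
    """Assumed Cisco-style extended ACL entries isolating each offender from the
    service only, so the rest of that customer's traffic is untouched."""
    return [f"deny tcp host {src} host {SERVICE_IP} eq {SERVICE_PORT}" for src in sources]


def constructed_sample() -> list[Packet]:
    """Constructed capture: three well-behaved clients completing a handshake every
    couple of seconds, and one client retrying 100 times a second, each attempt refused."""
    pkts = []
    for i, client in enumerate(["192.0.2.10", "192.0.2.11", "198.51.100.4"]):
        for n in range(5):
            t, sport = n * 2.0 + i * 0.3, 40000 + n
            pkts.append(Packet(t, client, SERVICE_IP, sport, SERVICE_PORT, "S"))
            pkts.append(Packet(t + 0.01, SERVICE_IP, client, SERVICE_PORT, sport, "S."))
            pkts.append(Packet(t + 0.02, client, SERVICE_IP, sport, SERVICE_PORT, "."))
    for n in range(200):
        t, sport = 1.0 + n * 0.01, 50000 + n
        pkts.append(Packet(t, "192.0.2.77", SERVICE_IP, sport, SERVICE_PORT, "S"))
        pkts.append(Packet(t + 0.001, SERVICE_IP, "192.0.2.77", SERVICE_PORT, sport, "R."))
    return pkts


if __name__ == "__main__":
    stats = summarise(constructed_sample())
    for src, s in sorted(stats.items(), key=lambda kv: kv[1].rate, reverse=True):
        print(f"{src:16} attempts={s.attempts:4d} rate={s.rate:6.1f}/s "
              f"failed={s.failure_ratio:.0%} resets={s.resets}")
    for line in acl_for(find_floods(stats)):
        print(line)
```

The point of measuring both rate and failure ratio is that a busy but healthy client (high rate, handshakes completing) and a broken one (high rate, nothing completing) need different treatment; the first is load to be capacity-planned for, the second is the one to isolate while its owner fixes the client.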

A second site called us with similar symptoms of a DOS attack. They had lost all external connectivity and their border router was so overloaded that even the console was unresponsive. One of the first tools we use to investigate a DOS is Janet’s Netsight. At a glance we can view a customer’s current and historical bandwidth usage and get a high level view of the situation.

It was clear from the graphs that their connection was suffering problems. Pings were not being returned, indicating an issue somewhere, yet the connection was carrying almost no traffic. That combination is not typical of an external DOS attack on a network, where we would expect traffic levels to be higher than normal, not lower. The customer was unable to configure a mirror port on their switch and needed to get their network up and running quickly, as the problem was disrupting services across the entire campus.

With no sophisticated monitoring tools available, the seemingly drastic but effective way to trace and isolate the traffic was simply to disconnect cables from the router’s interfaces one at a time until network performance returned to normal. The last cable disconnected indicates where the problem is coming from. Repeating these steps on the next device along, where necessary, until more subtle tools are available, traces the problem back to its source. Disconnecting cables will disrupt network traffic, but if your network is already down there is little to lose.

These incidents illustrate why having visibility of network traffic before something goes wrong is critical to resolving DOS attacks quickly. When you cannot see the cause of a problem, it is easy to jump to conclusions. Once you have found the cause of a security event, defending against it becomes a lot easier.

APT – Advanced Persistent Threat

Monday, October 17th, 2011

(As published in JANET News #16, October 2011)

Every so often, after a ground-breaking discovery or an event that has a substantial impact on the security community, a new phrase, term or acronym enters the lexicon of the security researcher. Over the last few years, several high-profile compromises have hit the news headlines. Attacks on an unprecedented scale targeted a slew of companies in the technology, financial and defence sectors, and ‘Advanced Persistent Threats’ became a common topic for discussion.

Dawn of a new threat

In 2010 Google reported on its official blog that it had suffered a sustained attack from a source appearing to originate in China. Google said that some of its intellectual property had been stolen and that the attacks were highly sophisticated, utilising complex vectors and multiple levels of encryption to avoid detection and gain control of target systems. Essentially the compromise involved several layers of well hidden encrypted traffic that penetrated deeper and deeper into their network over a period of time. Google also suggested that the attack may have been carried out by the Chinese state to gain access to the email accounts of Chinese dissidents. However, the attack was not solely targeting Google. Other companies targeted in what became known as ‘Operation Aurora’ included Yahoo, Adobe Systems, Juniper Networks and Rackspace Hosting.

In March this year, RSA admitted it had been the target of a highly sophisticated attack that successfully penetrated its infrastructure. The compromised data was specifically related to RSA’s SecurID two-factor authentication products. In an open letter to its customers, RSA’s Executive Chairman states: ‘While at this time we are confident that the information extracted does not enable a successful direct attack on any of our RSA SecurID customers, this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack’. In other words, the two-factor authentication mechanism that many organisations treat as the de facto standard for strong authentication had been compromised, undermining the integrity of the RSA SecurID system. At this stage there is no confirmation as to who was behind this attack.

It was only a matter of time before a possible motive behind the RSA compromise revealed itself. Soon after, the defence contractors Lockheed Martin and L-3 were attacked by an unknown party. As America’s largest defence contractor, Lockheed Martin is responsible for some of America’s most advanced military technology, including the F-22 fighter aircraft and the Trident submarine-launched missile. Initial reports suggested that these security breaches were in part facilitated by compromised RSA SecurID token seeds. It is entirely possible that the RSA seeds will be used again before RSA are able to replace the 40 million RSA tokens in use by their customers.

Level of threat

In these high-profile incidents, the attackers used advanced techniques and zero-day exploits (exploits for security holes that were not yet publicly known or patched, so that no defence existed for them) to gain access to secure systems. Many would argue that this is what constitutes the definition of an advanced persistent threat: seemingly endless resources, including teams of highly skilled security experts and programmers and a large budget, possibly backed up by operatives on the ground. Are these kinds of resources only available to a government? Or can we expect to see this level of sophistication emerging from high-level industrial espionage? One thing is for certain: information is valuable, and a determined organisation will, with enough resources, eventually find a way into secure systems.

What to do?

These examples of advanced persistent threats illustrate scenarios that any organisation could face. If globally respected security companies can be compromised, is there any hope for the rest of us? With a little analysis, this can easily be put into perspective. If your organisation’s data or intellectual property is valuable to another organisation, there is a greater risk that your competitors will attempt to compromise it. Therefore more resources should be allocated to protecting that data or IP. The answer is not to increase the security budget for software that claims to protect you from ‘all known threats or your money back’, because we have seen time and time again that software alone is not enough.

We suggest that you make sure that staff are specially trained in securing and hardening systems and networks, that access control is enforced, and that intrusion detection systems (IDS) are configured correctly. There is no magic software that does all of this out of the box and meets your organisation’s requirements.

JANET supporting you

JANET CSIRT handles incidents that involve compromises on a daily basis. Whilst many of these compromises are relatively minor, occasionally they are potentially very damaging for the organisation and need to be dealt with in a swift and appropriate manner.

If you suspect that your organisation is the target of an attack or would like information about how we can assist you in the event of a suspected compromise, please get in touch.

Contact Us: irt@csirt.ja.net
PGP Key ID: 0x4EC70D66

0300 999 2340
+44 1235 822 340

Service Hours:
08:00 to 18:00 Mon-Fri
18:00 to 00:00 Mon-Fri*
09:00 to 17:00 Sat-Sun*
(*reduced service)
