Tag Archives: DDOS

Awesome DDoS Lookup tool

In my day-to-day job, I have been responsible for mitigating DDoS attacks and making sure that they are detected in a timely manner.

The company I work for has an awesome platform to mitigate DDoS attacks, which has an alert system and analytics, but I came across a public tool into which you can enter an IP or domain and check whether there has been a DDoS against that target.

Check out https://ddosmon.net/

ddosmon front page


DDoS Mon gets data from telecoms and other sources around the world to compile a list of DDoS attacks. I have personally used this tool and compared it to known real attacks, and let me tell you, this tool is very accurate. It’s great to be able to quickly search for attacks; it’s also easy to use the URL to search for an attack.

For example, you can use https://ddosmon.net/explore/4.2.2.2 to search for attacks against 4.2.2.2 (a Level 3 DNS server).

There is also an API that returns JSON data so you can parse it yourself; you need to create an account to get API access.

When searching for attacks against this IP, we see the result below.

ddos mon attack view


The latest attack was a UDP-style attack against this IP.

The site also provides valuable insights into DDoS traffic on a global scale; check out https://ddosmon.net/insight/

Here is a snippet of some interesting data; there is much more on the site.

ddos insights


In conclusion, this tool is very useful and can be incorporated as another tool in a SOC environment, or used by any business that suspects it may have experienced attacks but doesn’t have the resources to check.

This tool is also great for research purposes.

I would like to know what you think about this tool! Send me an email with your thoughts or leave a comment!

Have a good day!

Sean


Why is IoT a threat to internet security?

IOT


The new wave of the internet is upon us: we are now in the era of IoT, the “Internet of Things”, sensors and devices that connect to the internet, from home IP cameras to your fridge. This wonderful new era comes with a new challenge for security professionals.

Some of the questions you need to ask yourself as a security professional:

  • How do we protect these devices?
  • How do we check for vulnerabilities in the software?
  • Where are these devices located, i.e. publicly reachable or in your corporate network?

The growing concern is facing the home user. Why, you ask?

Take the example of the home user. The user wants a home security system because they want to monitor what happens at their home, so they purchase a DVR with IP cameras. The user sets up the cameras on their Wi-Fi connection, then allows access to the DVR over the internet. Here is where the problem starts, and this is what we have seen time and time again: some users, if not a majority of them, don’t think to change the passwords on the cameras or put an ACL in place to restrict connections to the camera. That home user has just contributed to the IoT issue. Just look at what Mirai has done by scanning the internet for devices such as cameras with weak or default passwords, exploiting them to be used as nodes in a botnet.

Now comes another issue with the average home network itself. Most home users and some small businesses use consumer-grade, off-the-shelf routers, and most home routers from manufacturers like D-Link, Belkin etc. have been found to have major security holes. Check out this link, which offers insight into this big problem: http://www.wsj.com/articles/rarely-patched-software-bugs-in-home-routers-cripple-security-1453136285

Now, unlike your operating system, which updates automatically, updating router firmware is usually a manual process. This is not always an easy task, especially for a home user, and then comes the problem of manufacturers not patching the holes in the first place.

So combine poor security practices with vulnerable equipment and a lack of awareness. This is a recipe for disaster, and we are starting to see the effects of it now: the last massive DDoS attack against Dyn was found to be traffic from many IoT devices. Check this link for a good article on the details of the findings.


In the end, IoT is here to stay, so we need to adjust the way we think about security. Many of these issues were here before IoT, like the poor use of passwords and default settings. Poorly written software causing security risks has been around for a long time, but the difference now is that there is a huge number of devices. Now you usually have more IP cameras and gadgets, for example, than computers. The vast number of devices is making attacks such as DDoS exponentially more powerful.


How do we fix this?

  • Better security awareness for the home user
  • Better-written software that is regularly checked and patched for holes
  • Devices that have a randomized, per-unit default password (tied to the MAC or serial, for example) and that force the user to change the password before the device works
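As an added example of the third point (written for this post, not firmware from any real product), the snippet below models a camera that ships with a per-unit initial password and refuses to enable its remote services until that password has been replaced. The factory key, the serial format and the PBKDF2 parameters are assumptions; the one design caveat baked in is that the serial or MAC is keyed with a factory secret rather than used directly, because both are printed on the label and the MAC is visible to anyone on the LAN.

```python
"""Per-device initial credential with a mandatory first-login password change.

Illustrative code added to this post; not from any vendor's firmware.
FACTORY_KEY is a constructed value and would live only in the provisioning
system, never on the device.
"""
import hashlib
import hmac
import os

# Assumption: provisioning-time secret; constructed for this example.
FACTORY_KEY = b"constructed-factory-key-do-not-use"
PBKDF2_ITERATIONS = 100_000  # assumption, tune for the device's CPU
MIN_PASSWORD_LEN = 12        # assumption


def initial_password(serial: str) -> str:
    """Derive the label-printed initial password for one unit.

    HMAC(FACTORY_KEY, serial) makes every unit's password different and
    non-guessable from the serial or MAC alone; 10 bytes gives 80 bits,
    printed as 20 hex characters on the label.
    """
    tag = hmac.new(FACTORY_KEY, serial.encode(), hashlib.sha256).digest()
    return tag[:10].hex()


class DeviceAuth:
    """Minimal credential store: salted PBKDF2 hash plus a must-change flag."""

    def __init__(self, serial: str):
        self.serial = serial
        self.must_change_password = True
        self._set_password(initial_password(serial))

    def _set_password(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.pw_hash = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ITERATIONS
        )

    def verify(self, password: str) -> bool:
        candidate = hashlib.pbkdf2_hmac(
            "sha256", password.encode(), self.salt, PBKDF2_ITERATIONS
        )
        return hmac.compare_digest(candidate, self.pw_hash)

    def change_password(self, old: str, new: str) -> bool:
        """Accept a new password only if the old one is correct, the new one
        is long enough and it is not the label-printed initial value."""
        if not self.verify(old):
            return False
        if len(new) < MIN_PASSWORD_LEN or new == initial_password(self.serial):
            return False
        self._set_password(new)
        self.must_change_password = False
        return True

    def services_enabled(self) -> bool:
        """Remote services (RTSP, WAN-side web UI, ...) stay off until the
        initial password has been replaced."""
        return not self.must_change_password


if __name__ == "__main__":
    cam = DeviceAuth("SN-0001")  # constructed serial
    print("services on at first boot:", cam.services_enabled())
    cam.change_password(initial_password("SN-0001"), "a-long-new-passphrase")
    print("services on after change:", cam.services_enabled())
```

The important behaviour is `services_enabled()`: a scanner that finds the device before its owner has logged in finds nothing listening, which is exactly the window Mirai-style worms rely on.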

The above is a starting point but is not the full solution; every case is different.


Let me know what you think!


How can ISPs help with DDoS mitigation?


We have seen it time and time again: DDoS attacks against organizations causing network interruptions and downtime.

These organizations are at times helpless at the hands of the attackers, sometimes even held for ransom. Think of a small or medium business with a 50 Mbps internet connection that is getting attacked: what options does that organization have?


Sure, if they pay extra for a subnet with BGP peering and have the technical know-how, they can black-hole the traffic. But this is costly, and oftentimes smaller businesses don’t have the technical staff to keep a security team on watch.

The other option is to increase bandwidth when the attack happens, but how reasonable is that? What is the guarantee that the attack won’t grow larger? Attacks are reaching the Gbps range, and an SMB simply can’t afford those costs.


The best option is getting a DDoS protection service offered via the ISP or interconnect. Anti-DDoS services are normally offered at the ISP or carrier level; there are also CDNs (Content Delivery Networks).

Part of the reason why you would want to go with an ISP or a carrier for DDoS protection is that they have much more network infrastructure than you have. They have all the expertise at the ready, and often for much less than it would cost you to run a solution yourself.


Anti-DDoS solutions range from free to several thousand dollars depending on the protection level, but remember: you get what you pay for.

Anti-DDoS providers usually offer tiers or actions, such as null-routing the traffic, where the traffic for the IP address that is under attack is redirected into the carrier’s core.

The issue with the above solution is that a null route will drop all of the traffic destined for that IP address. So if you are hosting a website or an email server, you have completed the job for the attacker… and don’t even think about changing the DNS entries; the attacks can target the domain as well.

The other option is traffic scrubbing. This technique is more costly but optimal: the ISP will drop the bad traffic using algorithms that detect attack traffic such as SYN floods or UDP floods.
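To make the null route versus scrubbing difference concrete, here is an added example (not from the post or from any ISP's scrubbing product) that runs simple SYN-flood and UDP-flood detection over a constructed window of NetFlow-style records for one victim IP, then shows how many legitimate flows survive under each action. The flow tuples, the victim address and every threshold are assumptions chosen for the sample window; real scrubbing centres use far richer signals, but the shape of the decision is the same.

```python
"""Flow-based SYN/UDP flood detection and null-route vs scrub comparison.

Added example for this post; the records below are constructed, using
documentation address ranges, and the thresholds are assumptions.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    flags: str      # TCP flag letters seen in the flow ("S", "PA", ...); "" for UDP
    packets: int


WINDOW_SECONDS = 10
SYN_PPS_THRESHOLD = 500     # assumption: bare SYNs/sec to one host before we call it a flood
SYN_RATIO_THRESHOLD = 0.8   # assumption: share of TCP packets that are bare SYNs
UDP_PPS_THRESHOLD = 2000    # assumption: UDP packets/sec to one host
SRC_SYN_PPS = 10            # assumption: per-source bare-SYN rate with no handshake completed
SRC_UDP_PPS = 50            # assumption: per-source UDP rate

VICTIM = "203.0.113.10"     # constructed victim address

# Constructed sample window: a little normal traffic plus a SYN flood and a UDP flood.
SAMPLE_FLOWS: List[Flow] = [
    Flow("198.51.100.5", VICTIM, "tcp", 443, "S", 3),    # real client, handshake starts
    Flow("198.51.100.5", VICTIM, "tcp", 443, "PA", 40),  # ... and carries data
    Flow("198.51.100.7", VICTIM, "tcp", 25, "PA", 12),   # mail
    Flow("198.51.100.9", VICTIM, "udp", 53, "", 20),     # DNS
] + [
    Flow(f"192.0.2.{i}", VICTIM, "tcp", 443, "S", 200) for i in range(1, 41)     # SYN flood
] + [
    Flow(f"192.0.2.{i}", VICTIM, "udp", 12345, "", 1000) for i in range(41, 81)  # UDP flood
]


def detect(flows: List[Flow], dst: str) -> Dict[str, bool]:
    """Host-level detection: is dst under a SYN flood and/or a UDP flood?"""
    tcp_pkts = sum(f.packets for f in flows if f.dst == dst and f.proto == "tcp")
    bare_syn = sum(f.packets for f in flows if f.dst == dst and f.proto == "tcp" and f.flags == "S")
    udp_pkts = sum(f.packets for f in flows if f.dst == dst and f.proto == "udp")
    syn_ratio = bare_syn / tcp_pkts if tcp_pkts else 0.0
    return {
        "syn_flood": bare_syn / WINDOW_SECONDS > SYN_PPS_THRESHOLD and syn_ratio > SYN_RATIO_THRESHOLD,
        "udp_flood": udp_pkts / WINDOW_SECONDS > UDP_PPS_THRESHOLD,
    }


def scrub(flows: List[Flow], dst: str) -> Tuple[List[Flow], List[Flow]]:
    """Drop only sources matching a flood signature; return (kept, dropped)."""
    syn_by_src: Counter = Counter()
    udp_by_src: Counter = Counter()
    acked_srcs = set()  # sources that completed a handshake at some point
    for f in flows:
        if f.dst != dst:
            continue
        if f.proto == "tcp":
            if f.flags == "S":
                syn_by_src[f.src] += f.packets
            elif "A" in f.flags:
                acked_srcs.add(f.src)
        else:
            udp_by_src[f.src] += f.packets
    bad = {s for s, n in syn_by_src.items()
           if n / WINDOW_SECONDS > SRC_SYN_PPS and s not in acked_srcs}
    bad |= {s for s, n in udp_by_src.items() if n / WINDOW_SECONDS > SRC_UDP_PPS}
    kept = [f for f in flows if f.dst != dst or f.src not in bad]
    dropped = [f for f in flows if f.dst == dst and f.src in bad]
    return kept, dropped


def null_route(flows: List[Flow], dst: str) -> Tuple[List[Flow], List[Flow]]:
    """What a carrier null route does: everything to dst disappears."""
    return [f for f in flows if f.dst != dst], [f for f in flows if f.dst == dst]


def compare(flows: List[Flow], dst: str) -> Dict[str, int]:
    """Flows still reaching the victim under each mitigation."""
    scrub_kept, scrub_dropped = scrub(flows, dst)
    null_kept, null_dropped = null_route(flows, dst)
    return {
        "scrub_kept_to_victim": sum(1 for f in scrub_kept if f.dst == dst),
        "scrub_dropped": len(scrub_dropped),
        "null_kept_to_victim": sum(1 for f in null_kept if f.dst == dst),
        "null_dropped": len(null_dropped),
    }


if __name__ == "__main__":
    print("detection:", detect(SAMPLE_FLOWS, VICTIM))
    print("mitigation:", compare(SAMPLE_FLOWS, VICTIM))
```

On the sample window the detector flags both floods; scrubbing drops the 80 flood sources and keeps the four legitimate flows, while the null route keeps none of them, which is the "you have completed the job for the attacker" outcome.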

The CDN approach, like that used at https://www.cloudflare.com/: this service acts as a buffer between your web server and the internet. All web requests are filtered through the CDN, scrubbed and then delivered to the server. This has a limitation: if the server itself is being attacked directly via its IP address, then the CDN will not help.

At the end of it all, DDoS attacks cost money, sometimes a lot of money, especially for e-commerce websites. Imagine not being able to sell your products on your website due to a DDoS.

The protection is a lot cheaper than the cost of a successful attack; businesses need to adopt services to protect themselves from these ever-growing, ever more powerful attacks.