Cyberdrone Round-Up Episode I

matt volante
arpcache
Mar 12, 2018

I’ve been thinking about what my next post should be about. These days there’s so much happening every hour of every day in the world of security. In the networking world SD-Everything keeps on truckin’. I’d have to say that at this point in time, security is the big hot topic in IT. I attend a monthly security meetup group and before the talks start there are always people standing up and announcing a new security position available at their company or government agency. It’s quite eye-opening. If I were starting out in computers and technology today, I would go straight into security. The jobs are ripe for the picking. But I digress.

When there’s so much to write about, I figured I’d start a series of posts that act as more of a monthly round-up of interesting little things that I have come across recently. So let’s get into it.

OSINT — Abusing Certificate Transparency

I’m old enough to remember the early days before platforms ran everything on the web, when people created and hosted their own personal websites. Sometimes, folks would host their own nameservers too, or they would use nameservers provided by some early independent ISPs. In some cases you could find an “open” nameserver that would dutifully respond to a zone transfer request from anyone who asked. This was called a DNS AXFR security exposure. Zone transfers should only be allowed from authorized nameservers, such as secondary (or “slave”) nameservers that want a fresh copy of all zone records from the primary. But unfortunately, due to a mixture of poorly defined defaults in BIND and inexperienced administrators juggling too much work (newsflash — times haven’t changed much), these nameservers would often accept AXFR requests from *anywhere*. This was a great way to enumerate an attack surface by dumping all domains and subdomains from a hosting provider. As the internet matured, so did much of its underlying infrastructure, so we saw fewer and fewer nameservers on the internet that were open to AXFR.

But guess what? Through a well-intentioned project sponsored by Google, it has become frighteningly trivial to enumerate subdomains once again.

A hacker in Buenos Aires released this great little Python tool:

This only works for HTTPS sites, but thanks to Let’s Encrypt and others the number of sites with SSL certs is only growing.
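The flip side of the same CT data is that a defender can watch it for their own domain: every certificate a public CA issues for a name under your domain ends up in the logs, so anything that is not in your inventory is worth a look. The following is an added example (not the tool mentioned above, and not code from this post): it parses records in the JSON shape that crt.sh returns for `https://crt.sh/?q=%25.example.com&output=json` (the `name_value` field holds one or more newline-separated names), collects the unique hostnames under a domain, and reports the ones missing from a known-hosts list. The sample records are constructed; the `fetch_ct_records` helper assumes crt.sh still returns that shape and is only used when the script is run directly.

```python
from __future__ import annotations

import json
import urllib.request
from typing import Iterable, Set

# Constructed sample records in the shape crt.sh emits (these rows are made up,
# not real issuances). name_value may carry several names separated by newlines.
SAMPLE_CT_JSON = json.dumps([
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.example.com\nexample.com", "not_before": "2018-02-01T00:00:00"},
    {"issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "vpn.example.com", "not_before": "2018-02-20T00:00:00"},
    {"issuer_name": "C=US, O=ExampleCA, CN=ExampleCA Issuing 1",
     "name_value": "*.dev.example.com", "not_before": "2018-03-01T00:00:00"},
    # Same host with different case and a trailing dot: must dedupe to one entry.
    {"issuer_name": "C=US, O=ExampleCA, CN=ExampleCA Issuing 1",
     "name_value": "WWW.example.com.", "not_before": "2018-03-05T00:00:00"},
    # Unrelated domain that merely ends in "example.com" as a substring: must be excluded.
    {"issuer_name": "C=US, O=ExampleCA, CN=ExampleCA Issuing 1",
     "name_value": "notexample.com", "not_before": "2018-03-06T00:00:00"},
])


def hostnames_from_ct(records_json: str, domain: str) -> Set[str]:
    """Return the unique, lower-cased hostnames at or under `domain` found in CT records."""
    domain = domain.lower().strip(".")
    names: Set[str] = set()
    for rec in json.loads(records_json):
        for raw in rec.get("name_value", "").splitlines():
            name = raw.strip().lower().rstrip(".")
            # Match the apex itself or a proper subdomain; a suffix match on the bare
            # string would wrongly accept "notexample.com".
            if name == domain or name.endswith("." + domain):
                names.add(name)
    return names


def wildcard_names(names: Iterable[str]) -> Set[str]:
    """Wildcard certificates deserve their own line in a report: one cert covers every subdomain."""
    return {n for n in names if n.startswith("*.")}


def unexpected_issuances(records_json: str, domain: str, known_hosts: Iterable[str]) -> Set[str]:
    """Defender's view: names with a public certificate that are not in our host inventory."""
    known = {h.lower().rstrip(".") for h in known_hosts}
    return {n for n in hostnames_from_ct(records_json, domain) if n not in known}


def fetch_ct_records(domain: str, timeout: float = 30.0) -> str:
    """Pull live records from crt.sh (assumes the JSON output format shown above)."""
    url = "https://crt.sh/?q=%25." + domain + "&output=json"
    req = urllib.request.Request(url, headers={"User-Agent": "ct-inventory-check"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    inventory = ["example.com", "www.example.com"]  # constructed inventory
    for name in sorted(unexpected_issuances(SAMPLE_CT_JSON, "example.com", inventory)):
        print("not in inventory:", name)
```

Run periodically against your own domain and alert on the difference; a wildcard or a host you do not recognise is either a forgotten system or someone else holding a certificate for your name.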


Elon Musk is Working on a New Peer-to-Peer Network Protocol

SpaceX is hoping to provide internet to the masses under the brand Starlink. This is a very, very ambitious project. Low-orbit satellites literally beaming internet connectivity everywhere. But this isn’t breaking news…however for network geeks like myself I found the following statement Elon made on Twitter to be very newsworthy:

So…Starlink will provide a new _protocol_ for customers(?!). Stating that your protocol is simpler than IPv6 isn’t saying much. I have so many questions. Musk goes on to say all connectivity will be end-to-end encrypted. This is great news. But again, so many questions.

I wonder how this will be ingested by the users? Proprietary client software? Hardware? So you need special gear/software to connect to Starlink and Starlink will provide an internet gateway and necessary translation. I can’t wait to learn more about this.

Run Kali Linux on Windows

The Windows 10 Subsystem for Linux has been getting more press lately now that folks have had a chance to use it and experiment. I currently dual-boot a laptop with Windows and Kali Linux, but it looks like I may not have to do that anymore with this announcement:

Kali Linux for WSL now available in the Windows Store

While I’m mostly a Linux purist, if WSL can competently run my Linux hosts I think I’d have no problem switching a lot of my Linux VMs to WSL.

DDoS Attacks and Mitigation

Around 2 years ago Brian Krebs’ krebsonsecurity.com site was taken down by a record DDoS attack. This attack peaked at 620 Gbps. That’s almost difficult to imagine. Akamai, which along with Arbor Networks is among the leaders in DDoS protection, eventually told Krebs that they could no longer host his website because mitigating these attacks was costing them too much money. Krebs eventually moved his site over to Google’s Project Shield.

The DDoS attack that took down Krebs wasn’t a UDP amplification attack — which would have been a likely scenario given the sheer volume of data. But no, surprisingly it was a flood attack. SYN, POST and GET requests. 620 Gbps of SYNs, GETs and POSTs. Wow.

So how? The answer was IoT:

There is every indication that this attack was launched with the help of a botnet that has enslaved a large number of hacked so-called “Internet of Things,” (IoT) devices — mainly routers, IP cameras and digital video recorders (DVRs) that are exposed to the Internet and protected with weak or hard-coded passwords. Most of these devices are available for sale on retail store shelves for less than $100, or — in the case of routers — are shipped by ISPs to their customers.

Ugh.

That was 2 years ago. And now we have something new. Recently GitHub and a smattering of other sites were forced offline by volumetric traffic attacks. The culprit this time? We’re back to the good ol’ UDP amplification attack, this time using a dynamic web-caching technology called memcached — and lazy sysadmins that expose their memcached servers to the internet (perhaps because of lazy documentation on the daemon’s part). But this time memcached garners an amplification factor of a staggering 15,000. The previous highest was NTP with an amplification factor of about 500. We’ve now seen memcached attacks top out at 1.5 Tbps. This is getting scary. Roland Dobbins over at Arbor Networks put together what I consider the best write-up on memcached so far:

https://www.arbornetworks.com/blog/asert/memcached-reflection-amplification-description-ddos-attack-mitigation-recommendations/
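Two things a network or systems owner can do about this are worth seeing in code: spot a memcached server on your own network that is reflecting traffic at somebody (the amplification factor is simply response bytes leaving port 11211/UDP divided by request bytes arriving on it, per server/client pair), and check that your memcached instances are not listening for UDP on a public address. The block below is an added example, not code from Arbor’s write-up or from this post: it parses constructed flow records (a simplified seven-field format I made up for the example: protocol, source, source port, destination, destination port, packets, bytes) and checks memcached command lines for the `-U` (UDP port; `-U 0` disables UDP) and `-l` (listen address) options, which are real memcached flags.

```python
from __future__ import annotations

import shlex
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

MEMCACHED_PORT = 11211

# Constructed flow records (not from any real capture). Fields:
# proto src sport dst dport packets bytes
SAMPLE_FLOWS = """\
udp 198.51.100.7 53211 203.0.113.10 11211 50 1000
udp 203.0.113.10 11211 198.51.100.7 53211 12000 15000000
udp 192.0.2.44 40000 203.0.113.10 11211 5 100
udp 203.0.113.10 11211 192.0.2.44 40000 5 900
udp 203.0.113.10 11211 198.51.100.99 6000 3000 4200000
tcp 192.0.2.5 44000 203.0.113.10 11211 20 3000
"""


@dataclass(frozen=True)
class Flow:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    packets: int
    nbytes: int


def parse_flows(text: str) -> List[Flow]:
    """Parse the constructed whitespace-separated flow format; blank lines are skipped."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        proto, src, sport, dst, dport, packets, nbytes = line.split()
        flows.append(Flow(proto.lower(), src, int(sport), dst, int(dport), int(packets), int(nbytes)))
    return flows


def memcached_reflection_report(flows: List[Flow], threshold: float = 100.0) -> Dict[Tuple[str, str], float]:
    """Map (memcached server, peer) -> amplification ratio for UDP pairs at or above `threshold`.

    Responses with no observed request at all (spoofed requests may arrive via a path
    we do not see) get a ratio of infinity so they are never silently dropped.
    """
    request_bytes: Dict[Tuple[str, str], int] = defaultdict(int)
    response_bytes: Dict[Tuple[str, str], int] = defaultdict(int)
    for f in flows:
        if f.proto != "udp":  # reflection abuses the UDP listener; TCP cannot be spoofed this way
            continue
        if f.dport == MEMCACHED_PORT:
            request_bytes[(f.dst, f.src)] += f.nbytes
        elif f.sport == MEMCACHED_PORT:
            response_bytes[(f.src, f.dst)] += f.nbytes
    report = {}
    for pair, out_bytes in response_bytes.items():
        in_bytes = request_bytes.get(pair, 0)
        ratio = out_bytes / in_bytes if in_bytes else float("inf")
        if ratio >= threshold:
            report[pair] = ratio
    return report


def memcached_udp_exposed(cmdline: str) -> bool:
    """True if this memcached command line leaves the UDP listener reachable beyond loopback.

    Assumes the pre-1.5.6 default of UDP enabled on port 11211 when -U is absent.
    """
    args = shlex.split(cmdline)
    udp_port = MEMCACHED_PORT
    listen = ["0.0.0.0"]  # default: all interfaces
    i = 0
    while i < len(args):
        arg = args[i]
        if arg in ("-U", "-l"):                       # "-U 0" / "-l 127.0.0.1"
            value = args[i + 1] if i + 1 < len(args) else ""
            i += 2
        elif arg.startswith("-U") or arg.startswith("-l"):  # "-U0" / "-l127.0.0.1"
            arg, value = arg[:2], arg[2:]
            i += 1
        else:
            i += 1
            continue
        if arg == "-U":
            udp_port = int(value)
        else:
            listen = [a.strip() for a in value.split(",")]
    if udp_port == 0:
        return False
    return not all(addr in ("127.0.0.1", "::1", "localhost") for addr in listen)


if __name__ == "__main__":
    for (server, peer), ratio in memcached_reflection_report(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{server} -> {peer}: amplification x{ratio:,.0f}")
    print("exposed:", memcached_udp_exposed("memcached -m 64 -p 11211 -u memcache"))
```

On the sample data the 203.0.113.10 to 198.51.100.7 pair comes out at exactly the 15,000x the post quotes, while the 9x local client stays under the threshold. The fix on the server side is the one Arbor recommends: start memcached with `-U 0`, bind it to loopback or a private interface with `-l`, and filter 11211/UDP at the edge; memcached 1.5.6 and later disable UDP by default, so the check above mostly matters for older builds.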

I’ve always wondered how DDoS mitigation actually works. How do the vendors actually cope with that kind of traffic? I understand they re-route it to their “scrubbing centres”. I have a few ideas but I’d like to gain a solid understanding of it. I plan on trying to contact Mr. Dobbins and get his 2 cents on this. Another great resource for further learning about DDoS is his deep-dive with the Network Collective:

https://thenetworkcollective.com/2017/11/hon-ddos/

That’s it for this month’s round-up.


I write about networks, protocols, infosec and esoteric technology scraps that I’ve found useful in my 20 year technology career.