DDoS + Breach = End of Business

A distributed-denial-of-service attack and subsequent data breach that led to the shuttering of source code hosting firm Code Spaces offers an eye-opening reminder: Beware of DDoS attacks used as a diversionary tactic to draw attention away from devastating hacking.

“With a DDoS attack, it’s all hands on deck with security [staff] focused on it,” says Rodney Joffe, senior vice president and senior technologist at security vendor Neustar. “They don’t watch for other subtle things occurring in the background.”


In addition to taking steps to mitigate the impact of DDoS attacks, organizations need to monitor for subsequent intrusions and ensure they have multiple backups to store mission-critical data that could potentially be exposed or deleted.

Defense against DDoS attacks should be considered a routine cost of doing business on the Internet, says Dan Holden, a director at Arbor Networks, a security firm. “No one is immune and the possible motivations of attackers leveraging DDoS are vast,” he says. “This could range from cybercrime, geo-political disagreement or competitive takeout.”



Code Spaces Attack

Code Spaces, in a message posted to the homepage of its website, says the DDoS attack against its servers and unauthorized access into the company’s cloud control panel resulted in most of its data, backups, machine configurations and offsite backups being partially or completely deleted.

“Code Spaces will not be able to operate beyond this point,” the company says. “The cost of resolving this issue to date and the expected cost of refunding customers who have been without the service they paid for will put Code Spaces in an irreversible position both financially and in terms of ongoing credibility.”

During the June 17 DDoS attack against Code Spaces’ servers, an unauthorized individual gained access to the company’s Amazon cloud control panel, leaving a number of messages for the company to contact the intruder using a Hotmail address.

“Reaching out to the address started a chain of events that revolved around the person trying to extort a large fee in order to resolve the DDoS,” the company says.

As Code Spaces worked to regain control of the cloud panel by changing passwords, the intruder created multiple back-up logins. “Upon seeing us make the attempted recovery of the account, [the intruder] proceeded to randomly delete artifacts from the panel,” the company says.

The incident took place over a 12-hour period, Code Spaces says. The company is now working on supporting affected customers and exporting back to them any remaining data stored with Code Spaces. “All that we can say at this point is how sorry we are to both our customers and to the people who make a living at Code Spaces for the chain of events that led us here,” the company says.

Code Spaces did not immediately respond to a request for additional information.


Lessons Learned

The attack against Code Spaces points to the need for organizations to segment their core services and have multiple backups in place.

“You cannot depend on a sole service for your business continuity,” says Michael Smith, a director at Akamai Technologies, a DDoS mitigation provider. “You need to put backups and business-critical data and functions in redundant services, locations and technologies so that they are not all impacted together.”

What made the incident against Code Spaces particularly devastating was the combination of a DDoS attack and an intrusion into the company’s systems.

“DDoS is survivable,” Smith says. “For it to be a business-ending event it has to be combined with other attacks. The direct cause was the hacking attack against their administration panel and the unavailability of their service because the attackers deleted storage groups and backups which were located in the same place with the same administrative access.”

One key issue was the fact that the backups for Code Spaces were accessible via the admin account, Joffe of Neustar says. “From the admin, the [hacker] was able to delete the backups or the mechanisms to get to the backups,” he says. With the way backups work now, files are moved electronically to other locations online. “The problem is it’s only electronically reachable,” he says. “If you have all the credentials in your master account, whoever takes over has the ability to find those files.”

As a result, there should be secure isolation between the administration domains of these systems, says Ashley Stephenson, CEO of Corero Network Security, “so that an attacker cannot compromise the backup or alternate site from the primary sites.”

Organizations need to identify the types of attacks to which they’re most vulnerable and develop steps to mitigate those threats, says Carl Herberger, vice president of security solutions at Radware. “This will help an organization see how, and, more importantly, if, they are covering the cyber-attack threats facing their environment.

“Today’s cyber-attacks are not just a nuisance and they are not isolated simple events,” Herberger says. “All too many believe that a cyber-attack is just about volumetric attacks and [all] you need to do is buckle down to weather a storm that will eventually pass. However, this event demonstrates how technical actions must be taken.”


CREDIT: bankinfosecurity

New SNMP Reflection DDoS Attacks

The DDoS techniques have massively increased with the attackers becoming more skillful at working around the network security. A massive 300Gbps DDoS attack launched against Spamhaus website almost broke the Internet a year ago and also earlier this year, hackers have succeeded in reaching new heights of the massive DDoS attack targeting content-delivery and anti-DDoS protection firm CloudFlare, reaching more than 400Gbps at its peak of traffic.


Akamai’s Prolexic Security Engineering and Response Team (PLXsert) issued a threat advisory on Thursday reporting a significant surge in DDoS attacks last month abusing the Simple Network Management Protocol (SNMP) interface in network devices.
Simple Network Management Protocol (SNMP) is a UDP-based protocol which is commonly known and often used to manage network devices. SNMP is typically used in devices such as printers, routers and firewalls that can be found in the home and enterprise environments as well.


Just as DNS amplification attacks, SNMP could also be used in Amplification attacks because a cyber criminal can send a small request from a spoofed IP address in order to sent a much larger response in return.
Over the past month, researchers have spotted 14 Distributed Denial-of-Service (DDoS) attack campaigns that have made use of SNMP amplified reflection attacks. The attacks targeted a number of different industries including consumer products, gaming, hosting, non-profits and software-as-a-service, mainly in the United States (49%) and China (18.49%).


The Distributed Denial of Service (DDoS) attack is becoming more sophisticated and complex and so has become one of favorite weapon for the cyber criminals to temporarily suspend or crash the services of a host connected to the Internet.
The use of specific types of protocol reflection attacks such as SNMP surge from time to time,” said Stuart Scholly, the senior vice president and general manager of the Security Business Unit at Akamai. “Newly available SNMP reflection tools have fueled these attacks.


The attack only targets the devices that runs an older version of SNMP, i.e. version 2, which by default is open to the public Internet unless the feature is manually disabled. The latest version of SNMP, version 3 is more secure management protocol.
The cyber criminals made use of affective DDoS tools in an effort to automate the GetBulk requests against SNMP v2 that caused a large number of networked devices to send their entire stored data at once to a target in order to overwhelm its resources.
The attack is nothing but a distributed reflection and amplification (DrDoS) attack that allows an attacker to use a little skill and relatively small amount of resources in an attempt to create a larger data flood.


Network administrators are encouraged to search for and secure SNMP v.2 devices,” added Scholly. “The Internet community has been active in blacklisting the devices involved in recent DDoS attacks, but we also need network administrators to take the remediation steps described in the threat advisory. Network administrators can help prevent more devices from being found and used by malicious actors.”


Since 2013, Hackers have adopted new tactics to boost the sizes of Distributed Denial of Service (DDoS) attack which is also known as Amplification Attack’, leveraging the weakness in the UDP protocols. The most common is the (Domain Name System) DNS and (Network Time Protocol) NTP Reflection Denial of Service attack, but now cyber criminals have manage to use (Simple Network Management Protocol) SNMP to cause major damage.




NTP-based DDoS attacks

Over the last couple of weeks you may have been hearing about a new tool in the DDoS arsenal: NTP-based attacks. These have become popular recently and caused trouble for some gaming web sites and service providers. We’d long thought that NTP might become a vector for DDoS attacks because, like DNS, it is a simple UDP-based protocol that can be persuaded to return a large reply to a small request. Unfortunately, that prediction has come true.

The UK's Speaking Clock


DNS Reflection is so 2013

We’ve written in the past about DNS-based reflection and amplification attacks and NTP-based attacks use similar techniques, just a different protocol.

A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.

That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.

But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet “from” a forged source IP address and have the server (or servers) send large replies to the victim.

Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply.

For DNS the amplification factor (how much larger a reply is than a request) is 8x. So an attacker can generate an attack 8x larger than the bandwidth they themselves have access to. For example, an attacker controlling 10 machines with 1Gbps could generate an 80Gbps DNS amplification attack.

In the past, we’ve seen one attack that used SNMP for amplification: it has a factor of 650x! Luckily, there are few open SNMP servers on the Internet and SNMP usually requires authentication (although many are poorly secured). That makes SNMP attacks relatively rare.

The new kid on the block today is NTP.


Network Time Protocol attacks: as easy as (UDP port) 123

NTP is the Network Time Protocol that is used by machines connected to the Internet to set their clocks accurately. For example, the address time.euro.apple.com seen in the clock configuration on my Mac is actually the address of an NTP server run by Apple.

My Mac quietly synchronizes with that server to keep its clock accurate. And, of course, NTP is not just used by Macs: it is widely used across the Internet by desktops, servers and even phones to keep their clocks in sync.

Unfortunately, the simple UDP-based NTP protocol is prone to amplification attacks because it will reply to a packet with a spoofed source IP address and because at least one of its built in commands will send a long reply to a short request. That makes it ideal as a DDoS tool.

NTP contains a command called monlist (or sometimes MON_GETLIST) which can be sent to an NTP server for monitoring purposes. It returns the addresses of up to the last 600 machines that the NTP server has interacted with. This response is much bigger than the request sent making it ideal for an amplification attack.

To get an idea of how much larger, I used the ntpdc command to send a monlist command to a randomly chosen open NTP server on the Internet. Here are the request and response packets captured with Wireshark.

At the command line I typed

ntpdc –c monlist 1xx.xxx.xxx.xx9

to send the MON_GETLIST command to the server at 1xx.xxx.xxx.xx9. The request packet is 234 bytes long. The response is split across 10 packets totaling 4,460 bytes. That’s an amplification factor of 19x and because the response is sent in many packets an attack using this would consume a large amount of bandwidth and have a high packet rate.

This particular NTP server only had 55 addresses to tell me about. Each response packet contains 6 addresses (with one short packet at the end), so a busy server that responded with the maximum 600 addresses would send 100 packets for a total of over 48k in response to just 234 bytes. That’s an amplification factor of 206x!

An attacker, armed with a list of open NTP servers on the Internet, can easily pull off a DDoS attack using NTP. And NTP servers aren’t hard to find. Common tools like Metasploit and NMAP have had modules capable of identifying NTP servers that support monlist for a long time. There’s also the Open NTP Project which aims to highlight open NTP servers and get them patched.


Don’t be part of the problem

If you’re running a normal NTP program to set the time on your server and need to know how to configure it to protect your machine, I suggest Team Cymru’s excellent page on a Secure NTP Template. It shows how to secure an NTP client on Cisco IOS, Juniper JUNOS or using iptables on a Linux system.

If you’re running an ntpd server that needs to be on the public Internet then it’s vital that it’s upgraded to at least version 4.2.7p26 (more details in CVE-2013-5211). The vulnerability was classed as a bug in the ntpd bug database (issue 1532).

If you are running an ntpd server and still need something like monlist there’s the mrulist command (see issue 1531) which now requires a nonce (a proof that the command came from the IP address in the UDP packet).

Neither of these changes are recent, ntpd v4.2.7p26 was released in March 24, 2010, so upgrading doesn’t require using bleeding edge code.

If you’re running a network (or are a service provider) then it’s vital that you implement BCP-38. Implementation of it (and the related BCP-84) would eliminate source IP spoofed attacks of all kinds (DNS, NTP, SNMP, …).



The black and white photograph at the top of this blog post shows the UK’s original speaking clock and the original voice of the clock Jane Cain. A common way to synchronize clocks and watches was to telephone the speaking clock to get the precise time.

Geeks like me will be amused that the NTP UDP port for time synchronization is 123 and that the telephone number of the UK speaking clock is also 123. Even today dialing 123 in the UK gets you the time.


CREDIT: CloudFlare