Popular Misconception: IPS can block DDoS attacks!

IPS products provide virtually complete protection in the application segment. Despite their many capabilities, their weaknesses cannot be ignored. Today's DDoS attacks are built from packets that are, taken individually, valid. An IPS checks these packets against its signature database and may let them through, because it only inspects packet headers and payloads to decide; an advanced DDoS attack composed of valid packets therefore succeeds.
Although IPS systems have some anomaly-based capabilities, they require extensive manual setup by specialists, and the signatures in the system are tuned by a team of experts. It is also evident that the signatures available in IPS systems are inadequate for identifying today's advanced DDoS attacks. Taken together, this means an attack that should have been stopped within seconds is not stopped at all; and when the attack records are later analysed by the expert team, the attack is identified far too late or not at all.
Another weakness is that these devices physically fall behind under volumetric attacks. Attackers know that IPS devices, by their hardware and software architecture, are not rated for high volumetric request rates, nor for the session-table load created by large numbers of small packets. Once an attacker identifies an IPS product, the aim is to drive the device's CPU to 85-95%, either by launching a volumetric attack against another reachable service or by sending session requests made of small packets; at those levels the IPS switches into bypass mode. With the IPS disabled in this way, the attacker then reaches the information, service or device behind it.

NTP Reflection Attacks

NTP reflection attacks, which began at the end of 2013, reached 400 Gbps in 2014, the largest attack size recorded in the world at that time. After the DNS attacks targeting Spamhaus that were recorded at 300 Gbps in March 2013, traffic volumes of 400 Gbps were seen in 2014.

These attacks reach such volumes by using a mirror (reflection) method. As in DNS reflection floods, innocent public server systems are used as intermediaries in this type of attack.

The attacker queries NTP servers intensively, but deliberately forges the source IP address of the queries to be the address of the target system. This is possible because NTP, which runs over UDP port 123, is connectionless and does not verify the source address. The NTP servers respond to the queries, but the responses are delivered to the target system, which appears to be the host that asked. In this way, public NTP servers are used as mirrors.

The key factor in reaching this attack size is the NTP query type known as "monlist". In response to this query, an NTP server lists the last 600 hosts that connected to it, delivered in several parts.

Figure: Labris Networks, responses to a monlist query

A response containing a large number of IP addresses can be obtained with a monlist query of very small packet size. At this point the NTP server performs what is called "amplification" in English: the response is many times larger than the query. For this reason the attack is called both NTP Reflection and NTP Amplification. Responses that are larger than the queries are of course a golden gift to attackers: by spoofing the IP address of the intended victim, the attacker directs enough responses at the target to overwhelm it.

To protect against this attack, and to avoid becoming part of one, note the following points.

1. If you operate an NTP server, update to a version in which this command is turned off. In addition, disable the "monlist" command, as well as "loopinfo" and "iostats", in the NTP server configuration. To test your server, you can use the check page at "http://openntpproject.org/".

2. Monitor monlist queries sent from your network to public NTP servers outside it. You can do this with an IPS signature. Such traffic may reveal a zombie on your network.

3. Use your security gateway to limit, at the firewall, the L3 packet rate of response packets arriving from NTP servers, and to block "monlist" responses by content inspection with the IPS.
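The amplification figure described above and the checks in points 2 and 3 can be demonstrated on the wire. The following is an added example, not Labris Networks code or part of the original post: it parses the ntpd "private" (mode 7) packet layout, classifies monlist queries and replies, estimates the amplification from constructed packets, and flags outbound monlist queries (a possible zombie) and inbound monlist replies in a set of constructed flow records on RFC 5737 documentation addresses. The request codes (20 and 42), the 72-byte entry size and the 6-entries-per-reply packing are ntpd's; the sample packets, addresses and the 28-byte IPv4+UDP overhead used in the ratio are assumptions made for the example.

```python
"""Detect NTP mode-7 "monlist" traffic and estimate its amplification.

Added example (not Labris Networks code). Relies on the ntpd private (mode 7)
layout: byte0 = R|M|VN(3)|Mode(3), byte1 = A|Seq(7), byte2 = implementation,
byte3 = request code, then err(4)|nitems(12) and mbz(4)|itemsize(12).
All packets and addresses below are constructed, not captured.
"""
import ipaddress
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

NTP_PORT = 123
MODE_PRIVATE = 7          # ntpd "private" mode used by ntpdc
IMPL_XNTPD = 3            # implementation number of ntpd
REQ_MON_GETLIST = 20      # monlist, old item format
REQ_MON_GETLIST_1 = 42    # monlist, 72-byte item format (the one scanners send)
MONLIST_CODES = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
MONLIST_ITEM_SIZE = 72    # bytes per entry in a REQ_MON_GETLIST_1 reply


@dataclass
class Mode7Header:
    response: bool        # R bit: reply from the server
    more: bool            # M bit: further reply fragments follow
    implementation: int
    request_code: int
    item_count: int
    item_size: int


def parse_mode7(payload: bytes) -> Optional[Mode7Header]:
    """Return the mode-7 header, or None if the payload is not a mode-7 packet."""
    if len(payload) < 8:
        return None
    b0, _seq, impl, code, cnt, size = struct.unpack("!BBBBHH", payload[:8])
    if b0 & 0x07 != MODE_PRIVATE:
        return None
    return Mode7Header(response=bool(b0 & 0x80), more=bool(b0 & 0x40),
                       implementation=impl, request_code=code,
                       item_count=cnt & 0x0FFF, item_size=size & 0x0FFF)


def classify(payload: bytes) -> Optional[str]:
    """'monlist-request', 'monlist-response', or None for any other packet."""
    hdr = parse_mode7(payload)
    if hdr is None or hdr.request_code not in MONLIST_CODES:
        return None
    return "monlist-response" if hdr.response else "monlist-request"


def build_monlist_request() -> bytes:
    # Constructed: the 8-byte probe form (v2, mode 7, impl 3, code 42, no data).
    return bytes([0x17, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1]) + b"\x00" * 4


def build_monlist_response(items: int = 6) -> bytes:
    # Constructed reply fragment: ntpd packs 6 entries of 72 bytes per packet
    # and sets the "more" bit while further fragments follow.
    b0 = 0x80 | 0x40 | (2 << 3) | MODE_PRIVATE
    hdr = struct.pack("!BBBBHH", b0, 0x00, IMPL_XNTPD, REQ_MON_GETLIST_1,
                      items, MONLIST_ITEM_SIZE)
    return hdr + b"\x00" * (items * MONLIST_ITEM_SIZE)


def amplification_factor(request: bytes, responses: List[bytes],
                         l3_overhead: int = 28) -> float:
    """Bytes delivered to the victim per byte sent, IPv4+UDP headers included."""
    sent = len(request) + l3_overhead
    return sum(len(r) + l3_overhead for r in responses) / sent


def audit_flows(flows: List[tuple], internal_net: str) -> List[Tuple[str, str, str]]:
    """Flag outbound monlist queries (a possible zombie) and inbound monlist replies.

    Each flow is (src_ip, dst_ip, src_port, dst_port, udp_payload).
    """
    net = ipaddress.ip_network(internal_net)
    findings = []
    for src, dst, sport, dport, payload in flows:
        kind = classify(payload)
        if kind is None:
            continue
        src_in = ipaddress.ip_address(src) in net
        dst_in = ipaddress.ip_address(dst) in net
        if kind == "monlist-request" and src_in and not dst_in and dport == NTP_PORT:
            findings.append(("possible-zombie", src, dst))
        elif kind == "monlist-response" and not src_in and dst_in and sport == NTP_PORT:
            findings.append(("inbound-amplification", src, dst))
    return findings


# Constructed sample traffic on RFC 5737 documentation addresses.
INTERNAL_NET = "192.0.2.0/24"
NORMAL_CLIENT_POLL = bytes([0x1B]) + b"\x00" * 47  # ordinary mode-3 client query
SAMPLE_FLOWS = [
    ("192.0.2.10", "198.51.100.5", 40001, NTP_PORT, NORMAL_CLIENT_POLL),
    ("192.0.2.77", "198.51.100.5", 40002, NTP_PORT, build_monlist_request()),
    ("198.51.100.9", "192.0.2.20", NTP_PORT, 123, build_monlist_response()),
]

if __name__ == "__main__":
    req, rsp = build_monlist_request(), build_monlist_response()
    print(f"{len(req)}-byte query -> {len(rsp)}-byte reply fragment")
    print("100 fragments amplify by", amplification_factor(req, [rsp] * 100))
    for finding in audit_flows(SAMPLE_FLOWS, INTERNAL_NET):
        print(*finding)
```

With the constructed 8-byte query and a full 600-entry reply (100 fragments of 440 bytes), the ratio comes to 1300 bytes delivered per byte sent; the real figure varies with the query size and the number of entries the server holds, which is why point 1 matters most. On the server side, the ntpd directives `disable monitor` (turns off the monlist facility) and `restrict default noquery` (refuses mode 6/7 queries from arbitrary hosts) in ntp.conf are the standard way to close the reflector.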

All of these measures can be implemented with Harpp DDoS Mitigator, which performs DDoS-specific inspection at the L7 level. With the Harpp DDoS product, various countermeasures against such attacks are available for systems under L7-specific protection, first among them Protocol Inspection and Special Rule definition. In your Special Rules you can set how many NTP queries or responses, and from which regions, are accepted in a given time window and proportion, or you can block these specific queries and responses outright with L7 inspection.

Did Facebook and Instagram get hit by DDoS attack?

After the outage of some popular web services including Facebook and Instagram, the possibility of a cyber attack is being considered. Labris Networks, which provides cyber security for over 3,500 mid- and high-level corporations and organizations, including military organizations, ministries and privately held companies, in more than 20 countries with its product family including the HARPP DDoS Mitigator Cyber Warfare Tool, made a statement about the reasons for this latest case and the extent of the DDoS threat through the company's CTO Oğuz Yılmaz.

After the outage of some popular web services including Facebook and Instagram, the possibility of a cyber attack is being considered. Labris Networks, which developed Turkey's first national firewall in 2003 and Turkey's first native UTM product in 2005, and which is capable of instant monitoring and control in its Security Operations Center, made a statement about the latest event. "In our research, we found out that this could be due to a DDoS attack. The hacker groups Lizard Squad and DEAS also claimed responsibility for the attack. However, before Facebook issues an official statement, we cannot know for sure that the first source of this situation is related to these DDoS attacks. An outage due to a technical problem could be exploited with a DDoS attack to make Facebook experience more problems," said Labris Networks CTO Oğuz Yılmaz in his statement.

Pointing out that Lizard Squad, which claimed responsibility for the attack, has made similar attacks in the past, Labris Networks CTO Oğuz Yılmaz said, "We see that Lizard Squad was involved in PlayStation Network attacks throughout the year, as well as the PSN and Microsoft Xbox gaming network attacks at Christmas. This group gets paid for making DDoS attacks on third parties via its website. We have been monitoring them, and in 2014 they started to create an important attack network (botnet) through some major security flaws. This attack network was created in the last months of the year by exploiting certain vulnerabilities in server systems that have high bandwidth and powerful hardware. And this botnet could have been used for the first time in this attack. Even though their website was hacked and subsequently some of their clients were unveiled and some people were arrested on charges of being members, the cellular structure of these groups makes it hard to wipe out the whole organization at once."
Labris Networks – which provides cyber security for over 3,500 mid- and high-level corporations and organizations, including military organizations, ministries and privately held companies, in more than 20 countries with its product family including the HARPP DDoS Mitigator Cyber Warfare Tool – warns organizations that DDoS attacks (which became well known with the 2013 Anonymous and 2013 RedHack attacks) can be repeated in 2015 at great capacity with the various botnets created by Lizard Squad and similar groups. Stating that the attacks will become more intricate, Labris Networks CTO Oğuz Yılmaz said it was only possible to get protection with smarter systems and skilled professionals.
