Recently we were contacted by a customer who wanted to make sure that we had Viptela IPFIX support in our IPFIX collector. Viptela was recently acquired by Cisco and exports IPFIX as part of their Software Defined Wide Area Network (SD-WAN) strategy. If Cisco’s current SD-WAN technology, called IWAN, reaches end of life and is replaced with the Viptela solution, customers should be aware that the Viptela IPFIX export is significantly different from the home-grown Cisco IWAN (SD-WAN) export. By the way, IWAN is basically a rename of Cisco Performance Routing, which we started supporting back in 2011. From our observation, the Viptela flow export is a step backwards from Cisco IWAN!
In 2017, DDoS will be the largest cyber threat facing corporate security teams. The reason is largely due to two factors. First is the proliferation of the Mirai source code, which is still in its infancy. We are already seeing signs of its growing popularity. Second is the growth of the Internet of Things (IoT). With Gartner estimating that by 2020, 50 billion connected “things” will be on the internet, the pool of devices available for Mirai operators to infect could grow explosively. Very little protection is standing in the way of this growth.
The Mirai code, which was used against the krebsonsecurity.com website, proved that eventually DDoS attacks will likely outpace what service providers like Akamai can scrub. More recently, the Mirai botnet was used to knock 900,000 Deutsche Telekom customers offline. The infection was due to a vulnerability exposed on port 7547 by the TR-069 and TR-064 remote management protocols. These services are used for remote management of the routers found in customer homes. One researcher discovered that there are over 40 million devices on the internet with port 7547 open, making them potentially vulnerable to Mirai infection. If you can imagine the staggering amount of work required to continually update these devices, you can begin to understand why it simply isn’t done often enough, or at all. This is why the mere threat of a DDoS attack is enough for some companies to open their wallets to ransom requests.
The growth of IoT devices that Gartner is estimating isn’t just coming from DVRs, routers, and handheld devices. There is a potentially much more widely deployed vulnerable computer on the horizon called Smartdust. These very small chips contain tiny microelectromechanical systems (MEMS) such as sensors, robots, or other devices that can, for example, transmit temperature, vibration, GPS coordinates, and more. If these IoT devices support IPv6, they could use IPv6 over Low-Power Wireless Personal Area Networks (6LoWPAN) to access the internet. With onboard batteries recharged from wireless networks or even from the heat of the landfill they are buried in, these little guys could be on the internet forever. Technologies like LoRa and Sigfox promise to provide devices with connectivity that costs little or nothing. If the cost of nanoscale sensors drops to a price point that essentially makes them disposable, IoT vendors will likely skimp on security measures, assuming that the devices will simply become garbage.
For example, projects that collect sensory information from trillions of devices, such as the Planetary Skin Institute’s project or HP’s Central Nervous System for the Earth (CeNSE), could introduce overwhelming numbers of bots if they are compromised. CeNSE is a project that proposes to collect, communicate, and analyze data from billions of nanoscale sensors. These sensors would be deployed in a Machine to Machine (M2M) network, but could also utilize 6LoWPAN to connect to the internet. This could become a huge problem for forgotten sensors with a long battery life and perpetual connectivity. After their primary use expires, if they don’t have a hardware shutdown function built in, they could be sitting in a landfill and still be used for malicious activity for decades. We can look to Apple HomeKit for inspiration on how to minimize the risk of connected zombie devices. To be part of that ecosystem, third-party vendors have to support strong encryption and device identity in hardware, which would help protect against many of the “low hanging fruit” attacks that plague the devices involved in Mirai. Unfortunately, when scaling devices into the billions, cost to go to market becomes a major obstacle. The only way to convince vendors to do the right thing is to create standards that buyers look for, like the UL or CE marks on electronic devices. This may require government intervention on a world-wide scale. The problem with this is obvious.
Protection Against DDoS
Vendors such as A10, F5, and Radware manufacture scrubbing appliances that can be used to separate DDoS traffic from normal traffic streams. The question is, can they scale as DDoS attacks grow in size by double digits every year? After speaking with one major United States service provider, we learned that their strategy against DDoS is to simply keep buying more bandwidth, which allows them to carry the additional DDoS traffic load and pushes the problem of stopping DDoS onto the shoulders of the companies being attacked. Victims of DDoS engage companies like Akamai for mitigation services, but, as Brian Krebs found out, even their scrubbing capabilities were pushed to capacity.
Unfortunately, expensive traffic scrubbers are the best way today to mitigate DDoS attacks. There is a lot of discussion on forums like NANOG.org about implementing best practices. For example, BCP38 could be used to perform ingress filtering on spoofed addresses, but the big service providers have no motivation to implement it and besides, source address validation only resolves part of the problem. Ultimately, we need a way to detect, pinpoint, and remove devices that are participating in malicious traffic patterns like DDoS.
NetFlow and IPFIX collection systems can detect and even pinpoint the device participating in a DDoS attack, but removal is a tough one. Imagine a typical home with lots of appliances and handheld devices sitting behind a firewall performing NAT. Since they all leave the house with the same IP address, how do you know which device(s) in the house are engaged in the malicious activity?
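As an added example (not the page’s or Plixer’s code), the Python below runs a simple flood heuristic over constructed flow records and shows the NAT problem described above: grouped by the public address, the whole household is one suspect, while the same heuristic grouped by the pre-NAT address names the device. It assumes an exporter that carries both sourceIPv4Address (IPFIX IE 8) and postNATSourceIPv4Address (IE 225); the thresholds and all addresses are constructed.

```python
from collections import defaultdict

# Constructed: the NAT gateway's outside address, shared by every inside host.
PUBLIC_IP = "192.0.2.44"

def flow(src, dst, dport, sport, pkts):
    """One constructed flow record keyed by IPFIX element names.
    A plain provider-side export would carry only the public address; a
    NAT-aware exporter can add postNATSourceIPv4Address (IE 225) so both views
    exist in the same record."""
    return {"sourceIPv4Address": src, "postNATSourceIPv4Address": PUBLIC_IP,
            "destinationIPv4Address": dst, "destinationTransportPort": dport,
            "sourceTransportPort": sport, "packetDeltaCount": pkts}

def build_sample():
    """Constructed household traffic: one device floods a target, two browse."""
    flows = [flow("192.168.1.23", "203.0.113.10", 80, 40000 + i, pkts=1)
             for i in range(200)]            # 200 one-packet flows: flood signature
    flows += [flow("192.168.1.10", f"198.51.100.{i + 1}", 443, 50000 + i, pkts=30)
              for i in range(5)]             # ordinary web sessions
    flows.append(flow("192.168.1.11", "198.51.100.20", 443, 51000, pkts=120))
    return flows

def flood_suspects(flows, src_field="postNATSourceIPv4Address",
                   min_flows=100, max_pkts_per_flow=2):
    """Return {(source, destination, dport): flow_count} for every source that
    opened at least min_flows tiny flows toward one destination and port.
    Many short flows to a single target is the usual signature of a volumetric
    flood; a few long flows is normal client behaviour. src_field selects
    which address the source is grouped by (public vs. inside)."""
    counts = defaultdict(int)
    for f in flows:
        if f["packetDeltaCount"] <= max_pkts_per_flow:
            counts[(f[src_field], f["destinationIPv4Address"],
                    f["destinationTransportPort"])] += 1
    return {key: n for key, n in counts.items() if n >= min_flows}

if __name__ == "__main__":
    sample = build_sample()
    # Provider view: only the shared public address can be named as the source.
    print(flood_suspects(sample))
    # Pre-NAT view (needs IE 225 in the export): the offending device itself.
    print(flood_suspects(sample, src_field="sourceIPv4Address"))
```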
As a company reporting on just about every unique flow export found in the world, we run into nearly every issue imaginable. From problems with active timeouts to long-lived flows, we work with different companies to make sure all the data can work together. To this end, we like to think that we promote the best practices our team has collected over the years in this business.
01 October 2017: Click Click Phish is no longer available.
Last week we released a phishing attack training game called Click Click Phish after being inspired by Brian Krebs’ book “Spam Nation”. The goal of the free game is to educate email users of all ages on the dangers of phishing attacks and the sneaky strategies malware developers use to get users to click on infected links in the emails they receive. Once a machine is infected, it can be used to host illegal content, participate in DDoS attacks against other web sites, or fall victim to local data theft. These sophisticated infections can steal information locally from the device carrying the virus or from other machines it may target on the internal network.
After analyzing their impressive export, our flow collection system now supports Ziften ZFlow (Ziften IPFIX) reporting. Per their recent announcement at the RSA conference, Ziften joins the ranks of dozens of other vendors who support IPFIX with extensions. We worked with the engineers at Ziften to become the first vendor to report on their unique exports. Check out the example below.
Ransomware is a type of malicious software (malware) that infects a computer and restricts access to it until a ransom is paid to unlock it. It is typically spread through phishing emails that contain malicious attachments and drive-by downloading. If you think you are safe because you are very careful what you click on, be aware that drive-by downloading occurs when a user unknowingly visits an infected website and malware is downloaded and installed without their knowledge. In other words, you don’t have to click, you just need to visit or receive an instant message.
Unlike a rigid OpenFlow deployment, Cisco Software Defined Networking (SDN) takes a more scalable approach to this paradigm shift in network connectivity. Although both architectures seem to agree on the division between the control and data planes, Cisco’s position seems to blur this separation a bit, perhaps for good reasons. To learn more about the control and data plane concepts, watch this great short video on What is a Software Defined Network.
When looking for an easy meal, predators often go after the weakest animal in the herd. The same often holds true for cyber criminals. They talk amongst themselves, discuss failures and successes and share stories on what to do and not to do. Right now, the healthcare industry seems to be the easiest prey.
Now more than ever, banking Internet security is at the forefront of the mind of nearly every CIO, CTO and Director of IT employed by a financial institution. Improving computer security against cyber threats such as advanced persistent threats and DDoS is of paramount concern. In January, the Washington Post reported:
“The banks whose Web sites have been disrupted include Bank of America, PNC Bank, Wells Fargo, Citigroup, HSBC and SunTrust. In recent weeks, attackers have targeted up to seven banks a day, but only on Tuesdays, Wednesdays and Thursdays.”