technology:udp

UDP hole punching – p2p communication across NAT (2005) (►http://www...
▻https://diasp.eu/p/5919677

UDP hole punching – p2p communication across NAT (2005)

Hacker News Comments: ▻https://news.ycombinator.com/item?id=15037058

Source: ▻http://www.brynosaurus.com/pub/net/p2pnat

#hackernews

Necurs += DDoS
World’s largest spam botnet (5 million bots) adds proxy module with DDoS features, but will it really be used that way?

▻http://blog.anubisnetworks.com/blog/necurs-proxy-module-with-ddos-features

Necurs is a malware that is mainly known for sending large spam campaigns, most notably the Locky ransomware. However, Recurs is not only a spambot, it is a modular piece of malware that is composed of a main bot module, a userland rootkit and it can dynamically load additional modules.

[...]

At first look, it seemed to be a simple SOCKS/HTTP proxy module, but as we looked at the commands the bot would accept from the C2 [port 5222] we realised that there was an additional command, that would cause the bot to start making HTTP or UDP requests to an arbitrary target in an endless loop, in a way that could only be explained as a DDOS attack.

[...]

Please notice that we have not seen Recurs being used for DDOS attacks, we simply saw that it has that capability in one of the modules that it has been loading

The rest of their post contains the results of a technical analysis of this module, detailing its C2 protocol, the SOCKS/HTTP proxy features, and the DDOS attack features.

#DDoS #Necurs botnet

Les serveurs mail de Microsoft n’acceptent pas d’emails envoyés par de nouveaux serveurs.
►https://mail.live.com/mail/troubleshooting.aspx#errors
Il ne suffit plus de configurer correctement son serveur mail, il faut en plus l’inscrire chez MS.

Senden Sie E-Mails über eine neue IP-Adresse?
IP-Adressen, die bisher noch nicht für das Senden von E-Mails verwendet wurden, verfügen in unserem System noch über keinerlei Eintragungen zur Zuverlässigkeit. Daher können bei E-Mails, die von neuen IP-Adressen gesendet werden, mit höherer Wahrscheinlichkeit Zustellbarkeitsprobleme auftreten. Nachdem sich die IP-Adresse durch das Nichtversenden von Spam als zuverlässig erwiesen hat, wird in Outlook.com in der Regel eine bessere Zustellbarkeit für E-Mails erreicht.
Neue IP-Adressen, die für Domänen hinzugefügt werden, die über vorhandene SPF-Einträge authentifiziert wurden, übernehmen in der Regel einen Teil der Sendezuverlässigkeit der Domäne. Wenn die Domäne über eine gute Sendezuverlässigkeit verfügt, ist für neue IP-Adressen möglicherweise eine schnellere Anlaufzeit festzustellen. Eine neue IP-Adresse wird spätestens nach einigen Wochen vollständig akzeptiert. Ausschlaggebend sind hierbei jeweils das Volumen und die Listengenauigkeit – vorausgesetzt, es liegen möglichst wenig Junk-E-Mail-Beschwerden vor.
Hinweis: Denken Sie daran, Ihr JMRP-Konto (Junk E-Mail Reporting Program, Junk-E-Mail-Meldeprogramm) mit den neuen IP-Adressen zu aktualisieren. Wenn Sie ein JMRP-Konto aktualisieren oder einrichten möchten, klicken Sie auf hier

Dienste für Absender und Internetdienstanbieter
▻https://mail.live.com/mail/services.aspx
Comme tout est payant chez MS ils conseillent de souscrire un abonnemenet chez un service de maintien de réputation. Pourtant on peut effectivement s’en passer sauf si on est en train de monter un service de mailings commerciaux.

Return Path-Zertifizierung
Ein Akkreditierungs-/Reputationsdienst eines Drittanbieters mit dem Zweck, Absendern den Status eines sicheren Absenders zu verleihen
Weitere Informationen finden Sie unter ▻http://g.live.com/9wc9en-us/senderscore

Wenn Hotmail Deine Mailserver abweist
▻https://www.hagen-bauer.de/2015/10/hotmail-block.html
Comment j’ai appris cette « nouvelle » ? Notre fournisseur de serveurs héberge des serveurs piratés et MS a mis sur ses blocklists de réseaux IP entiers.

In unsere “Nachbarschaft” bei Hetzner gab es wohl einige SPAM Schleudern so das Hotmail ganze Netzsegmente auf eine “schwarze Liste” gestellt hat. Unsere Server selbst ist sauber.

Nach etwas Suchen bin ich auf diese Seite gestoßen. Hier kann man beantragen das eine IP Adresse wieder freigeschaltet wird.

La solution
▻https://support.microsoft.com/en-us/getsupport?oaspworkflow=start_1.0.0.0&wfname=capsub&productkey=ed
Il faut demander gentiment qu’ils vérifient un peu, et hop, quelques heures plus tard ca roule. MS réagit nettement plus vite et mieux que Google.

Après (enfin, de préférance préalablement) il faut toujours installer les protocoles de vérification qui améliorent la fiabilité de la communication avec les grands fournisseurs de services email.

RFC 7208 - Sender Policy Framework (SPF) for Authorizing Use of Domains in Email, Version 1
▻https://tools.ietf.org/html/rfc7208#page-23

SPF : FAQ/Examples
▻http://www.openspf.org/FAQ/Examples

Ubuntu+ISPConfig+DKIM | Howtoforge - Linux Howtos and Tutorials
►https://www.howtoforge.com/community/threads/ubuntu-ispconfig-dkim.72473

DKIM-Patch 1.1.9
▻https://blog.schaal-24.de/ispconfig/dkim-patch-1-1-9

How Senders Deploy DMARC in 5-Easy Steps
▻https://dmarc.org/overview
Cette liste décrit les étapes essentielles pour transformer un serveur mail traditionnel en machine acceptée par la majorité de ses interlocutrices. Il ne faut jamais oublier que ce sont des conventions qui évoluent et ne sont pas parfaites du tout.

DMARC has been designed based on real-world experience by some of the world’s largest email senders and receivers deploying SPF and DKIM. The specification takes into account the fact that it is nearly impossible for an organization to flip a switch to production. There are a number of built-in methods for “throttling” the DMARC processing so that all parties can ease into full deployment over time.

1. Deploy DKIM & SPF. You have to cover the basics, first.
2. Ensure that your mailers are correctly aligning the appropriate identifiers.
3. Publish a DMARC record with the “none” flag set for the policies, which requests data reports.
4. Analyze the data and modify your mail streams as appropriate.
5. Modify your DMARC policy flags from “none” to “quarantine” to “reject” as you gain experience.

dmarcian - SPF Surveyor
►https://dmarcian.com/spf-survey/rezo.net
Pour finir on peut vérifier si on a tout fait dans les normes.

rezo.net
Warning present!
A DMARC record was detected while looking for an SPF record. DMARC records must be located at “_dmarc.rezo.net”, and not directly at “rezo.net”.

Record analysis:
DNS-querying mechanisms/modifiers:

The SPF record authorizes 8 individual netblocks using 3 DNS-querying mechanisms/modifiers. The maximum number of DNS-querying mechanisms/modifiers is 10.

This record utilizes a small number of DNS-querying mechanisms/modifiers. No fixing is required. If this record is meant to be included by other records, consider reducing the number of DNS-querying mechanisms/modifiers (if possible) to keep total resource consumption low.

Duplicate netblock authorization:

The following netblocks have been authorized more than once. Duplicates usually indicate inefficient records or redundant “include:” mechanisms, and should be removed:
netblock # of occurrences
193.56.58.14/32 2

Record flattening (experimental!):

The dmarcian SPF Record Flattener (experimental!) rewrites this record by removing duplicate netblocks, collapsing any overlapping netblocks, and using 0 DNS-querying mechanisms/modifiers. Each SPF record is kept to less than 512 bytes to fit into a single UDP packet (assuming no other TXT records are sharing the DNS label).

NOTE: this approach does not take into account administrative or domain boundaries, and is meant to show that “minified” SPF records are possible. The presence of unusual qualifiers, macros, and creative semantics will likely yield less than optimal results.
domain record
rezo.net v=spf1 ip4:91.194.60.0/23 ip4:185.34.32.0/22 ip4:193.56.58.0/24 ip6:2001:67c:288::/48 ip6:2a00:99a0::/128 ~all

#internet #email #SPAM #authentification

NewWorldHackers & Anonymous are behind the massive DDoS attack against Dyn DNS service, using the Mirai bonnet and other booters

▻http://securityaffairs.co/wordpress/52583/hacking/dyn-dns-service-ddos-3.html

When I asked which Anon groups were involved they replied me that many crews targeted the Dyn DNS service.
“Anonymous, Pretty much all of Anonymous” sais NewWorldHackers.
They confirmed me that they are testing the capability of their botnet, highlighting that the DDoS attack against the Dyn DNS Service was carried with the Mirai botnet alongside with other booters.

#DDoS #botnet #Mirai
#NewWorldHackers #Anonymous
#Dyn #DNS
#IoT

More on Mirai, and more than Mirai

▻http://www.securityweek.com/mirai-iot-botnet-not-only-contributor-massive-ddos-attack-akamai

Akamai says Mirai was not alone:

While Akamai confirmed that the Mirai botnet was part the attack, the company also said that Mirai was only “a major participant in the attack” and that at least one other botnet might have been involved, though they couldn’t confirm that the attacks were coordinated.

Akamai refers to Mirai as Kaiten and has it documented here:
▻https://www.akamai.com/us/en/multimedia/documents/state-of-the-internet/kaiten-std-router-ddos-malware-threat-advisory.pdf

More on the released source code of Mirai which confirms the use of GRE flooding, one of the techniques used on top of DNS Water Torture:

▻http://www.securityweek.com/hacker-releases-source-code-iot-malware-mirai

A copy of the source code files provided to SecurityWeek includes a “read” where the author of Mirai explains his reasons for leaking the code and provides detailed instructions on how to set up a botnet.

[...]

Mirai, believed to have made rounds since May 2016, infects IoT devices protected by weak or default credentials. Once it hijacks a device, the threat abuses it to launch various types of DDoS attacks, including less common UDP floods via Generic Routing Encapsulation (GRE) traffic.

This was proven through reverse-engineering by
▻http://cyberx-labs.com/en/blog/cyberx-reveals-gre-evidence-krebs-iot-based-attack-largest-ddos-interne

It is still GRE is still an uncommon attack vector, but it was already used during the 2016 Rio games
▻http://www.tripwire.com/state-of-security/security-data-protection/cyber-security/how-a-massive-540-gbsec-ddos-attack-failed-to-spoil-the-rio-olympics

For some French, see also here:
▻https://seenthis.net/messages/530903

#Mirai #Kaiten
#Akamai
#DDoS
#Brian_Krebs
#OVH
#GRE
#DNS_Water_Torture

New ransomware variant integrates DDoS attack capabilities
▻https://www.invincea.com/2016/05/two-attacks-for-the-price-of-one-weaponized-document-delivers-ransomware-a

We recently found a ransomware variant that not only holds the victim’s machine and data hostage [by file encryption and screen locking] until a ransom is paid, but also exploits the compromised machine as part of a potential DDOS attack. This means that while the victim is unable to access their endpoint, that same endpoint is being used to deny service to another victim.

The observed network traffic looks to be flooding the subnet with UDP packets over port 6892. By spoofing the source address, the host could direct all response traffic from the subnet to a targeted host, causing the host to be unresponsive.

The ransomware is based on a modified version of the Cerber strain, which executes malicious MS Office VBScript.

#ransomware
#DDoS

On a beaucoup parlé des attaques #DoS par réflexion + amplification en les présentant souvent comme spécifiques à #UDP. Mais un article récent (mais passé curieusement inaperçu) montre qu’on peut en faire également avec #TCP.

▻https://www.bortzmeyer.org/amplification-tcp.html

#attaque_par_déni_de_service #sécurité_Internet

A New DDoS Reflection Attack: Portmapper (TCP/UDP 111)

Portmapper is a mechanism to which Remote Procedure Call (RPC) services register in order to allow for calls to be made to the Internet.
When a client is looking to find the appropriate service, the Portmapper is queried to assist. The response size varies wildly depending on which RPC services are operating on the host.

▻http://blog.level3.com/security/a-new-ddos-reflection-attack-portmapper-an-early-warning-to-the-industr

It already has been used in a number of attacks, with the largest impact to organizations taking place August 10 through 12. These attacks targeted only a subset of verticals, primarily focused on gaming, hosting and Internet infrastructure

[...]

On the high end of the spectrum, we have seen responses as large as 1930 bytes for an amplification of 28.4x.

[...]

We recommend disabling Portmapper along with NFS, NIS and all other RPC services across the open Internet as a primary option. In situations where the services must remain live, firewalling which IP addresses can reach said services and, subsequently, switching to TCP-only are mitigations to avoid becoming an unknowing participant in DDoS attacks in the future.

#DDoS #DRDoS

Torrent clients and BitTorrent Sync can be leveraged for DrDoS attacks

http://cdn.arstechnica.net/wp-content/uploads/2015/08/bittorrent-drdos-attack.png

▻https://www.usenix.org/conference/woot15/workshop-program/presentation/p2p-file-sharing-hell-exploiting-bittorrent

In this paper, we demonstrate that the BitTorrent protocol family is vulnerable to distributed reflective denial-of-service (DRDoS) attacks. Specifically, we show that an attacker can exploit BitTorrent protocols (Micro Transport Protocol (uTP), Distributed Hash Table (DHT), Message Stream Encryption (MSE))and BitTorrent Sync (BTSync) to reflect and amplify traffic from peers.

We validate the efficiency, robustness and evadability of the exposed BitTorrent vulnerabilities in a P2P lab testbed. We further substantiate the lab results by crawling more than 2.1 million IP addresses over Mainline DHT (MLDHT) and analyzing more than 10,000 BitTorrent handshakes. Our experiments reveal that an attacker is able to exploit BitTorrent peers to amplify the traffic up to a factor of 50 times and in case of BTSync up to 120 times.

Additionally, we observe that the most popular BitTorrent clients are the most vulnerable ones. (uTorrent, Mainline Vuze)

[...]

We showed that anattack is quite difficult to circumvent, as the found vulnerabilities can only be defended with a DPI firewall. In case of a MSE handshake, it is even harder to detect the attack, since the packet contains a high entropy payload with a public key and random data.

The paper:

▻https://www.usenix.org/system/files/conference/woot15/woot15-paper-adamsky.pdf

▻https://torrentfreak.com/bittorrent-can-be-exploited-for-dos-attacks-research-warns

BitTorrent Inc has been notified about the vulnerabilities and patched some in a recent beta release. For now, however, uTorrent is still vulnerable to a DHT attack. Vuze was contacted as well but has yet to release an update according to the researcher.

Arstechnica also wrote about it:

▻http://arstechnica.com/security/2015/08/how-bittorrent-could-let-lone-ddos-attackers-bring-down-big-sites

En Français :

▻http://actualite.housseniawriting.com/technologie/2015/08/16/les-attaques-drdos-peuvent-se-propager-via-les-clients-bittorrent/7227

#DDoS #DrDoS

New DRDoS (Distributed Reflection Denial-of-Service) based on NTP, similar to the previous DNS open resolver based DDoS in 2013

The mechanism is to spoof UDP port 123 packets with a REQ_MON_GETLIST request, which will return the last 600 clients with NTP requests and hence the significant BAF - Bandwidth Amplification Factor. NTP is reflection-vulnerable as it does not validate the source IP of the sender.

Affected are all versions of ntpd prior to 4.2.7p26;
this last version has disabled support for MON_GETLIST

How to test if you are vunerable ?
ntpq -c rv
ntpdc -c sysinfo
ntpdc -n -c monlist

If the last command returns nothing then you’re OK.
If it returns a whole list of hostnames and IP addresses, then you know what time it is…

Solutions :
(1)
Download version 4.2.7p26 or later: ▻http://www.ntp.org/downloads.html
(2)
Disable queries: if update is not possible in your environment then a workaround is to disable status queries by adding to /etc/ntp.conf:
For IPv4 : restrict default kod nomodify notrap nopeer noquery
For IPv6: restrict -6 default kod nomodify notrap nopeer noquery
(restart ntpd after the change)
(3)
Allow status queries but disable “ntpdc –c monlist” via “disable monitor”

Either approach is a good idea because
(a) you protect your network from unwanted reconnaissance, as monlist is included in network tools such as NMAP or metasploit
(b) you avoid participating in DRDoS attacks and probably also suffering from it.

Official Security Reports :
NIST reference of the vulnerability
▻http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-5211
CERT vulnerability notice
▻http://www.kb.cert.org/vuls/id/348126

Other reports on this NTP DRDoS :
very good : "Understanding and mitigating NTP-based DDoS attacks" - ▻http://blog.cloudflare.com/understanding-and-mitigating-ntp-based-ddos-attacks

"New DoS attacks taking down game sites deliver crippling 100Gbps floods" ▻http://arstechnica.com/security/2014/01/new-dos-attacks-taking-down-game-sites-deliver-crippling-100-gbps-flood

"Les attaques DDoS sur l’industrie du jeu mettent en lumière les faiblesses de sécurité du NTP" ▻http://www.pcworld.fr/jeux-video/actualites,attaques-ddos-steam-origin-league-leagends-planetside-guild-wars-

▻http://www.theregister.co.uk/2014/01/21/open_ntp_patching_project

Documentation :
"Hardening Cisco Routers - Chapter 10: NTP" - ▻http://oreilly.com/catalog/hardcisco/chapter/ch10.html

"Network Time Protocol (NTP): Overview and Configuration" - ▻http://e2epi.internet2.edu/npw/a2/ntp.pdf

▻http://www.team-cymru.org/ReadingRoom/Templates/secure-ntp-template.html

How NTP works :
▻http://www.eecis.udel.edu/~mills/ntp/html/warp.html
▻http://www.ntp.org

NTP RFCs :
– "RFC 5905: Network Time Protocol Version 4: Protocol and Algorithms Specification" ▻http://www.ietf.org/rfc/rfc5905.txt

– Ou la version Bortzmeyer, excellente dans son ample élaboration comme d’habitude : ►http://www.bortzmeyer.org/5905.html

– "RFC 5906: Network Time Protocol Version 4: Autokey Specification" ▻http://www.ietf.org/rfc/rfc5906.txt

– "RFC 5907: Definitions of Managed Objects for Network Time Protocol Version 4 (NTPv4)" ▻http://www.ietf.org/rfc/rfc5907.txt

– "RFC 5908: Network Time Protocol (NTP) Server Option for DHCPv6" ▻http://www.ietf.org/rfc/rfc5908.txt

#DRDoS
#DDoS
#BAF
#denial-of-service
#NTP
#reflection
#NMAP
#metasploit
#security
#vulnerability

Lest anyone think that #D-Link is the only vendor who puts #backdoors in their products, here’s one that can be exploited with a single #UDP packet, courtesy of #Tenda :
▻http://www.devttys0.com/2013/10/from-china-with-love #router #CPE

http://www.devttys0.com/wp-content/uploads/2013/10/exploited.png

TCP traceroute is better than ICMP or UDP for finding the path to a TCP server: ’traceroute -T -p 80 youtube.com’ #CDN

Downloads of LOIC DoS Attack Tool Spike as Anonymous Inspires Online Protests | SecurityWeek.Com

As Anonymous initiated what it said will be the “largest attack ever on government and music industry sites” in response to actions taken by the Justice Department against operators of file sharing site Megaupload.com, downloads of a popular DoS attack tool have spiked.

Anonymous DDoS AttacksWhile the Denial of Service tool known as the “Low Orbit Ion Cannon” (LOIC) was developed by the “good guys” to stress test websites, it has been a favorite tool of Anonymous to take its targets offline by sending a flood of TCP/UDP packets in an attempt to overwhelm a system and make it inaccessible.

►http://www.securityweek.com/downloads-loic-dos-attack-tool-spike-anonymous-inspires-online-protest