Entries Tagged "denial of service"

Page 5 of 10

DDoSing a Cell Phone Network

Interesting research:

Abstract: The HLR/AuC is considered to be one of the most important network elements of a 3G network. It can serve up to five million subscribers and at least one transaction with HLR/AuC is required for every single phone call or data session. This paper presents experimental results and observations that can be exploited to perform a novel distributed denial of service attack in 3G networks that targets the availability of the HLR/AuC. More specifically, first we present an experiment in which we identified and proved some zero-day vulnerabilities of the 3G network that can be exploited by malicious actors to mount various attacks. For the purpose of our experiment, we have used off-the-shelf infrastructure and software, without any specialized modification. Based on the observations of the experiment, we reveal an Advanced Persistent Threat (APT) in 3G networks that aims to flood an HLR/AuC of a mobile operator. We also prove that the discovered APT can be performed in a trivial manner using commodity hardware and software, which is widely and affordably available.

The attack involves cloning SIM cards, then making multiple calls from different handsets in different locations with the same SIM card. This confuses the network into thinking that the same phone is in multiple places at once.

Note that this has not been tested in the field, but there seems no reason why it wouldn’t work.

There’s a lot of insecurity in the fact that cell phones and towers largely trust each other. The NSA and FBI use that fact for eavesdropping, and here it’s used for a denial-of-service attack.

Posted on February 26, 2014 at 6:55 AMView Comments

DDOS Attacks Using NTP

This is new:

The NTP method first began to appear late last year. To bring down a server such as one running “League of Legends,” the attackers trick NTP servers into thinking they’ve been queried by the “League of Legends” server.

The NTP servers, thinking they’re responding to a legitimate query, message the “League of Legends” server, overloading it with as many as 100 gigabits per second (Gbps). That’s large even for a DDoS attack.

In this way, one small request to an NTP server can generate an enormous response capable of taking down even high-capacity websites.

Posted on January 20, 2014 at 6:18 AMView Comments

DDOS as Civil Disobedience

For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, is a part of that. This is one of the reasons I found Molly Sauter’s recent thesis, “Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet,” so interesting:

Abstract: This thesis examines the history, development, theory, and practice of distributed denial of service actions as a tactic of political activism. DDOS actions have been used in online political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback in December 2010. Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity. Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools—petitions, fundraisers, mass letter-writing, call-in campaigns and others—find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice. Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions.

One of the problems with the legal system is that it doesn’t make any differentiation between civil disobedience and “normal” criminal activity on the Internet, though it does in the real world.

Posted on May 22, 2013 at 6:24 AMView Comments

Security Externalities and DDOS Attacks

Ed Felten has a really good blog post about the externalities that the recent Spamhaus DDOS attack exploited:

The attackers’ goal was to flood Spamhaus or its network providers with Internet traffic, to overwhelm their capacity to handle incoming network packets. The main technical problem faced by a DoS attacker is how to amplify the attacker’s traffic-sending capacity, so that the amount of traffic arriving at the target is much greater than the attacker can send himself. To do this, the attacker typically tries to induce many computers around the Internet to send large amounts of traffic to the target.

The first stage of the attack involved the use of a botnet, consisting of a large number of software agents surreptitiously installed on the computers of ordinary users. These bots were commanded to send attack traffic. Notice how this amplifies the attacker’s traffic-sending capability: by sending a few commands to the botnet, the attacker can induce the botnet to send large amounts of attack traffic. This step exploits our first externality: the owners of the bot-infected computers might have done more to prevent the infection, but the harm from this kind of attack activity falls onto strangers, so the computer owners had a reduced incentive to prevent it.

Rather than having the bots send traffic directly to Spamhaus, the attackers used another step to further amplify the volume of traffic. They had the bots send queries to DNS proxies across the Internet (which answer questions about how machine names like www.freedom-to-tinker.com related to IP addresses like 209.20.73.44). This amplifies traffic because the bots can send a small query that elicits a large response message from the proxy.

Here is our second externality: the existence of open DNS proxies that will respond to requests from anywhere on the Internet. Many organizations run DNS proxies for use by their own people. A well-managed DNS proxy is supposed to check that requests are coming from within the same organization; but many proxies fail to check this—they’re “open” and will respond to requests from anywhere. This can lead to trouble, but the resulting harm falls mostly on people outside the organization (e.g. Spamhaus) so there isn’t much incentive to take even simple steps to prevent it.

To complete the attack, the DNS requests were sent with false return addresses, saying that the queries had come from Spamhaus—which causes the DNS proxies to direct their large response messages to Spamhaus.

Here is our third externality: the failure to detect packets with forged return addresses. When a packet with a false return address is injected, it’s fairly easy for the originating network to detect this: if a packet comes from inside your organization, but it has a return address that is outside your organization, then the return address must be forged and the packet should be discarded. But many networks fail to check this. This causes harm but—you guessed it—the harm falls outside the organization, so there isn’t much incentive to check. And indeed, this kind of packet filtering has long been considered a best practice but many networks still fail to do it.

I’ve been writing about security externalities for years. They’re often much harder to solve than technical problems.

By the way, a lot of the hype surrounding this attack was media manipulation.

Posted on April 10, 2013 at 12:46 PMView Comments

Dictators Shutting Down the Internet

Excellent article: “How to Shut Down Internets.”

First, he describes what just happened in Syria. Then:

Egypt turned off the internet by using the Border Gateway Protocol trick, and also by switching off DNS. This has a similar effect to throwing bleach over a map. The location of every street and house in the country is blotted out. All the Egyptian ISPs were, and probably still are, government licensees. It took nothing but a short series of phone calls to effect the shutdown.

There are two reasons why these shutdowns happen in this manner. The first is that these governments wish to black out activities like, say, indiscriminate slaughter. That much is obvious. The second is sometimes not so obvious. These governments intend to turn the internet back on. Deep down, they believe they will be in their seats the next month and have the power to turn it back on. They believe they will win. It is the arrogance of power: they take their future for granted, and need only hide from the world the corpses it will be built on.

Cory Doctorow asks: “Why would a basket-case dictator even allow his citizenry to access the Internet in the first place?” and “Why not shut down the Internet the instant trouble breaks out?” The reason is that the Internet is a valuable tool for social control. Dictators can use the Internet for surveillance and propaganda as well as censorship, and they only resort to extreme censorship when the value of that outweighs the value of doing all three in some sort of totalitarian balance.

Related: Two articles on the countries most vulnerable to an Internet shutdown, based on their connectivity architecture.

Posted on December 11, 2012 at 6:08 AMView Comments

1 3 4 5 6 7 10

Sidebar photo of Bruce Schneier by Joe MacInnis.