Network Security Status 2016, Qrator Labs and Wallarm Detailed Report
The reverse "Habraeffect": attacks on Habrahabr over the year (above) and on Geektimes (below). In February 2017, a 17.5 Gbit/s attack on Geektimes was neutralized.
As a company whose main business is DDoS mitigation, we observed several changes in the industry last year.
Denial-of-service incidents are making headlines again, but now competently executed attacks threaten the availability of entire regions. The problem deserves special attention once more, as if we had been thrown 5-7 years back into the past.
Until last year, it might have seemed that the DDoS problem had already been solved reasonably well.
But last year the power and complexity of attacks grew radically. Previously, even powerful attacks of 100-300 Gbit/s did not cause a serious headache, and sophisticated attacks on application-layer protocols were rare.
In 2016 the world saw 1 Tbit/s attacks for the first time, and attacks on L7 became much more common.
Attacks get simpler
There are several reasons for these changes.
All these years, the evolution of information technology followed a kind of path of least resistance. Companies raced against time and competitors, and the winner was whoever managed to cut costs and ship on time. To build a competitive product, security often had to be neglected.
The entire modern Internet was formed the same way: the creation of its protocols and specifications gave rise to similar problems.
Last year these problems reached a critical level. In fact, we have witnessed unprecedented changes in the security situation of the Network as a whole.
Dynamics of attack activity by industry, 2015-2016
A good illustration is the Mirai threat that emerged in the autumn of 2016: a botnet of unprecedented power built on Internet of Things devices, from home routers and IP cameras to the absurdly exotic level of kettles with Wi-Fi. The danger of Mirai turned out to be quite real: a very tangible 620 Gbit/s volumetric attack hit the blog of the researcher Brian Krebs, and the French hoster OVH withstood 990 Gbit/s.
Last year we also met Mirai, in the form of a 120 Gbit/s attack.
The DNS provider Dyn suffered most from Mirai, and many Fortune 500 companies relied on its services. A water torture attack on its DNS servers, TCP and UDP traffic on port 53, 1.2 Tbit/s from a hundred thousand nodes, and the world's largest websites went offline for several hours. Protecting DNS is especially difficult. Junk traffic usually arrives on a dozen ports (53, 123, and so on), but for a DNS server, closing port 53 means shutting down the service itself.
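A water torture attack is a flood of queries for random, non-existent subdomains, so blocking port 53 is not an option, but the queries themselves have a recognizable shape. The added example below (not from the report; the log format, thresholds and sample lines are all constructed) flags zones where queries are mostly NXDOMAIN, almost every first label is unique, and the labels have high entropy:

```python
import math
import random
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the report): "client qname rcode", one query per line.
# 40 flood queries with a fresh random label each, then 12 ordinary queries for a few hot names.
_rng = random.Random(7)                          # fixed seed keeps the sample deterministic
_ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789"
SAMPLE_LOG = "\n".join(
    [f"198.51.100.{i % 7} {''.join(_rng.choices(_ALPHABET, k=12))}.victim.example. NXDOMAIN" for i in range(40)]
    + [f"203.0.113.{i % 3} {['www', 'mail', 'api'][i % 3]}.normal.example. NOERROR" for i in range(12)])
LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")

def label_entropy(label):
    """Shannon entropy in bits per character: random labels score high, 'www' scores 0."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values()) if n else 0.0

def zone_stats(log_text):
    """Per zone (last two labels): query count, NXDOMAIN count, distinct first labels, entropy sum."""
    stats = defaultdict(lambda: {"total": 0, "nx": 0, "labels": set(), "ent": 0.0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                             # skip malformed lines instead of crashing
        _client, qname, rcode = m.groups()
        parts = qname.rstrip(".").split(".")
        zone, first = ".".join(parts[-2:]), parts[0]
        s = stats[zone]
        s["total"] += 1
        s["nx"] += rcode == "NXDOMAIN"           # bool counts as 1/0
        s["labels"].add(first)
        s["ent"] += label_entropy(first)
    return stats

def water_torture_zones(log_text, min_queries=10, nx_ratio=0.8, uniq_ratio=0.8, min_entropy=2.5):
    """Zones that look like a random-subdomain flood: mostly NXDOMAIN, nearly every first
    label unique, high-entropy labels. Thresholds are constructed defaults; tune them per zone."""
    flagged = {}
    for zone, s in zone_stats(log_text).items():
        if s["total"] < min_queries:
            continue                             # too little data to judge
        nx, uniq, ent = s["nx"] / s["total"], len(s["labels"]) / s["total"], s["ent"] / s["total"]
        if nx >= nx_ratio and uniq >= uniq_ratio and ent >= min_entropy:
            flagged[zone] = {"queries": s["total"], "nxdomain_ratio": round(nx, 2),
                             "unique_ratio": round(uniq, 2), "mean_entropy": round(ent, 2)}
    return flagged
```

The per-zone verdict is what a resolver or authoritative operator can act on (rate-limit or drop queries for the flooded zone) without touching port 53 for everything else.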
The Mirai botnet itself consisted of Internet-connected devices with default login-password pairs and fairly simple vulnerabilities. We believe it is only the firstborn of a whole generation of Internet of Things botnets, and solving the Mirai problem alone will not help.
At first the attackers simply brute-forced passwords; now they look for vulnerabilities and backdoors, going as far as studying the code of the latest device firmware for possible holes and then exploiting them within a few hours.
The startup boom and the resulting growth in the number of connected devices is a new field of rich opportunities, where more than one even larger and more dangerous botnet can be built. In 2016, a terabit per second, previously considered unreachable, suddenly appeared.
What kind of attacks will we have to face in, say, 2019?
At the same time, the level of experience and knowledge needed to organize a DDoS attack dropped noticeably. Today, to carry out a successful attack even on large sites and applications, a video tutorial on YouTube or a bit of cryptocurrency to pay for a booter service is enough. So in 2017 the most dangerous person in cybersecurity may be, for example, an ordinary teenager with a couple of bitcoins in his wallet.
Amplification
To increase the power of attacks, attackers use amplification. The attacker inflates the volume of junk traffic sent by exploiting vulnerabilities in third-party services, and at the same time hides the addresses of the real botnet. A typical example of an amplification attack is DNS response traffic directed at the victim's IP address.
Another vector is WordPress, a ubiquitous and feature-rich blog engine. Among other features, this CMS has Pingback, through which separate blogs exchange information about comments and mentions. A vulnerability in Pingback allows a specially crafted XML request to force the vulnerable server to fetch any web page on the Internet. The resulting malicious traffic is called WordPress Pingback DDoS.
Attacking HTTPS is no harder than HTTP: it is enough to specify a different scheme. To mitigate it, you need a 20 Gbit/s channel, the ability to process application-layer traffic at the full capacity of the link, and the ability to decrypt all TLS connections in real time, significant technical requirements that not everyone can meet. Add to this a huge number of vulnerable WordPress servers, hundreds of thousands of which can be used in a single attack. Each server has good connectivity and performance, and ordinary users do not notice its participation in the attack.
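From the victim's side, a Pingback reflection shows up as many distinct WordPress hosts fetching pages with the User-Agent that WordPress itself sends when verifying a pingback source. The added example below (not from the report; the log lines are constructed and the field names are assumptions) parses Apache combined-format lines, identifies those requests, and lists the reflecting blogs and the address that triggered them:

```python
import re
from collections import Counter

# Constructed Apache combined-format lines (not from the report), as a pingback reflection flood
# looks from the victim's side: many distinct WordPress hosts fetching pages at the same moment.
SAMPLE_ACCESS_LOG = """\
192.0.2.10 - - [10/Feb/2017:12:00:01 +0000] "GET /?p=1 HTTP/1.1" 200 5120 "-" "WordPress/4.7; http://blog-a.example; verifying pingback from 198.51.100.9"
192.0.2.11 - - [10/Feb/2017:12:00:01 +0000] "GET /?p=2 HTTP/1.1" 200 5120 "-" "WordPress/4.6.1; http://blog-b.example; verifying pingback from 198.51.100.9"
192.0.2.12 - - [10/Feb/2017:12:00:02 +0000] "GET /?p=3 HTTP/1.1" 200 5120 "-" "WordPress/4.7; http://blog-c.example; verifying pingback from 198.51.100.9"
203.0.113.5 - - [10/Feb/2017:12:00:02 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/51.0"
192.0.2.10 - - [10/Feb/2017:12:00:03 +0000] "GET /?p=4 HTTP/1.1" 200 5120 "-" "WordPress/4.7; http://blog-a.example; verifying pingback from 198.51.100.9"
"""

COMBINED_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+) "[^"]*" "([^"]*)"$')
# User-Agent WordPress uses for the page fetch that verifies a pingback source; the trailing
# address is the client that called xmlrpc.php on the reflector (TCP, so hard to spoof).
PINGBACK_UA_RE = re.compile(r"^WordPress/[\d.]+; (https?://[^;]+); verifying pingback from (\S+)$")

def parse_pingback_requests(log_text):
    """Return (total_requests, pingback_hits); each hit records the reflector and the IP it names."""
    total, hits = 0, []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue                                   # skip lines that are not combined-format
        total += 1
        reflector_ip, ts, _method, path, _status, size, ua = m.groups()
        p = PINGBACK_UA_RE.match(ua)
        if p:
            hits.append({"reflector_ip": reflector_ip, "blog_url": p.group(1), "origin_ip": p.group(2),
                         "path": path, "bytes": int(size) if size.isdigit() else 0, "ts": ts})
    return total, hits

def summarize_pingback_flood(log_text):
    """Who is reflecting, who triggered it, and how much of the traffic it makes up."""
    total, hits = parse_pingback_requests(log_text)
    return {
        "total": total,
        "requests": len(hits),
        "share": round(len(hits) / total, 2) if total else 0.0,
        "reflectors": Counter(h["blog_url"] for h in hits),   # blogs whose operators should be notified
        "origins": Counter(h["origin_ip"] for h in hits),     # who sent the XML-RPC requests to them
        "bytes": sum(h["bytes"] for h in hits),
    }
```

At the victim's edge the same User-Agent pattern is a cheap filter; the reflector list is what you send to the blog operators, who can drop the `pingback.ping` method through WordPress's `xmlrpc_methods` filter.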
We saw the first use of this vector in 2015, and it still works. We expect this type of attack to grow in frequency and power. Amplification via WordPress Pingback or DNS is an already well-worked example; in the future we will probably see the exploitation of younger protocols, primarily gaming ones.
BGP and route leaks
The founding fathers of the Internet could hardly have foreseen that it would grow to its current size. The network they created was built on trust, and that trust was lost during the Internet's periods of rapid growth. The BGP protocol was created when the total number of autonomous systems (AS) was counted in dozens. Now there are more than 50 thousand.
The BGP routing protocol appeared in the late eighties as a kind of sketch on a napkin by three engineers. It is not surprising that it answers the questions of a bygone era. Its logic is that packets should take the best available path. Financial relations between organizations and the politics of huge structures did not exist yet.
But in the real world, money comes first. Money sends traffic from Russia somewhere to Europe and then back home, because that is cheaper than using a channel within the country. Politics does not let two quarrelling providers exchange traffic directly; it is easier for them to negotiate with a third party.
Another problem with the protocol is the lack of built-in mechanisms for validating routing data. This is the root of BGP hijacking, route leaks and reserved AS numbers. Not all anomalies are malicious; often engineers simply do not fully understand how the protocol works. Nobody issues a "driving licence" for BGP and there are no fines, but there is plenty of room for destruction.
A typical example of a route leak: a provider uses the list of customer prefixes as the only filter for outgoing announcements. Regardless of where an announcement came from, customer prefixes are always announced in all available directions. As long as the customer announces directly, the problem is hard to notice. At some point the provider's network degrades, the customer tries to withdraw its announcements and tears down the BGP session with the problem provider. But the operator keeps announcing the customer prefixes in all directions, creating route leaks and pulling a significant share of the customer's traffic onto its problematic network. Of course, this is also a way to organize man-in-the-middle attacks, and some do use it.
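The added example below (not from the report; the topology, neighbour names and prefix are constructed) models the scenario above as a small export-policy simulation: the prefix-list-only policy keeps announcing the customer prefix to a peer after the customer has withdrawn it and the same prefix arrives via an upstream, while a session-aware policy does not:

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Route:
    prefix: str
    learned_from: str      # neighbour the route came from
    relation: str          # that neighbour's relation to us: "customer", "peer" or "upstream"

# Constructed topology: we are the provider; C is a customer, U an upstream, X a peer.
NEIGHBOURS = {"C": "customer", "U": "upstream", "X": "peer"}
CUSTOMER_PREFIXES = {"192.0.2.0/24"}   # the customer prefix list from the text

def export_prefix_list_only(route, neighbour):
    """The policy from the text: anything on the customer prefix list goes out in every
    direction, no matter where it was learned."""
    return route.prefix in CUSTOMER_PREFIXES

def export_by_session(route, neighbour):
    """Session-aware policy: a route is re-announced to peers and upstreams only if it was
    learned on a customer session (and is on the list); routes learned from a peer or
    upstream go to customers only."""
    if route.relation == "customer":
        return route.prefix in CUSTOMER_PREFIXES
    return NEIGHBOURS[neighbour] == "customer"

def announcements(rib, policy):
    """Prefixes we would announce to each neighbour under the policy (never back to its source)."""
    return {n: sorted(r.prefix for r in rib if r.learned_from != n and policy(r, n))
            for n in NEIGHBOURS}

def route_leaks(rib, policy):
    """(prefix, neighbour) pairs where a route learned from a peer/upstream would be announced
    to another peer/upstream: the leak pattern described in the text."""
    return {(r.prefix, n) for n, rel in NEIGHBOURS.items() if rel != "customer"
            for r in rib if r.relation != "customer" and r.learned_from != n and policy(r, n)}

# Step 1: C announces its prefix to us directly.
RIB_DIRECT = [Route("192.0.2.0/24", "C", "customer")]
# Step 2: our network degrades and C drops its session with us; C is multihomed, so the
# same prefix now reaches us through upstream U.
RIB_AFTER_WITHDRAW = [Route("192.0.2.0/24", "U", "upstream")]

if __name__ == "__main__":
    for name, policy in (("prefix list only", export_prefix_list_only), ("by session", export_by_session)):
        print(name, "leaks after withdraw:", route_leaks(RIB_AFTER_WITHDRAW, policy))
```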
To combat leaks in anycast networks, we developed a number of amendments and submitted them to the Internet Engineering Task Force (IETF). Initially we wanted to understand when our prefixes end up in such anomalies and whose fault it is. Since most leaks were caused by misconfiguration, we realized that the only way to solve the problem is to eliminate the conditions under which engineering mistakes can affect other operators.
The IETF develops voluntary Internet standards and helps to spread them. The IETF is not a legal entity but a community. This form of organization has many advantages: the IETF does not depend on the laws and requirements of any country; it cannot be sued, hacked or attacked. But the IETF pays no salaries, and all participation is voluntary. Its activity rarely rises above "non-profit" priority, so the development of new standards is slow.
Anyone can discuss or propose draft standards; the IETF has no membership requirements. The main process takes place in working groups. When agreement on a common topic is reached, the authors of the proposal begin discussing and finalizing the draft. The result goes to the area director, whose job is to double-check the document. The document is then sent to IANA, since that organization manages all protocol changes.
If our draft with a new BGP extension passes through all the "circles of hell", the stream of route leaks will dry up. Malicious leaks will not go anywhere, and against them there is only one option: constant monitoring.
2017
We expect vulnerabilities in enterprises to be found faster. According to statistics Wallarm collected with deployed honeypots, in 2016 an average of 3 hours passed between the publication of an exploit and its mass exploitation. In 2013 this period was a week. Attackers are becoming more and more prepared and professional. The acceleration will continue; we expect this window to shrink to 2 hours in the near future. Again, only proactive monitoring can counter this threat and insure against dire consequences.
Hacking and network scanning have already reached an unprecedented scale. This year more and more attackers will acquire pre-scanned IP address ranges segmented by the technologies and products in use, for example "all WordPress servers". The number of attacks on new technology stacks will grow: microcontainers, private and public clouds (AWS, Azure, OpenStack).
In the next one or two years, we expect "nuclear" attacks on providers and other infrastructure, in which neighbouring autonomous systems or entire regions suffer. The last few years of the sword-and-shield battle have produced more advanced mitigation methods. But the industry often forgot about legacy, and technical debt made attacks unprecedentedly simple. From now on, only geo-distributed cloud systems built with expertise can withstand record-breaking attacks.
The data presented above are only excerpts from our network security report, in which these and other threats are described in detail.