Re: Spitballing IoT Security

2016-10-31 Thread Pierre Lamy 
On 30/10/2016 12:43 AM, Eric S. Raymond wrote:
> Ronald F. Guilmette :
>> Two kids with a modest amount of knowledge
>> and a lot of time on their hands can do it from their mom's basement.
> 
> I in turn have to call BS on this.  If it were really that easy, we'd
> be inundated by Mirais -- we'd have several attacks a *day*.
> 

It's not easy, Mirai was closed source until the actor released it. We
see a pattern again and again, where the bad guys find a private
monetization strategy, milk it, and get out before too much attention is
focused on just them. By dumping the code, the Mirai actors obfuscate
attribution.

Now that the code is public, we see a huge surge in dumb & pointless
attacks against gaming/mod sites, Dyn, public schools and so on. We also
see bad code "improvements" which were recently referenced.

http://motherboard.vice.com/read/wannabe-hackers-are-adding-terrible-and-stupid-features-to-mirai

The long term problem isn't any manufacturer or Mirai, it's going to be
the long tail of IoT devices that never see a patch, deployed by people
who don't know anything about security (nor should they need to... flame
suit on). When millions of any type of device are put online, times
thousands of products, it only takes one bad guy's "a-ha" moment for
this to happen again. They'll milk it for a while, the attack
vector/method will get pushed down to the skid level, and we'll see a
massive increase in un-targeted attacks by those script kiddies until
the cycle repeats. There's an endless fresh supply of script kiddies.

While I agree with BCP38 etc, it wouldn't have prevented Mirai.
Self-update functions at some point for these devices are going to get
borked as well, such as a company going bust or forgetting to renew
their auto-update target domain. If you can't get (thousands?) of major
operators to deploy common sense security configurations, how will
similar best practices be implemented by tens of thousands of
manufacturers? Putting device regulations in one country won't impact
the rest of the internet's connected devices either.

Solutions...? Someone's going to have to take out a hammer, not a
scalpel, for these issues.

Re: BGP FlowSpec

2016-04-30 Thread Pierre Lamy 
I was looking into using this mechanism for blocking DDoS on Juniper
devices, but at the time, they only supported 8k flowspec entries/routes
and this was not sufficient to deal with the problem. My fallback was to
poison the routing table with null routes, but the problem with this was
that it didn't address inbound traffic, only the replies.

We ended up ditching all of this in favor of a third party external
scubbing vendor. They tend to prefer big honking boxes running
signatures whereever possible to drop identified malicious traffic.

When you get right down to it, the vendors have a lot of experience
day-to-day performing mitigations, and flowspec (or other BGP
mitigations) are more useful to carriers and ISPs to null out the
destination rather than the source.

Pierre

On 29/04/2016 9:08 AM, dennis wrote:
> 
> 
> Hi
> Amplification attacks and syn floods are just touching the surface of ddos 
> attack vectors.  You should look into some industry reports:
> Here are a couple examples to get you started.
> https://www.radware.com/ert-report-2015/
> http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/
> 
> Sent via the Samsung GALAXY S® 5, an AT 4G LTE smartphone
> 
>  Original message 
> From: Martin Bacher  
> Date: 4/29/2016  2:02 AM  (GMT-08:00) 
> To: Tyler Haske  
> Cc: NANOG list  
> Subject: Re: BGP FlowSpec 
> 
> Hello Tyler,
> 
> thanks for your reply.
> 
>> Am 28.04.2016 um 17:37 schrieb Tyler Haske :
>>
>> Martin,
>>
>>
>>> Last but not least: I am also looking for anonymized statistical data about 
>>> DDoS attacks which I could use in the thesis. I am mainly interested in 
>>> data about the
>>> type of attacks, attack time, sources, source and destination ports, and so 
>>> on. I know this something which is generally not shared, so I would really 
>>> appreciate it if
>>> someone would be able to share such data.
>>
>> Many companies are extremely reluctant to share their attack data. But 
>> that's OK, because there are other ways to get it.
>>
>> Have you investigated backscatter analysis? It's used to see ongoing and 
>> current Internet scope DDoS attacks.
> I just had a look on that and thought that its only be able to detect some of 
> the attacks. You might not detect large state of the art reflection and 
> amplification attacks with that method. But i think it is useful for some 
> sort of attacks like SYN flood. Do you agree?
> 
>>
>> Inferring Internet Denial of Service Activity
>> https://cseweb.ucsd.edu/~savage/papers/UsenixSec01.pdf
>>
>> Analyzing Large DDoS Attacks Using Multiple Data Sources
>> https://www.cs.utah.edu/~kobus/docs/ddos.lsad.pdf
>>
>> ISP Security - Real World Techniques
>> https://www.nanog.org/meetings/nanog23/presentations/greene.ppt
>>
>> A Summary of DoS/DDoS Prevention, Monitoring and Mitigation Techniques in a 
>> Service Provider Environment
>> https://www.sans.org/reading-room/whitepapers/intrusion/summary-dos-ddos-prevention-monitoring-mitigation-techniques-service-provider-enviro-1212
>>
>> Maybe you have access to some public IPs, then you can do this data 
>> collection yourself.
> Sure, I will definitely think about hat.
> 
> Thanks again for your reply and for providing the links.
> 
> Greetings,
> Martin
> 
>>
>> Regards,
>>
>> Tyler
>>
> 
>

Re: OpenNTPProject.org

2014-01-16 Thread Pierre Lamy 
BCP38 will only ever get implemented if governments and ruling 'net 
bodies force deployment. There's otherwise very little benefit seen by 
the access network providers, since the targets are other orgs and the 
attacks are happening in a different backyard.


On 14/01/2014 10:36 AM, Paul Ferguson wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA256

On 1/13/2014 11:18 PM, Saku Ytti wrote:


On (2014-01-13 21:33 +), Bjoern A. Zeeb wrote:


BCP38!  I am always surprised when people need crypto if they
fail the simple things.

Saying that BCP38 is solution to the reflection attacks is not
unlike 5 year old wishing nothing but world peace for christmas,
endearing, but it's not going to change anything. BCP38 is
completely unrealistic, many access networks are on autopilot,
many don't have HW support for BCP38, one port configured has
low-benefit, only that machine can stop attacking (but whole
world).

That does *not* make it an unworthy goal, nor should it stop people
from encouraging it's implementation.

- - ferg (co-author of BCP38)


- -- 
Paul Ferguson

PGP Public Key ID: 0x54DC85B2

-BEGIN PGP SIGNATURE-
Version: GnuPG v2.0.22 (MingW32)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iF4EAREIAAYFAlLVWXoACgkQKJasdVTchbIrtAD/T2bNNAgZOnnlniBPd6sEquxJ
v01mmrhJxFTIDFq7EIkA/3vQbiwtEwBeVyCtc3coEkz50zSDh3j9QQjT+TQWCNVs
=Al3Y
-END PGP SIGNATURE-

Re: Ddos mitigation service

2013-02-01 Thread Pierre Lamy 

The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai

Prolexic has the ability to announce a /24 for you, and scrub the whole 
thing, then pipe it back to you via a GRE tunnel or dedicated circuit. 
All of the companies mentioned do this for a living, and are pretty good 
at what they do. There are other vendors as well that do FQDN scrubbing 
for you (which is the normal way to do it). You swing the DNS A record 
to point to their provisioned VIP, and they proxy back the traffic to 
you. This doesn't do anything to prevent attacks against IP addresses 
rather than resolved FQDNs.


It's important to note that all mitigation techniques can have a 
negative impact and should be tested first. The scrubbing centers are 
only one solution and you should equip yourself with multiple layers of 
defense, separated by where they live:


Beyond the carrier perimeter
- Scrubbing farms in IP-routed mode
- Scrubbing farms in DNS-routed mode
- CDNs to deliver high value target pages, like main corporate pages and 
login windows

- Globally Anycast DNS auth slaves through a CDN

Beyond your perimeter (carriers)
- Geoblocks
- Zombie detection and rate limits
- Flowspec routes via monitoring tools like Arbor's
- Various other carrier-specific security offerings
- Provision a secondary circuit to carry non-public IP space, for 
corporate web/out, phones, VPN etc. If the main pipe comes under attack, 
you can still carry out some critical business and B2B functions


Within the perimeter
- Load balancers
- Firewalls
- IPS
- WAF
- Reverse proxies
- Blackhole routes
- Flowspec routes (ie Arbor)
- A span tap on the internet feed(s) connected to a tcpdump box (silly 
and cheap, but highly useful to generate sigs and collect intel)


Not all DDoS are created equal, and there can always be some leakage by 
protections further out; the protections closer in allow for a faster 
and more granular response, but you're really limited to the circuit 
sizes, session limits etc. I would highly recommend that you also join 
industry specific cyberintelligence organizations, like any of the 
-ISACs, and/or a cyberintel provider if you don't have access to an 
-ISAC. The 3 major areas of infosec business focus in 2013 that I see 
will be insourcing malware analysis + automation of IOC generation, 
cyberintelligence, and DDoS mitigations. Businesses have realized that 
relying solely in external vendors to provide these services in a 
generic way results in good service but slower turnaround times; the 
insourced components become both a first tier of defense, and also a 
specialized set of incident responders that understand the business.


Pierre

On 31/01/2013 1:13 PM, matt kelly wrote:

Can anyone recommended ddos mitigation companies with US east coast
presence that provide the services via bgp?  We are not interested in an
appliance but rather offloading the traffic.

Thanks.

Re: Ddos mitigation service

2013-02-01 Thread Pierre Lamy 
I'm aware that they exist but don't have any knowledge or experience 
with CloudFlare.


if you're considering using them, I would ask them for a list (under 
NDA) of what large enterprises use them, what their POPs are - global is 
good - and for any analytical product they have relating to DDoS that 
they have mitigated and investigated. Also a procedure guide on how you 
would engage them in event of a DDoS. You should really be asking a lot 
of questions before signing anything with anyone, and once you select 
one - TEST IT!!! A lot of orgs do not test their mitigation processes. 
The total time to mitigation if you're not already swung to a provider, 
should be down to 30 mins to an hour, this is reasonable for detection 
to full mitigation in large companies. Without running through an 
exercise, companies will find that mitigation takes 1-4 hours. It's also 
highly recommended that you have incident handlers who are able to make 
big decisions.


-Pierre

On 01/02/2013 10:48 AM, James Thomas wrote:

Hi Pierre,

Thank you for your interesting note.

On 01/02/2013 09:57, Pierre Lamy wrote:

The 3 major scrubbing vendors:

Prolexic
Verisign
Akamai

IIRC, CloudFlare claims to the same capcity of DDOS mitigation as
Prolexic (500gb) and also has a free option with fewer scrubbing
features.  Do you have experience with it, or is there some other reason
to have excluded it from your list?  I apologize for my noobish question.

Cheers,

James