chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Heya everyone,

we have been getting reports lately about unsecured UDP chargen servers
in our network being abused for reflection attacks with spoofed sources

http://en.wikipedia.org/wiki/Character_Generator_Protocol

| In the UDP implementation of the protocol, the server sends a UDP
| datagram containing a random number (between 0 and 512) of characters
| every time it receives a datagram from the connecting host. Any data
| received by the server is discarded.

We are seeing up to 1500 bytes of response though.

This seems to be something new. There aren't a lot of systems in our
network responding to chargen, but those that do have a 15x
amplification factor and generate more traffic than we have seen with
abused open resolvers.

Anyone else seeing that? Anyone who can think of a legitimate use of
chargen/udp these days? Fortunately I can't, so we're going to drop
19/udp at the border within the next hours.

Regards,
Bernhard
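One way to find the hosts behind reports like this and to measure the amplification the thread talks about, as an added example (not code from the original post): it parses constructed flow-export lines, tallies UDP/19 bytes in and out per host in a stand-in prefix (192.0.2.0/24) and lists responders and amplifying reflectors. The line format and the 5x flagging threshold are assumptions of this example.

```python
"""Spot chargen (UDP/19) responders from flow records and size their amplification."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow export lines (one UDP flow per line):
#   <timestamp> <src>:<sport> -> <dst>:<dport> <proto> <packets> <bytes>
# 192.0.2.0/24 stands in for "our network"; 198.51.100.7 plays the spoofed victim.
SAMPLE_FLOW_LINES = """\
2013-06-11T09:39:00 198.51.100.7:40000 -> 192.0.2.10:19 udp 100 6000
2013-06-11T09:39:00 192.0.2.10:19 -> 198.51.100.7:40000 udp 100 90000
2013-06-11T09:39:01 198.51.100.7:40001 -> 192.0.2.11:19 udp 50 3000
2013-06-11T09:39:01 192.0.2.11:19 -> 198.51.100.7:40001 udp 50 3000
2013-06-11T09:39:02 198.51.100.7:40002 -> 192.0.2.12:19 udp 30 1800
2013-06-11T09:39:02 192.0.2.10:53 -> 203.0.113.5:5353 udp 10 2000
"""

FLOW_RE = re.compile(
    r"^\S+ (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<proto>\w+) (?P<packets>\d+) (?P<bytes>\d+)$"
)

CHARGEN_PORT = 19


def parse_flows(text):
    """Yield a dict per well-formed flow line; malformed lines are skipped."""
    for line in text.splitlines():
        m = FLOW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("sport", "dport", "packets", "bytes"):
            rec[key] = int(rec[key])
        yield rec


def chargen_report(text, our_prefix):
    """Per-host counters for UDP/19 traffic touching hosts inside our_prefix.

    Returns {host: {"in_bytes", "out_bytes", "in_pkts", "out_pkts", "factor"}}
    where factor = out_bytes / in_bytes (0.0 when nothing came in).
    """
    net = ip_network(our_prefix)
    stats = defaultdict(lambda: {"in_bytes": 0, "out_bytes": 0, "in_pkts": 0, "out_pkts": 0})
    for f in parse_flows(text):
        if f["proto"].lower() != "udp":
            continue
        if f["dport"] == CHARGEN_PORT and ip_address(f["dst"]) in net:
            s = stats[f["dst"]]          # a request (or flood) reaching our host
            s["in_bytes"] += f["bytes"]
            s["in_pkts"] += f["packets"]
        elif f["sport"] == CHARGEN_PORT and ip_address(f["src"]) in net:
            s = stats[f["src"]]          # our host answering from port 19
            s["out_bytes"] += f["bytes"]
            s["out_pkts"] += f["packets"]
    for s in stats.values():
        s["factor"] = round(s["out_bytes"] / s["in_bytes"], 2) if s["in_bytes"] else 0.0
    return dict(stats)


def responders(report):
    """Hosts that answer on UDP/19 at all: the list to hand to their owners."""
    return sorted(h for h, s in report.items() if s["out_pkts"] > 0)


def reflectors(report, min_factor=5.0):
    """Responders that amplify, worst offenders (by bytes sent out) first."""
    hits = [(h, s) for h, s in report.items() if s["factor"] >= min_factor]
    return [h for h, _ in sorted(hits, key=lambda hs: hs[1]["out_bytes"], reverse=True)]


if __name__ == "__main__":
    rep = chargen_report(SAMPLE_FLOW_LINES, "192.0.2.0/24")
    for host in responders(rep):
        s = rep[host]
        print(f"{host}: {s['in_bytes']}B in, {s['out_bytes']}B out, {s['factor']}x")
    print("reflectors to chase:", reflectors(rep))
```

On the sample data 192.0.2.10 shows the 15x factor from the post, 192.0.2.11 answers but does not amplify, and 192.0.2.12 is probed but silent.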




Re: chargen is the new DDoS tool?

2013-06-11 Thread Brielle Bruns

On 6/11/13 9:39 AM, Bernhard Schmidt wrote:

> Heya everyone,
> 
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
> 
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
> 
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
> 
> We are seeing up to 1500 bytes of response though.
> 
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
> 
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.




*checks her calendar*  I for a second worried I might have woken up from 
a 20 year long dream



Are these like machines time forgot or just really bad configuration
choices?



--
Brielle Bruns
The Summit Open Source Development Group
http://www.sosdg.org/ http://www.ahbl.org



Re: chargen is the new DDoS tool?

2013-06-11 Thread Bernhard Schmidt
Brielle Bruns  wrote:

Hey,

>> we have been getting reports lately about unsecured UDP chargen servers
>> in our network being abused for reflection attacks with spoofed sources
>>
>> http://en.wikipedia.org/wiki/Character_Generator_Protocol
>>
>> | In the UDP implementation of the protocol, the server sends a UDP
>> | datagram containing a random number (between 0 and 512) of characters
>> | every time it receives a datagram from the connecting host. Any data
>> | received by the server is discarded.
>>
>> We are seeing up to 1500 bytes of response though.
>>
>> This seems to be something new. There aren't a lot of systems in our
>> network responding to chargen, but those that do have a 15x
>> amplification factor and generate more traffic than we have seen with
>> abused open resolvers.
>>
>> Anyone else seeing that? Anyone who can think of a legitimate use of
>> chargen/udp these days? Fortunately I can't, so we're going to drop
>> 19/udp at the border within the next hours.
>>
>
> *checks her calendar*  I for a second worried I might have woken up from 
> a 20 year long dream
>
> Are these like machines time forgot or just really bad configuration
> choices?

Not sure. The affected IPs are strongly clustered around the Faculty of
Medicine, so from experience I would assume stone-old boxes. But not
sure yet.

Bernhard




Re: chargen is the new DDoS tool?

2013-06-11 Thread Vlad Grigorescu
We got hit with this in September. UDP/19 became our busiest port
overnight. Most of the systems participating were printers. We dropped it at
the border, and had no complaints or ill effects.

--Vlad Grigorescu
  Carnegie Mellon University


On Jun 11, 2013, at 11:39 AM, Bernhard Schmidt  wrote:

> Heya everyone,
> 
> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
> 
> http://en.wikipedia.org/wiki/Character_Generator_Protocol
> 
> | In the UDP implementation of the protocol, the server sends a UDP
> | datagram containing a random number (between 0 and 512) of characters
> | every time it receives a datagram from the connecting host. Any data
> | received by the server is discarded.
> 
> We are seeing up to 1500 bytes of response though.
> 
> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.
> 
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
> 
> Regards,
> Bernhard




Re: chargen is the new DDoS tool?

2013-06-11 Thread Charles Wyble
Hmmm. Do you not run a default deny at your border, which would catch this sort
of thing? Granted that's not always possible I suppose. Maybe block all UDP you
don't specifically need? Do you have an ids/ips? If not, look at SecurityOnion
on a SPAN port, it will provide great insight into what's happening.

Generally these sort of legacy services are only used for malicious activity 
and will light up an ids/ips like a Christmas tree. 

They must be old boxes. I can't think of any recent os distributions which would
even have these services listening, let alone installed.

Bernhard Schmidt  wrote:

>Heya everyone,
>
>we have been getting reports lately about unsecured UDP chargen servers
>in our network being abused for reflection attacks with spoofed sources
>
>http://en.wikipedia.org/wiki/Character_Generator_Protocol
>
>| In the UDP implementation of the protocol, the server sends a UDP
>| datagram containing a random number (between 0 and 512) of characters
>| every time it receives a datagram from the connecting host. Any data
>| received by the server is discarded.
>
>We are seeing up to 1500 bytes of response though.
>
>This seems to be something new. There aren't a lot of systems in our
>network responding to chargen, but those that do have a 15x
>amplification factor and generate more traffic than we have seen with
>abused open resolvers.
>
>Anyone else seeing that? Anyone who can think of a legitimate use of
>chargen/udp these days? Fortunately I can't, so we're going to drop
>19/udp at the border within the next hours.
>
>Regards,
>Bernhard

--
Charles Wyble 
char...@knownelement.com / 818 280 7059 
CTO Free Network Foundation (www.thefnf.org)


Re: chargen is the new DDoS tool?

2013-06-11 Thread Justin M. Streiner

On Tue, 11 Jun 2013, Vlad Grigorescu wrote:

> We got hit with this in September. UDP/19 became our busiest port
> overnight. Most of the systems participating were printers. We dropped
> it at the border, and had no complaints or ill effects.


Dropping the TCP and UDP "small services" like echo (not ICMP echo), 
chargen and discard as part of default firewall / filter policies probably 
isn't a bad idea.  Those services used to be enabled by default on Cisco 
routers, but that hasn't been since probably around 11.3 (mid-late 90s).


Other than providing another DDoS vector, I'm not aware of any legitimate 
reason to keep these services running and accessible.  As always, YMMV.


jms



Re: chargen is the new DDoS tool?

2013-06-11 Thread Leo Bicknell

On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt  wrote:

> This seems to be something new. There aren't a lot of systems in our
> network responding to chargen, but those that do have a 15x
> amplification factor and generate more traffic than we have seen with
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the 
problem, I would recommend doing an internal nmap scan for such things, finding 
the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the owners 
were still using SunOS 4.x boxes for some reason, had accidentally enabled 
chargen, or if some malware had set up the servers.  Inquiring minds would like 
to know!

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









RE: chargen is the new DDoS tool?

2013-06-11 Thread David Edelman
I can just see someone spoofing a packet from victimA port 7/UDP to victimB
port 19/UDP.  

--Dave


-Original Message-
From: Leo Bicknell [mailto:bickn...@ufp.org] 
Sent: Tuesday, June 11, 2013 3:13 PM
To: Bernhard Schmidt
Cc: nanog@nanog.org
Subject: Re: chargen is the new DDoS tool?


On Jun 11, 2013, at 10:39 AM, Bernhard Schmidt  wrote:

> This seems to be something new. There aren't a lot of systems in our 
> network responding to chargen, but those that do have a 15x 
> amplification factor and generate more traffic than we have seen with 
> abused open resolvers.

The number is non-zero?  In 2013?

While blocking it at your border is probably a fine way of mitigating the
problem, I would recommend doing an internal nmap scan for such things,
finding the systems that respond, and talking with their owners.

Please report back to NANOG after talking to them letting us know if the
owners were still using SunOS 4.x boxes for some reason, had accidentally
enabled chargen, or if some malware had set up the servers.  Inquiring minds
would like to know!

-- 
   Leo Bicknell - bickn...@ufp.org - CCIE 3440
PGP keys at http://www.ufp.org/~bicknell/









Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 15:38:45 -0400, "David Edelman" said:
> I can just see someone spoofing a packet from victimA port 7/UDP to victimB
> port 19/UDP.

For a while, it was possible to spoof packets to create a TCP connection from a
machine's chargen port to its own discard port and walk away while it burned to
the ground.  Fun times.





Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Justin M. Streiner  wrote:
> Other than providing another DDoS vector, I'm not aware of any legitimate
> reason to keep these services running and accessible.  As always, YMMV.

They are useful for troubleshooting and diagnostic purposes.   Just be
sure to limit the maximum possible response rate and bandwidth for any
source network,   and be sure to truncate the length of the response
to the length of the original query,  so they cannot be used for
amplification.   If you can't do that, then shut them off :)


The risk that they be used to DoS the server that runs those services remains.


> jms
--
-JH



Re: chargen is the new DDoS tool?

2013-06-11 Thread Dobbins, Roland

On Jun 12, 2013, at 2:13 AM, Leo Bicknell wrote:

> The number is non-zero?  In 2013?

These are largely modern printers and other 'embedded' devices which are 
running OS configurations apparently cribbed out of 20-year-old gopher docs.

;>

---
Roland Dobbins  // 

  Luck is the residue of opportunity and design.

   -- John Milton




Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 12:06:36 -0400, Brielle Bruns  wrote:
> Are these like machines time forgot or just really bad configuration
> choices?


All of the above plus very poorly managed network / network security.
(sadly a Given(tm) for anything ending dot-e-d-u.)  a) why are *printers*
given public IPs? and b) why are internet hosts allowed to talk to them?
I'm actually *very* surprised your printers are still functional if the
whole internet can reach them.


Being an edu, even if they aren't globally reachable, there is *plenty*
mischievousness already inside the borders!  Securing a campus from the
world... easy; securing a campus from its own users... good luck with
that.


--Ricky



Re: chargen is the new DDoS tool?

2013-06-11 Thread Majdi S. Abbas
On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
> All of the above plus very poorly managed network / network
> security. (sadly a Given(tm) for anything ending dot-e-d-u.)  a) why
> are *printers* given public IPs? and b) why are internet hosts
> allowed to talk to them?  I actually *very* surprised your printers
> are still functional if the whole internet can reach them.

You've never worked for one, have you?

Guess what, they have /16s, they use them, and they like
the ability to print from one side of campus to the other.  Are you
suggesting gigantic NATs with 120,000 students and faculty behind them?

I have a hard time blaming a school for this.  I have an easy
time wondering why printer manufacturers are including chargen support
in firmware.

--msa



Re: chargen is the new DDoS tool?

2013-06-11 Thread Joe Hamelin
On Tue, Jun 11, 2013 at 4:57 PM, Majdi S. Abbas  wrote:

>
> I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.


Isn't that what printer do?  Generate characters?  It was in the design
spec.

/me thinks of PHB going down port list, "yep, need that one!"

--
Joe Hamelin, W7COM, Tulalip, WA, 360-474-7474


Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 19:57:17 -0400, Majdi S. Abbas  wrote:

> You've never worked for one, have you?


Indeed I have. Which is why I haven't for a great many years.  Academics
tend to be, well, academic. That is, rather far out of touch with the
realities of running / securing a network.  I've used the word
"incompetent" in previous conversations, but that's mostly a factor of
overwork in an environment where few people are ever fired for such.



> Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other.  Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?


Guess what, there are companies that have /8's, and they manage to keep
their network(s) reasonably secured.  I'm not talking about uber-large
NAT; I'm talking about proper boundary security.  If you cannot figure out
how to keep the internet away from your printers, you should look into
other lines of employment.  Limiting access of the residential network
into the departmental networks is one of the first things in the design
of a res-net. Otherwise, there's 25k potential script kiddies (or infected
home computers now on your network) waiting to attack everything on
campus. But we're headed into the weeds here...



> I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.


I have the same bewilderment about people allowing such unsolicited  
traffic into their network(s) in the first place.  Even with IPv6 (where  
there's no NAT forcing the issue), I run a default deny policy... if  
nothing asked for it, it doesn't get in.


Also, why the hell aren't providers doing anything to limit
spoofing?!? I'm staring right at you AT&T (former Bellsouth.)


--Ricky



Re: chargen is the new DDoS tool?

2013-06-11 Thread Jimmy Hess
On 6/11/13, Majdi S. Abbas  wrote:
> On Tue, Jun 11, 2013 at 07:52:02PM -0400, Ricky Beam wrote:
>> All of the above plus very poorly managed network / network
>> security. (sadly a Given(tm) for anything ending dot-e-d-u.)  a) why
>> are *printers* given public IPs? and b) why are internet hosts
>> allowed to talk to them?  I actually *very* surprised your printers
>> are still functional if the whole internet can reach them.

Who really has a solid motive to make them stop working (other than a
printer manufacturer who wants to sell them more) ?


>   Guess what, they have /16s, they use them, and they like
> the ability to print from one side of campus to the other.  Are you
> suggesting gigantic NATs with 120,000 students and faculty behind them?

A per-building NAT would work,  with static translations for printers
in that building, and an ACL with an allow list including IPsec
traffic to the printer from the campus'  IP range.

They don't have to use NAT though to avoid unnecessary exposure of
services on internal equipment to the larger world.


>   I have a hard time blaming a school for this.  I have an easy
> time wondering why printer manufacturers are including chargen support
> in firmware.
>

They probably built their printer on top of a general purpose or
embedded OS they purchased from someone else, or reused,  that
included an IP stack -- as well as other features that were
unnecessary for their use case.

Or the chargen tool may have been used during stress tests to verify
proper networking, and that the IP stack processed bits without
corrupting them;  with the manufacturer forgetting/neglecting to turn
off the unnecessary feature, forgetting to remove/disable that bit of
software, or seeing no need to,  before mass producing.


>   --msa
-- 
-JH



Re: chargen is the new DDoS tool?

2013-06-11 Thread Valdis . Kletnieks
On Tue, 11 Jun 2013 21:37:04 -0400, "Ricky Beam" said:

> Indeed I have. Which is why I haven't for a great many years.  Academics
> tend to be, well, academic. That is, rather far out of touch with the
> realities of running / securing a network.

Do you have any actual evidence that a .edu of (say) 2K employees
is statistically *measurably* less secure than a .com of 2K employees?

We keep hearing that meme - and yet, looking at the archives of this list,
I see a lot more stories of network providers who should know better doing
stupid stuff than I see of .edu's doing stupid stuff.

The Verizon report says small business is actually the biggest cesspit of abuse:

http://money.cnn.com/2013/04/22/smallbusiness/small-business-cybercrime/index.html
http://www.verizonenterprise.com/DBIR/2013/

~100 employee firms in health care appear to be a particular lost cause.





Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess  wrote:

> Who really has a solid motive to make them stop working (other than a
> printer manufacturer who wants to sell them more) ?


Duh, so people cannot print to them. (amongst various other creative
pranks)


From a cybercriminal pov, to swipe the things you're printing... like that  
CC authorization form you just printed, or a confidential contract, etc.  
(also, in many offices, the printer is also the scanner and fax)


--Ricky



Re: chargen is the new DDoS tool?

2013-06-11 Thread Ricky Beam

On Tue, 11 Jun 2013 22:55:12 -0400,  wrote:

> Do you have any actual evidence that a .edu of (say) 2K employees
> is statistically *measurably* less secure than a .com of 2K employees?


We're sorta lookin' at one now. :-)

But seriously, how do you measure one's security?  The scope is constantly
changing.  While there are companies one can pay to do this, those reports
are *very* rarely published.  And I've not heard of a single edu
performing such an audit.  The only statistics we have to run with are of
*known* breaches. And that's a very bad metric as a company with no
security at all that's had no (reported) intrusions appears to have very
good security, while a company with extensive security looks very bad
after a few breaches.  One has no one sniffing around at all, while the
other has teams going at it with pick-axes. One likely has no one in charge
of security, while the other has an entire security department.




Re: chargen is the new DDoS tool?

2013-06-11 Thread Damian Menscher
On Tue, Jun 11, 2013 at 8:39 AM, Bernhard Schmidt wrote:

> we have been getting reports lately about unsecured UDP chargen servers
> in our network being abused for reflection attacks with spoofed sources
>
> Anyone else seeing that? Anyone who can think of a legitimate use of
> chargen/udp these days? Fortunately I can't, so we're going to drop
> 19/udp at the border within the next hours.
>

FWIW, last August we noticed 2.5Gbps of chargen being reflected off ~160
IPs (with large responses in violation of the RFC).  As I recall, some
quick investigation indicated it was mostly printers.  I notified several
of the worst offenders (rated by bandwidth).

While I think it's silly to be exposing chargen to the world (especially as
a default service in a printer!), the real problem here is networks that
allow spoofed traffic onto the public internet.  In the rare cases we see
spoofed traffic I put special effort into tracing them to their source, and
then following up to educate those providers about egress filtering.  I'd
appreciate it if others did the same.

Damian


Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
This is basically untrue. I can deal with a good rant as long as there's
some value in it. As it is (I'm sorta sorry) I picked this apart.

On Jun 12, 2013 12:04 AM, "Ricky Beam"  wrote:
>
> On Tue, 11 Jun 2013 22:55:12 -0400,  wrote:
>>
>

> But seriously, how do you measure one's security?

Banks and insurance companies supposedly have some interesting actuarial
data on this.

> The scope is constantly changing.

Not really. The old tricks are the best tricks. And when a default install
of Windows still allows you to request old NTLM authentication and most
people don't think twice about this, there's a problem.

> While there are companies one can pay to do this, those reports are
*very* rarely published.

It seems you are referring to two things - exploit writing vs pen testing.
While I hate saying this, there are automated tools that could clean up
most networks for a few K (they can also take down things if you aren't
careful so I'm not saying spend 2k and forget about it). Basically, not
everyone needs to pay for a professional test out of the gate - fix the
easily found stuff and then consider next steps.

As for exploit writing, you can pay for this and have an 0day for between
$10 and $50k (AFAIK - not what I do with my time / money) but while you've
got stuff with known issues on the net that any scanner can find, thinking
someone is going to think about using an 0day to break into your stuff is a
comical wet dream.

> And I've not heard of a single edu performing such an audit.

And you won't. I'm not going to tell you about past problems with my stuff
because even after I think I've fixed everything, maybe I missed something
that you can now easily find with the information I've disclosed. There are
information sharing agreements between entities generally in the same
industry (maybe even some group like this for edu?). But this will help
with source and signatures, if your network is like a sieve, fix that first
:)

> The only statistics we have to run with are of *known* breaches.

As I indicated above, 0days are expensive and no one is going to waste one
on you. Put another way, if someone does, go home proud - you're in with
the big boys (military, power plants, spy agencies) someone paid top dollar
for your stuff because you had everything else closed.

> And that's a very bad metric as a company with no security at all that's
had no (reported) intrusions appears to have very good security, while a
company with extensive security looks very bad after a few breaches.

I'll take that metric any day :) Most companies only release a break in if
they leak customer data. The only recent example I can think of where this
wasn't true was the Canadian company that develops SCADA software
disclosing that China stole their stuff. Second, if you look at the stocks
of public companies that were hacked a year later, they're always up. The
exception to this is HBGary who pissed off Anonymous and are no longer in
business (they had shady practices that were disclosed by the hack - don't
do this).

> One has noone sniffing around at all, while the other has teams going at
it with pick-axes.

If you have no one sniffing around, you've got issues.

> One likely has noone in charge of security, while the other has an entire
security department.

Whether you have a CSO in name or not might not matter. Depending on the
size of the organization (and politics), a CTO that understands security
can do just as much.


Re: chargen is the new DDoS tool?

2013-06-12 Thread Jimmy Hess
On 6/12/13, shawn wilson  wrote:
> This is basically untrue. I can deal with a good rant as long as there's
> some value in it. As it is (I'm sorta sorry) I picked this apart.
> On Jun 12, 2013 12:04 AM, "Ricky Beam"  wrote:
>> On Tue, 11 Jun 2013 22:55:12 -0400,  wrote:
>> But seriously, how do you measure one's security?
> Banks and insurance companies supposedly have some interesting actuarial
> data on this.

>> The scope is constantly changing.
> Not really. The old tricks are the best tricks. And when a default install
By best, you must mean effective against the greatest number of targets.

> of Windows still allows you to request old NTLM authentication and most
> people don't think twice about this, there's a problem.

Backwards compatibility and protocol downgrade-ability is a PITA.

> It seems you are referring to two things - exploit writing vs pen testing.
> While I hate saying this, there are automated tools that could clean up
> most networks for a few K (they can also take down things if you aren't
> careful so I'm not saying spend 2k and forget about it). Basically, not

For the orgs that the 2K tool is likely to be most useful for, $2k is
a lot of cash.
The scan tools that are really worth the trouble start around 5K, and
people don't like making much investment in security products, until
they know they have a known breach on their hands.  Many are likely
to forego both, purchase the cheapest firewall appliance they can
find, that claims to have antivirus functionality, maybe some
stateful TCP filtering, and Web policy enforcement to restrict surfing
activity; and feel safe, "the firewall protects us", no other
security planning or products or services req'd.

> As I indicated above, 0days are expensive and no one is going to waste one
> on you. Put another way, if someone does, go home proud - you're in with
[snip]

I would call this wishful thinking;  0days are expensive,  so the
people who want to use them, will want to get the most value they can
get out of the 0day, before the bug gets fixed.

That means both small numbers of high value targets, and,  then...
large numbers of lesser value targets. If you have a computer
connected to the internet, some bandwidth, and a web browser or e-mail
address, you are a probable target.

If a 0day is used against you,  it's most likely to be used against
your web browser  visiting a "trusted"  site you normally visit.

The baddies can help protect their investment in 0day exploit code,
by making sure that by the time you detect it,  the exploit code is
long gone,  so  the infection vector will be unknown.

--
-JH



Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
On Wed, Jun 12, 2013 at 4:51 AM, Jimmy Hess  wrote:
> On 6/12/13, shawn wilson  wrote:

>>> The scope is constantly changing.
>> Not really. The old tricks are the best tricks. And when a default install
> By best, you must mean effective against the greatest number of targets.
>

By best, I mean effective - end of story.

>> of Windows still allows you to request old NTLM authentication and most
>> people don't think twice about this, there's a problem.
>
> Backwards compatibility and protocol downgrade-ability is a PITA.
>

Yes, telling people that NT/2k can't be on your network might be a
PITA, but not using software or hardware that has gone EOL is
sometimes just a sensible business practice.

>> It seems you are referring to two things - exploit writing vs pen testing.
>> While I hate saying this, there are automated tools that could clean up
>> most networks for a few K (they can also take down things if you aren't
>> careful so I'm not saying spend 2k and forget about it). Basically, not
>
> For the orgs that the 2K tool is likely to be most useful for, $2k is
> a lot of cash.
> The scan tools that are really worth the trouble start around 5K, and
> people don't like making much investment in security products, until
> they know they have a known breach on their hands.  Many are likely
> to forego both, purchase the cheapest firewall appliance they can
> find, that claims to have antivirus functionality, maybe some
> stateful TCP filtering, and Web policy enforcement to restrict surfing
> activity; and feel safe, "the firewall protects us", no other
> security planning or products or services req'd.
>

I don't really care to price stuff so I might be a little off here
(most of this stuff has free components). Nessus starts at around $1k,
Armitage is about the same (but no auto-pown, darn), Metasploit Pro is
a few grand. My point being, you can have a decent scanner (Nessus)
catching the really bad stuff for not much money (I dislike this line
of thought, but if you aren't knowledgeable to use tools and just want
a report for a grand, there you go).

>> As I indicated above, 0days are expensive and no one is going to waste one
>> on you. Put another way, if someone does, go home proud - you're in with
> [snip]
>
> I would call this wishful thinking;  0days are expensive,  so the
> people who want to use them, will want to get the most value they can
> get out of the 0day, before the bug gets fixed.
>

0days are expensive, so when you see them, someone (Google, Firefox,
Adobe, etc) have generally paid for them. Once you see them, they are
not 0days (despite what people like to call recently disclosed public
vulns - it ain't an 0day).

> That means both small numbers of high value targets, and,  then...
> large numbers of lesser value targets. If you have a computer
> connected to the internet, some bandwidth, and a web browser or e-mail
> address, you are a probable target.
>

No, this means Stuxnet, Duqu, Flame. This means, I spent a million on
people pounding on stuff for a year, I'm going to take out a nuclear
facility or go after Google or RSA. I want things more valuable than
your student's social security numbers.

> If a 0day is used against you,  it's most likely to be used against
> your web browser  visiting a "trusted"  site you normally visit.
>

I don't have anything to back this up off hand, but my gut tells me
that most drive by web site malware isn't that well thought out.

> The baddies can help protect their investment in 0day exploit code,
> by making sure that by the time you detect it,  the exploit code is
> long gone,  so  the infection vector will be unknown.
>

If the US government can't prevent companies from analyzing their
work, do you really think random "baddies" can? Seriously?... No
really, seriously?

Here's the point, once you use an 0day, it is not an 0day. It's burnt.
It might still work on some people, but chances are all your high
value targets know about it and it won't work on them.



Re: chargen is the new DDoS tool?

2013-06-12 Thread Joel M Snyder


>> Do you have any actual evidence that a .edu of (say) 2K employees
>> is statistically *measurably* less secure than a .com of 2K employees?

>We're sorta lookin' at one now.

>But seriously, how do you measure one's security?

In ounces, unless it's a European university, in which case you use 
liters.  Older systems of measuring security involving mass (pounds and 
kilos) have been deprecated, and you should not be using them anymore in 
serious evaluations, although some older CSOs will insist.


jms

--
Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
Senior Partner, Opus One   Phone: +1 520 324 0494
j...@opus1.com    http://www.opus1.com/jms



Re: chargen is the new DDoS tool?

2013-06-12 Thread Jimmy Hess
On 6/12/13, Joel M Snyder  wrote:
>  >But seriously, how do you measure one's security?
> In ounces, unless it's a European university, in which case you use
> liters.  Older systems of measuring security involving mass (pounds and
> kilos) have been deprecated, and you should not be using them anymore in

You need to count the number of  employees/users, information assets,
applications,  systems, IP addresses on your network, and network
ports on your switch,  processes running on all your machines,  files
stored on your servers;   and place them in the disjoint
non-overlapping categories.

Then decide a 'weight'  for each object, 'impact';  for example,  the
cost of formatting and reinstalling a server,  buying new hardware if
a device has been bricked;   or the cost of  re-creating work from
scratch,   or  settling the lawsuit  if your environment's security
failure allows this particular file's content to be  disclosed, lost,
corrupted, or made temporarily unavailable due to a DoS.

The weight should be the greatest possible cost of breach, or
misbehavior of that object, be that an application, OS,  user,
switchport, or MAC address,  but   Users, Applications, Servers,
Workstations, Network Devices, and "Documents directories"   are some
useful categories to use.

Then assign a probability of each object,  based on the expectation of
a breach,  given the series of expected attacks over a period of time.


Then for each category, take a ratio of the sums of all objects for
each category:

Sum of ((1 minus Probability that an attack succeeds) X (Weight))
divided by (Sum of the Weights)


Example,   I  have   5  Windows XP servers on my network,  which
cost me $100 to recover and replace from attack,  for the period of
time of 1 year,  no firewall,  RDP open to the world;  so  there is a
90%  chance estimated that   an attacker will eventually find the
vulnerability  on average over the series of attacks I expect to find
in one year,  except on one system I patched, so there is a 40%
chance.


(0.6 * $100 + 0.1 * $100 + 0.1 * $100 +  )   divided by $500

Then  when faced with the complete series of attacks, I expect to lose
$400 out of  $500;  so  my OS  category  is 10% secure  for the year,
in that case.


Your percentage security is the  _lowest_,  _least desirable_,  or
_worst_   metric   over all the distinct categories  you cared about.


> jms
--
-JH
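The metric described above, implemented as an added example (not code from the thread): the post's five Windows XP servers are used as constructed input, the Workstations category is invented to show the minimum being taken, and the dataclass, function names and the zero-weight rule are my assumptions.

```python
"""Security-percentage metric from the post above (added example).

Per category: sum((1 - p_i) * w_i) / sum(w_i), where w_i is the worst-case
breach cost of an object and p_i the probability that the expected series
of attacks over the period succeeds against it. Report the worst category.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    name: str
    category: str     # e.g. "Servers", "Users", "Network Devices"
    weight: float     # greatest possible cost of breach, in dollars
    p_breach: float   # probability an attack succeeds over the period

    def __post_init__(self) -> None:
        if not 0.0 <= self.p_breach <= 1.0 or self.weight < 0:
            raise ValueError(f"{self.name}: bad weight or probability")


def category_security(assets: list[Asset]) -> dict[str, float]:
    """Expected surviving value as a fraction of total value, per category."""
    surviving: dict[str, float] = {}
    total: dict[str, float] = {}
    for a in assets:
        surviving[a.category] = surviving.get(a.category, 0.0) + (1 - a.p_breach) * a.weight
        total[a.category] = total.get(a.category, 0.0) + a.weight
    # Assumption: a category with zero total weight has no cost at risk, so it scores 1.0.
    return {c: (surviving[c] / total[c] if total[c] else 1.0) for c in total}


def overall_security(assets: list[Asset]) -> float:
    """The post's rule: the lowest category score is the number you report."""
    return min(category_security(assets).values())


# Constructed inventory: the post's five XP servers at $100 each with RDP open,
# four at 90% breach probability and the patched one at 40%, plus an invented
# Workstations category so the minimum has something to choose between.
INVENTORY = [Asset(f"xp-{i}", "Servers", 100.0, 0.9) for i in range(4)]
INVENTORY.append(Asset("xp-patched", "Servers", 100.0, 0.4))
INVENTORY += [Asset("ws-1", "Workstations", 50.0, 0.5),
              Asset("ws-2", "Workstations", 200.0, 0.2)]

if __name__ == "__main__":
    for cat, score in category_security(INVENTORY).items():
        print(f"{cat}: {score:.0%} secure for the period")
    print(f"overall: {overall_security(INVENTORY):.0%}")
```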



Re: chargen is the new DDoS tool?

2013-06-12 Thread Rich Kulawiec
I'm going to bypass the academic vs. non-academic security argument
because I've worked everywhere, and from a security viewpoint, there
is plenty of fail to go around.

On Tue, Jun 11, 2013 at 09:37:04PM -0400, Ricky Beam wrote:
> I run a default deny
> policy... if nothing asked for it, it doesn't get in.

This is a fine thing and good thing.  But as you've expressed it here,
it's incomplete, because of that last clause: "it doesn't get in".
For default-deny to be effective, it has to be bidirectional.

Please don't tell me it can't be done.  I've done it.  Repeatedly.
It's a LOT of work. (Although progress in toolsets keeps making it easier.)
But it's also essential, since your responsibility is not just to defend
your operation from the Internet, but to defend the Internet from your
operation.

---rsk



Re: chargen is the new DDoS tool?

2013-06-12 Thread Aaron Glenn
On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson  wrote:
>
>
> Banks and insurance companies supposedly have some interesting actuarial
> data on this.
>

Do you know of any publicly available sources?

thanks,
aaron



Re: chargen is the new DDoS tool?

2013-06-12 Thread Nick B
I thought the modern measure was hours and dollars wasted... Err I mean
spent.
Nick
On Jun 12, 2013 5:21 AM, "Joel M Snyder"  wrote:

>
> >> Do you have any actual evidence that a .edu of (say) 2K employees
> >> is statistically *measurably* less secure than a .com of 2K employees?
>
> >We're sorta lookin' at one now.
>
> >But seriously, how do you measure one's security?
>
> In ounces, unless it's a European university, in which case you use
> liters.  Older systems of measuring security involving mass (pounds and
> kilos) have been deprecated, and you should not be using them anymore in
> serious evaluations, although some older CSOs will insist.
>
> jms
>
> --
> Joel M Snyder, 1404 East Lind Road, Tucson, AZ, 85719
> Senior Partner, Opus One   Phone: +1 520 324 0494
> j...@opus1.com    http://www.opus1.com/jms
>
>


Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
On Wed, Jun 12, 2013 at 7:14 AM, Aaron Glenn  wrote:
> On Wed, Jun 12, 2013 at 11:17 AM, shawn wilson  wrote:
>>
>>
>> Banks and insurance companies supposedly have some interesting actuarial
>> data on this.
>>
>
> Do you know of any publicly available sources?
>

I don't. There's a US entity that represents credit card companies
that has their own type of "Verizon Data Breach Investigations Report"
where you might find some info of this type. You might also look at
how/if AlienVault and others rank threats which should give you the
"how hard is this hack" and "how hard is this to fix" figure.

The theory behind generating this type of actuarial data should be
more available than it is. I have a feeling that companies who have
this information look at entities in the same type of business and
make educated guesses on how breaches affected their bottom line based
on stock value and the like. There is probably some private data
sharing here as well.



Re: chargen is the new DDoS tool?

2013-06-12 Thread shawn wilson
Getting back to the topic. I just saw quite a few of our hosts scanned
for this by 192.111.155.106 which doesn't say much on its own as
http://dacentec.com/ is a hosting company.

On Tue, Jun 11, 2013 at 11:27 PM, Ricky Beam  wrote:
> On Tue, 11 Jun 2013 22:52:52 -0400, Jimmy Hess  wrote:
>>
>> Who really has a solid motive to make them stop working (other than a
>> printer manufacturer who wants to sell them more) ?
>
>
> Duh, so people cannot print to them. (amongst various other creative pranks)
>
> From a cybercriminal pov, to swipe the things you're printing... like that
> CC authorization form you just printed, or a confidential contract, etc.
> (also, in many offices, the printer is also the scanner and fax)
>
> --Ricky
>



Re: chargen is the new DDoS tool?

2013-06-12 Thread John Kristoff
On Tue, 11 Jun 2013 19:52:02 -0400
"Ricky Beam"  wrote:

> All of the above plus very poorly managed network / network
> security. (sadly a Given(tm) for anything ending dot-e-d-u.)

That broad sweeping characterization, without any evidence, can be
as casually dismissed without evidence.  However, I will go on record,
as I'm sure many others will as well, but in my experience the .edu
community, particularly the medium to larger schools who have dedicated
IT staff, are often amongst the best managed networks, with regards
to security or otherwise.

If there is any issue with that sector, you should contact the
REN-ISAC, one of the most well executed security constituent groups I've
ever seen.  They tirelessly reach out and assist on most any
educational related incident.

John