Friday, March 26, 2021

Cyber Security | DDoS Attack and Solution

DDoS Attack and Solution

DDoS Attack

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a targeted host, service or network by overwhelming the target or its surrounding infrastructure with a flood of Internet traffic. Generally, these attacks work by swamping a system with requests for data, for example by sending so many requests for a page to a web server that it crashes under the volume of queries. Typically, DDoS attackers rely on botnets. A botnet is a collection of malware-infected systems that are centrally controlled.

There are three primary classes of DDoS attacks:

Volume based, network based, and application based.

Volume-based attacks use massive amounts of fake traffic to overwhelm a resource such as a website or server; they include ICMP, UDP and spoofed-packet flood attacks. The size of a volume-based attack is generally measured in bits per second (bps).

In network-based DDoS attacks, the attacker sends a large number of packets at the target's network infrastructure and infrastructure management tools. These protocol attacks include SYN floods and Smurf DDoS, among others, and their size is measured in packets per second (pps).

Application-layer attacks are conducted by flooding applications with maliciously crafted requests. They include disrupting transactions and access to databases, and can disrupt services such as the retrieval of data or information from a website. The size of application-layer attacks is measured in requests per second (rps).

How to Identify DDoS

While monitoring the network, check for the following:

  • Unexpected amounts of traffic originating from a single IP address or IP range.
  • Odd traffic patterns.
  • A traffic flood from a single geolocation or source.
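The three indicators above can be turned into a first-pass check over a web server's access log. The script below is an added example and is not part of the original post: it parses combined-format log lines, buckets requests per source IP and per /24 range for each second, and flags a single-IP flood, an IP-range flood, and a flood concentrated on one path (the "odd traffic pattern" case). The thresholds, the log lines and the addresses are all constructed for the example and would need tuning against a real baseline.

```python
import ipaddress
import re

# Combined-log-format line, e.g.
# 203.0.113.5 - - [26/Mar/2021:10:00:00 +0000] "GET /login HTTP/1.1" 200 512
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    # Keep the timestamp only to the second so requests can be bucketed per second
    rec["second"] = rec["ts"].split(" ")[0]
    return rec


def analyse(lines, per_ip_rps=50, per_range_rps=100, path_share=0.8):
    """Apply the three indicators; thresholds are assumptions for the example, not tuned values."""
    per_ip_sec, per_net_sec, paths, total = {}, {}, {}, 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable lines are skipped, not counted
        total += 1
        addr = ipaddress.ip_address(rec["ip"])
        prefix = 24 if addr.version == 4 else 64  # "IP range" = /24 for v4, /64 for v6
        net = str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))
        per_ip_sec[(rec["ip"], rec["second"])] = per_ip_sec.get((rec["ip"], rec["second"]), 0) + 1
        per_net_sec[(net, rec["second"])] = per_net_sec.get((net, rec["second"]), 0) + 1
        paths[rec["path"]] = paths.get(rec["path"], 0) + 1

    findings = []
    for (ip, sec), n in per_ip_sec.items():          # indicator 1: one address
        if n >= per_ip_rps:
            findings.append({"kind": "single_ip_flood", "source": ip, "second": sec, "count": n})
    for (net, sec), n in per_net_sec.items():        # indicator 1: one range
        if n >= per_range_rps:
            findings.append({"kind": "ip_range_flood", "source": net, "second": sec, "count": n})
    if total:                                         # indicator 2: odd pattern, one path dominates
        path, n = max(paths.items(), key=lambda kv: kv[1])
        if n / total >= path_share:
            findings.append({"kind": "single_path_concentration", "source": path,
                             "second": None, "count": n})
    return findings


def make_sample_log():
    """Constructed log lines, not real traffic: one noisy host, one noisy /24, a little normal traffic."""
    def line(ip, path, second=0):
        return (f'{ip} - - [26/Mar/2021:10:00:{second:02d} +0000] '
                f'"GET {path} HTTP/1.1" 200 512')
    lines = [line("203.0.113.5", "/login") for _ in range(60)]             # single-IP flood
    for host in range(1, 5):                                                # four hosts, 30 each:
        lines += [line(f"198.51.100.{host}", "/login") for _ in range(30)]  # below per-IP, above per-range
    lines += [line("192.0.2.10", "/about", 1), line("192.0.2.11", "/news", 2),
              line("192.0.2.12", "/", 3), line("192.0.2.13", "/contact", 4)]
    return lines


if __name__ == "__main__":
    for finding in analyse(make_sample_log()):
        print(finding)
```

The per-range check is what separates this from a plain top-talkers report: the four hosts in 198.51.100.0/24 each stay under the single-IP threshold and would be missed without it. In practice the per-second buckets would be fed from a log tail rather than a list, and the thresholds set from the site's normal peak rates.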

Several DDoS solutions are available nowadays to mitigate these attacks. A solution should bundle features to tackle present as well as upcoming threats. Below is a list of features that can be specified for the solution before deployment.

  • The solution should provide both inbound and outbound DDoS protection.
  • It should be capable of detecting and mitigating attacks in both inbound and outbound traffic.
  • It should support symmetric and asymmetric traffic flows.
  • It must have an IP reputation feed that describes suspicious traffic, blacklisted IPs, botnets and phishing.
  • The solution should have a feature to blacklist and whitelist traffic.
  • Real-time signatures to protect against zero-day attacks, including the ability to create real-time signatures for DNS-based attacks.
  • Detect misuse of application protocols in the network, such as HTTP/POP3/STP/SIP/SMTP.
  • Protection from sophisticated DNS attacks, including out-of-the-box mitigation for NXDOMAIN attacks.

Top Distributed Denial of Service (DDoS) Protection Vendors

Radware, Imperva, Arbor Networks, F5, Verisign, Akamai, etc.


Thursday, March 25, 2021

Cyber Security | Ransomware

Ransomware

Ransomware is malware that infects a system and restricts or limits user access. It was first seen in Russia in 2005 to 2006 and then gradually spread around the globe. Ransomware typically encrypts specific file types such as .doc, .xls, .jpg, .zip, .pdf and other commonly used file extensions. Typical behaviours include:

  • User screen lockdown
  • User file encryption
  • Remote access and control of the victim system through a command-and-control centre

In many cases ransomware victims have to pay a 'ransom', often a bulk amount or cryptocurrency, through a digital payment gateway in order to regain access to their systems. A ransom message is displayed on the screen. However, there is no guarantee of regaining access even after the ransom is paid, as the unknown attacker cannot be trusted.

In late 2013, a new type of ransomware appeared that encrypted files in addition to locking the system. The encrypted files ensured that victims were still forced to pay the ransom even if the malware itself was deleted. Because of this new behaviour it was called "CryptoLocker." The ransom note in CryptoLocker only specifies "RSA-2048" as the encryption method used, but researchers report that the malware uses AES + RSA encryption. Major corporations, big players and companies have fallen victim to it.

Examples of Ransomware: 

WannaCry: A powerful Microsoft exploit was leveraged to create a worldwide ransomware worm that infected over 250,000 systems before a kill switch was tripped to stop its spread. 

NotPetya: One of the most destructive ransomware attacks, NotPetya borrowed tactics from its namesake, Petya, such as infecting and encrypting the master boot record of a Microsoft Windows-based system. NotPetya used the same vulnerability as WannaCry to spread rapidly, demanding payment in Bitcoin.

Bad Rabbit: Considered a cousin of NotPetya and using similar code and exploits to spread, Bad Rabbit was a visible ransomware that appeared to target Russia and Ukraine, mostly impacting media companies there. Unlike NotPetya, Bad Rabbit did allow decryption if the ransom was paid.

CryptoLocker: CryptoLocker was one of the first of the current generation of ransomware; it required payment in the cryptocurrency Bitcoin and encrypted a user's hard drive and attached network drives.

LockBit: Identified recently, in 2021, LockBit blocks user access to the computer and infects connected devices without human intervention.


How to protect yourself and your business:

  • Regularly update your operating system and software with security patches.
  • Take periodic backups and encrypt your data using encryption tools. Store the backup copy offline, as this helps prevent the backup from being infected by the malware.
  • Regularly update your anti-virus, anti-spyware and anti-ransomware definitions.
  • Do not open email attachments from unknown sources.
  • Verify the sender's email address against your contacts. If in doubt, perform a virus scan before downloading and opening the attachment.
  • Enable System Restore points, a built-in feature of the Microsoft Windows operating system, to assist in restoring files.
  • Use network protection and endpoint protection to prevent network encryption, which can also happen with some crypto-ransomware threats.
  • Use Software Restriction Policies to prevent or restrict the primary attack vectors, i.e. deny execution from locations where users have write/create privileges on business-critical systems.
  • Delete unused accounts from the network and monitor network activity.

-DR

Wednesday, March 24, 2021

RADIUS, TACACS+ and DIAMETER

RADIUS, TACACS+ and DIAMETER

The ideal technique for controlling administrative users' access to a network is the Cisco Authentication, Authorization, and Accounting system, known as AAA. Authentication determines who the user is, authorization determines what the user has access to, and accounting keeps track of what they did on the equipment. AAA acts as a centralized system.

The access control system and the AAA system generally work with two protocols, RADIUS and TACACS+. Both RADIUS and TACACS+ are known as access control protocols.

RADIUS

Remote Access Dial In User Service (RADIUS) is an open-standard AAA protocol created by the IETF (Internet Engineering Task Force) and is used for communication between any AAA client and an ACS server. When either the client or the server belongs to another vendor/OEM (other than Cisco), RADIUS is used. RADIUS servers are available for every key operating system from both freeware and commercial sources, and a RADIUS client comes standard on NAS products from every major vendor. RADIUS has eight standard transaction methods: access-request, access-accept, access-reject, accounting-request, accounting-response, access-challenge, status-server, and status-client. by decrypting a NAS access-request packet, authenticating the NAS

  • It uses UDP as its transport protocol.
  • It uses port 1812 for authentication and authorization and port 1813 for accounting.
  • It does not come with multi-protocol support.
  • RADIUS is used for network access.
  • RADIUS is limited to privileged mode.
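To make the access-request / access-accept / access-reject transactions concrete, here is an added example (not code from the original post or from any vendor's product) that builds and checks the RADIUS message format from RFC 2865 in pure Python: the client hides the User-Password with the RFC's MD5-and-XOR scheme keyed by the shared secret and a random Request Authenticator, a stand-in server recovers it and answers, and the client verifies the Response Authenticator. No UDP socket is opened; the functions produce and consume the byte payloads that would travel on port 1812. The shared secret, user name and password are constructed placeholder values.

```python
import hashlib
import hmac
import os
import struct

# RADIUS packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
ATTR_USER_NAME, ATTR_USER_PASSWORD = 1, 2
HEADER_LEN = 20  # code(1) + identifier(1) + length(2) + authenticator(16)


def _attr(attr_type, value):
    """Encode one Type-Length-Value attribute; the length byte covers type and length too."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def hide_password(password, secret, request_authenticator):
    """RFC 2865 s5.2: pad to 16-byte blocks, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ m for p, m in zip(padded[i:i + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, request_authenticator):
    """Server side of the same computation; strips the zero padding afterwards."""
    out, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        out, prev = out + bytes(c ^ m for c, m in zip(block, mask)), block
    return out.rstrip(b"\x00")


def build_access_request(identifier, username, password, secret):
    """Client (NAS) side: Access-Request with a fresh 16-byte random Request Authenticator."""
    request_auth = os.urandom(16)
    attrs = _attr(ATTR_USER_NAME, username) + _attr(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_auth))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, HEADER_LEN + len(attrs))
    return header + request_auth + attrs


def parse_packet(data):
    """Split a RADIUS packet into (code, identifier, authenticator, {attr_type: value})."""
    code, identifier, length = struct.unpack("!BBH", data[:4])
    attrs, pos = {}, HEADER_LEN
    while pos < length:
        attr_type, attr_len = data[pos], data[pos + 1]
        attrs[attr_type] = data[pos + 2:pos + attr_len]
        pos += attr_len
    return code, identifier, data[4:HEADER_LEN], attrs


def build_response(code, request, secret):
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret)."""
    _, identifier, request_auth, _ = parse_packet(request)
    attrs = b""  # no reply attributes in this example
    header = struct.pack("!BBH", code, identifier, HEADER_LEN + len(attrs))
    return header + hashlib.md5(header + request_auth + attrs + secret).digest() + attrs


def verify_response(response, request, secret):
    """Client side: recompute the Response Authenticator over the received reply."""
    _, resp_id, response_auth, _ = parse_packet(response)
    _, req_id, request_auth, _ = parse_packet(request)
    if resp_id != req_id:
        return False
    expected = hashlib.md5(response[:4] + request_auth + response[HEADER_LEN:] + secret).digest()
    return hmac.compare_digest(expected, response_auth)


def server_handle(request, secret, user_db):
    """Constructed ACS stand-in: recover the password, compare, answer Accept or Reject."""
    code, _, request_auth, attrs = parse_packet(request)
    if code != ACCESS_REQUEST or ATTR_USER_NAME not in attrs:
        return build_response(ACCESS_REJECT, request, secret)
    password = reveal_password(attrs.get(ATTR_USER_PASSWORD, b""), secret, request_auth)
    stored = user_db.get(attrs[ATTR_USER_NAME])
    ok = stored is not None and hmac.compare_digest(stored, password)
    return build_response(ACCESS_ACCEPT if ok else ACCESS_REJECT, request, secret)


def run_exchange(username, password, secret, user_db):
    """Full round trip; returns (response code, whether the client accepted the authenticator)."""
    request = build_access_request(7, username, password, secret)
    response = server_handle(request, secret, user_db)
    return parse_packet(response)[0], verify_response(response, request, secret)


if __name__ == "__main__":
    SECRET = b"constructed-shared-secret"         # placeholder, not a real deployment value
    USERS = {b"alice": b"correct horse battery"}  # constructed user database
    print(run_exchange(b"alice", b"correct horse battery", SECRET, USERS))  # (2, True)
    print(run_exchange(b"alice", b"wrong", SECRET, USERS))                  # (3, True)
```

The verify step is the part worth noticing for operations: a reply whose sender does not hold the shared secret, or whose code byte was changed in transit, fails the Response Authenticator check, which is why the secret must be unique per client and kept out of configuration backups.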

TACACS+

Terminal Access Controller Access Control System Plus (TACACS+) is a proprietary Cisco protocol used for authorization, authentication and accounting services between a Cisco client and a Cisco ACS server.

  • It uses TCP on port 49 for transmission.
  • All authorization packets are encrypted in ACS.
  • It offers multi-protocol support, such as X.25, NASI, NetBIOS, AppleTalk Remote Access, etc.
  • TACACS+ supports up to 15 privilege levels.

TACACS+ attributes are used for authentication and authorization. Some examples are provided below:

ACL (EXEC authorization): This attribute carries an access-class number that is applied to a line.

ADDR (SLIP, PPP/IP Authorization): The IP address of the remote host is specified in this authorization type. It is the address that should be assigned when using a SLIP or PPP/IP connection.

CMD (EXEC): This authorization type uses the AV pair to start an authorization request for an EXEC command.

What is Privilege Level?

Privileged mode, or privileged level, allows users to view the system configuration, restart the system, and enter router configuration mode. Privileged level permits all commands that are available in user mode. Privileged level can be identified by the hash (#) prompt after the router name on the command line. A user can change from user mode to privileged mode by running the "enable" command.

DIAMETER protocol

DIAMETER is a highly extensible AAA framework capable of supporting a number of authentication, authorization or accounting processes and multiple connections. The protocol is divided into two distinct parts: the Base Protocol and the Extensions. The DIAMETER Base Protocol defines the message format, transport, error reporting, and security services used by all DIAMETER extensions. DIAMETER Extensions are modules designed to conduct specific types of authentication, authorization or accounting transactions (i.e., NAS, Mobile-IP, ROAMOPS, and EAP). ROAMOPS stands for Roaming Operations. DIAMETER is built upon the RADIUS protocol.

-DR


Wednesday, March 17, 2021

User access Management

User Access Management

Access Control

Access control is the selective restriction of access to, or use of, data, information, configuration, resources or any location. Providing access means authorizing someone to use a resource. Access control is used in both physical security and information security. Authorization is the function of specifying access rights or user access privileges to resources, and is an information security concern.

Organizations must determine the appropriate access control model to adopt based on the type and sensitivity of the data they process. Access control models were originally divided into discretionary access control (DAC) and mandatory access control (MAC); role-based access control (RBAC) is the most common model today, and the most recent model, used in some places, is attribute-based access control (ABAC).
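The four models differ in who decides and on what basis, which is easiest to see when each decision function is written out. The code below is an added example, not from the original post or any product: a DAC resource whose owner manages the ACL, a MAC read check on system-assigned labels (the Bell-LaPadula no-read-up rule), an RBAC check that unions the permissions of a user's roles, and an ABAC evaluator that applies rules over subject, resource and environment attributes with explicit deny winning and deny-by-default otherwise. All users, roles, labels and rules are constructed for illustration.

```python
# ---- DAC: the resource owner holds an ACL and decides who else gets in ----
class DacResource:
    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, grantor, grantee, actions):
        """Only a principal holding 'grant' may extend the ACL; returns whether it took effect."""
        if "grant" not in self.acl.get(grantor, set()):
            return False
        self.acl.setdefault(grantee, set()).update(actions)
        return True

    def allows(self, user, action):
        return action in self.acl.get(user, set())


# ---- MAC: labels are assigned by the system, not by the owner; no read-up ----
LEVELS = {"public": 0, "internal": 1, "confidential": 2, "secret": 3}


def mac_allows_read(clearance, classification):
    """Bell-LaPadula simple security property: read only at or below your clearance."""
    return LEVELS[clearance] >= LEVELS[classification]


# ---- RBAC: permissions attach to roles, users are assigned roles ----
ROLE_PERMISSIONS = {  # constructed role definitions
    "auditor":  {("report", "read")},
    "engineer": {("config", "read"), ("config", "write")},
    "admin":    {("config", "read"), ("config", "write"), ("user", "create"), ("user", "delete")},
}
USER_ROLES = {"alice": {"engineer"}, "bob": {"auditor"}, "carol": {"admin", "auditor"}}


def rbac_allows(user, resource, action):
    """Permitted if any role the user holds carries the (resource, action) pair; unknown users get nothing."""
    return any((resource, action) in ROLE_PERMISSIONS.get(role, set())
               for role in USER_ROLES.get(user, set()))


# ---- ABAC: rules over subject, resource, action and environment attributes ----
# Each rule is (effect, predicate). Decision: an explicit deny wins; otherwise permit if any
# permit rule matched; otherwise deny by default.
ABAC_RULES = [
    ("permit", lambda s, r, a, e: a == "read" and s["department"] == r["department"]),
    ("permit", lambda s, r, a, e: a == "write" and s["role"] == "engineer"
                                  and e["network"] == "corporate" and e["in_change_window"]),
    ("deny",   lambda s, r, a, e: r["sensitivity"] == "high" and not s["mfa"]),
]


def abac_decide(subject, resource, action, env, rules=ABAC_RULES):
    effects = {effect for effect, predicate in rules if predicate(subject, resource, action, env)}
    if "deny" in effects:
        return False
    return "permit" in effects


if __name__ == "__main__":
    doc = DacResource("alice")
    doc.grant("alice", "bob", {"read"})
    print("DAC  bob read:", doc.allows("bob", "read"))
    print("MAC  confidential reads secret:", mac_allows_read("confidential", "secret"))
    print("RBAC alice writes config:", rbac_allows("alice", "config", "write"))
    engineer = {"department": "network", "role": "engineer", "mfa": True}
    router_cfg = {"department": "network", "sensitivity": "high"}
    print("ABAC write from home:", abac_decide(engineer, router_cfg, "write",
                                               {"network": "home", "in_change_window": True}))
```

The ABAC evaluator is the one that reflects the "most recent" model's selling point: the same engineer is permitted to write the configuration from the corporate network inside a change window and refused from home, with no change to roles or ACLs, and the MFA rule denies regardless of what any permit rule said.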

A user access management system is used to manage and monitor user access permissions and rights to files, systems and services, helping to protect the organization from data loss and security breaches. It is all about controlling user access and rights.

Many organizations that follow a proper process and adhere to ISO standards document a mandatory requirement known as the User Access Policy. The User Access Policy defines all users with their access levels. The policy shall be reviewed in a timely manner to keep effective control in place.

A user access management tool or solution can be implemented and should be capable of the following activities:

  • It should have the capability to integrate with other security solutions, including firewalls, IPS/IDS, etc.
  • It should integrate with the proposed enterprise authentication methods: Active Directory, LDAP, RADIUS, TACACS, etc.
  • The solution should be able to authenticate, authorize and provide access control to all network devices such as switches, routers, firewalls, load balancers, etc.
  • It should have the latest technology, such as built-in two-factor authentication or MFA (multi-factor authentication) in the form of mobile OTP or email OTP.
  • It should be designed to track privileged identities and privileged account activities distinctly.
  • The solution should be able to perform auto-discovery of privileged accounts on target systems and perform two-way reconciliation.
  • The solution should contain a password vault that lets an administrator define different password formation rules for target accounts on different target systems, supporting the full character set, including special characters, that each target system allows in passwords.
  • The solution should set a unique random value whenever a password is changed.
  • The solution must support parallel execution of password resets for multiple concurrent requests.
  • The solution should archive session recording data to external storage/media based on time and available space.
  • The solution should have features that track the creation, renaming, modification and deletion of files or folders in specified directories on critical servers, and should send email alerts for these activities.

Note that identity management and access management are two different concepts.

User access can be managed through regulatory compliance. ISO/IEC 27001 addresses it in section A.9, Access Control, whose sub-clauses are:

  • Access Control Policy
  • Access to networks and network services
  • User registration and de-registration
  • User access provisioning
  • Management of privileged access rights
  • Management of Secret authentication information of users
  • Review of user access rights
  • Removal of access rights
  • Use of secret authentication information
  • Information access restriction
  • Secure log in procedure
  • Password management system
  • Use of privileged utility programs
  • Access control to program source code

-DR

Network Scanning Tools

Network Scanning through Nmap and Nessus

Network scanning is a process used to troubleshoot active devices on a network for vulnerabilities....