Posts Tagged ‘DDOS attack’

DDoS defense: a comparison of mainstream hardware firewall solutions

January 13th, 2010

In recent years, with the spread of Trojans and viruses, denial of service attacks on the Internet have grown rapidly in both frequency and traffic volume. As attack tools, attack resources and attack techniques have matured, hardware and software products for defending against denial of service have also developed considerably. In today's IDC (data center hosting) market, an operator without effective means of defending against denial of service attacks is basically unable to run a stable business.

However, denial of service defense products vary widely, and so do their prices: from a software firewall costing a few hundred, installed on the single server being protected, through 100 Mbps and Gigabit hardware firewalls costing tens of thousands and even more than a hundred thousand, to newer offerings such as "DIY hardware firewall" programs that turn a customer's own hardware into a cost-effective alternative. Customers are often at a loss when choosing, especially with DIY hardware firewalls, whose underlying technology and defensive capability they rarely understand.

Drawing on the various denial of service defense products and solutions in use, this article presents the mainstream denial of service attack methods, the corresponding means of defense, and the merits and weaknesses of the current defensive strategies. Because of denial of service attacks, the invisible barrier to entry in the IDC industry has been raised a great deal, and anyone who understands the market knows that an investor building an IDC facility must now budget for a denial of service defense strategy. Current DDoS solutions fall roughly into three kinds:

1. the software firewall solution

2. the hardware firewall solution

3. the DIY hardware firewall solution

I. Cost comparison

For an IDC operator, considering cost and defensive characteristics separately, the advantages and disadvantages are as follows:

1. The software firewall solution. Because it is installed on the protected server itself, its defensive capability and coverage are limited; under a large flood it consumes the target server's own hardware resources heavily, and if a room holds many servers the total cost is high as well. On the other hand, a software firewall is easy to install, needs no change to the hardware, and can be deployed very flexibly.

2. The hardware firewall is the solution IDCs use most widely and the one that demonstrably works. Its drawback is the cost of the investment, which small and medium IDCs find hard to bear: purchase prices are typically 20,000–40,000 yuan for 100 Mbps models and 60,000–80,000 yuan for Gigabit models (2–4 and 6–8 in units of ten thousand yuan). If you need high-bandwidth defense, the firewalls must be clustered and the cost multiplies.

3. The emerging DIY hardware firewall program. Unlike a software firewall, a DIY hardware firewall is installed on a hardware platform the customer prepares themselves and runs the vendor's kernel and firewall software, so its defensive model and capability are broadly the same as a hardware firewall's. Because the hardware is already in the customer's hands, existing equipment can be reused and the total cost of ownership is kept to a minimum: in general, 100 Mbps defense costs about 1,000 yuan per room per month, and Gigabit defense about 1,500 yuan per month.

As for defensive capability, the software firewall's mode of operation means it cannot protect an entire cabinet or room, and filtering attack packets consumes system resources that the target's normal applications need, so it is not rated here.

Hardware firewalls are all x86 based; a popular hardware firewall is essentially a computer without dedicated network processing chips. DIY hardware firewalls follow the same defensive model: they protect the whole cabinet or room and can be clustered to defend against high-volume attacks. We therefore focus on hardware firewalls and DIY hardware firewalls.

Defensive capability and total cost of ownership compared:

Judged by total cost of ownership, the hardware firewall, the mainstream means of defense, is also the most expensive to own. The DIY hardware firewall is a compromise: its monthly service charge is a good way of relieving the financial pressure and investment risk that IDC operators face.

II. Defensive capability comparison (attack methods)

To discuss defensive capability we have to analyze the major denial of service attack tools in use on the domestic Internet. The main attack methods in use today are as follows. SYN flood: the veteran DDoS attack. It exploits a weakness in the TCP three-way handshake: the attacker sends SYN packets and never completes the handshake, and since the source addresses are forged, the source of the attack is hard to trace. The more TCP SYN packets the attacker can construct per unit of time, the more effective the attack.

Single-source SYN attack: aimed at clustered defenses built on layer-3 switching equipment (such as a Cisco layer-3 switch) with port aggregation and load-balancing algorithms. It exploits a weakness in the load balancing by sending every SYN from a single real or forged source address and the same source port. Most layer-3 switches hash such traffic onto a single link, so the attack bypasses the load spreading and weakens the cluster's defense.

Real-address SYN attack: launched specifically against the defensive theory of some software and hardware firewalls, the so-called reverse defense style, which a flood sent from real, reachable addresses defeats. With the botnets ("puppet machines") that have grown into a value chain over the past two years, real-address SYN attacks are becoming more common on the Internet: the attacker controls many compromised machines and has each of them send the attack packets.

SYN large-packet attack: unlike an ordinary SYN flood, this constructs very large TCP SYN packets so that it is network congestion, rather than connection-table exhaustion, that takes the target down. At the same traffic rate, sending large packets costs the attacker fewer system resources than an ordinary SYN flood does.

UDP large-packet attack: compared with TCP, UDP packets cost the attacker fewer system resources to build, which makes it easy to send UDP at high rates; UDP attacks generally work by clogging the network bandwidth with large packets.

Proxy CC attack: first triggered by the Chinese "CC" attack software, which set off a wave of proxy-based CC attacks on the Internet. The attacker collects large numbers of free open proxy servers and submits a flood of access requests for the target to them, so the proxies relay the attack. Launching a CC attack requires only an ordinary broadband line on the attacker's side, and the addresses the target sees are real (the proxy servers' addresses). A number of network operators have suffered from it.

SYN-ACK, PSH-ACK and similar: attacks that exploit various weaknesses in TCP connection handling by flooding the target with packets carrying these flag combinations.

Legend DB attack: an attack specific to the database of Legend game servers, also first written into a Chinese attack client. It simulates the Legend client's account-creation actions at high rate, bringing the Legend server to its knees.

Legend character-churn attack: simulated clients log on and off without stopping, creating characters, until the Legend server crashes.
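The single-source and real-address variants above differ mainly in how much the source 4-tuple varies, which is exactly what a hash-based cluster uplink and a defender's per-source counters see. The following is an added example written for this page, not code from the article or from any firewall vendor. It builds three constructed SYN floods, shows how a simple hash-based link aggregation spreads each across its links, and classifies them from source diversity. The link count, victim address, bot addresses and the 90% diversity threshold are assumptions.

```python
"""Added example: what source diversity does to a SYN flood's footprint.

Illustrative code written for this page, not taken from the original
article or any firewall vendor. It builds three synthetic SYN floods of the
kinds the text describes (spoofed random sources, one fixed source address
and port, and a "real address" flood from a fixed set of bots), then shows
how a hash-based link-aggregation group spreads each across its links and
how per-source counts separate the three. All addresses and the link count
are constructed assumptions.
"""
from collections import Counter
import random
import zlib

LINKS = 4                    # assumed number of physical links in the aggregated uplink
DST = ("203.0.113.10", 80)   # constructed victim address and port


def lag_link(src_ip, src_port, dst_ip, dst_port, links=LINKS):
    """Choose an egress link the way a simple hash-based LAG/ECMP does:
    hash the 4-tuple and take it modulo the link count. Every packet of one
    flow lands on the same link, so a flood that never varies its tuple
    lands entirely on one link and the other links contribute nothing."""
    key = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
    return zlib.crc32(key) % links


def spoofed_flood(n, rng, dst=DST):
    """Classic SYN flood: every SYN carries a random forged source."""
    return [(f"{rng.randrange(1, 224)}.{rng.randrange(256)}."
             f"{rng.randrange(256)}.{rng.randrange(1, 255)}",
             rng.randrange(1024, 65536), dst) for _ in range(n)]


def single_source_flood(n, src=("198.51.100.7", 40000), dst=DST):
    """Single-source attack: identical source address and port on every SYN."""
    return [(src[0], src[1], dst)] * n


def botnet_flood(n, bots, rng, dst=DST):
    """Real-address flood: SYNs from a fixed set of compromised hosts, each
    from a fresh ephemeral port, so the handshake can actually complete."""
    return [(rng.choice(bots), rng.randrange(1024, 65536), dst) for _ in range(n)]


def link_distribution(syns, links=LINKS):
    """SYNs per link after LAG hashing."""
    dist = Counter(lag_link(s, p, d[0], d[1], links) for s, p, d in syns)
    return [dist.get(i, 0) for i in range(links)]


def classify(syns):
    """Heuristic from source diversity:
    - one (address, port) pair on every SYN        -> single-source
    - nearly every SYN from a different address    -> spoofed
    - a modest set of addresses, each repeating    -> real-address (botnet)"""
    distinct_tuples = {(s, p) for s, p, _ in syns}
    distinct_sources = {s for s, _, _ in syns}
    if len(distinct_tuples) == 1:
        return "single-source"
    if len(distinct_sources) > 0.9 * len(syns):   # assumed threshold
        return "spoofed"
    return "real-address"


def demo(seed=1):
    """Run the three constructed floods; return {name: (per-link counts, verdict)}."""
    rng = random.Random(seed)
    bots = [f"192.0.2.{i}" for i in range(1, 21)]   # constructed 20-host botnet
    floods = {
        "spoofed": spoofed_flood(1000, rng),
        "single-source": single_source_flood(1000),
        "real-address": botnet_flood(1000, bots, rng),
    }
    return {name: (link_distribution(f), classify(f)) for name, f in floods.items()}


if __name__ == "__main__":
    for name, (dist, verdict) in demo().items():
        print(f"{name:14s} SYNs per link {dist}  classified as {verdict}")
```

Running it shows the spoofed and botnet floods spread across all four links while the single-source flood sits on one, which is the effect the article attributes to load-balancing weaknesses. The classification is only a heuristic: a real-address botnet that is large enough looks like a spoofed flood to this counter, and a firewall would combine it with handshake completion rates.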

iPhone - Flu Season and Mobile Security

November 30th, 2009

About once a year, usually around Black Friday, and coinciding with the flu season, mobile security takes center stage. Maybe more so this year, given the ascendency of the smartphone coupled with browsers finally good enough to make the mobile Web a worthwhile experience.

A week or so ago, RIM’s security chief spoke about smartphone viruses and their potential usurpation of the phone as a platform for DDoS attacks. This coupled with a critical mass of open operating system devices now make the mobile phone a tempting target. We’ve been talking about mobile viruses for half a decade. This time, the threat is real.

At the same time, these virtual petri dishes are black holes into which corporate IT has no visibility. Sybase recently commissioned a study of European IT executives to evaluate the magnitude of this potential exposure. The findings are downright scary, and make one wonder how much attention IT departments have devoted to the security requirements of their mobile workers: 66 percent stated that they have no visibility into the sensitivity of data stored on mobile devices, 38 percent have no visibility into applications, and only 15 percent are confident in their ability to contain exposure if a phone is lost or stolen. In my book, considering the magnitude of exposure, this lack of security should have these IT managers camped out at the corner unemployment office (or, in a more draconian mood, at the local lockup).

These metrics align with the percentage of employee-liable phones used in the enterprise, now approaching 50 percent as reported by Yankee Group. I won't go into the not unexpected conclusion from the presentation about the iPhone's readiness (or lack thereof) for enterprise use.

So what’s an operator, an enterprise, or a smartphone subscriber to do?

Needless to say, once the phone is lost or infected, it is too late. An effective over-the-air security solution, deployed as part of an overall care architecture by the operator, for employee liable devices, or by the enterprise for corporate liable devices, is the foundation. This solution will be responsible for pushing firmware or software updates to the phone, ensuring that discovered vulnerabilities are quickly patched. Extensions to widely deployed FOTA architectures meet this requirement. In some cases, the operator may mandate anti-virus software, pushed to the device (or pre-loaded at time of manufacture) by the same update conduit. If the phone is lost or stolen, the management client of the device should be capable of locking the phone and/or wiping all data.

In parallel to the operator’s care platform, user education is essential. Password protection is a given, as well as the need for backup. However, it is almost criminal that employees using their smartphone for work purposes ignore this first line of defense. And, if the user wants that which happened in Vegas to stay in Vegas, he or she can’t wait a week to report a lost phone, hoping that it will miraculously re-appear. A phone locked after compromising photos or a corporate roadmap have made it to the Internet is not nearly as good as a phone locked before. Unlocking is as easy as making a call, nothing is lost if/when the “lost” device is once again found, as an over-the-air unlock is just as fast and easy as a lock.

The real area for improvement is IT control over employee-liable devices. At Interop in NYC, I participated in a panel addressing just this concern. We exchanged best practices, painting a picture of what should be, though not what necessarily currently exists. Our joint observation was that IT departments need to understand that mobile devices fall into a continuum. On one extreme, there are corporate-liable Blackberries or mission-specific platforms upon which you can enforce restrictive, but safe, policies (on-device encryption, strong passwords, etc.). There will always be a place for this. On the other are the unwashed masses with a variety of personal devices with no policy or control enforced or deployed.

But the middle? Devices with reasonable VPN or ActiveSync support with on-device encryption, like Windows Mobile or the iPhone 3GS? Good call, it is reasonable to expect encryption on the device, something that is supported by ActiveSync policies. However, some handsets, like earlier iPhones, will report back to the server that they support on-device encryption when they don't.

Convenient, but dangerous, because you think that you are more secure than you are. Then there are devices which will fetch your mail off the Exchange server (if the server is configured to allow low-security devices) but make no claim of any sort of ActiveSync on-device encryption, such as recent Android devices like the Motorola Droid or the Palm Pre. Even this is not cut and dried. For example, Touchdown, an ActiveSync corporate email app, runs on Android devices but reports support for on-device encryption (at least as of late November 2009) even if that capability does not yet exist. The situation is complex.

The level of visibility into these devices, and IT's willingness (and/or ability) to lock down an employee-owned device, will inform what corporate resources are made available. This in effect addresses the concerns raised by the Sybase study. No visibility, no access to ERP or Exchange.

And if the enterprise does deploy security along the lines of Credant or Good, they’ve got to make doubly sure that there is no leakage of content (i.e., contacts or photos) from the ‘public’ to the ‘enterprise’ side of the device, certifying conformance on each and every OS platform and hardware family introduced. Here, the onus is on the IT department.

As I got onto the plane in JFK, I looked around at a rather unhealthy cross-section of the traveling population (compared to SFO), wondering if it was just my phone that I needed to protect…

Email Delivery Server 5.8

November 29th, 2009

If you have been trying to deliver many email messages or support your own email domain, you know how hard and costly it can become.

Sending emails in large quantities is not easy. In addition to managing your subscriber lists correctly, you need to make sure that most of your emails reach their destination.

If you are working with a shared email server, you can easily be banned for somebody else’s mistake, because an entire IP or an IP range is banned taking everybody who uses this IP with it.

If you have your own email server to send your email, it is private to you and nobody else. Our SMTP server has tons of built in features to deliver email and protect you from spammers.

We support multiple RBL servers to filter out those spammers and we can white list or black list entire IP ranges with sophisticated checking, so that only those who are authorized to relay messages will be able to do so.

Email Delivery Server is an easy-to-use yet powerful utility that integrates everything you need for mass mailing. It features parametrized mailing lists: you can import a very large list of subscribers, including additional fields such as name and address, and then write one email message with parameters.

Our server substitutes all parameters with correct values on the fly. That is not all, our server is a complete sending and receiving solution, so in addition to being able to relay messages, it is also able to receive them for any number of domains and any number of users that you manage.

We have built in POP3 protocol and allow all our users to get their email from our server directly. Each user’s settings are configurable and you can even set each user’s mailbox size and other parameters individually.

Here are some key features of “Email Delivery Server”:

independence from email service providers (ESP);
support of SMTP and POP3 protocols;
message queue and mailbox encryption;
incoming SPAM filtering and sender blocking;
SSL/TLS encryption for SMTP and POP3;
DDoS attack prevention and firewall features;
email message box limiting on a per-user basis;
e-campaign testing mode and final message preview;
large volume handling by using scalability features;
parametrized distribution and mailing list support.

What's New in This Release:

Activation bug is now fixed.

DDoS attacks coming Please Slow

November 28th, 2009

Networks bring us convenience but also a series of problems, and virus and malware attacks are among the most troublesome. Unless you pull the plug, you will be exposed to threats from the network, in particular distributed denial of service (DDoS) attacks, which can make people want to retreat from the network altogether. We cannot prevent the attack; what we can do is reduce the losses and protect the interests of individual and enterprise networks as far as possible.

A DDoS attack typically has three stages. First, target selection: the attacker locks onto an IP address on the Internet, which may be an enterprise's web server, DNS server, Internet gateway or similar; the motive may be money or pure pastime. Second, preparation: the attacker breaks into poorly protected computers on the Internet and implants the necessary attack tools on them. Third, the actual attack: the attacker sends orders to all of the compromised computers, and the implanted tools send packets to the target until it cannot handle the volume of data or its bandwidth is saturated. In serious cases DNS is affected and the whole network is paralyzed.

We are not helpless in the face of DDoS; we can take measures to minimize its effects.

Ingress filtering is a simple security measure that every network should implement. In your network, configure the routers (or their access lists) so that packets whose source IP address does not belong to the network they arrive from are dropped. This does not prevent a DDoS attack by itself, but it stops your network being used for spoofed-source and reflection attacks.

Many large ISPs nevertheless refuse to implement ingress filtering, for all sorts of reasons, so we need other ways to reduce the impact of DDoS. At present one of the most effective is traceback and blackholing. First, determine that the traffic really is an external DDoS attack rather than a connectivity or routing problem. Then configure all edge routers, as quickly as possible, to reject on their external interfaces all traffic destined for the DDoS target. In addition, configure those edge router ports to discard all packets whose source IP address is invalid or cannot be routed back to.

Doing this reduces the impact of the DDoS and lets the network recover early. We cannot prevent DDoS attacks outright, but with these measures we can reduce their effect on the network. We cannot predict how fierce the flood will be; all we can do is build a high dam. We cannot second-guess the attacker's mood, so we must prepare thoroughly.
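The two router-side checks described above, anti-spoofing ingress filtering and dropping traffic to a blackholed target, as an added example written for this page rather than taken from the post or any router vendor. It also drops packets from unroutable (bogon) source ranges, which is the "invalid source" check the last paragraph mentions. The customer prefix, bogon list, sample packets and the blackholed address are all constructed.

```python
"""Added example: source-address ingress filtering and destination
blackholing at a network edge, as described in this post. Illustrative
code written for this page, not from the post or any router vendor. It
models three checks: drop packets whose source is unroutable (bogon
ranges, abbreviated here), drop packets arriving on a customer-facing
interface whose source is outside the prefixes assigned to that customer
(anti-spoofing ingress filtering), and drop everything addressed to a
destination that has been blackholed during an attack. All prefixes and
packets are constructed.
"""
import ipaddress

# Constructed policy: the prefix assigned to the customer behind this interface.
CUSTOMER_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Abbreviated list of source ranges that are never valid on a public link.
BOGON_SOURCES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]

# Destination under attack whose traffic the edge has been told to discard.
BLACKHOLED_DESTINATIONS = {ipaddress.ip_address("192.0.2.80")}


def ingress_decision(src, dst, allowed=CUSTOMER_PREFIXES,
                     bogons=BOGON_SOURCES, blackholed=BLACKHOLED_DESTINATIONS):
    """Return the filter verdict for one packet seen on the customer-facing port.
    Order matters: unroutable sources first, then ownership of the source,
    then the temporary destination blackhole."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(s in net for net in bogons):
        return "drop:bogon-source"
    if not any(s in net for net in allowed):
        return "drop:spoofed-source"          # claims an address the customer does not own
    if d in blackholed:
        return "drop:blackholed-destination"  # victim traffic discarded at the edge
    return "accept"


SAMPLE_PACKETS = [  # constructed (source, destination) pairs seen on the customer port
    ("203.0.113.45", "198.51.100.10"),   # legitimate customer traffic
    ("203.0.113.9", "192.0.2.80"),       # legitimate source, blackholed victim
    ("10.0.0.5", "198.51.100.10"),       # private source leaking out
    ("8.8.8.8", "198.51.100.10"),        # forged source: not the customer's
    ("224.0.0.1", "198.51.100.10"),      # multicast source, never valid
]


def filter_packets(packets):
    """Return [(src, dst, decision)] for each packet."""
    return [(s, d, ingress_decision(s, d)) for s, d in packets]


if __name__ == "__main__":
    for s, d, verdict in filter_packets(SAMPLE_PACKETS):
        print(f"{s:>14} -> {d:<14} {verdict}")
```

In a real router the first two checks are what unicast reverse path forwarding or an inbound access list implements; the example keeps them explicit to show the order. Note that the blackhole step discards legitimate traffic to the victim as well, which is why it is an emergency measure to restore the rest of the network rather than a defense of the target itself.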

More security experts needed

November 26th, 2009

CYBERJAYA: The International Multilateral Partnership Against Cyber Threats (Impact) believes that what the world needs now is more cybersecurity experts.

Although it may sound less whimsical than the famous song, in reality, Impact said cyberspace is ever changing and the number of threats is growing everyday.

Threats are also getting more sophisticated and targeted compared with 10 years ago, said Philip Victor, head of communications and outreach at Impact's Centre for Policy and International Cooperation.

Aside from attackers being driven by financial gains from attacking global systems, Philip said that terrorists are also turning to the Internet to launch their attacks or execute their plans.

One of the better-known examples of a real cyberattack is the 2007 cyberwar in Estonia, where attackers launched distributed denial of service (DDoS) attacks on Estonian websites including those of the Estonian parliament, banks, ministries and newspapers, he said.

Although the attacks may seem low-tech, a DDoS attack can disrupt everyday activities that require Internet connectivity.

“Unfortunately, there’s a lack of global cooperation to fight this due to the shortage of information security professionals,” Philip said.

In Malaysia, he said the information security professional to population ratio is 1:20,000.

“We believe the number of security professionals is growing but as the Internet population increases, we will need more,” he said.

Working towards this goal, Impact has aligned itself with the information security certification body ISC2 to provide information security training to Impact partner countries.

“This is in line with our mandate of operationalising the Global Cybersecurity Agenda (GCA) in escalating cybersecurity capabilities to better defend against cyberthreats,” said Datuk Mohd Noor Amin, chairman of the Impact management board.

The GCA is the United Nation’s International Telecommunication Union’s framework to enhance confidence and cybersecurity in the information society.

Through this agreement, ISC2’s certification courses such as the Certified Information Systems Security Professional, Systems Security Certified Practitioner and the Certified Secure Software Lifecycle Professional will be offered in Impact’s partner countries, enhancing the organisation’s position in providing a holistic approach to public sector cybersecurity.

Impact will kick off the first course, the Systems Security Certified Practitioner course, in Africa in the first quarter of next year.

“Africa is a continent with growing Internet users so it's logical to train security professionals there to ensure its cyberspace is safe,” Philip said.

Impact and ISC2 are expecting 100,000 security professionals to be trained through this partnership.

“We will be working with governments to realise this goal in order to provide enough security professionals for the world,” Philip said.

W. Hord Tipton, executive director for ISC2 said the organisation is happy to work with Impact.

“We jointly believe that only by professional development can we enable the community to protect against cyberthreats and we look forward to educating more individuals,” he said.

Major Problems in Korean Security Industry

November 24th, 2009

Park Dong-hoon makes a keynote speech

Park Dong-hoon, president of the Korea Information Security Industry Association, gave a keynote speech at the 2009 Korea Information Telecommunication Facilities Engineering fall seminar on Nov 19. The presentation covered the current status and problems of knowledge information security in relation to the recent DDoS crisis.

With the development of IT, people now live in a ubiquitous environment in which everything is connected: cellphones, computers and mobile devices. More information flowing through more networks has created more demand for security, and as networks have grown bigger and more complex the trend in security has shifted from technical network protection to service security. Most people have some type of information stored in more than one network, and many businesses have crucial information to protect. With the increase in cyber crime, the knowledge information security industry has risen and will continue to grow into a convergence security industry. The information security industry is defined as the industry providing services to prevent crimes and disasters through security technology such as passwords, encryption, surveillance and recognition. It consists of information security, physical security and convergence security.

The potential for knowledge information security is tremendous. The estimated global market for 2013 is US$368 billion. Currently, the market is dominated by the US and EU at 88%; Korea has only 1.7% of global market share. The Korean knowledge information security market was estimated at W3.1 trillion in 2007 and is expected to reach W18.4 trillion by 2013. In information security, most high-end security hardware is imported, but Korean software is exported to Japan, the US and other countries. In physical security, the market has expanded at 32% annual growth. The 2009 market analysis showed that law enforcement has been strengthened following several major information theft cases. Also, the public and finance sectors plan to establish convergence security businesses against DDoS attacks, and the industry will grow through M&A.

There have been several major security breaches since 2008: the Blue House hacking, auction.com with over 10 million ID thefts, Hanaro Telecom with 6 million ID thefts, GS Caltex with 1.1 million ID thefts, and the 7/7 DDoS attack crisis. These cases show how vulnerable sites with low security levels are. The government does not have enough human resources in its security departments. Many companies regard security not as an investment but as an expense. Also, most computer users do not run anti-virus programs, so their computers are exposed to hackers and are sometimes used as zombie PCs. The level of security systems does not meet the demand created by increased Internet use, and R&D investment is about 1,000 times less than in the US, based on a 2007 survey. The solution to increasing cyber attacks is to establish a cyber crisis management system and to produce more security professionals with more investment. Collaboration between the public and private sectors will help the security industry grow.

Quick Tips to Fight DDoS Attack

November 22nd, 2009


In a previous post we shared how to prepare a system for DDoS attacks and how to mitigate the risk. It is just as important to react at the right moment and act effectively during the attack. Monitoring the router and server connections helps the victim detect the beginning of an attack.

First, monitor the half-open (SYN_RCVD) connections to the web port:

# netstat -na | grep ":80 " | grep SYN_RCVD

(On FreeBSD netstat separates the port with a dot rather than a colon, so match "\.80 " there.) Under normal load this number stays very small, no more than a few; if many more half-open connections are present you are under a SYN flood, and you should start by dropping those connections and rate-limiting new ones.
That covers the SYN flood case. An HTTP flood is harder to detect. First count the Apache processes and the port 80 connections:

# ps aux | grep '[h]ttpd' | wc -l

# netstat -na | grep ":80 " | wc -l

Next, list the remote addresses holding the most connections (count by remote address, not by whole netstat line, since every connection has a different remote port):

# netstat -na | grep ":80 " | awk '{print $5}' | cut -d: -f1 | sort | uniq -c | sort -nr | less

There is no certain way to confirm an HTTP flood, but you can assume you are under attack if one address in the list is repeated far too many times. Further evidence can be gathered with tcpdump:

# tcpdump -n -i <interface> -c 100

tcpdump helps you track the source of the attack when a large number of packets target a single port or service (a CGI script or a web directory, for example).

Finally, work around the situation by dropping the malicious IP addresses. You can block them directly on the router, or on the host firewall if the router is not under your control.
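The same checks run over a saved netstat capture, as an added example written for this page (not the post's own code). It parses both Linux-style host:port / SYN_RECV lines and BSD-style host.port / SYN_RCVD lines, counts half-open connections to the port, counts all connections to it, ranks remote addresses, and lists the addresses that exceed a threshold as candidates for blocking. The netstat text and the threshold are constructed.

```python
"""Added example: the detection checks from this post, applied to a saved
netstat capture. Illustrative code written for this page, not the original
post's own; it mirrors the three shell one-liners (half-open connections on
port 80, all port-80 connections, remote addresses ranked by connection
count) and accepts both Linux ("host:port", SYN_RECV) and BSD ("host.port",
SYN_RCVD) output. The netstat text below is constructed.
"""
from collections import Counter

HALF_OPEN_STATES = {"SYN_RCVD", "SYN_RECV"}

# Constructed sample: FreeBSD-style lines plus two Linux-style lines.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 *.80                   *.*                    LISTEN
tcp4       0      0 203.0.113.10.80        198.51.100.7.51234     SYN_RCVD
tcp4       0      0 203.0.113.10.80        198.51.100.7.51235     SYN_RCVD
tcp4       0      0 203.0.113.10.80        198.51.100.7.51236     SYN_RCVD
tcp4       0      0 203.0.113.10.80        198.51.100.7.51237     ESTABLISHED
tcp4       0      0 203.0.113.10.80        192.0.2.44.40001       ESTABLISHED
tcp4       0      0 203.0.113.10.22        192.0.2.99.50000       ESTABLISHED
tcp        0      0 203.0.113.10:80        192.0.2.45:40002       SYN_RECV
tcp        0      0 203.0.113.10:80        192.0.2.45:40003       ESTABLISHED
"""


def split_endpoint(ep):
    """'1.2.3.4:80' or '1.2.3.4.80' -> ('1.2.3.4', 80); '*.*' -> ('*', None).
    IPv6 endpoints are not handled."""
    sep = ":" if ":" in ep else "."
    host, _, port = ep.rpartition(sep)
    return host, (int(port) if port.isdigit() else None)


def parse_netstat(text):
    """Return (local_host, local_port, remote_host, remote_port, state) per TCP line."""
    conns = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or not fields[0].startswith("tcp"):
            continue  # headers, UDP and unix-domain sockets
        lhost, lport = split_endpoint(fields[3])
        rhost, rport = split_endpoint(fields[4])
        conns.append((lhost, lport, rhost, rport, fields[5]))
    return conns


def half_open_count(conns, port=80):
    """Equivalent of: netstat -na | grep ":80 " | grep SYN_RCVD | wc -l"""
    return sum(1 for _, lp, _, _, st in conns if lp == port and st in HALF_OPEN_STATES)


def connection_count(conns, port=80):
    """Equivalent of: netstat -na | grep ":80 " | wc -l, minus the listening socket."""
    return sum(1 for _, lp, _, _, st in conns if lp == port and st != "LISTEN")


def top_remote_hosts(conns, port=80, n=10):
    """Equivalent of the sort | uniq -c | sort -nr pipeline, keyed on remote address."""
    c = Counter(rh for _, lp, rh, _, st in conns if lp == port and st != "LISTEN")
    return c.most_common(n)


def suspicious_hosts(conns, port=80, threshold=3):
    """Remote addresses holding more than `threshold` connections to the port:
    candidates for blocking at the router. The threshold is a tuning knob, not a rule."""
    return [h for h, cnt in top_remote_hosts(conns, port, n=None) if cnt > threshold]


def report(text=SAMPLE_NETSTAT, port=80):
    """Run all checks over one netstat capture and return the figures."""
    conns = parse_netstat(text)
    return {
        "half_open": half_open_count(conns, port),
        "connections": connection_count(conns, port),
        "top": top_remote_hosts(conns, port),
        "suspicious": suspicious_hosts(conns, port),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Feed it `netstat -na > capture.txt` from the server under attack and the "suspicious" list is what you would push into the router ACL or host firewall. A legitimate proxy or NAT gateway can also hold many connections, so compare against the baseline you collected before the attack rather than blocking on the count alone.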

On FreeBSD we can take some steps to harden the host against DDoS:

1 - Shorten the maximum segment lifetime (protection against connection-state exhaustion):

# sysctl net.inet.tcp.msl=7500

net.inet.tcp.msl is in milliseconds (the default is 30000) and sets how long a closed connection lingers in TIME_WAIT (twice the MSL). Lowering it frees those slots sooner, so a flood of short connections exhausts the connection table more slowly.

2 - Blackhole packets arriving on closed ports. With net.inet.tcp.blackhole=1, SYN segments to a closed port are dropped without a RST being sent back; with 2, any segment to a closed port is dropped silently. net.inet.udp.blackhole=1 suppresses the ICMP port unreachable reply. This denies an attacker or scanner any response, but it also hides the host from legitimate diagnostics and does nothing to reduce the inbound bandwidth:

# sysctl net.inet.tcp.blackhole=2
# sysctl net.inet.udp.blackhole=1

3 - Limit ICMP responses to 50 per second (protection against ICMP floods; the limit also covers RST and port-unreachable replies):

# sysctl net.inet.icmp.icmplim=50

4 - Raise the maximum listen-queue backlog so the server can hold more pending connections before it starts refusing new ones (helps against all connection floods):

# sysctl kern.ipc.somaxconn=32768

The service must also request a large backlog in its own listen() call (Apache's ListenBacklog directive, for example) for the raised limit to matter.

5 - Finally, enable the kernel's DEVICE_POLLING feature, which replaces per-packet interrupts with polling and significantly reduces system load during a flood:

1. Compile the kernel with "options DEVICE_POLLING";
2. Activate polling: "sysctl kern.polling.enable=1";
3. Add "kern.polling.enable=1" to /etc/sysctl.conf.

The network driver must support polling, and on FreeBSD 7 and later it is switched on per interface with "ifconfig <interface> polling" instead of the kern.polling.enable sysctl. Put the other sysctl settings above into /etc/sysctl.conf as well so they survive a reboot.

These steps are a balanced set of host-side mitigations against Distributed Denial of Service attacks. They raise the cost of a flood for the attacker, but they do not replace upstream filtering once the attack saturates the link itself.

Smartphone attacks on horizon

November 18th, 2009

Hackers could one day turn ordinary smartphones into “rogue” devices to attack major wireless networks, Research In Motion’s security chief warned.

Scott Totzke, RIM’s vice-president of BlackBerry security, said hackers could use smartphones to target wireless carriers using a technique similar to one used in assaults that slowed Internet traffic in the United States and South Korea in July.

In what's known as a distributed denial of service, or DDoS, attack, criminals order tens of thousands of compromised computers to contact a targeted site repeatedly, slowing it or eventually crashing it.

”I think that’s an area of concern,” Totzke said in an interview this week at the company’s headquarters in Waterloo, Ontario.

Totzke said a technique involving data packets might be used to bring down a wireless network, though hackers might accomplish that using a relatively small number of smartphones.

Malicious software that could launch such attacks would likely come from applications that smartphone users install on their devices, said Kevin Mahaffey, chief technology officer at Flexilis, a mobile security software maker.

Flexilis researchers have already identified virus-tainted versions of popular smartphone applications such as Google Inc’s Google Maps software and computer games.

”These are not telephones anymore. These are computers. So people are going to have all the problems on their phones that they have on their computers,” Mahaffey said.

The best way to protect against such an attack is through regularly applying security patches, which smartphone makers such as RIM release as they identify potential security flaws in their devices, Totzke said.