We often have doubts about whether a URL (web link) points to malware that can infect our browser. "Malware Domain List" offers this service: you can search a URL in their database, which you can browse or download, and it also gives a lot of information such as the country of origin and other details. It also lets us scan or check whether a URL is malicious or not; an interesting site for the times we live in on the Internet.
Denial of service attacks using NTP servers
Last December several distributed denial-of-service attacks took place against networks of game servers, Steam, Origin and Battle.com among them. The attacks were apparently attributed to the DERP Trolling group. Regardless of the motives, the interesting part is what they used to generate the traffic that caused the temporary outage or degradation of the service.
As we know, there are different types or techniques of denial of service, from a single crafted packet that triggers a stack overflow and destabilizes the process, to the generation of a large volume of traffic from multiple addresses that ends up exhausting the resources of the attacked servers. This attack employed a well-known traffic generation technique, but against a different actor.
For a long time, one of the most interesting denial-of-service attacks has been DNS response amplification. This technique takes advantage of several factors to generate unsolicited traffic in a "lawful" way, that is, it does not rely on infecting machines but on the absent or careless configuration of third-party DNS servers.
A simple random scan on port 53 detects DNS servers, and a small test determines whether those servers answer or perform recursive queries for third-party domains. A query for a domain can generate a response up to 50 times larger than the request: you invest 10 bytes in a request and the server can return up to 500 bytes. That is the traffic generation part.
DNS works over the UDP transport protocol, which, as we know, is not connection-oriented and therefore dispenses with what is called the "handshake". That is, you do not need confirmation from the other end to start a conversation with more details: with UDP you ask and they serve you. This matters because if we build a UDP request but set the source address field to an IP other than our own, the server will send its response to that other IP.
We already have two factors: we can generate traffic thanks to the 1:50 request/response ratio, and we can also spoof the source address thanks to UDP. The next factor is finding open DNS servers, or servers that allow recursive queries for third-party domains. With a good group of these servers and another group that generates the requests, you have the perfect storm for directing that traffic at the target.
What has changed in this attack?
DNS servers were not used to amplify the responses. Instead, the attackers used NTP (Network Time Protocol) servers.
NTP is a protocol used primarily to synchronize operating system clocks. We can read about it in the following RFC.
NTP servers listen on UDP port 123, and a request of, for example, 8 bytes can generate a response almost 60 times larger. This response is not the NTP server's usual one; it comes from a feature of the protocol implementation that has now been patched to prevent this kind of attack. Curiously enough, the weakness had already appeared on the NTP development list in 2010. It even has a CVE associated, CVE-2013-5211, and is corrected in version 4.2.7 of the NTP server.
It is possible to ask the NTP server for a list of recent request records, a list called Monitor data. There is even an nmap script that finds NTP servers with this feature enabled. Thanks to this, the response can be amplified.
Although it is not common, some organizations use NTP servers over the Internet to synchronize networks at different locations. If that is not the case, it is advisable to filter incoming traffic on UDP port 123, and of course, if NTP servers are used, to update to the corrected version.
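Beyond filtering port 123 and upgrading, the Monitor data query can be shut off in the server's own configuration. The following audit script is an added example, not code from the original post or from the NTP project: it parses an ntp.conf and reports whether a remote host could still obtain monitor data, looking only at the two directives that govern it, `disable monitor` and the `noquery` flag on the `restrict default` entries. The two configuration files are constructed samples (a weak one and the hardened version of the same file); the handling of `-4`/`-6` family qualifiers is simplified to "family-specific entry if present, otherwise the unqualified default", which is an assumption to verify against the ntpd version you run.

```python
"""Audit an ntp.conf for exposure of the monitor-data (monlist) query.

Added example, not part of the original post. It only examines `restrict`
and `disable monitor`; confirming the running ntpd version (the post says the
fix landed in 4.2.7) is a separate check that this script does not perform.
"""
import shlex

# Constructed sample: a permissive configuration that still answers monlist.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
restrict default kod nomodify notrap nopeer
restrict 127.0.0.1
"""

# Constructed sample: the same file with noquery on both defaults and the
# monitor facility disabled outright.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org iburst
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""


def parse_ntp_conf(text):
    """Return (monitor_disabled, {scope: set(flags)}) from the restrict lines.

    scope is "default", "default4", "default6" or the literal address;
    comments and blank lines are skipped, as is a "mask x.x.x.x" argument.
    """
    monitor_disabled = False
    restricts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tokens = shlex.split(line)
        if tokens[0] == "disable" and "monitor" in tokens[1:]:
            monitor_disabled = True
        elif tokens[0] == "restrict":
            args = tokens[1:]
            family = ""
            if args and args[0] in ("-4", "-6"):
                family = args[0][1]          # "4" or "6"
                args = args[1:]
            if not args:
                continue
            scope = args[0] + (family if args[0] == "default" else "")
            rest = args[1:]
            if rest[:1] == ["mask"] and len(rest) >= 2:
                rest = rest[2:]              # drop "mask <netmask>"
            restricts.setdefault(scope, set()).update(rest)
    return monitor_disabled, restricts


def monlist_exposed(text):
    """True if a remote host could receive monitor data from this config.

    ntpd answers the query unless the monitor facility is disabled or the
    matching restrict entry carries noquery. With no `restrict default` line
    at all ntpd applies no restrictions, so that case counts as exposed.
    Assumption: a family-specific default overrides the unqualified one.
    """
    monitor_disabled, restricts = parse_ntp_conf(text)
    if monitor_disabled:
        return False
    unqualified = restricts.get("default", set())
    for family in ("default4", "default6"):
        effective = restricts.get(family, unqualified)
        if "noquery" not in effective:
            return True
    return False


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        state = "EXPOSED" if monlist_exposed(conf) else "ok"
        print(f"{name}: monitor data {state}")
```

Run it against `/etc/ntp.conf` by reading the file into `monlist_exposed`; an "EXPOSED" result means the server can still be used as a reflector even behind an otherwise sensible `restrict` line, because `nomodify` and `notrap` do not cover the monitor-data query.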
Open DNS servers truly deserve a separate post. It is a constant in our security audits to find a DNS server (or several!) of the organization published to the Internet that allows third parties to use it recursively for any domain. It is even difficult to make the administrator understand how this can be used against the organization he works for.
We must understand that when a victim receives the DNS traffic, the UDP packet carries the IP of our organization as its source, so we may find ourselves having to respond to a situation in which our DNS server has been used in a DDoS attack.
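The request/response byte ratio described for DNS (1:50) and NTP (almost 1:60) is also the signal a defender can watch for in their own traffic. The script below is an added example, not code from the original post: it reads flow records for our DNS and NTP servers, aggregates bytes each way per protocol and remote address, and reports remotes that received a large volume of heavily amplified responses. The record format (timestamp, protocol, our server, remote address, request bytes, response bytes), the sample flows and the thresholds are all constructed for the example; adapt them to whatever collector you have. As the previous paragraph notes, the remote address that shows up is the spoofed victim, not the attacker, which is why the finding is worth acting on quickly.

```python
"""Spot reflection/amplification abuse of our own DNS and NTP servers in flow records.

Added example, not part of the original post. The flow format, sample data
and thresholds are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: a handful of ordinary exchanges ...
NORMAL_FLOWS = [
    "1389000001 udp/53  192.0.2.10:53  198.51.100.7 60 120",
    "1389000002 udp/123 192.0.2.20:123 198.51.100.8 48 48",
    "1389000003 udp/53  192.0.2.10:53  198.51.100.9 64 3200",  # one big answer is normal
]
# ... followed by a burst in which one remote address receives hundreds of
# large NTP monitor-data replies and big DNS answers for tiny requests.
BURST_FLOWS = (
    ["1389000010 udp/123 192.0.2.20:123 203.0.113.5 8 482"] * 200
    + ["1389000011 udp/53  192.0.2.10:53  203.0.113.5 64 3200"] * 50
)
SAMPLE_FLOWS = "\n".join(NORMAL_FLOWS + BURST_FLOWS)


def parse_flows(text):
    """Parse whitespace-separated flow lines into dicts; '#' starts a comment."""
    flows = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ts, proto, server, remote, req_b, resp_b = line.split()
        flows.append({"ts": int(ts), "proto": proto, "server": server,
                      "remote": remote, "req_bytes": int(req_b),
                      "resp_bytes": int(resp_b)})
    return flows


def summarize(flows):
    """Aggregate per (protocol, remote address): request count and bytes each way."""
    totals = defaultdict(lambda: {"requests": 0, "req_bytes": 0, "resp_bytes": 0})
    for f in flows:
        t = totals[(f["proto"], f["remote"])]
        t["requests"] += 1
        t["req_bytes"] += f["req_bytes"]
        t["resp_bytes"] += f["resp_bytes"]
    return totals


def find_reflection_victims(flows, min_ratio=10.0, min_requests=20,
                            min_resp_bytes=50_000):
    """Return remotes that received a large volume of highly amplified responses.

    A single large answer is normal, so a remote is reported only when the
    request count, the response volume and the response/request ratio are all
    high. In a reflection attack that remote is the spoofed victim.
    Thresholds are assumptions; tune them against your own baseline.
    """
    findings = []
    for (proto, remote), t in summarize(flows).items():
        ratio = t["resp_bytes"] / t["req_bytes"] if t["req_bytes"] else float("inf")
        if (t["requests"] >= min_requests and t["resp_bytes"] >= min_resp_bytes
                and ratio >= min_ratio):
            findings.append({"proto": proto, "remote": remote, "ratio": ratio, **t})
    findings.sort(key=lambda f: f["resp_bytes"], reverse=True)
    return findings


if __name__ == "__main__":
    for v in find_reflection_victims(parse_flows(SAMPLE_FLOWS)):
        print(f"{v['proto']:8} {v['remote']:15} {v['requests']:5d} reqs "
              f"{v['resp_bytes']:8d} bytes out  x{v['ratio']:.1f}")
```

On the constructed sample the two burst streams are reported (the NTP one at roughly x60, the DNS one at x50) while the single 3200-byte answer to 198.51.100.9 is not, because volume and request count matter as much as the ratio. Either finding is the moment to apply the configuration fixes above (recursion limits on the resolver, `noquery` or `disable monitor` on ntpd) and to rate-limit responses toward the reported address.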
Attacks on open networks with IPViking
Every second, Norse collects and analyzes live threat information from darknets in hundreds of locations in more than 40 countries. The attacks displayed are based on a small subset of the live flows against the Norse honeypot infrastructure, which represent real-world cyber attacks by bad actors. At a glance, one can see which countries are attackers or targets at the moment, and the types of attacks (services/ports) being used.
Hovering over the attack origins, attack targets, or attack types highlights only the attacks coming from that country, directed at that country, or using those service ports, respectively. Hovering over any bubble on the map highlights only the attacks of that location and type. Press S to change table sizes.
Norse exposes its threat intelligence through high-performance, machine-readable APIs in a variety of ways. Norse also offers products and solutions that help organizations protect against and mitigate cyber attacks.