VoIP cameras, DVRs, and other devices running the Web Services Dynamic Discovery (WSDD) protocol are being used in a new type of DDoS attack. This isn’t the first time a zeroconf service has been hijacked as part of a DDoS, as UPnP has also been abused in similar ways.
Feel like alphabet soup yet? A Denial of Service attack is one where the target is simply made unavailable, rather than actually compromised. The classic example of this is the SYN flood, where an attacker would open hundreds of connections to a web server at once, exhausting the server’s resources and interrupting legitimate use of that server. As mitigations for these attacks were developed (SYN Cookies, for example), DoS attacks were replaced by Distributed Denial of Service (DDOS) attacks. Rather than attack a weakness on the target machine, like available RAM or CPU cycles, a DDoS generally targets available network bandwidth by hitting the target website from many, many locations at once. No clever software tricks can help when your Internet connection is fully saturated with junk traffic.
And one way to get many, many computers to send traffic to the same IP is to run a botnet. Your five megabit upload bandwidth might not seem like much, but if a thousand computers are each saturating their 5 megabits, the resulting 5 gigabit attack is nothing to sneeze at. DDoS amplification is when a third party service is used as a part of an attack. Imagine sending a DNS request with a spoofed source IP address. A UDP connection doesn’t have the initial handshake of a TCP packet, so detecting a spoof of this sort is much more difficult. You send a relatively small DNS request, and a DNS server responds by sending a larger reply — not to your IP, but to the target IP that you spoofed. This sort of amplification is usually done as part of a botnet DDoS attack, resulting in even more attack bandwidth. The largest confirmed DDoS attack on record is a staggering 1.3 Terabytes per second, was aimed at Github, and used Memcached as the amplification vector.
Now back to Zeroconf. Zero-configuration networking is the idea that things should “just work” when plugged into a network together. When you have the option to send video to your Chromecast, or Windows shows you the list of all the other devices on your network, you’re seeing zeroconf in action. Zeroconf protocols like UPnP and WSDD are intended to run only over the local network, but vendors are notorious for mis-implementing standards, and here is no exception. WSDD as defined should only respond to multicast requests on UDP port 3702. Many vendors have built their WSDD support in such a way that devices will respond to WSDD requests from any IP address, multicast or not. The last key to this amplification technique is the actual amplification. How small of a packet can an attacker send, vs how big of a packet can this trigger in response. Researchers at Akamai identified an eighteen byte message that triggers a much larger response. They managed a 153x amplification factor, which is terrifying. Thankfully, active attacks are running something more like 10x amplification factors.
Lastpass Reveals Your Last Pass
More Data Breaches
This week there were two separate stories about very large data breaches. Though technically, neither is a breach so much as passwordless databases carelessly exposed to the internet. First is the more than 100 medical databases being served on the internet without proper security. So far there seems to be plenty of finger-pointing, but with that many security fails, there is plenty of blame to go around. It’s worth noting that each of those exposed databases is a HIPAA violation, and each carries the potential for a sizable fine.
The second is the records of essentially every citizen of Ecuador. An Elasticsearch instance was misconfigured and publicly accessible. While at first glance, this seemed to be yet another government database exposed to the Internet, there was something strange about this database. There was data from multiple sources. About half of the database was consistent with the idea of a government database, but the rest seemed to come from private entities. The researchers working on this story determined an Ecuadorian company named Novaestrat was hosting the vulnerable database.
The database was secured, and Novaestrat’s website has disappeared. There are still more questions than answers concerning this story. Was this database the combined storage for other data breaches? Regardless, the personal data of millions of Ecuadorians was exposed. Interestingly, Julian Assange was among the people with entries in this Database, as a result of his Ecuadorian asylum.
Both of these databases contained personal information, which is of course unchangeable. Millions of people have been doxxed by carelessness, and short of witness-protection-plan level measures, there is no undo button.
Using Windows Defender? You might be in for a surprise next time you manually run a scan. Since the update this Tuesday, Windows Defender only scans a handful of files when manually running a quick or full scan. As is often the case, this bug was introduced when another problem was being fixed. If you use Windows Defender and want to run a manual scan, the custom scan does still work correctly.