This Week In Security: DDoS Techniques, Dirty Pipe, And Lapsus$ Continued

March 11, 2022 by 26 Comments

Denial-of-Service (DoS) amplification. Relatively early in the history of the Internet — it was only 14 years old at the time — the first DoS amplification attack was discovered. [TFreak] put together smurf.c, likely in 1997, though it’s difficult to nail the date down precisely.

The first real DoS attack had only happened a year before, in 1996. Smurf worked by crafting ICMP packets with spoofed source addresses, and sending those packets to a network’s broadcast address. A host that received the request would send the packet to the target, and if multiple hosts responded, you got a bigger DoS attack for free. Fast forward to 1999, and the first botnet pulled off a Distributed DoS, DDoS, attack. Ever since then, there’s been an ongoing escalation of DDoS traffic size and the capability of mitigations.

DNS and NTP quickly became the popular choice for amplification, with NTP requests managing an amplification factor of 556, meaning that for every byte an attacker sent, the amplifying intermediary would send 556 bytes on to the victim. You may notice that so far, none of the vulnerable services use TCP. The three-way handshake of TCP generally prevents the sort of misdirection needed for an amplified attack. Put simply, you can’t effectively spoof your source address with TCP.

There are a pair of new games in town, with the first being a clever use of “middleboxes”, devices like firewalls, Intrusion Prevention Systems, and content filters. These devices watch traffic and filter content or potential attacks. The key here is that many such devices aren’t actually tracking TCP handshakes, it would be prohibitively memory and CPU intensive. Instead, most such devices just inspect as many packets as they can. This has the unexpected effect of defeating the built-in anti-spoofing of TCP.

An attacker can send a spoofed TCP packet, no handshake required, and a vulnerable middlebox will miss the fact that it’s spoofed. While that’s interesting in itself, what’s really notable is what happens when the packet appears to be a request for a vulnerable or blocked resource. The appliance tries to interrupt the stream, and inject an error message back to the requester. Since the requestor can be spoofed, this allows using these devices as DDoS amplifiers. As some of these services respond to a single packet with what is essentially an entire web page to convey the error, the amplification factor is literally off the charts. This research was published August 2021, and late February of this year, researchers at Akamai have seen DDoS attacks actually using this technique in the wild.

The second new technique is even more alien. Certain Mitel PBXs have a stress-test capability, essentially a speed test on steroids. It’s intended to only be used on an internal network, not an external target, but until a recent firmware update that wasn’t enforced. For nearly 3,000 of these devices, an attacker could send a single packet, and trigger the test against an arbitrary host. This attack, too, has recently been seen in the wild, though in what appears to be test runs. The stress test can last up to 14 hours at worst, leading to a maximum amplification factor if over four billion, measured in packets. The biggest problem is that phone systems like these a generally never touched unless there’s a problem, and there’s a decent chance that no one on site has the login credentials. That is to say, expect these to be vulnerable for a long time to come. Continue reading “This Week In Security: DDoS Techniques, Dirty Pipe, And Lapsus$ Continued”

Is Your Tape Dispenser Radioactive?

March 11, 2022 by 26 Comments

Do you have anything radioactive in your house? Most people will say no, but they are probably wrong. A host of things ranging from glow-in-the dark timepieces to smoke detectors have some amount of radioactivity. But as [Wheeler Scientific] points out, so do some old Scotch tape dispensers. You can watch the video, below.

The dispenser in question is the C-15 which was very common around offices, military bases, and homes for years. They were made up until the 1980s. You have to wonder why a tape dispenser would be radioactive, and [Wheeler] has the explanation.

When you pull tape from the dispenser, you don’t want the dispenser to slide around the desk, so it needs to be heavy. But no one wants to have a giant dispenser nor do you want to pay for one made from a dense metal. So the plastic dispenser contains a ballast to make it heavier. In the case of the C-15 that ballast is thorium-containing monazite sand. A vintage counter shows the radioactivity which isn’t much, of course, but still way less than the ordinary sand used in newer models. You can also see in the video that the material is paramagnetic.

Monazite used to be a primary source of lanthanides but getting rid of the thorium led to alternate sources in the 1960s although it is still used as an ore for thorium. We know some lenses are radioactive. If you want to search your home for radioactivity and you don’t have a Geiger counter, you don’t need much to build one.

Continue reading “Is Your Tape Dispenser Radioactive?”

kumiko from nails

Nail This Tricky Kumiko Pattern

March 11, 2022 by 4 Comments

[Pask Makes] has previously made Kumiko patterns in wood and was happy with the results, but he wondered if he could make something visually similar from metal instead of wood.

For that, he reached for nails as it is a cheap source of uniform small rods of metal. Kumiko is, funny enough, a technique known for joining small pieces of wood without nails. There are many different patterns that use the technique and most are inspired by nature. It is the pressure of the wood in the pattern itself that holds it together and requires dedicated planning and thousands of minute adjustments. Since [Pask] was using a MIG welder to hold the nails together, it isn’t technically Kumiko but rather a Kumiko pattern.

The first step was to take the coating off the nails, which is something a little acid does a wonderful job with. After dropping a little acid, his nails were prepped and he was ready to tack them together. He printed a template on a sheet of paper and used a straight edge and a palm router with a groove bit to cut little channels for each of the nails to sit in. The nails were trimmed to the correct width with the help of a small jig. After he had tacked the nails together, he came back and filled in the centers.

It’s a straightforward little project that creates a beautiful pattern and it’s a good reminder that simple materials can make complex things. If you prefer the wood look, this Kumiko guitar might be more to your taste. Video after the break.

Continue reading “Nail This Tricky Kumiko Pattern”

Very Fancy Nail Is Actually A Secret Jewlery Stash

March 10, 2022 by 10 Comments

Typically, nails are purpose-built things made to hold bits of wood together, with their entire design focused on that purpose. However, [W&M Levsha] went in much the other direction, crafting one very fancy expensive nail in what we can only explain as a masterful demonstration of their skills.

The build starts with a piece of brass tube, which is engraved with a delicate pattern on an automated lathe. After clean up, the spiralling lines are attractive on the polished brass.A plug is then made for the end of the tube, which gets filed into a point to resemble a nail, hiding the seam between the plug and the tube.

The tube is then threaded to accept a nail head that screws into the top, allowing the “nail” to act as a fancy little stash, which [W&M Levsha] shows off by placing a bracelet inside. The project is finished by crafting a stunning wooden box to hold the fancy nail.

We’ve seen [W&M Levsha]’s handywork before; the cap-gun cigarette lighter was a similarly impressive feat of machining and craftsmanship. Video after the break.

Continue reading “Very Fancy Nail Is Actually A Secret Jewlery Stash”

Short Circuit Tracer For A Buck

March 10, 2022 by 22 Comments

Almost every meter you find today will have a continuity tester. Connect the probes and it will beep if there is a short and won’t if there isn’t. But where is the short? That’s another problem when trying to measure a component that is connected to many other components. [Learn Electronics Repair] wanted to have a tool to find shorts on a board and wanted to build a tester that uses 4-wire resistance measurement to isolate the device under test without having to do surgery on the circuit. His $1 build appears in the video below.

The first part of the video talks about the theory behind resistance measurement with two and four wires. Let shows several diagrams, but he mentions that at one point he shows an incorrect schematic (at 12:03) instead of the early correct one (at 10:35) and mentions it, but if you are skimming the video, you might get confused.

Continue reading “Short Circuit Tracer For A Buck”

Introducing The Universal Atari Keyboard Case

March 10, 2022 by 3 Comments

[10p6] wondered what it would be like if Atari had used a standardized keyboard across its 16-bit and 32-bit computer lines in 1985. Imagination is fun, but building things is even better, and thus they set out to create such a thing. Enter the Universal Atari Keyboard Case.

The case design is flexible, and can accept a keyboard from models including the Atari ST and Falcon. The keyboard can then be used with an Atari Mega, TT, or desktop-style Atari computers without mods. It also brings modern peripherals to bear on these old Atari platforms, enabling the use of modern USB mice while also using the two onboard joystick ports. Power and floppy LEDs are present, but subtly hidden beneath the case, only becoming visible when illuminated. It also includes 5-watt stereo speakers for getting the best out of the Atari’s sound hardware.

The final part, a full 473mm long, was 3D printed in resin for a high-quality surface finish. The results are so good it almost looks like a genuine factory keyboard.

If you’re regularly playing with your vintage Atari machines and you want a great keyboard to use with them, this could be the design for you. [10p6] has promised to soon upload the design files to Thingiverse for those eager to replicate the work.

We’ve also seen retro Atari keyboard converted to work with modern machines. Video after the break. Continue reading “Introducing The Universal Atari Keyboard Case”

An electromechanical wall clock on a workbench, showing "8888"

Silent Stepper Motors Make Electromechanical Clock Fit For A Living Room

March 10, 2022 by 13 Comments

Large mechanical seven-segment displays have a certain presence that you just don’t get in electronic screens. Part of this comes from the rather satisfying click-click-clack sound they make at every transition. Unfortunately, such a noise quickly becomes annoying in your living room; [David McDaid] therefore designed a silent electromechanical seven-segment clock that has all the presence of a mechanical display without the accompanying sound.

As [David] describes in a very comprehensive blog post, the key to this silent operation is to use stepper motors instead of servos, and to drive them using a TMC2208 stepper motor driver. This chip has a unique method of regulating the current that does not introduce mechanical vibrations inside the motor. A drawback compared to servos is the number of control wires required: with four wires going to each motor, cable management becomes a bit of an issue when you try to assemble four seven-segment displays.

Continue reading “Silent Stepper Motors Make Electromechanical Clock Fit For A Living Room”