This Week In Security: DDoS Techniques, Dirty Pipe, And Lapsus$ Continued

Denial-of-Service (DoS) amplification. Relatively early in the history of the Internet — it was only 14 years old at the time — the first DoS amplification attack was discovered. [TFreak] put together smurf.c, likely in 1997, though it’s difficult to nail the date down precisely.

The first real DoS attack had only happened a year before, in 1996. Smurf worked by crafting ICMP packets with spoofed source addresses, and sending those packets to a network’s broadcast address. A host that received the request would send the packet to the target, and if multiple hosts responded, you got a bigger DoS attack for free. Fast forward to 1999, and the first botnet pulled off a Distributed DoS, DDoS, attack. Ever since then, there’s been an ongoing escalation of DDoS traffic size and the capability of mitigations.

DNS and NTP quickly became the popular choice for amplification, with NTP requests managing an amplification factor of 556, meaning that for every byte an attacker sent, the amplifying intermediary would send 556 bytes on to the victim. You may notice that so far, none of the vulnerable services use TCP. The three-way handshake of TCP generally prevents the sort of misdirection needed for an amplified attack. Put simply, you can’t effectively spoof your source address with TCP.

There are a pair of new games in town, with the first being a clever use of “middleboxes”, devices like firewalls, Intrusion Prevention Systems, and content filters. These devices watch traffic and filter content or potential attacks. The key here is that many such devices aren’t actually tracking TCP handshakes, it would be prohibitively memory and CPU intensive. Instead, most such devices just inspect as many packets as they can. This has the unexpected effect of defeating the built-in anti-spoofing of TCP.

An attacker can send a spoofed TCP packet, no handshake required, and a vulnerable middlebox will miss the fact that it’s spoofed. While that’s interesting in itself, what’s really notable is what happens when the packet appears to be a request for a vulnerable or blocked resource. The appliance tries to interrupt the stream, and inject an error message back to the requester. Since the requestor can be spoofed, this allows using these devices as DDoS amplifiers. As some of these services respond to a single packet with what is essentially an entire web page to convey the error, the amplification factor is literally off the charts. This research was published August 2021, and late February of this year, researchers at Akamai have seen DDoS attacks actually using this technique in the wild.

The second new technique is even more alien. Certain Mitel PBXs have a stress-test capability, essentially a speed test on steroids. It’s intended to only be used on an internal network, not an external target, but until a recent firmware update that wasn’t enforced. For nearly 3,000 of these devices, an attacker could send a single packet, and trigger the test against an arbitrary host. This attack, too, has recently been seen in the wild, though in what appears to be test runs. The stress test can last up to 14 hours at worst, leading to a maximum amplification factor if over four billion, measured in packets. The biggest problem is that phone systems like these a generally never touched unless there’s a problem, and there’s a decent chance that no one on site has the login credentials. That is to say, expect these to be vulnerable for a long time to come. Continue reading “This Week In Security: DDoS Techniques, Dirty Pipe, And Lapsus$ Continued”

Remoticon 2021 // Vaibhav Chhabra And The M19 Collective Make One Million Faceshields

[Vaibhav Chhabra], the co-founder of Maker’s Asylum hackerspace in Mumbai, India, starts his Remoticon talk by telling a short story about how the hackerspace rose to its current status. Born out of frustration with a collapsed office ceiling, having gone through eight years of moving and reorganizations, it accumulated a loyal participant base – not unusual with hackerspaces that are managed well. This setting provided a perfect breeding ground for the M19 effort when COVID-19 reached India, mixing “what can we do” and “what should we do” inquiries into a perfect storm and starting the 49 day work session that swiftly outgrew the hackerspace, both physically and organizationally.

When the very first two weeks of the Infinite Two Week Quarantine Of 2020 were announced in India, a group of people decided to wait it out at the hackerspace instead of confining themselves to their homes. As various aspects of our society started crashing after the direct impact of COVID-19, news came through – that of a personal protective equipment shortage, especially important for frontline workers. Countries generally were not prepared when it came to PPE, and India was no different. Thus, folks in Maker’s Asylum stepped up, finding themselves in a perfect position to manufacture protective equipment when nobody else was prepared to help.

Continue reading “Remoticon 2021 // Vaibhav Chhabra And The M19 Collective Make One Million Faceshields”

Announcing: The 2022 Hackaday.io Sci-Fi Contest

Ladies and Gentlemen, Sentient robots, Travellers from the distant future, or Aliens from the outer rim, it’s time to enter the 2022 Hackaday.io Sci-Fi Contest!

We last ran the Sci-Fi contest in the far, far past — before the Voigt-Kampff machine was detecting replicants on the gritty streets of 2019’s LA. Back then, we had some out-of-this-world entries. It’s time for the sequel.

Thanks to Digi-Key, the contest’s sponsor, your best blaster, your coolest costume, or your most righteous robot could win you one of three $150 shopping sprees in their parts warehouse. Create a Hackaday.io project, enter it in the contest, and you’re set. You might as well do that right now, but the contest closes on April 25th.

Sci-Fi is all about the looks, so if it’s purely decorative, be sure to blind us with science (fiction). If your project actually functions, so much the better! Of course we’d like to know how it works and how you made it, so documentation of the project is the other big scoring category. Whatever it is, it’s got to be sci-fi, and it’s got to have some electronics in it.

If you’re looking for inspiration, you could do a lot worse than to check out [Jerome Kelty]’s Animatronic Stargate Helmet, that not coincidentally took the grand prize last time around. It’s an artistic and engineering masterpiece all rolled into one, and the description of how it’s made is just as extensive. [Jochen Alt]’s “Paul” robot isn’t out of any particular sci-fi franchise that we know, but of rolling on one ball and reciting robot poetry, it absolutely should be.

Honorable Mentions

In addition to the overall prizes, we’ll be recognizing the best projects in the following honorable mention categories:

  • Star Star: Whether you’re “beam me up” or “use the force”, fans of either of the “Star” franchises are eligible for this honorable mention.
  • ExoSuit: This category recognizes sci-fi creations that you can wear. Costumes and armor fit in here.
  • Stolen off the Set: If your blaster looks exactly like Han Solo’s, you’re a winner here.  This is the category for your best prop replica.
  • Living in the Future: If your sci-fi device was purely fantasy when imagined, but now it’s realizable, you’re living in the future. A working tricorder or a functioning robot companion would fit in fine here.
  • The Most Important Device: Has no function, but it certainly looks like it does. Just blinking lights that blink back and forth, yet the government spent millions of dollars on it.

You don’t have to tell us where your project fits in. We’ve got you covered.

Engage!

Get started now by creating a project page on Hackaday.io. In the left sidebar of your project page, use the “Submit Project To” button to enter in the 2022 Sci-Fi Contest.

You have from now until April 25, 2022 to get it finished. Of course, if your time machine actually works, you can finish it whenever. Check out the Hackaday.io contest page for all the fine print.

Cranes made by Origami (Orizuru). The height is 35mm.

Bringing The Art Of Origami And Kirigami To Robotics And Medical Technology

Traditionally, when it comes to high-tech self-assembling microscopic structures for use in medicine delivery, and refined, delicate grippers for robotics, there’s been a dearth of effective, economical options. While some options exist, they are rarely as effective as desired, with microscopic medicine delivery mechanisms, for example, not having the optimal porosity. Similarly, in so-called soft robotics, many compromises had to be made.

A promising technology here involves the manipulation of flat structures in a way that enables them to either auto-assemble into 3D structures, or to non-destructively transform into 3D structures with specific features such as grippers that might be useful in both micro- and macroscopic applications, including robotics.

Perhaps the most interesting part is how much of these technologies borrow from the Japanese art of origami, and the related kirigami.

Continue reading “Bringing The Art Of Origami And Kirigami To Robotics And Medical Technology”

The Light Guide Hiding In Your Extrusion

There should be a line of jokes that start “A physicist and an engineer walk into a bar…”. In my case I’m an engineer and my housemate is a physicist, so random conversations sometimes take interesting turns. Take the other day for example, as one does when talking she picked up a piece of aluminium extrusion that was sitting on our coffee table and turned it over in her hands. It has a hole down its centre and it’s natural to peer down it, at which point her attention was caught by the appearance of a series of concentric rings of light. Our conversation turned to the mechanism which might be causing this, and along the way took us into cameras, waveguides, and optical fibres.

The light reaching us after traveling along a straight narrow tube should at a cursory glance be traveling in a straight line, and indeed when I point the extrusion out of my window and look down it I can see a small segment of the tree in the distance I’ve pointed it at. It didn’t take us long to conclude that the concentric rings were successive reflections of the light coming into the end hole from off-centre angles.

In effect, the extrusion is a pinhole camera in which the image is projected onto the inside of a cylinder stretching away from the pinhole rather than onto a flat piece of film, and we were seeing the successive reflections of the resulting distorted image as they bounced to and fro down the tube towards us. It’s likely the imperfect mirror formed by the aluminium wall allowed us to see each image, as light was being diffused in our direction. Adding a piece of tape with a small pinhole at the end accentuated this effect, with the circles becoming much more sharply defined as the projected image became less blurry. Continue reading “The Light Guide Hiding In Your Extrusion”

Screenshot of a 1988 news report on the Morris Worm computer virus

Retrotechtacular: Cheesy 1980s News Report On Early Internet Virus

It was a cold autumn night in 1988. The people of Cambridge, Massachusetts lay asleep in their beds unaware of the future horror about to be unleashed from the labs of the nearby college. It was a virus, but not just any virus. This virus was a computer program whose only mission was to infect every machine it could come in contact with. Just a few deft keystrokes is all that separated law abiding citizens from the…over the top reporting in this throwback news reel posted by [Kahvowa].

Computer History Museum exhibit of the floppy disk used to distribute the Morris worm computer virus.
Computer History Museum exhibit featuring the original floppy disk used to distribute the Morris Worm computer virus.

To be fair, the concept of a computer virus certainly warranted a bit of explanation for folks in the era of Miami Vice. The only places where people would likely run into multiple computers all hooked together was a bank or a college campus. MIT was the campus in question for this news report as it served as ground zero for the Morris Worm virus.

Named after its creator, Robert Tappan Morris, the Morris Worm was one of the first programs to replicate itself via vulnerabilities in networked computer systems. Its author intended the program to be a benign method of pointing out holes, however, it ended up copying itself onto systems multiple times to the point of crashing. Removing the virus from an infected machine often took multiple days, and the total damage of the virus was estimated to be in the millions of dollars.

In an attempt to anonymize himself, Morris initially launched his worm program from a computer lab at MIT as he was studying at Cornell at the time. It didn’t work. Morris would go onto to be the first person to receive a felony conviction under the 1986 Computer Fraud and Abuse Act. After the appeals process, he received a sentence a community service and a fine. After college Morris co-founded the online web store software company Viaweb that Yahoo! would acquire in 1998 for 49 million dollars. Years later in an ironic twist, Morris would return to academia as a professor at MIT’s department of Electrical Engineering and Computer Science.

Interested in some info on viruses of a different nature? Check out this brief history on viruses from last year.
Continue reading “Retrotechtacular: Cheesy 1980s News Report On Early Internet Virus”

Top side of the VL670 breakout board, with two USB connectors and the VL670 chip in the center.

A Chip To Bridge The USB 2 – USB 3 Divide

On Twitter, [whitequark] has  found and highlighted an intriguing design – a breakout board for the VL670, accompanied by an extensive yet very easy to digest write-up about its usefulness and inner workings. The VL670 is a chip that addresses a surprising problem – converting USB 2.0 signals into USB 3.0.

If you have a USB 2.0 device and a host with only USB 3.0 signals available, this chip is for you. It might be puzzling – why is this even needed? It’s about the little-known dark secret of USB3, that anyone can deduce if they ever have to deal with a 9-pin USB 3.0 connector where one of the three differential pairs doesn’t quite make contact.

When you see a blue “3.0” port, it’s actually USB 2 and USB 3 — two separate interfaces joined into a single connector. USB 3 uses two single-directional differential pairs, akin to PCI-E, whereas USB 2 uses a single bidirectional one, and the two interfaces on a blue connector operate basically independently of each other. There’s many implications to this that are counterintuitive if you simply take “USB 3.0” for “faster backwards-compatible USB”, and they have painful consequences.

For instance, USB 3 hub ICs have two separate hub entities inside – one for USB 3 and one for USB 2. Even if you have a USB 3 hub plugged into a USB 3 port, multiple USB 2 devices plugged into it still cannot break through the USB 2 uplink limit of 480 MBps. If you ever thought that a faster hub with a faster uplink would fix your USB 2 device speed problems – USB-IF engineers, apparently, thought differently; and you might have to find a workaround for your “many cheap SDRs and Pi 4 in a box” setup. Continue reading “A Chip To Bridge The USB 2 – USB 3 Divide”