Memcached Servers Abused For DDoS Attacks

Cloudflare announced recently that they are seeing an increase in amplification attacks using memcached servers, and that this exploit has the potential to be a big problem because memcached is capable of amplifying an attack significantly. This takes DDoS attacks to a new level, but the good news is that the problem is confined to a few thousand misconfigured servers, and the solution is to put the servers behind a tighter firewall and to disable UDP. What’s interesting is how the fundamental workings of the Internet are exploited to create and direct a massive amount of traffic.

We start with a botnet: a collection of Internet-connected devices that have been compromised and are controlled by a malicious user. These could be a specific brand of web camera, printer, or computer with unsecured firmware. Once the devices are compromised, the malicious user can direct the botnet to execute code. This code could mine cryptocurrency, upload sensitive data, or create a lot of web traffic directed at a particular server, flooding it with requests and creating a distributed denial of service (DDoS) attack that takes down the server. Since the server can’t distinguish regular traffic from malicious traffic, it can’t filter it out and becomes unresponsive.

This DDoS attack is limited to the size of the botnet’s bandwidth, though. If all the web cameras in the botnet are pounding a server as fast as they can, the botnet has reached its max. The next trick is called an amplification attack, and it exploits UDP. UDP (as opposed to TCP) is like the early post office; you send mail and hope it gets there, and if it doesn’t then oh well. There’s no handshaking between communicating computers. When a device sends a UDP packet to a server, it includes the return address so that the server can send the response back. If the device sends a carefully crafted fake request with a different return address, then the server will send the response to that spoofed return address.

So if the web camera sends a request to Server A and the response is sent to Server B, then Server A is unintentionally attacking Server B. If the request is the same size as the response, then there’s no benefit to this attack. If the request is smaller than the response, and Server A sends Server B a bunch of unrequested data for every request from the camera, then you have a successful amplification attack. In the case of memcached, traffic can be amplified by more than 50,000 times, meaning that a small botnet can have a huge effect.

Memcached is a memory caching system whose primary use is to help large websites by caching data that would otherwise be stored in a database or API, so it really shouldn’t be publicly accessible anyway. The immediate solution is to turn off public-facing memcached over UDP, but the larger solution is to think about what things you are making available to the Internet, and how they can be used maliciously.
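An added example (not from Cloudflare or the original post) of how the operator of a memcached host could spot the request/response imbalance described above in its own flow records: it sums UDP bytes per peer to and from port 11211 and reports peers whose response-to-request ratio is high. The record format, the 10x threshold and all addresses are assumptions constructed for illustration.

```python
from collections import defaultdict

MEMCACHED_PORT = 11211

# Constructed flow records (not real traffic): proto,src,sport,dst,dport,bytes
SAMPLE_FLOWS = """\
udp,198.51.100.7,40112,192.0.2.10,11211,60
udp,192.0.2.10,11211,198.51.100.7,40112,742000
udp,198.51.100.7,40113,192.0.2.10,11211,60
udp,192.0.2.10,11211,198.51.100.7,40113,742000
tcp,203.0.113.5,51000,192.0.2.10,11211,300
tcp,192.0.2.10,11211,203.0.113.5,51000,4100
udp,203.0.113.9,5353,192.0.2.10,11211,120
udp,192.0.2.10,11211,203.0.113.9,5353,130
"""


def reflection_report(flow_text, server_ip, min_factor=10.0):
    """Map peer IP -> response/request byte ratio for UDP memcached traffic.

    Only peers whose ratio is at least min_factor (an assumed threshold)
    are returned. A peer that received data without any recorded request
    (e.g. sampled flows) is reported with a factor of infinity.
    """
    requested = defaultdict(int)   # bytes peer -> server:11211
    answered = defaultdict(int)    # bytes server:11211 -> peer
    for line in flow_text.splitlines():
        fields = [f.strip() for f in line.split(",")]
        if len(fields) != 6 or fields[0].lower() != "udp":
            continue  # skip malformed lines and non-UDP traffic
        _, src, sport, dst, dport, size = fields
        if not (sport.isdigit() and dport.isdigit() and size.isdigit()):
            continue
        if dst == server_ip and int(dport) == MEMCACHED_PORT:
            requested[src] += int(size)
        elif src == server_ip and int(sport) == MEMCACHED_PORT:
            answered[dst] += int(size)

    report = {}
    for peer, sent in answered.items():
        asked = requested.get(peer, 0)
        factor = sent / asked if asked else float("inf")
        if factor >= min_factor:
            report[peer] = factor
    return report


if __name__ == "__main__":
    for peer, factor in reflection_report(SAMPLE_FLOWS, "192.0.2.10").items():
        print(f"{peer}: responses are {factor:,.0f}x the request bytes")
```

A flagged peer is most likely the target (Server B in the text), because the requests carrying its address were spoofed; the TCP client and the low-ratio UDP peer in the sample are not reported.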

Count Your Fans With This Stylish ESP8266 Display

Continuous self-affirmation is a vital component to the modern lifestyle. Of course you know the world loves you, but exactly how much do they love you? Checking your phone every few minutes to see if you’ve gained any followers is gauche, and perhaps more to the point, doesn’t let you show off when you’ve got visitors over. In the modern era, the up-and-coming social media star needs a stylish way to display just how popular they are for the world to see.

That’s the idea behind this very slick social media counter created by [Becky Stern]. Built into a standard shadow box frame and using LED displays glowing through a printed piece of paper, the finished product looks more like modern art than the usual hacker fare.

The counter is powered by a NodeMCU, but you could drop in your favorite variant of the ESP8266 and things would work more or less the same. For the displays, [Becky] is using four Adafruit 7-Segment LED modules, which are easily controlled via I2C, keeping the wiring to a minimum.

It’s interesting to note that since her follower count on Twitter has already hit five digits, two of the display modules are used next to each other for that particular service. Her Instructables and Instagram counters only have one display each however, limiting her counts on those services to 9,999 each. There’s probably something to be learned here in terms of the relative follower counts you can expect on the different social networks if you’re targeting your content to the hacker and maker crowd, but we’ll leave the analysis to those with a better handle on such matters.

Hardware aside, [Becky] spends a lot of time in the video talking about the code she’s come up with to pull her stats from the various services and push them out to the LED displays at a regular interval. It’s nice to see so much attention and explanation given to the software side of a project like this, as more often than not you’re left on your own to figure out what the source code is doing.

This project is quite similar to the YouTube Play Button hack we covered a few months back, but the addition of multiple social networks in one device is a nice improvement over the basic concept.


The Grooviest Random Number Generator Ever

Cloudflare is one of those Internet companies you use all the time, but don’t usually know it. Big websites you visit use Cloudflare to shore up their defenses against denial of service attacks. The company needed some truly random numbers for its security solutions, so it turned to some groovy old tech: lava lamps. In their office is a wall of 100 lava lamps monitored by cameras. The reaction of the lamps is unpredictable, and this allows them to generate really random numbers. [Joshua], a Cloudflare employee, talks about the technical details of the system in a recent blog post.

You might think this is a new and novel idea, but it turns out the LavaRnd (or maybe it is LavaRand — there’s some dispute if you read the comments below) system has been around for a while. In fact, we covered it way back in 2005. Silicon Graphics patented the system in 1996.


Becoming Your Own ISP, Just For Fun

When moving into a new house, it’s important to arrange for the connection of basic utilities. Electricity, water, and gas are simple enough, and then it’s generally fairly easy to set up a connection to an ISP for your internet connection. A router plugs into a phone line, or maybe a fiber connection and lovely packets start flowing out of the wall. But if you’re connected to the internet through an ISP, how is the ISP connected? [Kenneth] answers this in the form of an amusing tale.

It was during the purchase of data centre rack space that [Kenneth]’s challenge was laid down by a friend. Rather than simply rely on the connection provided by the data centre, they would instead rely on forging their own connection to the ‘net, essentially becoming their own Internet Service Provider.

This is known as creating an Autonomous System. Doing this involves several challenges, the first of which is understanding just how things work at this level of networking. [Kenneth] explains the vagaries of the Border Gateway Protocol, and why it’s necessary to secure your own address space. There’s also an amusing discussion on the routing hardware required for such a feat and why [Kenneth]’s setup may fall over within the next two years or so.

It’s not for the faint hearted, and takes a fair bit of paperwork, but [Kenneth] has provided an excellent guide to the process if you really, really just need to own your own corner of the internet. That said, there are other networking tricks to cut your teeth on if you’d like a simpler challenge, like tunneling IP over ICMP.

 

A Web-Based Modem

If you are beyond a certain age, you will recall when getting on the Internet was preceded by strange buzzing and squawking noises. Modems used tones to transmit and receive data across ordinary telephone lines. There were lots of tricks used to keep edging the speed of modems up until, at the end, you could download (but not upload) at a blazing 56,000 bits per second. [Martin Kirkholt Melhus] decided to recreate a modem. In a Web browser. No kidding.

We started to say something about a modem in the cloud, but that wouldn’t really be accurate. The modem uses the HTML 5 audio API, so it really runs in the browser. We would have been really surprised if [Martin] had cooked up a modem able to interact with a real modem, but as you might expect, the browser modem only communicates with other instances of itself. If you want a brief introduction to HTML 5 audio, you might enjoy the video below.


Untether From Your Location With A VPN

By now, most of us know the perks of using a VPN: they make private one’s online activity (at least from your ISP’s point of view, probably), and they can also make it appear as if you are in a different locale than you physically are. This is especially important for trying to watch events such as the Olympics which might air different things at different times in different countries. It’s also starting to be an issue with services like Netflix which allow content in some areas but not others.

While VPNs can help solve this problem, it can be tedious to set them up for specific purposes like this if you have to do it often. Luckily, [clashtherage] has created a router with a Raspberry Pi that takes care of all of the complicated VPN routing automatically. In much the same way that another RPi router we’ve seen eliminates ads from all of your internet traffic, this one takes all of your traffic and sends it to a locale of your choosing. (In theory one could use both at the same time.)

Obviously this creates issues for Netflix as a company, and indeed a number of services (like craigslist, for example) are starting to block access to their sites if they detect that a VPN is being used. Of course, this only leads to an arms race of VPNs being blocked, and them finding ways around the obstacles, and on and on. If only IPv6 was finally implemented, we might have a solution for all of these issues.

Have Some Candy While I Steal Your Cycles

Distributed computing is an excellent idea. We have a huge network of computers, many of them always on, why not take advantage of that when the user isn’t? The application that probably comes to mind is Folding@home, which lets you donate your unused computer time to help crunch the numbers for disease research. Everyone wins!

But what if your CPU cycles are being used for profit without your knowledge? Over the weekend this turned out to be the case with Showtime on-demand sites, which mined Monero coins while the user was pacified by video playback. The video is a sweet treat while the cost of your electric bill is nudged up ever so slightly.

It’s an interesting hack as even if the user notices the CPU maxing out they’ll likely dismiss it as the horsepower necessary to decode the HD video stream. In this case, both Showtime and the web analytics company whose Javascript contained the mining software denied responsibility. But earlier this month Pirate Bay was found to be voluntarily testing out in-browser mining as a way to make up for dwindling ad revenue.

This is a clever tactic, but comes perilously close to being malicious when done without the user’s permission or knowledge. We wonder if those ubiquitous warnings about cookie usage will at times include notifications about currency mining on the side? Have you seen or tried out any of this Javascript mining? Let us know in the comments below.