Attacks/Breaches
4/4/2012
11:10 AM
Connect Directly
RSS
E-Mail
50%
50%

Anonymous Vs. DNS System: Lessons For Enterprise IT

A rumored attack on the world's DNS servers by Anonymous failed to materialize. But the many enterprises still ignoring persistent weaknesses could learn from the defensive strategy.

The Internet didn't go dark on Sunday.

A threat, first made in mid-February, had warned that the chaos-loving hacktivist collective Anonymous would take down the Internet for April Fool's Day under the banner of "Operation Blackout." The stated plan was to overwhelm the world's 13 domain name system (DNS) root servers with junk traffic, preventing Web users from reaching most websites. As recently as Thursday, a new Pastebin post suggested that a Trojan application would handle the junk traffic, which would attempt to take down the DNS servers down for at least two minutes. "[ 13 root servers ] * BOOYAH," it promised.

The story here, however, isn't the failure of any supposed Anonymous campaign, but rather the virtue of being proactive.

Namely, the organizations that keep the DNS running paid attention to the Operation Blackout threat, and began pouring millions of dollars into improving the system. That involved bringing online several massive, 40-gigabit routers, as well as hundreds of servers--around the world--which enabled the DNS root servers to handle more requests. That added capacity also made it harder for anyone to overwhelm the system with junk traffic or fake requests.

"Whether or not Anonymous carries out this particular attack, there are larger attacks that do happen," Bill Woodcock of Packet Clearing House' (PCH)--which helps maintain the Domain Name System--told the New York Times. "A forewarning of this attack allowed everyone to act proactively for a change. We can get out in front of the bigger attacks."

In the case of a potential Anonymous DNS onslaught, the obvious attack vector, based on past campaigns, was a distributed denial-of-service (DDoS) attack. "DDoS is very much a numbers game," said Woodcock. "If the target has more than the sum of the attackers' capability and normal day-to-day traffic, then it is fine."

As April Fool's Day drew near, meanwhile, the supposed attack against the DNS infrastructure looked like it might simply be another spoof, perpetrated by Anonymous or done in its name. "For the billionth time: #Anonymous will not shut down the Internet on 31 March," read a Thursday tweet from YourAnonNews. "#OpGlobalBlackout is just another #OpFacebookfailop. #yawn." (Operation Facebook was another Anonymous attack that wasn't, as was a rumored takedown of the national grid.)

On Sunday, of course, the April Fool's Day DDoS onslaught thankfully failed to materialize. "Operation Blackout appeared to be more of a ruse for your 'attack du jour' than a dedicated effort against DNS root servers. Moreover, the apparent attack sophistication and volume levels of those attacks which were directed at DNS servers were not notable or effective over the weekend," said Carl Herberger, a senior VP at Radware, in a blog post. On the other hand, he said, the weekend did see DDoS attacks against at least four international telecommunications companies, a major trading exchange, a bank, and a financial transaction provider.

In light of the non-attack, was the DNS rapid-improvement plan--and millions of related dollars in investment--wasted effort? Not at all. Paul Vixie of the Internet Systems Consortium emphasized that the improvements weren't simply "panic engineering" in the face of the threat, but part of a carefully considered security-improvement plan. "We are using the threatened attack to go kick the tires on everything, make sure there's no loose dangly parts," he told the New York Times last week.

The proactive strategy employed by the DNS keepers is notable, because so few businesses emulate it.

The FBI's top cyber cop, executive assistant director Shawn Henry, who's set to retire after 20 years with the bureau, warned businesses last week that when it comes to stopping hackers, "We're not winning." Furthermore, businesses largely have themselves to blame, because they've failed to properly understand the legal and financial risks they've created by neglecting to protect their networks.

The result, of course, has enabled the rise of hacktivist groups such as Anonymous and LulzSec. These groups don't steal data through mind-blowing Mission Impossible-style heists, but by trawling for banal, easy-to-exploit vulnerabilities in databases, such as SQL injection flaws. When it comes to coding errors, the bugs don't get much more mundane. The potential damage the attackers can inflict, however, is a different story.

The result, in a worst-case scenario, is a situation such as Nortel's, where attackers breached the company's network, then enjoyed access for another decade before being discovered and blocked. By then, of course, the damage was done.

Helpfully, hacktivists often tweet about what they've done, or are about to do. In many ways, that makes their attacks easier to defend against--or at least enables a prepared response.

But how thoroughly have you prepared for the attackers who may break in, without bothering to publicly broadcast their intentions?

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Midnight
50%
50%
Midnight,
User Rank: Apprentice
8/10/2012 | 10:17:54 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
Kudos to the DNS Root Servers Team!
People keep whining about groups like Anon but it really is true that you have to own your own system and it's daily needs. I have seen far to many companies rely on vendors who don't write clean code. The companies cry ignorance, and the vendors cry it wasn't their fault it's still just delusional. This problem is epidemic and the implications are deadly to business. There is a cure though, SELF RESPONSIBILITY!
I know it's a quaint old concept, but if a system is compromised, someone has not done their job. Yes it is that simple. Either a software vendor released code that was not Properly tested (ahem Apple, Microsoft, Cisco, Adobe to start with) or a Network Administrator did not keep up with updates/configurations/testing or a business owner has attempted to "Outsource the Responsibility" for their IT presence. (You do know the "cloud" is not a magic miracle fairy land of IT solutions, but more like the worst nightmare for securing sensitive data/resources? Really?)
The basics of security have not really changed since the first human wanted to keep a secret from another human. The basics of IT are the same since it's birth, people may change the tools they use and the form of the data, but the challenge is the same.
"Make my data available to me wherever I am, whenever I want, no matter how big the bulk, using or abusing any tool I want, instantaneously. Oh, and as an afterthought secure it from everybody else unless I want them to see it until I change my mind."
Heavens forbid these people are forced to take responsibility for the un-sane desires fulfilled. Groups like Anon and LULZ are a mixed bag, when they stand up and shout "The emperor is Nekkid!" that's one thing. We point and laugh. But when they start poking the emperor in the vulnerables, then it's not so funny because we must look at ourselves and see the state of our own clothes (or lack thereof.) The warnings are there and have been delivered, business intrusions are close to being UN-insurable losses because vendors, manager, and owners are implementing at "no feature show-stoppers" versus "no security show-stoppers." Vendors please have some real pride in your product instead of releasing beta code and using the public to debug it for you. Owners realize that you now are holding a machine with more power that a super-computer mainframe of the 70's... as a phone. You are responsible for what it does, how it is treated, how it is secure and safe. Don't lose that feeling of awe. You are indeed a teenager learning to drive dad's car. IT staff, you have a tough job. The business really does believe in you, but they don't understand the implications of their demands. And no don't try to explain it to them, they really don't get it or even want to. So take the stand, say "NO, not Yet" when it's clear the desire will endanger the company. But at the same time, find a solution for the board room that Will work. If that means they must give up their i-toys for another vendor that has security and stability as a higher priority, then that is what they get.
When pressed, all you have to say is "Sure you can use your i-toy here as long as you sign this document making you personally financially responsible for the business losses that will occur due to your decision, standard company policy. I am happy to assist you in this matter." Your insurance company will love you for it.
Acronym
50%
50%
Acronym,
User Rank: Apprentice
4/4/2012 | 9:48:25 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
"It's a game... a high-stakes game being played by one group against the rest of the world."

Increasingly, it is not a game at all. to increasing numbers of people, it is a war against the people by government supported heavily by corporations. Anonymous thrives by the support of ordinary people who are alarmed at the intrusions and abuse by government and corporations of individuduals who realize they can put trust in common people to protect them from the instusions of authority. You have all the power and all the money, but you don't protect people you protect assets and authorities.
Andrew Hornback
50%
50%
Andrew Hornback,
User Rank: Apprentice
4/4/2012 | 7:36:48 PM
re: Anonymous Vs. DNS System: Lessons For Enterprise IT
It's a game... a high-stakes game being played by one group against the rest of the world. It's possible to sit here and say that this was part of a planned security upgrade - however, what happens when Anonymous decides to attack something else? Do we throw millions down on the barrelhead in an attempt to mitigate that risk? How often does this happen before we run out of resources to defend against these attacks?

Rather than continuing to play the game defensively, it's about time that this becomes an offensive game with the idea of neutralizing this group and their threats, whether real or simply perceived.

Andrew Hornback
InformationWeek Contributor
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-1544
Published: 2014-07-23
Use-after-free vulnerability in the CERT_DestroyCertificate function in libnss3.so in Mozilla Network Security Services (NSS) 3.x, as used in Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7, allows remote attackers to execute arbitrary code via vectors that trigger cer...

CVE-2014-1547
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0, Firefox ESR 24.x before 24.7, and Thunderbird before 24.7 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1548
Published: 2014-07-23
Multiple unspecified vulnerabilities in the browser engine in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allow remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via unknown vectors.

CVE-2014-1549
Published: 2014-07-23
The mozilla::dom::AudioBufferSourceNodeEngine::CopyFromInputBuffer function in Mozilla Firefox before 31.0 and Thunderbird before 31.0 does not properly allocate Web Audio buffer memory, which allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow and applica...

CVE-2014-1550
Published: 2014-07-23
Use-after-free vulnerability in the MediaInputPort class in Mozilla Firefox before 31.0 and Thunderbird before 31.0 allows remote attackers to execute arbitrary code or cause a denial of service (heap memory corruption) by leveraging incorrect Web Audio control-message ordering.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Sara Peters hosts a conversation on Botnets and those who fight them.