In the fall of 1988, a significant event took place in a suburb of Boston – approximately 6,000 nodes of the ARPANET computer network were paralyzed by malware written by a graduate student in the Department of Computer Science at Cornell University. The Morris worm, and this is the name given to the program by the name of the author, repeatedly infected network nodes and brought them to a state of denial of service. This event is considered one of the key milestones in the development of computer security.
Much has changed in 32 years: attacks have become more sophisticated, and defense more intelligent.
For any infrastructure provider, securing their systems is a paramount task, especially in our age when new vectors of attacks, such as ransomware viruses, automated spear-phishing, and deepfakes, are emerging. The complexity and effectiveness of such attacks make it necessary to defend using similar methods, using the capabilities of artificial intelligence and machine learning.
The point of such protection is to create some pattern of the normal state of the infrastructure, and then track abnormal deviations. If earlier statistical methods were used for implementation, now machine learning is used for this. So if the most ordinary user suddenly starts creating unusual activity that was previously uncharacteristic for him, then the neural network reacts to this and creates a security event: “Security officer/engineer, look, you have such a thing happening here.”
And it seems that this method is almost ideal, but suddenly it turns out that by creating such a security system, we open Pandora’s box and create a whole class of new threats. The weak link is the neural network itself because by modifying the data supplied to the input, you can force it to produce an incorrect result, and therefore prevent triggering. On Habré, by the way, there was a wonderful article about various methods of deceiving neural networks.
Here an increase in rates begins and you can go along the path of coaching a neural network for such situations or learning on common patterns. Any attack is not made from scratch. There are pre-existing tools, techniques, and tactics often used in specific sequences. Moreover, different groups use different sets of these techniques and tactics. By comparing the state of the system, attacks can be recognized and patterned, and then the order of response to them can be determined.
Such a scary word is phishing
Of course, one should understand from what and from whom to defend. Technical methods are great, but social engineering has not been canceled. To dissolve a careless specialist into something is becoming a much more significant threat, even for systems that are not connected to external networks. From this point of view, deepfake technology is becoming a truly terrible weapon. Imagine that your immediate supervisor calls you and, in a voice you know, gives an order to take some action.
How to protect yourself? It’s simple – to meticulously follow the work regulations and orders of the Department of Homeland Security. Regular training and awareness-raising work well.
For example, sometimes they conduct test phishing attacks when an email arrives from some partner or employee, the purpose of which is to force you to follow a link or provide any data. Based on this, then analyze the incident – guys, we conducted exercises, such and such statistics. Training is organized on why this cannot be done, how to identify this phishing attack, some basic things, the sender’s domain. Better not to go anywhere at all, but write to the Department of Internal Security right away.
Also, there are often situations when support is exposed to a phishing attack. Calls like “reset my password on my server” or something like that. It is worth trying to initially protect yourself from such that all support is carried out only through the ticket system. Neither email nor phone. To create a ticket, you need to go through authorization, which unambiguously guarantees the identification of the applicant. We do not take into account the option when the client’s login and password from the control panel were compromised – this is already very bad, an extremely bad situation.
Sometimes there are cases when letters from an incomprehensible corporate domain “This is my site. Send a backup, logs, data ”or something similar. In such a simple way, they used to often try to appropriate someone else’s intellectual property or even harm, for example, “Turn off the server urgently !!!”. Now there are fewer and fewer such cases, but nevertheless, they still occur.
Rules and exceptions
There was a case when the client stole access to the panel and tried to do something with his servers. Support sees from which IP addresses are made authorization. Received a call from the number attached to the account. The caller asked to turn off all its servers. The panel at the same time there was authorization from the address that was never previously used for this, and the client had all the data specified in the questionnaire. After the maximum possible validation, the client believed, the account was blocked, and the servers turned off. But such cases are an extremely rare exception to the rules.
Theoretically, another script is possible when the account is hijacked, rent virtuals, and make any attacks with them. But here other protection systems are already playing their role. On our side, there is an anti-spooning IP address, which does not allow to release packages to the world with a forged address, as well as scoring systems, about one of which we have written here so long ago, on Habré. Such a system is able to independently decide on account blocking.
The complexity is that we cannot look into the client systems, dump the network traffic or log on to all its connections. Therefore, you have to validate customers even at the registration stage, for example, we have to create something or run to confirm at least some phone number. And the option with SMS is by no means reliable.
On the Internet full of disposable SMS services, which are often used by spammers. For the conditional 3 values, you can request the contents of SMS via API and fully automate the process. 100, 200 registrations per hour from one place, and this is not the limit. So we now use a phone call as a confirmation, which is much more difficult to fake and automate.
Most of the unfair registrations occur with foreign IP addresses. As soon as the vulnerable service is found, they begin to massively break, register hundreds and thousands of fake accounts. But the problem here is that our customers abroad also have. To separate them, we had to implement the rating system, the so-called "confidence index". We look at the country of IP addresses, payment methods, and many other parameters, exposing on the basis of this conditional estimate from 0 to 100 points. The account then passes multiple checks. Each woven check, these points take off. When it comes to 0, the account is blocked.
Such a system is not ideal, but it allows you to comply with the balance between safety, convenience, comfort, and mutual trust between us and the client. We do not violate the privacy and privacy of users and at the same time put such barriers to potential attackers who practically kill the economic feasibility of holding attacks.
About overlay networks and DDoS attacks
Many media often raise topics such as Darknet and related legends. And if not much to go into details, it seems that there are just the most dangerous attackers and the most sophisticated vectors of attacks. Here you should immediately designate such a moment that DarkNet itself is not some kind of global network, but only the conditional name of various overlay networks working on top of the Internet. Each of these networks was created to ensure anonymity and all of them differ in architecture and the method of implementation.
It should also be understood from whom we are protected and try to achieve notorious anonymity. If from the Internet provider or owner of any resource – then the task is quite fulfilled. But if from the special services of states, it is probably a useless thing. The problem is that such a network is calculated that consists of a certain number of nodes and more than them, the higher the conditional anonymity. If you take control of a certain amount of such nodes under control, then as a result, you can monitor part of customers, even despite the resistant encryption and various methods of concealing / disguise traffic.
Often the failure does not even give the technology, but the social aspects of human activity. Even the clock of activity and devices can play a role, not related to anonymous networks. Was in the Soviet Union such a bike that Mgushniki students decided to pinch and passed to each other in a clogged Moscow metro a few weeks an ordinary empty suitcase and went out at different stations. For the tenth time, they accepted the KGBSHI. This is the question about the fact that such activity is bilateral, everything is followed by it.
As for attacks conducted from such networks, there also have their own characteristics. Overlay networks such as I2P work quite slowly, which almost immediately puts the cross on the high-speed bruthfors of passwords and other simple joys of Mamkina hackers of intruders. The fact is that anonymies for the sake of data are divided into parts and sent from the node to the node with different routes. Then the route is longer, the anonymity is higher, but the final delay is higher so that the same DDOS through I2P is extremely problematic. Attacks of the application level here are a greater threat.
Since the topic DDoS attacks touched, it is probably worth discussing the main question of almost every customer, who comes to us: “If they are DDOS me, what then?”. And here it is worth taking into account that DDoS attacks are different. There are those that are aimed at scoring the communication channel, there are those that attack the protocol level or application level. So options are possible.
If an attack can harm an IaaS provider, the provider will protect its infrastructure by dropping all traffic to the attacked client. If the attack is already at a higher level, then the client can either defend itself on its own, passing traffic through the cleaning nodes.
If the client is regularly attacked, then he should turn on the protection. There are different tariffs, from relatively inexpensive to complex, and spreading for hundreds of thousands. The price will depend on how sophisticated attacks the attacker uses and how complex the defenses must be built in order to repel them.
The financial issue will play the main role here. It is easier for someone to “lie down” for a couple of hours than to pay for expensive protection. Of course, a similar question arises for the attacker, because the more complex an attack, the more expensive it is. As a result, the question boils down to who has more money or who will give up earlier and say: “That’s it, it’s not profitable to attack him any longer, it’s too expensive” or vice versa – “I’ll spend more money on defense than I will simply lose from downtime.”
In the last 5 years, DDoS attacks have increased significantly, mainly due to the spread of the Internet of Shit. All sorts of “smart” bulbs, televisions, vacuum cleaners, refrigerators, and hundreds of other types of devices that are disgusting from the point of view of security are connected to the network. So crazy scenarios like “millions of Xiaomi vacuum cleaners started to go to the Portland hairdresser site” are becoming quite real.
The question is not even about hacking such devices, but the fact that they often have open Telnet or SSH shells. You can upload any scripts and do whatever you like. This has become a headache since then as attacks have become more distributed and complex. Organizing protection when you are attacked not by 100 thousand addresses, but by 100 million, and even from the same number of different devices, is an extremely difficult task.
The scary thing is that most of these devices will remain unprotected because in order to do this, you will have to change the firmware. If the model is poorly or not adequately supported by the manufacturer, then nothing can be done about it. There have been stories when the vulnerable firmware of the wireless modules of some smartphones was infected with malware that attacks all Wi-Fi networks in the range of reception. To patch such a vulnerability, you will need to completely rebuild the phone’s firmware, but no one in their right mind except the manufacturer will do this, SDKs for such modules are much more expensive than purchasing a new device.
Hardware bugs and software vulnerabilities
Almost 3 years have passed since there was a huge scandal related to the fact that a large manufacturer of server equipment, Supermicro, was caught installing tiny spyware chips on server motherboards, allowing them to remotely gain control over the system. According to Bloomberg sources, about 30 American companies were affected, including Apple. So such an exotic attack vector can also be viewed as a potential threat.
How can an IaaS provider protect itself from such situations? It is impossible to fully protect against the fact that the next batch of servers will not have hardware tabs. One way or another, the question of trust in certain vendors arises and a risk-based approach is applied. But the likelihood of such an attack is small because here it is not even a separate party that comes into play, but the state.
If a similar vector exists in your threat model and, suppose, a hardware tab exists, it can be neutralized by complete network isolation and proper firewall configuration. A bookmark is useless if it has no connection with the control center. She will never receive commands and will not be able to send information anywhere. This approach is possible and actively used.
If we are talking about the fact that when detecting 0-day vulnerabilities, we have a large degree of maneuver – this is so. Working closely with server hardware manufacturers allows us to react much faster, for example, by receiving and applying patches directly, even before they become publicly available. We also try to always keep the firmware of all server components up to date.