Friday, November 18, 2016

Asymmetric Warfare

Asymmetric warfare is where the attack is cheap but the defense is expensive. It is very difficult to win in this situation; the attacker can wage a war of attrition at much less cost than the defender. Similarly, one of the insights in our 2003 SOSP paper was that services were vulnerable to denial of service if handling a request was significantly more expensive than requesting it. We implemented two mitigations, "effort balancing", making requesting a service artificially expensive, and rate limits on services. Both were ways of cheaply denying requests, and thus decreasing asymmetry by adjusting the relative cost to the attacker. Below the fold, the most recent example of asymmetric warfare to come my way.

Dan Goodin writes in New attack reportedly lets 1 modest laptop knock big servers offline that Danish security company TDC has identified "BlackNurse", a relatively low-bandwidth attack that uses ICMP type 3 code 3 packets. TDC reports (PDF) that the attack causes firewall CPU saturation:
BlackNurse is based on ICMP with Type 3 Code 3 packets. We know that when a user has allowed ICMP Type 3 Code 3 to outside interfaces, the BlackNurse attack becomes highly effective even at low bandwidth. Low bandwidth is in this case around 15-18 Mbit/s. This is to achieve the volume of packets needed which is around 40 to 50K packets per second. It does not matter if you have a 1Gbit/s Internet connection. The impact we see on different firewalls is typically high CPU loads. When an attack is ongoing, users from the LAN side will no longer be able to send/receive traffic to/from the Internet. All firewalls we have seen recover when the attack stops.
ICMP type 3 code 3 means "port unreachable" is true but "net unreachable" and "host unreachable" are false. Why would handling "net unreachable" and "host unreachable" be cheap but "port unreachable" be expensive? According to Johannes Ullrich:
this is likely due to the firewall attempting to perform stateful analysis of these packets. ICMP unreachable packets include as payload the first few bytes of the packet that caused the error. A firewall can use this payload to determine if the error is caused by a legit packet that left the network in the past. This analysis can take significant resources.
Again we see that expensive operations with cheap requests create a vulnerability that requires mitigation. In this case rate limiting the ICMP type 3 code 3 packets that get checked is perhaps the best that can be done.


David. said...

Ransomware is another example. SF Muni has been unable to collect fares for days because their systems fell victim to ransomware. The costs to mount this attack are insignificant in comparison to the costs imposed on the victim. Quinn Norton reports:

"The pre­dic­tions for this year from some analy­sis is that we’ll hit seventy-five bil­lion in ran­somware alone by the end of the year. Some esti­mates say that the loss glob­al­ly could be well over a tril­lion this year, but it’s hard to say what a real num­ber is."

David. said...

Renting a Mirai botnet 4 times bigger than the one that took down Dyn costs $25-30K for two weeks. That is rather asymmetric.

David. said...

Apparently SF Muni is losing $559K/day to the ransomware attack. Paying $73K to the attackers would have been a bargain. That's the problem with asymmetric warfare ...

David. said...

More detail on the SF Muni ransomware incident from Sean Gallagher at Ars Technica:

"In coordination with our partners at Cubic Transportation Systems, which operates [the ticketing kiosk system] Clipper, we took the precaution of turning off the ticket machines and faregates in the Muni Metro subway stations, starting on Friday until 9am Sunday,"

So, say a day and a half of no fare collection, or about $840K in lost fares, plus staff time to recover:

"SFMTA did not pay the 100-Bitcoin (about $73,000) ransom demanded by the attacker, Rose said. SFMTA's internal information technology team is instead restoring systems from backups. "Existing backup systems allowed us to get most affected computers up and running this morning, and our information technology team anticipates having the remaining computers functional in the next two days."

A big cost for not patching "a known vulnerability in an Oracle WebLogic server".

Brian Krebs reports the perpetrator's e-mail was compromised and revealed:

"A review of more than a dozen Bitcoin wallets this criminal has used since August indicates that he has successfully extorted at least $140,000 in Bitcoin from victim organizations."

Krebs ends with good advice:

"Finally, as I hope this story shows, truthfully answering secret questions is a surefire way to get your online account hacked. Personally, I try to avoid using vital services that allow someone to reset my password if they can guess the answers to my secret questions. But in some cases — as with United Airlines’s atrocious new password system — answering secret questions is unavoidable. In cases where I’m allowed to type in the answer, I always choose a gibberish or completely unrelated answer that only I will know and that cannot be unearthed using social media or random guessing."

That's a $500K/yr run rate. A pretty good business given the low costs involved.

David. said...

Charles Arthur's Tesco cyber-raid raises serious questions over UK banks’ security is a good lay-person's introduction to the risks of on-line banking:

"The idea of banks building up a false sense of security before a disaster might sound familiar. Simon Moores, an independent consultant on security, likens the situation now to the US financial market in 2006/7, when complacency over the inherent risks of mortgage-based products was compounded by ratings agencies which had an interest in certifying sketchy financial instruments as safe. “It’s just like The Big Short,” Moores says, referring to the film and book about the lead-up to the financial collapse, which was forecast by only a few. “The computer security industry is worth £30bn, but it doesn’t work any more. Having a box to protect your bank website or business doesn’t work. But nobody is prepared to accept the fact.”

David. said...

Wordpress sites are under a massive brute-force attack:

"These IPs all belong to the same organization and are on the same network. Doing a Google search on the top IP brings back many reports of abuse around the Internet. They belong to a hosting company in Ukraine called “Pp Sks-lugan“. The servers are a mix. Some aren’t running any services. Others appear to be running Windows IIS web server.

These IPs are using brute force attacks exclusively. They don’t launch any sophisticated attacks. They are hammering away at WordPress sites at a rate of over a quarter million login attempts each, in some cases, during a 24 hour period."

Some good advice from Lauren Weinstein:

"The simplest way to deal with this issue is to move the default WP login URL to some
unguessable string. This can be done manually or with easy to install plugins.
Leaving the login on the default is always a bad idea."