How CloudFlare dealt with a 65Gbps DDOS Attack…

Abraham Williams on Google+ pointed us to an article over on the CloudFlare blog about how they dealt with a recent 65Gbps attack.  The article titled “How to launch a 65Gbps DDOS attack and how to stop one” gives some high level details about how they deal with such attacks and how someone can get 65 Gbps of bandwidth to even start one.  The article does a great job of explaining one method using Open Unrestricted DNS Resolver.  The basic idea is that since DNS can be done with UDP packets you can easily forge the from address and cause the Open Unrestricted DNS Resolver to reply to the targeted computers or network.  This is exploiting two flaws in the internet.  The first that UDP is a fire and forget protocol which doesn’t require any proof of where you are coming from.  The second is that Open Unrestricted DNS Resolver exist or at the least allow UDP requests.  DNS can and should be required to be done over TCP which makes forging the information much harder and less reliable.

They have an article they wrote before this one that talks about and apologizes to their customers for the disruption in the first place.  It’s found here and called “Post Mortem: What Yesterday’s Network Outage Looked Like” .  It is a shinning example of what a company should do when an event like this happens.  It is very transparent, clear and easy to understand and most of all genuine.  While I know it’s great PR it’s not something I see a lot of companies like them doing.

 

Let us know if you have ever dealt with something like this in your job?

Do you think they took the proper response?

What do you think of the post mortem?

Update: Changed Open to Unrestricted becuase as pointed out in the comments below it seemed to imply the awesome DNS service by a similar name.  They, to our knowledge, were not part of the problem.

One of the simplest ways to tunnel your traffic securely…

So the folks over at LinuxJournal.com wrote up a great tutorial for tunneling through SSH.  What’s so great about that?  Well it’s an easy way to do simple stuff securely on your home or office network.  You only need to open up port 22 for SSH and point it to an SSH Server.  Then you can point to a local port and use SSH to get it to your destination server securely.

Wait…Can’t someone just login to my machine that way?  If you take percausions like using only SSH Keys and not passwords and use a gawk script like this one over at everythingbash.com.  This script will create and send you a cool list of everyone who has and has tried logging in. 

WARNING!!!! I have had several customers and friends notice that their SSH Servers just get pounded with people trying to connect using default or bogus accounts.  So be sure to disable, remove or set the shell to /bin/false any account you aren’t using.

Is linux really more secure?

With the recent breaches at Kernel.org and the Linux Foundation several people have started asking is Linux really more secure?  Our assesment of the sitution is that any OS is only as secure as the users and Admin’s make it.  A weak user password or failing to keep up with system patches both can end with the same result as the Kernel.org breach showed.  Others like Leo Leporte’s Twit Network website were caused by missed updates.  So whether it’s Windows, Linux or the Mac poor choices will always lead to insecurity.  Protect your data and that of your fellow users and use long, safe and secure pass phrases.  if your a system admin or Developer push hard to maintain your systems to a reasonable patch level for your company.

Security breaches just keep on coming…

According to several reports both kernel.org and linux.org were hacked over the last few weeks.  Showing that both linux isn’t perfect and that users are the weakest link in any operating systems armour.  In both cases nothing super secert from the users was stolen.  The kernel.org attack is not an issue, as no one can update the kernel code or other software hosted at the site without a large nuber of contributors being told about the update.  So with everything safe and the users passsword changed we can all breath a sigh of relief and walk away remembering that even simple things like password policies are important.

Please make us accountable for security..

This post is a direct plea to any C level managers or other managers that control what IT people do.  We at LinuxInstall.net are tired of reading about companies like yours getting hacked.  We feel comfortable saying this because while not every industrial market has seen a break in, it’s only a matter of time before they all confess.  So what can you do?

First you should hold everyone accountable for their part of your IT Security, even if they don’t work for that department.  By this we mean that your developers should be held accountable to write secure code.  Your administrators should be expected to follow strict hardening standards.  Everyone else in the company should use strong passwords and be smart about what they click on while visiting a web page.  

So how do you verify that this is all being done?  Start with an audit of every one’s processes which you have performed by outside security experts.  They will be able to accurately evaluate that your standards are both secure enough and being enforced.  With internally developed websites, the cost of outside code reviews should save you from having to spend the money on fraud protection for all of your customers or users.  Read the audits and ask both the auditors and internal staff enough questions to let them know you really did look at it and want more detail or clarifications.  It doesn’t make you look stupid and you will earn more respect this way.  This process will also very likely end with a request for more staff, so be prepared.

For everyone, including IT, forced training about good web surfing habits and passwords are a must for every company.  Regular checks by your security team for weak passwords inside your company will help to scare people straight about the policy.

Finally, listen to your staff.  You pay them to be the experts on this.  Let them be experts.  They are the ones that should be focused on reading about the latest trends and maintaining their skills. To keep up their skills they need to go to both local and remote conferences on coding, security and things of this nature.  That means that you need to spend money on it.  The volume of knowledge around the entire security world is now beyond one person.  Your teams should be both generalists and specialists.  This will let them learn the basics and then focus on their area of interest.  When you get the request to spend money, just review and approve it on the condition of cross training their teammates.

Remember security is every ones concern.  If the company is breached bad enough, going out of business is a real possibility.  With everyone working together and working securely you can take a large step towards securing the net.

TrendMicro reports Virus attack targeted at Routers…

TrendMicro is reporting that they have uncovered a virus targeting D-Link routers which are Linux based.  Once infected the router starts listening to IRC for botnet commands and can also start brute force atacking the Username and Password combinations it finds on the router.  They are still looking into what else the code may do.  They are identifing it as ELF_TSUNAMI.R and will be posting updates as they have them.  No mention of whether D-Link has posted an update to address the issue.  Since D-Link and TrendMicro are partners the solution may already be in place.  This is identified as a Low Risk, High Damage Poritential and Low threat for being spread. 
Are you running Antivirus software on your Linux machines?