Earth Day really did make a difference – at least in the world of internet security.
That’s one of the conclusions revealed in a paper presented today at the Virus Bulletin (VB2012) conference in Dallas, Texas.
On 22 April 2012, more than a billion people around the world are thought to have done their bit to preserve the environment, with many choosing to turn off their computers to reduce energy consumption.
And what happened? Well, I can’t tell you if the planet has a rosier future, but it’s certainly the case that denial-of-service attacks plummeted according to researchers.
Internet attacks dropped on Earth Day (22nd April), as they also did on 29th May (Memorial Day weekend) and 28th June (just before US Independence Day celebrations).
Although it’s very tricky to prove a connection, there were plenty of theories presented at VB2012 as to why other dates showed a massive slump in DDoS attack traffic.
Could the drop on 30th January be due to Chinese families travelling in the run-up to the Chinese New Year celebrations? And were attackers recovering from St Patrick’s Day on March 20th?
My suspicion is that the Earth Day effect could be real: home botnet computers were turned off and botnet-based attacks declined. If everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed.. it could also mean a reduction in botnet attacks.
Did you just get hit by a DDoS attack from Mars?
Malicious hackers and extortionists are frequently in the headlines for launching denial-of-service attacks against all manner of internet sites – including gambling websites, blogs, businesses, and media organisations critical of governments.
Victims in the recent past have included the Azerbaijan-hosted Eurovision Song Contest, sites connected with elections in Russia and Mexico.
The motivations for such attacks may be financial, or political, or ideological. However, while an inaccessible website being bombarded with unwanted traffic can be highly visible and obvious, what is seldom discussed is the impact such malicious traffic is having on the net as a whole.
CloudFlare’s John Graham-Cumming attempted to paint a picture of the internet’s malicious traffic for delegates at the Virus Bulletin conference in Dallas today. Internet traffic that is “ever present, but difficult to see”.
CloudFlare, a San Francisco-based firm that protects websites from security threats, handles some 64 billion page views every month – giving it the opportunity to track large numbers of attempted attacks against its clients.
Aside from his “Earth Day” revelations, Graham-Cumming described the constant barrage of attacks which occur against CloudFlare’s network around the clock, every day of the week, in an attempt to disrupt their customers’ websites. Attacks, he explained, tend to peak mid-week but hardly ever stop.
Some denial-of-service attacks, however, shoot themselves in the foot somewhat by being far too easy to filter.
According to Graham-Cumming’s paper, the largest source of attacks (23%) comes from Martian IP addresses (that is IP addresses that can legitimately appear on a corporate network or home environment, like 10.0.0.0 or 192.168.0.0 to 192.168.255.255) but are not valid on the public internet.
In one swoop, almost a quarter of attack traffic can be instantly disregarded as it is clearly being spoofed.
The other networks which appear to be serving up the most traffic (it’s hard to be definitive as the originating network can be spoofed) are China Telecom with 3.45%, China Unicom with 2.13% and Comcast and Dreamhost with 1.74% and 1.45% respectively.
CloudFlare’s clash with UGNazi hackers
Of course, being in the business of protecting the web presence of so many organisations does make CloudFlare something of a target itself. John Graham-Cumming’s paper acknowledges this, detailing an attack by the UGNazi hacking collective against his company in June 2012.
The UGNazi attack had the 4Chan message board in its sights, and managed to successfully redirect users hoping to visit the anarchic website towards UGNazi’s Twitter page instead.
Although CloudFlare isn’t entirely blameless, a contributing factor in the attack was a flaw in Google’s two factor authentication, intended to secure access to CloudFlare’s online accounts:
[UGNazi] succeeded in taking over the personal and work email of CloudFlare’s CEO and using that to gain access to the DNS settings of one of our customers. They used that to redirect that particular site.
The attack involved four key vulnerabilities that, when put together, allowed the hackers in:
1. AT&T was tricked into redirecting the CEO’s voicemail to a fraudulent voicemail box;
2. Google’s account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed his personal Gmail account to be reset;
3. A flaw in Google’s Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on his CloudFlare.com address;
4. CloudFlare BCC-ing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.
Sadly, it seems that the trend for denial-of-service attacks is rising. But some hackers are becoming aware of the methods that firms are using to deflect them.
The fear must be that hackers who previously launched DDoS attacks might switch to using other attack methods (such as breaking into websites) which could potentially be much more damaging to an organisation.