Qrator Labs has presented network security trends for 2019.
Qrator Labs, which specializes in countering DDoS attacks and ensuring the availability of Internet resources, has presented its view of the network security trends of 2019.
The growth of the IoT market means that attackers who wish to can exploit vulnerable devices to create significant attack bandwidth, as happened in the middle of the year when the WSDD protocol was used to cause visible damage. The Apple ARMS protocol, which was used to obtain an amplification factor of about 35.5, was also seen in attacks on the Qrator Labs filtering network.
During 2019, new amplifiers (PCAP) were identified, and a long-known attack vector using TCP amplification (a reflected SYN/ACK flood) was recorded in practice.
An amplification attack works by sending a request to a vulnerable server belonging to an unsuspecting third party; that server multiplies the request many times over, and its responses are delivered to the victim's site. In this case, the LDAP and TCP protocols were used to amplify the attack.
Attacks involving the SYN/ACK amplification vector have become one of the most serious network threats, while until 2019 they remained only a theory. One of the first high-profile attacks using the SYN/ACK amplification technique was carried out against the international hosting platform Servers.com. SYN/ACK amplification traffic reached a peak of 208 million packets per second, and the longest attack period with continuous bombardment by “junk” traffic was 11.5 hours.
It is also notable that the most common reaction method of the past, dropping all UDP traffic, which neutralizes a large proportion of amplification attacks, does not help against the SYN/ACK vector at all. Smaller Internet companies have great difficulty neutralizing such threats, as doing so requires more comprehensive anti-DDoS measures.
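As an added illustration (not code from Qrator Labs or the article), the snippet below classifies sampled inbound packet records into the two vectors described above, UDP reflection from amplifier ports and unsolicited SYN/ACK replies, and shows why the legacy "drop all UDP" policy leaves the SYN/ACK vector untouched. The packet records, the reflector port table and the `OUTBOUND_SYN` set are constructed assumptions.

```python
from collections import Counter

# Constructed inbound packet records seen by the protected host 203.0.113.10:
# (proto, src, sport, dst, dport, tcp_flags, length_in_bytes)
INBOUND = [
    ("udp", "198.51.100.7", 389, "203.0.113.10", 41000, "", 3000),   # LDAP reflection
    ("udp", "198.51.100.8", 389, "203.0.113.10", 41001, "", 3000),   # LDAP reflection
    ("tcp", "192.0.2.20", 443, "203.0.113.10", 52000, "SA", 60),     # unsolicited SYN/ACK
    ("tcp", "192.0.2.21", 443, "203.0.113.10", 52001, "SA", 60),     # unsolicited SYN/ACK
    ("tcp", "192.0.2.22", 80, "203.0.113.10", 52002, "SA", 60),      # unsolicited SYN/ACK
    ("tcp", "192.0.2.99", 443, "203.0.113.10", 52003, "SA", 60),     # reply to a real SYN
]
# Constructed record of SYNs the protected host itself sent: (peer, peer_port, our_port).
# A SYN/ACK that matches nothing here was never solicited, i.e. it is reflected.
OUTBOUND_SYN = {("192.0.2.99", 443, 52003)}

# Source ports of well-known UDP reflectors named in the article (assumed port table).
REFLECTOR_PORTS = {389: "ldap", 3702: "wsdd", 3283: "apple-arms"}


def classify(packet, outbound_syn):
    """Label one packet as UDP amplification, SYN/ACK reflection or legitimate."""
    proto, src, sport, dst, dport, flags, length = packet
    if proto == "udp" and sport in REFLECTOR_PORTS:
        return "udp-amplification:" + REFLECTOR_PORTS[sport]
    if proto == "tcp" and flags == "SA" and (src, sport, dport) not in outbound_syn:
        return "syn-ack-reflection"
    return "legitimate"


def summarize(packets, outbound_syn):
    """Count packets per class; the counts are what a detector would alert on."""
    return Counter(classify(p, outbound_syn) for p in packets)


def drop_udp(packets):
    """The legacy mitigation the article mentions: discard every UDP packet."""
    return [p for p in packets if p[0] != "udp"]


def residual_after_udp_drop(packets, outbound_syn):
    """What still reaches the host once UDP is dropped: the SYN/ACK vector survives."""
    return summarize(drop_udp(packets), outbound_syn)


if __name__ == "__main__":
    print("all inbound:", dict(summarize(INBOUND, OUTBOUND_SYN)))
    print("after UDP drop:", dict(residual_after_udp_drop(INBOUND, OUTBOUND_SYN)))
```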
In 2019, a new class of problems was identified related to the use of the BGP protocol to optimize traffic paths across telecom operators' networks. Many companies want to control the flow of outgoing traffic automatically, which allows them to cut costs significantly. For this purpose, various devices are installed that use specific tactics for working with BGP, and they can only operate safely if the filters around them are correctly configured to prevent route leaks. Unfortunately, few specialists know how to configure these filters properly, so the optimizers constantly “break” and routes leak off in unknown directions.
Traffic for Instagram, Facebook and Google was suddenly redirected in January 2020 to one of the traffic exchange points in St. Petersburg from a provider in the Donetsk People's Republic that was engaged in traffic optimization. Such incidents are dangerous not only because of the network errors they cause but also because of the potential for malicious traffic interception (man-in-the-middle attacks).
Recently, with the purchase of BGP optimizers, such situations have occurred regularly. Qualified network engineers across the industry actively support limiting the use of optimizers, since no one knows how to work with them. Nevertheless, even in Russia one can see how many companies are starting to buy BGP optimizers to reduce traffic costs, which, in light of the new legislation on traffic exchange points and autonomous systems, can produce a very unpleasant cumulative effect.
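The following is an added example (not from the article or any vendor) of the kind of egress prefix filter the text says must surround a BGP optimizer: only prefixes inside the network's own and customer cone are allowed out to upstreams, and anything else the optimizer tries to announce is reported as a leak. The allowed cone and the candidate announcements are constructed from documentation address ranges.

```python
import ipaddress

# Constructed cone: the prefixes this network may originate or re-announce upstream
# (its own block and one customer block). A real filter would be built from IRR/RPKI data.
ALLOWED = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "198.51.100.0/24")]

# Constructed list of what an optimizer wants to announce to upstreams. The 192.0.2.x
# halves and the IPv6 block are more-specifics of someone else's space learned from a
# peer; announcing them would be exactly the route leak the article describes.
CANDIDATES = [
    "203.0.113.0/24",    # own prefix: fine
    "198.51.100.0/24",   # customer prefix: fine
    "203.0.113.0/25",    # more-specific of own space: still inside the cone
    "192.0.2.0/25",      # foreign more-specific: leak
    "192.0.2.128/25",    # foreign more-specific: leak
    "2001:db8:1::/48",   # foreign IPv6 prefix: leak (and a different address family)
]


def is_permitted(prefix, allowed=ALLOWED):
    """True only if the prefix is covered by some allowed prefix of the same family."""
    net = ipaddress.ip_network(prefix, strict=True)
    # subnet_of() raises TypeError across address families, so check the version first.
    return any(a.version == net.version and net.subnet_of(a) for a in allowed)


def filter_announcements(candidates, allowed=ALLOWED):
    """Split the optimizer's candidate announcements into (accepted, leaked)."""
    accepted, leaked = [], []
    for prefix in candidates:
        (accepted if is_permitted(prefix, allowed) else leaked).append(prefix)
    return accepted, leaked


if __name__ == "__main__":
    ok, leak = filter_announcements(CANDIDATES)
    print("announce:", ok)
    print("blocked as leaks:", leak)
```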
Yevgeny Gnedin, Head of Information Security Analytics at Positive Technologies, said: “Today, criminals can monetize botnet networks in several ways. The most common of them are carrying out DDoS attacks, cryptocurrency mining, use in targeted attacks, in particular for guessing passwords to servers, or simply renting out a botnet. At the same time, we are seeing the emergence of truly multifunctional botnets; a vivid example of this is Neutrino, which not only exploits vulnerabilities for hacking servers and mining cryptocurrency, but also hacks other people's web shells, taking control of resources already hacked by someone else. Currently, Neutrino is among the top three in the number of attacks on Positive Technologies' honeypots.”
Although mobile device manufacturers try to support as many versions of modern apps as possible, in 2019 it became noticeable that many apps have stopped being updated on older devices. This is especially true of the world's most popular browser, Chrome. At the moment there are entire fleets of devices running old versions of the browser for which newer versions are no longer available.
These older browser versions contain vulnerabilities that can lead to leaks of personal data and financial information.
On the other hand, on many devices Chrome continues to be actively updated, and Google presumably uses this to conduct A/B testing of the browser on users.
Everyone used to assume that when a new version of the browser is released, all computers are automatically updated to it. However, this is not entirely true. Google simultaneously releases two minor versions of the Chrome browser (differing in less significant improvements and fixes) and updates half of user devices to one and half to the other. Most likely, this is done to test a new version of the QUIC protocol, which Google Chrome already supports. QUIC (Quick UDP Internet Connections) is a new experimental Internet protocol developed by Google to replace the old web protocol stack. The risk with QUIC is that a poorly thought-out deployment in Internet services can weaken their protection against DDoS attacks: popular DDoS toolkits have built-in support for UDP, which makes QUIC a more exposed target than traditional TCP-based web protocols.
The Chrome testing situation shows how Google is developing a new generation of network protocols. In this way it can find out which version of Chrome is more responsive, which network settings work better, and for which users pages open faster. For users, the situation matters because two separate people may see sites open slightly differently. It is also an indicator of how quickly Google (or other companies, such as Telegram) can deploy a new protocol, for example to bypass blocking, on all devices in the world.
“According to our estimates, the total number of DDoS attacks in 2019 increased by about 1.5 times. This increase in the number of incidents was achieved due to the growth of attacks on individual industries: banks, payment systems, crypto exchanges, online retail, dating sites,” commented Artem Gavrichenkov, Technical Director of Qrator Labs. “You can see that in the last year there was a redistribution of certain markets between their individual players. And while large businesses can withstand attacks, this is a big problem for medium-sized businesses: small companies often do not have the financial resources available to use external protection solutions on a permanent basis, so they are more likely to fall victim to DDoS attacks.”
According to the formal figures from Qrator Labs, attacks on the media sector decreased by 7.59%, but the situation is somewhat more complicated than it seems. In late 2019 and early 2020, attacks on the media increased by an order of magnitude. In recent years, most Russian media outlets have started using free or inexpensive DDoS protection tools, particularly foreign ones. Since budget protection often comes with a level of quality to match (due in particular to errors in its implementation), at the end of 2019 the industry saw many successful attacks on media sites. As a result, the attackers realized that most media sites can be brought down with minimal effort, and recently they have started doing it just for fun.
“In 2020, the situation with attacks on the media will continue. Already at the beginning of the year, a large number of newsworthy events appeared, many of which caused a lively response in people's minds, both positive and negative. Violent bursts in the information space are usually followed by active hacking attempts and DDoS attacks, which the media industry may not be ready for,” said Artem Gavrichenkov, Technical Director of Qrator Labs.
Data from Positive Technologies, a company that specializes in developing software and providing services in the field of cybersecurity, shows that among the industries attacked by cybercriminals, government agencies, companies in the industrial and financial sectors, and medical and scientific organizations remained the leaders at the end of the year. In most cases, the target companies' computers, servers and network equipment were attacked during the year. “To protect against mass attacks today, it is enough to follow standard recommendations. But this approach does not work with complex targeted attacks by professional hackers. We need to study their techniques and tools and implement specialized security systems that can detect such tools and techniques: SIEM (Security Information and Event Management), NTA (Network Traffic Analysis), sandboxes, etc., and of course it is important to improve the practical skills of the employees of the information security service, because countering complex threats requires highly qualified personnel,” commented Yevgeny Gnedin, Head of Information Security Analytics at Positive Technologies.