Internet Censorship By Denial Of Service

 Computing, Security  No Responses »
Sep 282016
 

One of the things that has happened recently was that a commentator on security matters (Brian Krebs) was taken offline by a massive denial of service attack, which (not so) mysteriously happened after he published an article on denial of service attacks. The short version of the story was that his site was hit by a denial of service attack totalling approximately 650Gbps (that’s roughly 6,000 times as much network bandwidth as your typical broadband connection), when his denial of service protection threw their hands up in the air and said: “That’s too much like hard work for a pro-bono service” and gave him 2 hours to move his site.

Google helpfully provided an alternative with Project Shield, and the site was reasonable quickly available again. And to be fair to the original denial of service attack providers (which I’m not naming), this level of attack was sufficient to cause problems to their paying customers and protecting from this level of attack is very expensive.

And indeed paying for denial of service protection is very expensive; the income for the entire lifetime of this blog site would pay for approximately 2 hours of protection. If that.

There are two aspects to this attack, although to be honest neither are particularly new.

The first is technical. Most distributed denial of service attacks are quite simple in nature – you simply ask a question of a dumb “server” with the return address of the site you want to attack. If you send out enough questions to enough dumb “servers” (which can actually be simple workstations or even Internet of Things devices), then you can overwhelm most sites on the Internet.

There are two fixes for this :-

  1. Don’t run dumb and insecure servers.
  2. ISP’s should stop allowing people to forge addresses on network traffic (Ingres Filtering or BCP38).

The second fix is the simplest method, but given how successful the decades long campaign for ISPs to do ingres filtering has been, tackling both ISPs and dumb servers is worthwhile.

As this latest attack may have been chiefly by IoT devices simply sending requests to the victim, the implementation of ingres filtering may not have been of much use in this case, but it is still worthwhile – this attack is not the only one that is happening. Attacks are happening constantly. However, tackling these “dumb servers” that were controlled by the attacker is also a priority, and we need to start seeing concrete action by the ISPs to tackle their customers’ mismanaged networks (home networks in many cases) – aggressive filtering of infected customer networks, and customer notifications that include advice.

Of course ISPs are not going to like doing that just as IoT manufacturers don’t like paying more to make secure appliances. Well, it’s time to name and shame the worst offenders; the bad publicity may help to counteract the lack of incentive to invest in processes that don’t immediately help the bottom line.

The second aspect is rather more serious. We now have an Internet where it is relatively easy to silence anyone who says something you do not like – if you’re rich enough to hire a denial of service gang. Anyone that is who cannot afford protection from such gangs, and there are suspicions that some gangs also provide denial of service protection services.

And this story is not the first time it has happened, and we need to start thinking about mechanisms to keep smaller publishers online when attackers try to censor them. Unless we want all our media controlled by the big players of course.

2016-03-28-swamped bandstand.small

Linux: Command Line Calculations

 Computing, Linux  No Responses »
Sep 012016
 

Although I use graphical on-screen calculators for many calculations, it can sometimes be convenient to perform calculations at the command-line (or in shell scripts). In which case the old tool is expr :-

» expr 3 \* 9 
27

Very convenient; even though I can do such a calculation in my head there are circumstances where checking with a calculator is suitably cautious. You can of course perform calculations directly in the shell; if you are using a modern shell such as zsh or bash :-

» echo $((3 * 9))
27

Whilst convenient, such methods do have their disadvantages :-

  • The expr tool takes it’s expression after the shell has had it’s way with interpreting it – which is why I have escaped the “*” to multiply. You cannot put quotes around the expression either as expr assumes it to be a string.
  • These calculations are integer calculations, so you cannot find out what 77/4 is (19.25). Oops! Turns out that if you make one of the numbers in the expression a float, then the result is properly calculated: echo $((77.0/4) -> 19.25.
  • These calculators are limited to relatively small numbers – according to zsh, 2^63 is -9223372036854775808

If you need something a little more sophisticated then qalc (this is the command-line interface for Qalculate!) makes a pretty good command line calculator. It has to be installed with sudo apt-get install qalc and once installed it should be run interactively to get the initial configuration out of the way :-

» qalc
You need the download exchange rates to be able to convert between different currencies.
You can later get current exchange rates with the "exchange rates" command.
Do you want to fetch exchange rates now from the Internet (default yes)? yes
> quit

Once installed you can perform calculations in the same way as expr (although you can enclose an expression in quotes) :-

» qalc "3 * 9"
3 * 9 = 27
» qalc "2 ^ 72"
2^72 = approx. 4.7223665E21
» qalc "0xff"  
255 = 255
» qalc "86400s to hours"                                                                  
86400 * second = 24 h

You can add the “-t” option to prevent qalc telling you the expression it calculated; perhaps more useful in scripts than interactively.

damascus-unix-prompt

Linux: ZFS: Be Careful With Child File Systems

 Computing, Linux  No Responses »
Sep 012016
 

One of the advantages that ZFS brings, is that it is so easy to create file systems, that you can create them for purposes that you would not previously do. For example, I have an additional file system mounted under my home directory for a certain application that generates a lot of data that I do not need backed up. Because the script I use to back up stuff does not cross file system boundaries (i.e. it does not descend into a directory that contains a mounted file system), I can simply exclude a large amount of frequently changing data by making a file system.

Or I might (as it happens I do not, but I could well do) create file systems for large lumps of data to easily see how much space they occupy – perhaps ~/Pictures. You can run a command like du -sh ~/Pictures, but that is an expensive command (it takes a while) and it tells you how large the files are; not how much space they occupy on disk. And on-disk compression can make that a significant difference! So simply run df -h ~/Pictures if that directory is on a separate file system.

But there is a bit of a gotcha with that. If you create such file systems in the normal way (such as zfs create pool/mikes-pictures; zfs set mountpoint=/home/mike/Pictures pool/mikes-pictures) you risk creating a situation that may prevent your home directory from mounting. If the “child” file system is mounted before the parent, it will not be possible for the parent file system to be mounted when booting.

Instead create the hierarchy properly :-

zfs create pool/h2
mkdir /h2
zfs set mountpoint=/h2 pool/h2
zfs create pool/h2/mike
zfs create pool/h2/mike/Pictures
ls /h2/mike/Pictures

You will also have to fix the permissions, but this is a far safer way of organising things suitable for future file system creation.

damascus-unix-prompt

Linux: Fixing The Invisible Mouse Pointer

 Computing, Linux  No Responses »
Aug 292016
 

It seems that occasionally GNOME can go a little screwy and its fancy mouse pointer plugin can result in an invisible mouse pointer. Which makes doing anything just a little bit tricky.

If you can open a terminal, enter the command :-

gsettings set org.gnome.settings-daemon.plugins.cursor active false

And all should be well. At least until it decides to turn itself back on again (so make a note of this fix!).

damascus-unix-prompt

Anti-Virus Is Dead. Long-Live Behavioural Analysis …

 Computing, Security  No Responses »
Jul 142016
 

One of the throw-away statistics I tripped over recently was that there are 5 new malware releases every second.  Now many of those new releases are variations on a theme – there are pieces of software designed to distort a piece of malware into a new piece of malware with the same functionality. This is done deliberately to evade anti-virus software.

And it works. Every so often I feed some strange mail attachments into virustotal to find out how widely it is recognised. It is not uncommon to find that only 2-3 will recognise it as malware out of 50-odd virus checkers on that site. So if you happen to be dumb enough to download and activate the attachment, your anti-virus checker has a roughly 5% chance of protecting you.

Not exactly what you should expect.

I recently sat through a sales pitch for a not-so-new corporate product that does anti-malware protection very differently. Of course it is also insanely expensive, so I will not mention the actual product, but it does offer something new. Protection against malware by checking and blocking behaviour.

Whilst they add all sorts of clever data analysis tricks, fundamentally anti-virus products recognise malware because they recognise the data that makes up the malware. If they don’t recognise the signature of the malware, then they do not know it is malware; so they have an incredibly difficult time recognising new malware releases.

But recognising malware based on behaviour is far more likely to successfully recognise malware – for example by recognising an attempt to make itself persistent in a way that an ordinary application does not do, and blocking it. Which is a far more practicable method of blocking malware (if it works!).

It is also something that should probably be built into operating systems, which to a certain extent already has been.

The New Defence

The New Defence

 

 

 Older Entries  Newer Entries