Light Dark
November 30, 2015 By Andrew Lemke 3 min read
Advanced Threats

An Introduction to Temporal Lensing

The Panzerhaubitze 2000 is a 155 mm self-propelled howitzer capable of Multiple Rounds Simultaneous Impact (MRSI). Essentially, the artillery shells are fired with different trajectories, but all impact the target concurrently. How is this type of artillery related to denial-of-service attacks?

Well, as released in a new research study titled “Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks,” it is possible to perform a similar distributed denial-of-service (DDoS) attack that uses timing to ensure simultaneous arrival of IP packets. The authors term this temporal lensing and claim it is a potential new class of attack, especially if combined with amplification attacks. Amplification attacks result in the multiplicative creation of new packets in an asymmetric sense. Can you see the lens below?

Note that this attack hasn’t yet been seen in the wild. But if history is a teacher, it’s only a matter of time before it does.

JavaScript Injection DDoS, or the Great Firewall of China

In April 2015, we witnessed a massive denial-of-service attack against the code-sharing site GitHub via China’s Internet backbone — specifically China Unicom, a major service provider in China.

This represented a new class of attack utilizing JavaScript injection and the users of Baidu (the fourth-largest website in the world, as per the Alexa Internet ratings) to attack Github. Essentially, every visitor to Baidu had JavaScript silently injected into their browser sessions. This resulted in two Web pages being requested from Github for every Baidu visit. Unbeknownst to the users, they were participants in a massive attack against GitHub.

This is a powerful new vector. If your infrastructure becomes the target of a large population of Web surfers, you’d better be prepared for the onslaught. Imagine for a moment what would happen if every Google visitor also started hitting your site with traffic. Ouch!

Denial of Service via BitTorrent

You all remember the classic Smurf and Fraggle attacks from the 1990s, right? For those of you not schooled in the basics, this was an attack that relied on amplification of data — in this case, ICMP (for the Smurf attack) and UDP port 7 (for the Fraggle attack). In both instances, the protocol was the underlying weakness. Many computers would respond when only one computer made a small request.

As it turns out, we have a new threat vector in the BitTorrent protocol that is being termed distributed reflective denial-of-service (DRDoS). Again, we have a protocol that allows for the amplification attacks. As described in a recent research paper, BitTorrent and BTSync protocols can enable DRDoS attacks using an amplification mechanism.

Some characteristics of the DRDoS attack vector include the fact that:

  1. It is anonymous. Because it utilizes UDP, it is entirely spoofable.
  2. It can be initiated by a single computer but still generate a tremendous amount of traffic coming from multiple sources on the BitTorrent network.
  3. It amplifies the original packet very well. The researchers state that the amplification factor can be as much as 120 times.

Recommendations

I hate to present threats without also providing solutions, but in the case of DDoS, it really requires an in-depth consultation to ensure you’ve got your bases covered. Recommendations depend on the threat level for your organization, your risk appetite, your desire to be actively involved, the degree to which you can sustain any downtime, etc.

To complete a comprehensive DDoS defense strategy, the following questions need to be answered:

  • Have you already been attacked?
  • If so, how did you resolve that situation?
  • Do you know the motivations and persistence of the attackers?
  • Are you willing to be up at 3 a.m. and solve an outage over the next 72 hours?
  • What are the technical characteristics of the attacks?

Additionally, some of the following technologies need to be considered as part of your architecture decisions:

  • Scrubbers versus content delivery networks;
  • ISP-based defenses versus on-premises;
  • TLS keys and related regulatory and compliance concerns;
  • Web application firewalls (WAF); and
  • Global load balancing.
 | 
Andrew Lemke
Security Strategist, IBM

More from Advanced Threats
May 24, 2024

Phishing kit trends and the top 10 spoofed brands of 2023

4 min read -  The 2024 IBM X-Force Threat Intelligence Index reported that phishing was one of the top initial access vectors observed last year, accounting for 30% of incidents. To carry out their phishing campaigns, attackers often use phishing kits: a collection of tools, resources and scripts that are designed and assembled to ease deployment. Each phishing kit deployment corresponds to a single phishing attack, and a kit could be redeployed many times during a phishing campaign. IBM X-Force has analyzed thousands of…

May 16, 2024

Grandoreiro banking trojan unleashed: X-Force observing emerging global campaigns

16 min read - Since March 2024, IBM X-Force has been tracking several large-scale phishing campaigns distributing the Grandoreiro banking trojan, which is likely operated as a Malware-as-a-Service (MaaS). Analysis of the malware revealed major updates within the string decryption and domain generating algorithm (DGA), as well as the ability to use Microsoft Outlook clients on infected hosts to spread further phishing emails. The latest malware variant also specifically targets over 1500 global banks, enabling attackers to perform banking fraud in over 60 countries…

May 2, 2024

A spotlight on Akira ransomware from X-Force Incident Response and Threat Intelligence

7 min read - This article was made possible thanks to contributions from Aaron Gdanski.IBM X-Force Incident Response and Threat Intelligence teams have investigated several Akira ransomware attacks since this threat actor group emerged in March 2023. This blog will share X-Force’s unique perspective on Akira gained while observing the threat actors behind this ransomware, including commands used to deploy the ransomware, active exploitation of CVE-2023-20269 and analysis of the ransomware binary.The Akira ransomware group has gained notoriety in the current cybersecurity landscape, underscored…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature