Light Dark
November 30, 2015 By Andrew Lemke 3 min read
Advanced Threats

An Introduction to Temporal Lensing

The Panzerhaubitze 2000 is a 155 mm self-propelled howitzer capable of Multiple Rounds Simultaneous Impact (MRSI). Essentially, the artillery shells are fired with different trajectories, but all impact the target concurrently. How is this type of artillery related to denial-of-service attacks?

Well, as released in a new research study titled “Temporal Lensing and Its Application in Pulsing Denial-of-Service Attacks,” it is possible to perform a similar distributed denial-of-service (DDoS) attack that uses timing to ensure simultaneous arrival of IP packets. The authors term this temporal lensing and claim it is a potential new class of attack, especially if combined with amplification attacks. Amplification attacks result in the multiplicative creation of new packets in an asymmetric sense. Can you see the lens below?

Note that this attack hasn’t yet been seen in the wild. But if history is a teacher, it’s only a matter of time before it does.

JavaScript Injection DDoS, or the Great Firewall of China

In April 2015, we witnessed a massive denial-of-service attack against the code-sharing site GitHub via China’s Internet backbone — specifically China Unicom, a major service provider in China.

This represented a new class of attack utilizing JavaScript injection and the users of Baidu (the fourth-largest website in the world, as per the Alexa Internet ratings) to attack Github. Essentially, every visitor to Baidu had JavaScript silently injected into their browser sessions. This resulted in two Web pages being requested from Github for every Baidu visit. Unbeknownst to the users, they were participants in a massive attack against GitHub.

This is a powerful new vector. If your infrastructure becomes the target of a large population of Web surfers, you’d better be prepared for the onslaught. Imagine for a moment what would happen if every Google visitor also started hitting your site with traffic. Ouch!

Denial of Service via BitTorrent

You all remember the classic Smurf and Fraggle attacks from the 1990s, right? For those of you not schooled in the basics, this was an attack that relied on amplification of data — in this case, ICMP (for the Smurf attack) and UDP port 7 (for the Fraggle attack). In both instances, the protocol was the underlying weakness. Many computers would respond when only one computer made a small request.

As it turns out, we have a new threat vector in the BitTorrent protocol that is being termed distributed reflective denial-of-service (DRDoS). Again, we have a protocol that allows for the amplification attacks. As described in a recent research paper, BitTorrent and BTSync protocols can enable DRDoS attacks using an amplification mechanism.

Some characteristics of the DRDoS attack vector include the fact that:

  1. It is anonymous. Because it utilizes UDP, it is entirely spoofable.
  2. It can be initiated by a single computer but still generate a tremendous amount of traffic coming from multiple sources on the BitTorrent network.
  3. It amplifies the original packet very well. The researchers state that the amplification factor can be as much as 120 times.

Recommendations

I hate to present threats without also providing solutions, but in the case of DDoS, it really requires an in-depth consultation to ensure you’ve got your bases covered. Recommendations depend on the threat level for your organization, your risk appetite, your desire to be actively involved, the degree to which you can sustain any downtime, etc.

To complete a comprehensive DDoS defense strategy, the following questions need to be answered:

  • Have you already been attacked?
  • If so, how did you resolve that situation?
  • Do you know the motivations and persistence of the attackers?
  • Are you willing to be up at 3 a.m. and solve an outage over the next 72 hours?
  • What are the technical characteristics of the attacks?

Additionally, some of the following technologies need to be considered as part of your architecture decisions:

  • Scrubbers versus content delivery networks;
  • ISP-based defenses versus on-premises;
  • TLS keys and related regulatory and compliance concerns;
  • Web application firewalls (WAF); and
  • Global load balancing.
 | 
Andrew Lemke
Security Strategist, IBM

More from Advanced Threats
April 9, 2024

Hive0051 goes all in with a triple threat

13 min read - As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings, detailing Hive0051's use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS Fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day. An examination of a sample of the lures associated with the ongoing activity reveals…

November 6, 2023

GootBot – Gootloader’s new approach to post-exploitation

8 min read - IBM X-Force discovered a new variant of Gootloader — the "GootBot" implant — which facilitates stealthy lateral movement and makes detection and blocking of Gootloader campaigns more difficult within enterprise environments. X-Force observed these campaigns leveraging SEO poisoning, wagering on unsuspecting victims' search activity, which we analyze further in the blog. The Gootloader group’s introduction of their own custom bot into the late stages of their attack chain is an attempt to avoid detections when using off-the-shelf tools for C2…

August 2, 2022

Black Hat 2022 Sneak Peek: How to Build a Threat Hunting Program

4 min read - You may recall my previous blog post about how our X-Force veteran threat hunter Neil Wyler (a.k.a “Grifter”) discovered nation-state attackers exfiltrating unencrypted, personally identifiable information (PII) from a company’s network, unbeknownst to the security team. The post highlighted why threat hunting should be a baseline activity in any environment. Before you can embark on a threat hunting exercise, however, it’s important to understand how to build, implement and mature a repeatable, internal threat hunting program. What are the components…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature