Wednesday, January 09, 2013

State sponsored attack: a howto guide

This NYTimes article pounding the drums of cyberwar is nonsense. There is no evidence that the DDoS attacks against the banks are state-sponsored.

We in the West are sophisticated and smart. When Muslims claim the offensive "Innocence of Muslims" video is state-sponsored by the U.S. government, we know their conspiracy theory is silly.

But we aren't that smart when it comes to "state sponsored hacks". We see cyber-bogeymen everywhere, from Chinese stealing state secrets, to Iranians attacking banks in retaliation over an offensive video. In every country, the government stokes fears of outsiders to further its own ends. There is no government that doesn't do this. For Muslim countries, Islam-hating America is their prime enemy. For America, Muslim terrorists are a hyped threat. In recent years, "cyber" has become a popular bogeyman as well. "Cyber" is the new Occam's Razor: it's the default explanation for everything.

A 70-gbps attack against banks is trivially easy for any individual.

What's new with this attack is that it doesn't come from a botnet of thousands of machines, but from a few data centers. This is an easy attack. Data centers have 10-gbps+ connections to the Internet and hundreds of vulnerable servers. Just run nmap or Nessus or any hacking tool targeting the data center, and you'll compromise several servers to run your attacks from.

Easier yet is to simply run an exploit across the Internet (instead of a single data center). Take the recent Ruby-on-Rails bug. Just go to Shodan, find a bunch of servers running Rails, and compromise them. Of those you compromise, take the ones with high-speed connections, and use them to do your DDoS attack.

Easier still is just renting VPS (virtual private servers) for $10 each for a month in data centers across the world, and using them to run your DDoS attacks. For $1000 for a month, you can easily create a 70-gbps attack. I guess $1000 is more than most individuals might want to pay, but it's not at the "state sponsored" level. It's more at the level of some rich dude giving a credit card to his son telling him "you and your friends, go have some fun".

The NYTimes claims:
"The skill required to carry out attacks on this scale has convinced United States government officials and security researchers that they are the work of Iran, most likely in retaliation for economic sanctions and online attacks by the United States."

This is a lie. I know of no competent security researcher who has been convinced this is the work of Iran's government. The only people who agree with that statement are those with something to sell, either pimping new government regulations or products. (If you are a competent researcher without a blatantly obvious conflict of interest, I'd love to hear your view).

This (DDoS against banks attack) is something any security researcher I know can carry out in their spare time. It's foolish to believe, in the absence of specific evidence, that a nation state is involved.

Update: Below is the signup page for a VPS hosting service. For $10, you get a 30-day trial with unmetered bandwidth. Just grab a few of these from different companies and different data centers, and you can easily DDoS a target site.

I chose this because it's the first result for googling "VPS hosting". Googling "unmetered vps" gives a lot more results costing less than $10.

Seriously, you don't need any hacking skills whatsoever. Just go get Visa/Amex gift cards from your local store, sign up for VPS hosting, and poof, 100-gbps DDoS attacks.

Update: There is likewise no evidence that this wasn't a state-sponsored attack. That the Iranian government sponsored this is perfectly plausible. The point of this post is to criticize the evidence. The proper thing to believe, given the evidence, is "we don't know", not that we know one way or the other.

Also, there is at least some sophistication to this attack. It's been going on for some weeks, implying some investment of time and resources. This implies a more skilled operator who has some experience overcoming whatever the defenders are doing to mitigate the attacks. You can start an attack by simply using VPS machines, but it's hard to sustain it over time as defenders come after you and filter or disable your accounts. While a VPS provider claims "unmetered" bandwidth, they won't be happy when you are filling up their pipes.

Update: Here is a post that looks at the online identities of the group claiming responsibility for the attacks. There are a lot of links to Iran; they have more confidence it's government sponsored than I do.

Update: Here's a story from DarkReading about somebody discovering compromised web-servers in the Iranian bank attacks. It was compromised because its password was set to "admin".

Update: Dan Goodin has a great article on this. He goes into great detail describing how this is a more sophisticated attack than I portray here. But, at the same time, he quotes the experts as saying "no evidence of state-sponsored attack". Also, he quotes the real experts, people from CloudFlare and Arbor who deal with these sorts of attacks every day and who have analyzed the details of the banking attack.


decius said...

FWIW I completely agree. These attacks started at the same time as protests over the film, the resources of a nation state are not necessary to launch this sort of attack, and the idea that a nation state would want to project power in the world by temporarily inconveniencing users of online banking services is very hard to believe.

I have disagreed with your view on another DDOS incident that some people have attributed to state actors, but in that case there are a variety of specific reasons for that attribution (whether or not you think those reasons are compelling). In this case I see absolutely no reason to attribute this incident to a nation state. The argument that only a nation state could have launched such an attack is completely bunk and no other reasons have been offered.

JPGoldberg said...

I heard the same "this is too sophisticated to be anything other than state sponsored" on NPR a couple of hours ago. I didn't catch the source for that nonsense (I was driving), but it is obviously utter nonsense.

I'd be surprised (and a bit disappointed) if this really was an IRI sponsored attack. I'd expect better from people who can bring down a drone.



Anonymous said...

The attacks aren't sophisticated, nor are the attackers skilled.

The attacks have succeeded to the extent that they have so far due solely to the ineptitude and unpreparedness of the defenders.

When the defenders exhibit competence in mitigating these attacks, they're entirely ineffective. The attackers have very little clue about how to effectively DDoS their targets.

Dave Dittrich said...

I completely agree with Robert's assessment that this attack method is not as sophisticated as the story makes it seem. It does not come close to requiring "nation state" level support, and is not even the first time that compromised servers have been used for DDoS attacks. I know of what I speak, as I was the first person to produce technical analyses of DDoS tools in 1999. A very similar method to that described above was used to compromise Windows servers in 2001 in order to similarly install a script that could be remotely controlled to generate DDoS traffic from those computers (see for one example.) Those who claim this is so sophisticated either do not know what they are talking about, or have their own agenda.

And if Tom Gjelten's story on NPR was correct about some bank paying a consulting company to look into acquiring "cyberweapons" to fight back, they are insanely stupid. The technical details above prove that the likely result would be harm to innocent third parties whose systems were turned into "unwitting agents" of DDoS attacks, controlled from far away, likely by proxies. This discussion of "going on the offense" is really getting out of hand, with people who have no technical expertise at all trying to justify taking extreme short-cut risky actions. (For more on misguided thoughts of attacking back, see my Honeynet blog post.)

krypt3ia said...

It's great that we can agree so readily and be the people who really should technically as professionals. Still though, these stories get onto the likes of NPR and elsewhere with morons making these ridiculous assertions and the talking heads and general public sit there heads bobbing.
