Daily Archives: December 10, 2015

Someone Tried to Take Down Internet’s Backbone with 5 Million Queries/Sec

Posted on December 10, 2015 | Leave a comment
Someone DDoSed one of the most critical organs of the Internet anatomy – The Internet’s DNS Root Servers.
Early last week, a flood of as many as 5 Million queries per second hit many of the Internet’s DNS (Domain Name System) Root Servers that act as the authoritative reference for mapping domain names to IP addresses and are a total of 13 in numbers.
The attack, commonly known as Distributed Denial of Service (DDoS) attack, took place on two separate occasions.
The first DDoS attack to the Internet’s backbone root servers launched on November 30 that lasted 160 minutes (almost 3 hours), and the second one started on December 1 that lasted almost an hour.

Massive Attacks Knocked Many of the 13 Root Servers Offline

The DDoS attack was able to knock 3 out of the 13 DNS root servers of the Internet offline for a couple of hours.

Also Read: Secure Email Service Paid Hackers $6000 Ransom to Stop DDoS Attacks.

The request queries fired at the servers were valid DNS messages addressed towards a single domain name in the first DDoS attack, and the second day’s DDoS attack addressed towards a different domain name.
According to the analysis published by the root server operators on Tuesday, each attack fired up to 5 million queries/second per DNS root name server that was enough to flood the network and cause timeouts on the B, C, G, and H root servers.
There is no indication of who or what was behind the large-scale DDoS attacks because the source IP addresses used in the attacks were very well distributed and randomized across the entire IPv4 address space.
However, the DDoS attacks did not cause any serious damage to the Internet, but a mere delay for some of the Internet users who made DNS queries through their web browser, FTP, SSH, or other clients.

This Smart Design Defends DNS Protocol Infrastructure

The motive for such attacks is still unclear because disabling or knocking down a root server won’t have a severe impact on the Internet as there are several thousand of other DNS servers managing DNS queries.

“The DNS Root Name Server system functioned as [it’s] designed, demonstrating overall robustness in the face of [massive] traffic floods observed at numerous DNS Root Name Servers,” Root Server Operators says (PDF), referring to the backup system employed by DNS servers.

Like the Internet, DNS is constructed on a mesh-like structure, so if one server doesn’t respond to a request, other servers step in and provide a DNS query result.
According to the DNS root server operators, the attack was not the result of a reflective DDoS attack in which open and misconfigured DNS is used to launch high-bandwidth DDoS attacks on the target.
Despite all the facts, any attack on the critical infrastructure of the Internet is taken extremely seriously.
The DNS root server operators recommended the Internet Service Providers (ISPs) to implement Source Address Validation and BCP 38, an Internet Engineering Task Force standard that helps defeat IP address spoofing.

 

Leave a comment

Posted in Security

Employee Error Leading Cause of Data Breaches, New Survey Says

Posted on December 10, 2015 | 1 comment

Code
A company’s cybersecurity is only as strong as its weakest link.

“Employee error” turns out to be the most common reason for a data breach at companies, according to a new cybersecurity report released Wednesday by the Association of Corporate Counsel. This means the breach occurred as the result of a mistake the employee made, such as accidentally sending an email with sensitive information to someone outside the company.

The report, which contained survey responses from more than 1,000 in-house lawyers in 30 countries, found that 30% of breaches this year occurred as a result of employee error. Other common reasons for a breach included unauthorized access by insiders intending to steal company data and phishing attacks, when third parties send spam emails designed to trick employees into giving up their personal information.

The findings highlight how easy it is for cybercriminals to take advantage of negligent employees. For instance, hackers in a recent case allegedly stole information from newswire companies by sending phishing emails to employees and then put that information on overseas servers for financial traders to access.

Lawyers in the healthcare industry reported the highest number of breaches, followed by insurance, manufacturing and retail, according to the survey. Experts have said health companies are especially vulnerable because they hold sensitive information, including people’s prescriptions and illnesses, that would be valuable to hackers.

Although cyber risk has traditionally been handled by companies’ IT departments, the survey found that most in-house lawyers expect their role in cybersecurity to increase next year, despite the fact that only 10% of lawyers surveyed had a portion of their budget allocated explicitly to cybersecurity.

Half of the survey respondents said their company has cybersecurity insurance; among those, 68% had coverage valued at $1 million or more. Of the lawyers who have experienced a breach, only 19% said their insurance policy fully covered the related damages.

1 Comment

Posted in Security

A Sender Policy Framework (SPF) Primer for Exchange Administrators

Posted on December 10, 2015 | 1 comment

Email spam continues to be a huge problem for organizations these days, and it usually falls on the Exchange administrator to do something about it. Aside from the usual anti-spam measures we can put in place to protect our own servers from spam, we also need to consider how to prevent spammers from spoofing (imitating) the domain names for our own organization. After all, it can be very embarrassing or cause serious brand damage to have spam and malware that uses your domain name.

To detect spoofed email many receiving servers, particularly those operated by large email providers such as Microsoft, Yahoo, Google, and AOL, will perform a check of the Sender Policy Framework (SPF) record for the sender’s domain when a sending server is attempting to send an email message.

SPF records allow a domain owner to specify which mail servers are permitted to send email for that domain name. When the sending server issues its “MAIL FROM” command in the SMTP conversation, the receiving server will look up the SPF record in the domain name of the “From” address to see if there is a match for the source IP address of the SMTP connection.

4-X-SPF_1

If you were reading about SPF records on the internet you may find advice from some websites that it is better to have no SPF record than it is to have an incorrect SPF record. There’s some truth to that, but also some risks. Some mail hosts will reject mail if there is no SPF record for the domain. It tends to be few hosts that do that, but because they are very large mail hosts the impact can be quite noticeable. Ultimately, it is best to have a correctly configured SPF record in DNS for your domain.

An SPF record is simply a TXT record with a certain syntax. The syntax is made up of two parts; mechanisms, and modifiers. Modifiers are optional and are not commonly used except for special circumstances. During management and troubleshooting of transport you’ll most often be dealing with SPF records containing only mechanisms.

The mechanisms for an SPF record define the sets of hosts that can send email from the domain. Mechanisms can be defined by:

  • all – matches any host, and is placed at the end of the SPF record as a “catch all” for any senders that did not match other mechanisms listed ahead of it.
  • ip4 – matches a single IPv4 address or IPv4 network range.
  • ip6 – matches a single IPv6 address of IPv6 network range.
  • a – matches a host name or domain name. The IP addresses that the name resolves to in DNS are matched against the sender’s IP address. This mechanism is useful for matching against a web server IP address based on the domain name.
  • mx – matches against the MX records for the domain. This mechanism is useful when the outbound mail is handled by the same servers as the MX records resolve to for inbound mail.
  • ptr – reverse DNS queries are used to match the sender IP address to the host names that it resolves to. This mechanism is generally not recommended due to the DNS load it causes.
  • exists – simply checks that the domain exists in DNS.
  • include – matches the sender IP against the SPF record another domain. This is commonly used when your outbound email is routing via a cloud service such as Exchange Online Protection.

Mechanisms are used in combination with a qualifier that tells the server what to do when a match is found. The qualifiers are:

  • +” for pass (this is the default if no qualifier is explicitly provided)
  • ” for fail (email from unauthorized hosts should be rejected)
  • ~” for SoftFail (may result in email being accepted but marked as “likely spam”)
  • ?” for Neutral (regardless of the result the email should be accepted)

An example of a mechanism paired with a qualifier is “-all” at the end of an SPF record, which means “Fail/reject email from any sender who did not match an earlier mechanism in the SPF record.”

If this all seems very complicated to you, don’t worry, it starts out that way for everyone who has to deal with SPF records. Fortunately, there are many tools available to help you construct and validate your SPF records. For example, Microsoft provides the Sender ID Framework SPF Record, which has an awkwardly long name but is nonetheless very useful.

4-X-SPF-2

After entering your domain name the wizard will step you through a series of questions to determine the most likely SPF record that you will need. In this example I answered the questions as follows:

  • Domain’s inbound servers may send mail (in other words, the servers listed as MX records also handle outbound email)
  • An additional domain name whose A record is a valid outbound email server (a common example of this is an externally hosted website that uses its own SMTP service to send notifications and other emails)
  • This domain sends mail only from the IP addresses identified above (in other words, anything else trying to send email from my domain name should be considered unauthorized)

The resulting SPF record looks like this.

4-X-SPF-3

By adding that string as a TXT record in the public DNS zone for the domain name I will have prevented unauthorized email servers from spoofing my domain name. At least, they won’t be able to do it when sending to any receiving server that checks SPF records. Anyone who is not checking SPF records can still receive the spoofed email, but may reject it for other reasons such as spam content or malware.

Apart from tools to generate your own SPF record, many email services will provide you with the exact strings to add to your SPF record. When you add a domain name to Office 365 Microsoft advises you of the SPF record they suggest, which is appropriate for organizations sending their outbound email using Exchange Online Protection. Similarly, email marketing services and SMTP hosting services will also have documented solutions to adjust your SPF record so that you can successfully use their services without your email being rejected.

After you have your SPF record in place you should validate it. And in fact, you should repeat this validation test any time you suspect an external organization may be rejecting your email because of your SPF record. MXToolbox has an SPF record validator that takes a domain name and IP address as input and lets you know what the result will be if that IP address sends email for your domain.

4-X-SPF-4

Aside from the result for that specific IP address, the MXToolbox SPF record lookup tool will also validate the general health of your SPF record for problems such as excessive DNS lookups or syntax problems.

4-X-SPF-5

Despite the importance of SPF records for internet email delivery, your internal mail flow between Exchange servers in your own organization is not dependent on SPF records. The Exchange servers in your organization already understand that other Exchange servers in the same organization are authoritative for your domains.

1 Comment

Posted in Network