Dyn is a DNS SaaS provider whose core service is providing managed DNS for its users. The DDoS attacks severely affected DNS services, preventing Dyn users from accessing their websites. Because Dyn serves many companies, the damage caused spread quickly, causing serious harm. More than 100 websites became inaccessible due to these attacks for as long as three hours. Amazon alone suffered a loss of tens of millions of dollars.
The "zombies" launching the attacks mainly consisted of network cameras, digital hard disk recorders, and smart routers. The Mirai botnet infected millions of devices, of which only one tenth were involved in this attack.
Currently, the Internet has many zombie hosts and botnets. Driven by the desire for profit, DDoS attacks have become a major security threat to the Internet.
- Look for zombies: By default, remote login is enabled on IoT devices to facilitate remote management by administrators. An attacker scans IP addresses to discover live IoT devices and then scans those devices for open Telnet ports.
- Build a botnet: Some IoT device users keep the default password or set a simple one (for example, a trivial user name/digits combination such as "admin/123456"). Such passwords are easily cracked by brute force. After cracking the password of an IoT device and logging in to it through Telnet, the attacker remotely implants the Mirai malware to obtain absolute control over the device.
  - With absolute control over the infected devices, the malware can do more than launch DDoS attacks: it can also seriously damage the systems, services, and data on the devices, for example by tampering with data, stealing private information, modifying configurations, and deleting files, and it may go on to attack core service systems.
- Load the attack module: The attacker loads the DNS DDoS attack module onto the IoT device.
- Launch an attack: Through the botnet, the attacker launches a DDoS attack against Dyn's DNS service in the United States, bringing down hundreds of customer websites.
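As an added example (not part of the source), the following Python detector looks for the brute-force-then-login pattern on the device side, using constructed syslog-style Telnet login records; the log format, host name and addresses are assumptions, not output of any real device.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed syslog-like format (not real device output):
# 203.0.113.10 fails five times in a few seconds and then succeeds; 198.51.100.7 is a lone typo.
SAMPLE_LOG = """\
Oct 21 11:00:01 cam01 telnetd[412]: login failed for 'root' from 203.0.113.10
Oct 21 11:00:02 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.10
Oct 21 11:00:02 cam01 telnetd[412]: login failed for 'admin' from 203.0.113.10
Oct 21 11:00:03 cam01 telnetd[412]: login failed for 'root' from 203.0.113.10
Oct 21 11:00:04 cam01 telnetd[412]: login failed for 'user' from 203.0.113.10
Oct 21 11:00:05 cam01 telnetd[412]: login succeeded for 'admin' from 203.0.113.10
Oct 21 11:30:00 cam01 telnetd[412]: login failed for 'admin' from 198.51.100.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ telnetd\[\d+\]: "
    r"login (?P<result>failed|succeeded) for '[^']*' from (?P<src>[\d.]+)$"
)

def parse_events(log_text):
    """Return (timestamp, source_ip, succeeded) tuples; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:  # year-less syslog stamp: only differences between stamps are used
            ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
            events.append((ts, m["src"], m["result"] == "succeeded"))
    return events

def detect_bruteforce(events, threshold=5, window=timedelta(seconds=60)):
    """Map each source reaching `threshold` failed logins inside `window` to
    (failures_in_window, success_after_burst); True means the burst ended in a
    successful login, so the device should be treated as compromised."""
    by_src = defaultdict(list)
    for ts, src, ok in sorted(events):
        by_src[src].append((ts, ok))
    alerts = {}
    for src, evs in by_src.items():
        fails = [ts for ts, ok in evs if not ok]
        for i in range(len(fails)):  # sliding window over this source's failures
            j = i
            while j + 1 < len(fails) and fails[j + 1] - fails[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                success_after = any(ok and ts >= fails[j] for ts, ok in evs)
                alerts[src] = (j - i + 1, success_after)
                break
    return alerts
```

`detect_bruteforce(parse_events(SAMPLE_LOG))` reports only the first source, with the flag set because the burst was followed by a successful login.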
IP spoofing attacks exploit the normal trust relationships between hosts. Hosts with an IP address-based trust relationship authenticate each other by IP address alone to decide whether to allow or reject access. Between two hosts with such a trust relationship, users can log in from one host to the other without password verification.
The process of an IP spoofing attack is as follows:
- Take down the network where the trusted host resides, so that the trusted host cannot respond and interfere with the attack.
- Connect to a port on the target host to learn its current sequence number and the increment between successive sequence numbers.
- Masquerade the source address as the address of the trusted host and send a segment with the SYN flag set to initiate a connection.
- Wait for the target host to send its SYN-ACK packet to the trusted host, which has been taken down and therefore cannot reply.
- Send the target host an ACK packet whose source address is again masqueraded as the trusted host's and whose acknowledgment number is the target's predicted sequence number plus 1, the value the target expects.
- After the connection is established, send commands and requests to the target host.
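Added example, not from the source: a Python sketch of why the sequence-guessing step works against a target whose initial sequence numbers grow by a fixed increment, and why it fails against an RFC 6528-style generator that mixes a keyed hash of the connection 4-tuple into each ISN. Both generators and the addresses are constructed stand-ins, not a real TCP stack.

```python
import hashlib
import secrets

# Toy "predictable" generator (constructed for this example): every new connection
# gets the previous ISN plus a fixed step, exactly the pattern the probe step learns.
class LinearISN:
    def __init__(self, start=1000, step=64000):
        self.isn, self.step = start, step

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        self.isn = (self.isn + self.step) % 2**32
        return self.isn

# RFC 6528-style generator: a clock component plus a keyed hash of the 4-tuple,
# so the ISN observed on one connection says nothing about another connection's.
class HashedISN:
    def __init__(self, key=None):
        self.key = key if key is not None else secrets.token_bytes(16)
        self.clock = 0

    def next_isn(self, src_ip, src_port, dst_ip, dst_port):
        self.clock = (self.clock + 64000) % 2**32  # stands in for the 4-microsecond clock
        tuple_bytes = f"{src_ip}:{src_port}>{dst_ip}:{dst_port}".encode()
        f = hashlib.blake2b(tuple_bytes, key=self.key, digest_size=4).digest()
        return (self.clock + int.from_bytes(f, "big")) % 2**32

def prediction_succeeds(generator, probe, spoofed):
    """Replay the guessing steps against `generator`: open two probe connections
    from a real address, derive ISN and increment, predict the ISN the target will
    pick for the spoofed connection, and report whether that guess would match."""
    first = generator.next_isn(*probe)
    second = generator.next_isn(*probe)
    predicted = (second + (second - first)) % 2**32
    actual = generator.next_isn(*spoofed)  # ISN in the SYN-ACK the attacker never sees
    return predicted == actual

# Constructed addresses: probe from the attacker's own address, spoofed from the trusted host's.
PROBE = ("203.0.113.5", 40000, "192.0.2.10", 23)
SPOOFED = ("198.51.100.20", 1023, "192.0.2.10", 23)
```

A host whose `prediction_succeeds` comes back True for a linear-style generator is the kind of target the procedure above relies on; the hashed generator makes the guess fail with probability about 1 - 2^-32.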
A Distributed Denial of Service (DDoS) attack is a typical kind of traffic attack.
In a DDoS attack, the attacker resorts to every possible means to control a large number of online hosts. These controlled hosts are called zombie hosts, and the network consisting of the attacker and zombie hosts is called a botnet. An attacker launches DDoS attacks by controlling many zombie hosts to send a large number of elaborately constructed attack packets to the attack target. As a result, links are congested, and system resources are exhausted on the attacked network. This prevents the attack target from providing services for legitimate users.
DDoS attacks are divided into different types based on the types of exploited attack packets. Currently, popular DDoS attacks include SYN flood, UDP flood, ICMP flood, HTTP flood, HTTPS flood, and DNS flood.
The most common way to launch an SQL injection attack is to construct elaborate SQL fragments and inject them into the content submitted through web pages. Popular techniques include using comment characters, always-true conditions (such as 1 = 1), combining additional queries with UNION statements, and inserting or tampering with data using INSERT or UPDATE statements.
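The following Python example, added here and not part of the source, places a string-built query beside its parameterized form and exercises both with the comment-character, 1 = 1 and UNION techniques named above; the table, rows and inputs are constructed.

```python
import sqlite3

def make_db():
    """In-memory table with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_vulnerable(conn, name):
    """Builds the statement by string formatting: whatever the user submits becomes
    part of the SQL text, including quotes, comment markers and UNION clauses."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    """Binds the value as a parameter: the database receives the SQL text and the
    value separately, so the value can never change the statement's structure."""
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()

# Constructed inputs illustrating the techniques named in the text.
TAUTOLOGY = "x' OR 1=1 --"                                  # always-true condition + comment marker
UNION = "x' UNION SELECT name, sql FROM sqlite_master --"   # UNION pulls schema rows into the result

if __name__ == "__main__":
    db = make_db()
    print(lookup_vulnerable(db, TAUTOLOGY))  # every user row
    print(lookup_vulnerable(db, UNION))      # the CREATE TABLE text of 'users'
    print(lookup_safe(db, TAUTOLOGY))        # [] : the input is just an unmatched name
```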
Cross-site scripting (XSS) is a type of code injection attack that exploits security vulnerabilities in web applications. It allows malicious users to inject code into web pages in order to compromise the users who view those pages. This type of attack typically involves HTML and client-side scripting languages.
SQL injection and XSS are described in detail in HCNP-Security.
Phishing websites are generally divided into two types: the first uses the idea of "winning a prize" as bait to trick the user into providing sensitive information such as an ID card number and bank card details; the second uses a fake website masquerading as a genuine online bank or electronic transaction website to steal information such as bank card details or the payment passwords of online accounts. The whole process resembles fishing, which gives these malicious websites the name "phishing websites". The techniques are simple: they take advantage of people's desire for bargains or their weak anti-fraud awareness. Once a user is duped, their personal information is leaked and sold, or the attacker immediately uses the bank card details entered on the fake website to steal the user's online assets.
Web browsing and email transmission are the main ways for viruses, Trojan horses, and spyware to access intranets.
Virus: a set of instructions or program code written by an attacker to exploit inherent vulnerabilities in computer software and hardware. When executed, a computer virus replicates itself by modifying other programs and inserting exact copies or variants of itself into them, thereby damaging computer systems and tampering with or compromising service data.
Trojan horse: a malicious program used to control another computer. A Trojan horse usually consists of two executable programs: the client (the controller) and the server (the controlled part). The "server" is implanted into the target computer, and the "hacker" is the computer that uses the "controller" to enter the computer running the "server". Once the infected computer starts running, the Trojan horse "server" opens one or more ports, allowing the hacker not only to steal important information from the computer but also to damage other internal computers.
Worm: a malicious program that exploits system vulnerabilities to propagate itself throughout the network, replicating through network connections and emails. Major damage caused: a worm consumes host resources and can even damage the host system, which may lead to DoS; worm propagation also causes network congestion and may bring the entire network down and out of control.
Backdoor: a covert function hidden in the program. It is usually designed by the programmer for convenient access to the system in the future.
Spyware: a software program that lets attackers install backdoors on users' computers without their knowledge in order to collect user information. It collects, uses, and disseminates sensitive information about enterprise employees, severely affecting the normal business of enterprises.
Using professional tools to scan systems or personal computers for vulnerabilities and remediate them can, to a certain extent, prevent virus intrusion and infection.
As a border device, a firewall can block unauthorized network access, viruses carried in web pages and emails, illegitimate applications, and so on, to protect the intranet.
WAF is short for Web Application Firewall. It is a protection device that protects web applications by executing a series of HTTP/HTTPS security policies.
Ref: [1]