November 26, 2013

Anti-DDoS protection added to BIND DNS

A new version of BIND DNS adds Response Rate Limiting (RRL), a mechanism that helps combat reflected Denial-of-Service (DoS) attacks, specifically DNS amplification attacks.  The feature was introduced in version 9.9.4.

What is a DNS amplification attack?  It's an attack where, using the UDP transport, the attacker uses a large group of open resolvers to execute DNS lookups with the source address spoofed to look like it's coming from the victim/target.  Usually the lookup is for all records ("ANY" in DNS speak) of a particular domain (or zone), so that large amounts of response traffic are sent to the victim/target, consuming large amounts of the target's bandwidth and/or CPU.  This keeps the target busy and potentially makes it unavailable.  More details about how the attack works can be found here:
Anatomy of a DNS DDoS Amplification Attack

So how can RRL help mitigate these attacks?  In essence, RRL examines the pattern of DNS requests and throttles the responses to those requests when it detects an attack.  According to the documentation, it's highly configurable to combat many types of attacks.  An important note is that RRL throttles only responses; incoming requests cannot be throttled by RRL.
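To make the mechanism concrete, here is a small model of response rate limiting written for this post (example code, not BIND's own implementation).  It shows the two points above: every query is accepted and examined, but the responses are budgeted per client network and per response identity, and when the budget is exhausted some responses are dropped while every Nth one is sent back truncated so a real client can retry over TCP.  The parameter names mirror BIND's responses-per-second, window, slip and ipv4-prefix-length options; the credit accounting is a simplification, and the IP addresses and queries are constructed sample data.

```python
"""Simplified model of DNS Response Rate Limiting (RRL).

Added example, not BIND's code.  Queries are always accepted; only the
*responses* are budgeted, keyed on the network the response would go to
and on what the response is.  Credit accounting is a simplification.
"""
import ipaddress
from dataclasses import dataclass

SEND, DROP, TRUNCATE = "send", "drop", "truncate"


@dataclass
class Bucket:
    credits: float        # responses this bucket may still send
    last_seen: float      # time of the last decision, for refilling
    rate_limited: int = 0 # responses withheld so far (drives the slip cycle)


class ResponseRateLimiter:
    def __init__(self, responses_per_second=5, window=5, slip=2,
                 ipv4_prefix_length=24, log_only=False):
        self.rate = responses_per_second
        self.max_credits = responses_per_second * window  # burst allowance
        self.slip = slip
        self.prefix = ipv4_prefix_length
        self.log_only = log_only
        self.buckets = {}

    def _key(self, client_ip, qname, qtype, rcode):
        # Spoofed queries carry the victim's address, so the bucket is keyed
        # on the destination network of the response (the address being
        # flooded), not on the real sender, whom the server cannot see.
        net = ipaddress.ip_network(f"{client_ip}/{self.prefix}", strict=False)
        if rcode == "NOERROR":
            return (net, rcode, qname.lower().rstrip("."), qtype.upper())
        return (net, rcode)  # error responses are pooled regardless of name

    def decide(self, client_ip, qname, qtype, now, rcode="NOERROR"):
        """Return SEND, DROP or TRUNCATE for one response at time `now`."""
        key = self._key(client_ip, qname, qtype, rcode)
        b = self.buckets.get(key)
        if b is None:
            b = self.buckets[key] = Bucket(credits=self.rate, last_seen=now)
        # Refill credits for the elapsed time, capped at window seconds' worth.
        b.credits = min(self.max_credits,
                        b.credits + self.rate * (now - b.last_seen))
        b.last_seen = now
        if b.credits >= 1:
            b.credits -= 1
            return SEND
        b.rate_limited += 1
        if self.log_only:          # count it, but still answer (audit mode)
            return SEND
        if self.slip and b.rate_limited % self.slip == 0:
            return TRUNCATE        # tiny TC=1 reply: legit clients retry via TCP
        return DROP


def simulate(limiter, queries):
    """queries: iterable of (time, client_ip, qname, qtype); returns counts."""
    counts = {SEND: 0, DROP: 0, TRUNCATE: 0}
    for t, ip, name, qtype in queries:
        counts[limiter.decide(ip, name, qtype, t)] += 1
    return counts


def amplification_burst(victim_ip="198.51.100.7", n=20, start=0.0):
    """Constructed sample: n spoofed 'ANY example.com' queries in one instant."""
    return [(start, victim_ip, "example.com.", "ANY") for _ in range(n)]


def demo():
    rrl = ResponseRateLimiter(responses_per_second=5, window=5, slip=2)
    burst = simulate(rrl, amplification_burst())
    # A legitimate client in a different /24, three ordinary queries spread out.
    legit = simulate(rrl, [(0.0, "203.0.113.10", "www.example.com.", "A"),
                           (1.0, "203.0.113.10", "mail.example.com.", "MX"),
                           (2.0, "203.0.113.10", "example.com.", "ANY")])
    # Once the window has passed, the victim's bucket has refilled.
    later = rrl.decide("198.51.100.7", "example.com.", "ANY", now=10.0)
    return {"burst": burst, "legit": legit, "after_window": later}


if __name__ == "__main__":
    print(demo())
```

Of the 20 spoofed queries, the first 5 are answered and the remaining 15 alternate between being dropped and being sent truncated, so the amplification factor collapses while a genuine client behind the flooded address still gets a usable (TC) reply.  The legitimate client's three queries are unaffected because they fall into different buckets.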

While the attacks are not new, there has been an increase in them recently.  I recommend considering deploying this feature.

More information about BIND and RRL:
Using RRL to Prevent DNS Amplification Attacks
Quick introduction to Response Rate Limiting
How to enable Response Rate Limiting (RRL) on BIND 9.9.4
Download BIND from here

August 24, 2013

Retail thefts parallel to infosec

I just re-discovered a great post by Richard Bejtlich about the parallels between retail crime and computer crime.  I read this piece by Richard a few years ago (2010) when it was posted, and while it is dated, I thought it was worth highlighting again because in my opinion it's still relevant.

Maybe retailers should band together to share information about the criminals and losses similarly to how the casinos operate.  Collectively they might be able to fight this crime more effectively.  Sounds kind of similar to what we in the infosec community have been trying to do doesn't it?

Richard's blog post on

Where you'll get hacked stats

I found this graphic showing where you'll get hacked.  Some interesting statistics in there.

Link to graphic on

January 27, 2013

Google indexes 86K+ printers accessible from Internet

Printers on the Internet = total fail!  Funny article by ZDNet's Zack Whittaker.

Whoops: Google indexes more than 86,000 HP 'public' printers

Cyber Warfare and the Mutually-Assured Destruction of Cyberspace

I frequently read the writings of Lenny Zeltser; he's a smart guy who always has something interesting to say.  He posted a short entry on his blog in July of 2012 stating his theory of how countries will use the principle of mutually-assured destruction to deter each other from a major world war in cyberspace.
Worth a read, check it out here:

November 19, 2012

NON-SECURITY: Definition of 'sale'?

I was doing some grocery shopping the other day and while in the beer aisle I noticed a great 'deal'.

Sure would like to know what their definition of 'sale' is.  lolz

November 11, 2012

Windows 8 Runs 7-Year Old Malware (ouch)

One of the key points being marketed about Windows 8 is that it has much better security built into it than previous versions. I find it interesting that Microsoft will be releasing critical patches already.

Anyway, the fine folks at Bitdefender Labs decided to test Windows 8 against some malware and have posted the results. What they found is truly astonishing and I suspect Microsoft isn't going to be thrilled with it.

November 10, 2012

2008 Malware Challenge Revisited

My buddy Tyler Hudak has posted a malware challenge contest that we ran in 2008.  We thought it would be a good idea to give those who haven't tried it an opportunity to do so.

Check out the challenge here at Security Shoggoth's blog:

August 18, 2012

Wired writer's digital life hacked...and wiped

A few weeks ago Wired magazine writer Mat Honan's digital life was completely erased.  The attacker was able to do this in only one hour.  The hack exposed some weaknesses in Apple's and Amazon's password reset processes.  These holes have since been closed.

I feel bad for Mat, but this story serves as a good learning lesson in areas such as:
  • Password reset processes
  • Helpdesk personnel training
  • Connecting everything with one email account
  • Backing up your files

Video by Mat:

July 5, 2012

Free Local Cleveland Security Event July 13th

Security B-Sides is coming to Cleveland again this year on July 13, 2012. One full day of interesting talks... for FREE! You don't want to miss it. Hurry, seating is limited!

Security B-Sides Cleveland
When: Friday, July 13, 2012
Where: Embassy Suites Cleveland - Rockside
Address: 5800 Rockside Woods Boulevard, Independence 44131
Cost: Free (as always!)

It is co-sponsored by the Northeast Ohio Information Security Forum (NEOISF.ORG).