Knock knock! Who's there? DDoS attack!

Felipe Soriano
May 29, 2018

If you work in IT, or you need to be concerned about protecting your company's ability to do business 24/7, you have got to pay attention to what happened on October 21 when a distributed denial of service (DDoS) attack came knocking on the door of Dyn, a domain name service provider.

You need to be vigilant, and that means using the tools already available in your network. You need to understand what happened last month and then put together a plan and course of action so that you don't fall victim to a future attack that may have an even bigger impact on you and your business. Now is the time to make sure your networks and devices are safe from these types of attacks.

What is DDoS?

A distributed denial of service attack can happen in several different ways. In this case, there was a deluge of web traffic that overwhelmed servers such that network service was denied to legitimate network users.

According to Dyn, the domain name service provider hit with the massive DDoS attack that day, there was a botnet – a computer network created by malware and controlled remotely without the knowledge of the users of those computers – behind the attack. This botnet consisted of an estimated 100k internet-connected devices, rather than the tens of millions of IP addresses in the original estimates, that were responsible for the huge attack on critical systems.

By comparison, Gartner estimates there are currently 6.4 billion IoT devices, so relatively speaking a very tiny number of devices was involved – this time. These 100k devices were hijacked to flood Dyn's systems with unwanted requests, shutting down the internet for millions.

What virus was involved in the attack?

The compromised devices were infected with the Mirai malware, an infamous virus that has the ability to take over cameras, DVRs, and routers. Mirai searches for IoT devices that are still using their factory-set passwords, then uses them as part of a botnet to launch DDoS attacks.

Are there other viruses that could cause a DDoS?

Absolutely!


Although there are some attacks that take advantage of system bugs or vulnerabilities (such as teardrop attacks), most of these other types of attacks involve generating large volumes of traffic so that network service is denied to legitimate network users, like this one. These types of attacks include:

ARP flood attack – Floods a network switch with a large number of ARP requests, resulting in the switch using a large amount of CPU time to respond to these requests. If the number of ARP requests exceeds the preset value of 500 per second, an attack is detected.
LAND attack – Spoofed packets are sent with the SYN flag set to a host on any open port that is listening. The machine can crash or reboot in an attempt to respond.
ICMP ping of death – This is where ping packets that exceed the largest IP datagram size (65535 bytes) are sent to a host and crash the system.
SYN attack – This attack floods the system with a series of TCP SYN packets, resulting in the host issuing SYN-ACK responses. The half-open TCP connections can exhaust TCP/IP resources, such that no other TCP connections are accepted.
Pepsi attack – The most common form of UDP flooding directed at harming networks. A pepsi attack consists of a large number of spoofed UDP packets aimed at diagnostic ports on network devices. It can cause network devices to use up a large amount of CPU time responding to these packets.

There are more showing up every day, including the invalid IP attack and the multicast IP and MAC address mismatch.

What can you do to protect your network?

Your network switches and IoT devices can be protected against DDoS by filtering. Your network switches can be set to detect various types of port scans by monitoring for TCP or UDP packets sent to open or closed ports.

Packet penalty value setting. TCP and UDP packets destined for open or closed ports are assigned a penalty value. Each time a packet of this type is received, its assigned penalty value is added to a running total. This total is cumulative and includes all TCP and UDP packets destined for open or closed ports.
Port scan penalty value threshold. The switch is given a port scan penalty value threshold. This number is the maximum value the running penalty total can reach before triggering an SNMP trap.
Decay value. The switch is given a decay value. The running penalty total is divided by the decay value every minute.
Trap generation. If the total penalty value exceeds the set port scan penalty value threshold, a trap is generated to alert the administrator that a port scan may be in progress.

For example, imagine that a switch is set so that TCP and UDP packets destined for closed ports are given a penalty of 10, TCP packets destined for open ports are given a penalty of 5, and UDP packets destined for open ports are given a penalty of 20.
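To make the penalty, decay and threshold mechanism concrete, here is an added example (not code from the article or from ALE) that replays constructed packet events through a minimal model of that counter. The penalty values are the ones above; the threshold of 100, the decay divisor of 2, integer division, and raising one trap per excursion above the threshold are assumptions, since the article gives no figures for them.

```python
# Added example: a minimal model of the port-scan penalty counter described
# above, replayed over constructed packet events. Penalty values follow the
# article (closed-port TCP/UDP = 10, open-port TCP = 5, open-port UDP = 20).
# The threshold (100), decay divisor (2), integer division, and the one-trap-
# per-excursion rule are assumptions; the article does not specify them.
PENALTY = {
    ("tcp", "closed"): 10,
    ("udp", "closed"): 10,
    ("tcp", "open"): 5,
    ("udp", "open"): 20,
}


def simulate(events, threshold=100, decay=2):
    """Replay (minute, proto, port_state) events, ordered by minute, and
    return the traps raised as a list of (minute, running_total)."""
    total = 0
    minute_now = 0
    armed = True          # re-armed once the total falls back to the threshold
    traps = []
    for minute, proto, state in events:
        # At every minute boundary the running total is divided by the decay
        # value (integer division is an assumption; the article says "divided").
        while minute_now < minute:
            total //= decay
            minute_now += 1
            if total <= threshold:
                armed = True
        total += PENALTY[(proto, state)]
        if total > threshold and armed:
            traps.append((minute, total))   # SNMP trap to the administrator
            armed = False
    return traps


# Constructed traffic: twelve probes at closed TCP ports within one minute,
# and three packets per minute to an open TCP port for ten minutes.
SCAN_EVENTS = [(0, "tcp", "closed")] * 12
BENIGN_EVENTS = [(m, "tcp", "open") for m in range(10) for _ in range(3)]


def scan_traps():
    return simulate(SCAN_EVENTS)      # [(0, 110)]: the 11th probe crosses 100


def benign_traps():
    return simulate(BENIGN_EVENTS)    # []: decay keeps the total below 100


if __name__ == "__main__":
    print("scan:", scan_traps())
    print("benign:", benign_traps())
```

The benign stream never trips the counter because each minute's decay removes more penalty than three open-port packets add, while the closed-port burst crosses the threshold within a single minute.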

Of course, the smartest switches in the world won't help you if you don't monitor the notifications triggered by these events. That's where a good network management system is crucial. A good resource is your local ALE representative.

What about your smart "things"?

Besides taking care of the network, there are things you can do to protect your smart devices, at work and at home:

1. Passwords – This is the easiest one to fix and the most overlooked – change the factory default passwords that come with your device. In this DDoS case, the virus searched for default settings.
2. Update software – As annoying as those reminders to update your software are, the updates often contain critical security fixes. Take the time to update!
3. Prevent remote management – Disable remote management protocols, such as telnet or http, that provide control from another location. The recommended secure remote management protocols are SSH or HTTPS.

The next time DDoS comes knocking at your door, be sure your network is set up to notify you of these activities and know how to manage them. In a perfect world, your switch/router networking devices would have their filtering capabilities enabled by factory default. If you have further questions on how to make your network more secure using Alcatel-Lucent Enterprise solutions, or are interested in a deeper dive into the technology, please contact your nearest ALE representative.

Felipe Soriano

Senior Manager Network Solution Architecture

Felipe has more than 25 years of experience in the network LAN infrastructure and telecommunications technology sector. He has managed technical teams comprised of pre-sales network architects and product specialists, and has contributed to successfully closing strategic RFP projects for various enterprise industries. Felipe's primary duties include product and solution training for technical pre-sales engineers, and authoring Network Solution Blueprints for specific enterprise industries such as education and healthcare.

Felipe has a Bachelor of Science in Applied Management and an Associate of Science degree in Computer Science Business Programming. He is an International Honor Society in Business member of the Delta Mu Delta, Eta Chi Chapter.
