Smurf attack explained.

Cyber attacks are to be taken seriously. Even cute names can hide deadly poison. Today, let’s look at the Smurf attack.

What is a Smurf attack?

A Smurf attack is a type of distributed denial of service (DDoS) attack. It took its name from the malware used to implement it, the Smurf malware. It targets computer networks to make them unavailable by exploiting weaknesses in the Internet Control Message Protocol (ICMP).

A Smurf attack floods a server with ICMP packets. A large number of echo requests are sent with a forged source IP address (the victim’s) to one or many devices. When all of those devices reply to the victim, the attack traffic is amplified, and the victim goes down.

Which ICMP vulnerability does the Smurf attack exploit?

ICMP lets the devices on a network detect communication problems. It diagnoses and reports errors through messages (data packets) sent back from the recipient to the source (sender) when data does not arrive properly.

The Ping command is commonly used to test hardware connected to the network (routers, computers, printers, etc.), and Ping works through ICMP. With a ping, you can find out whether a device is reachable: a message (echo request) is sent to a specific device, and an acknowledgment (echo reply) is received back. Ping also measures the time it takes for a message to travel from the source to its destination and back.

The issue is that ICMP has no handshake as part of its process. A device therefore cannot verify that the source address of a request it receives is genuine.

How does Smurf malware work?

Smurf malware produces a network packet with a spoofed source IP address. The packet travels as an ICMP ping message that makes every device on the network’s nodes send an answer. The cycle is repeated with a constant stream of requests, so the ICMP echoes produce a non-stop flood that overwhelms the target.

How does a Smurf attack work?

A Smurf attack starts with the activation of Smurf malware, which creates an echo request whose source IP address is spoofed to the victim’s.

The request is sent to an IP broadcast address of an intermediate network, which delivers it to every host on that network.

Since the packet carries an ICMP ping message, every node that receives it sends an acknowledgment (echo reply) to the spoofed source, that is, to the victim. The more ICMP requests are sent, the more ICMP answers the victim receives.

Note that the number of hosts on the intermediate network (the one reached through IP broadcast) defines the scale of the attack’s amplification. One thousand hosts on such a network will generate one thousand answers for every spoofed echo request.

How to prevent or mitigate a Smurf attack?

  1. Pay attention to indicators such as bandwidth problems or crashing servers and routers. A Smurf attack could be just around the corner.
  2. Monitor your traffic thoroughly, looking for unusual volume, behaviour or packet signatures.
  3. Get sufficient bandwidth to handle traffic spikes.
  4. Look for redundancy and an efficient load balancing system to distribute traffic.
  5. Protect your DNS servers against DDoS.
  6. Disable IP broadcasting on your network’s routers and firewalls.
  7. Block directed-broadcast traffic trying to enter the network.
  8. Configure routers and hosts not to answer ICMP echo requests.
  9. Configure your operating system to ignore ICMP requests sent to IP broadcast addresses.
  10. Configure your firewall perimeter to block pings coming in from outside the network.

Conclusion.

A Smurf attack belongs to the most dangerous category of threats, DDoS attacks. Have a strategy for keeping your network safe. Don’t leave it for tomorrow!

5 Famous Cyber attacks.

Cyber crime never stops. The list of cyber attacks that have badly hit organizations worldwide is sadly long. Even during the hardest moments of the pandemic, the virus stopped the world, but not cyber crime.

Let’s take a look at 5 painfully famous cyber attacks.

Mirai botnet attack (2016). 

A massive DDoS attack hit the servers of Dyn, a major provider of DNS infrastructure for the Internet. It took down the Internet in wide regions of the USA and Europe. Twitter, CNN, Reddit, Netflix, and other well-known websites went down.

Attackers used a peculiar weapon, the Mirai botnet. The botnet army was not made up of infected computers but of Internet of Things (IoT) devices. Dyn estimated that around 100 thousand malicious endpoints were involved in the attack.

WannaCry attack (2017).

This ransomware hit over 200 thousand victims, all users of the Microsoft Windows operating system, in around 150 countries. Attackers used the malicious software “WannaCry” to take data hostage until a ransom was paid, combined with a worm to spread it across entire networks. WannaCry encrypts victims’ files to block access to them. It can also lock users out of their devices. The criminals demanded between $300 and $600 worth of Bitcoin.

The attack exploited a vulnerability in Microsoft Windows for which a patch had been available 2 months before the attack. The problem was that people don’t always update. That simple action could have protected users.

SolarWinds scandal (2020).

This cyber intrusion affected around 200 international organizations, including Microsoft, several agencies of the U.S. government, the U.K. government, NATO, the European Parliament, etc.

Attackers planted a back door in a SolarWinds software application (Orion). As soon as customers installed the application, the attackers could access their systems. This is considered one of the most dangerous cyber attacks because of the high-profile targets it affected and its duration. The scandal broke in December 2020 after several data breaches were confirmed, but the attackers had had access and been operating for more than 8 months!

Colonial Pipeline’s attack (2021).

Attackers hit the biggest fuel pipeline in the U.S. The company, which moves around 2.5 million barrels of fuel daily from the Gulf Coast to the Eastern Seaboard, had to shut down its systems. The result was shortages all along the coast, chaos at gas stations and higher prices.

Attackers got access to the company’s networks through a valid VPN (virtual private network) account of the kind the company’s employees use for remote access. The account’s password appears to have been leaked on the dark web, and the main hypothesis is that this is how the attackers obtained it. With a single compromised password, they took down a giant and demanded ransom money in exchange.

Kaseya’s ransomware attack (2021).

The target was Kaseya, an IT solutions provider. Approximately 1,500 businesses (Kaseya’s clients) around the world were affected. The attackers demanded $70 million to restore the affected data.

It was a supply chain ransomware attack carried out through a weakness (an authentication bypass) in one of the company’s IT tools, VSA, a remote monitoring and management tool for networks and endpoints.

This way, the attackers bypassed the authentication controls and obtained a valid session to upload malicious code. They also executed commands through SQL injection. The case is still ongoing, and we will see its final consequences soon.

Conclusion.

This picture is enough to understand that we can’t relax. All of us, users and online business owners alike, have to strengthen our security defenses as much as possible. History proves that cyber criminals can target all kinds of victims, from enterprises and governments to regular users. Underestimating cyber criminals could be really painful for your business and your pocket!

What is a Botnet?

Have you heard the word Botnet? Sounds scary, doesn’t it? It is a network of infected devices that cybercriminals use for their malicious purposes. In the world, there are millions of infected devices, maybe even billions, and they are just a few clicks away from attacking their next target!

What is a Botnet?

A Botnet is a network of infected devices (a.k.a. hijacked devices or zombie computers) that cybercriminals first infect and later use for various cyberattacks, including DDoS attacks, spam distribution, phishing attacks, and more. The term Botnet is a combination of two words. The first is “bot”, short for “robot”, meaning an automated machine that can perform a specific task. The second is “net”, from “network”, because we are talking about multiple devices that can be triggered at once.

One feature that makes a Botnet so dangerous is that the users of the infected devices usually have no idea that malicious code is running on them. They might not notice a spike in resource use, or they might assume the devices are simply suffering from a bug that makes them work harder. Botnets are sneaky threats!

What are Botnets used for?

  • DDoS attacks. An attacker can use one or more Botnets to create a massive wave of traffic towards a particular target. The goal is to overwhelm the target (usually a server) with so many DNS queries that it can’t answer any of them, including those coming from regular users, causing downtime. The scenario can be many times worse if the cybercriminal uses DDoS amplification to create even heavier traffic.
  • Mining cryptocurrency. Your device might be mining cryptocurrency for somebody else without your knowledge, using your computer’s or mobile phone’s resources to do it. That way, the attacker has many zombie devices that bring in a lot of profit without any investment in hardware or any electricity or Internet bills.
  • Phishing attacks. Phishing is a tricky way to get someone’s username, password, or other valuable information. A botnet device could write messages on your behalf asking your contacts for information that the criminals later use to attack their accounts. A phishing attack could also lead your contacts to a fake site that looks very much like a real one, where they might enter their personal or banking data.
  • Spam spreaders. A hijacked device can be a spreader of spam messages. If your device runs a hacker’s script, you might be spreading dangerous messages all over the Internet, directed at your contacts on your behalf or sent anonymously. Either way, your device could be the “recruiter” of new devices for the Botnet, helping phishing attacks happen or spreading information around the Internet.

How to protect ourselves from Botnet attacks?

  • Use strong passwords and 2FA. Make your passwords as long and complex as possible. Adding a second factor to your authentication increases your security a lot.
  • Keep your devices up to date. The latest software (OS included) carries the latest security patches, which protect you better.
  • Don’t click any link or open any attachment that looks strange, even if it comes from a contact you trust. It might launch malicious software that infects your devices.
  • Use antivirus software on your devices. It can detect an infected file in time and save you from the infection.
  • Look for abnormal activity on your device. A sudden spike in CPU or GPU use might indicate that the computer is working for somebody else.

5 most common phishing attacks

Phishing attacks can be hard to notice. Be careful when a suspicious sender wants you to open a URL or download a file. Let’s explain a little more.

What does a phishing attack mean? 

A phishing attack is a type of cyber attack in which the attackers try to make the victim take one of the following actions:

  • Enter data. A fake site, visually similar to a popular one, asks you to fill in your information, such as email addresses, passwords, usernames, and bank details.
  • Download a file. The file contains malware that infects your device. The attackers could then make you pay a ransom to get control of your device back.

They send a message that looks ordinary, making it hard to tell apart from any other. Usually, it is professionally written and offers something the victim wants. Another approach is to make the message sound urgent, for example by demanding a password change within X amount of time.

Cybercriminals have been using this method for a long time. The term “phishing” plays on the word “fishing” and the way we lure a fish with bait.

Email phishing

The largest number of phishing attacks are sent via email. Using a fake domain that resembles a real company’s, attackers send thousands of messages. The fake domain usually contains character substitutions, for example placing “r” and “n” next to each other to make “rn”, which looks like “m”. Another trick is to use the company’s name as part of the email address.

The main rule for spotting a phishing email is to always check the sender address of any message that wants you to download a file or click a link.
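The check described above can be made mechanical. The following is an added example, not code from the original post: it classifies the sender address of a message against a list of trusted company domains, flagging both tricks mentioned (an “rn” for “m” style substitution in the domain, and the company’s name embedded in an unrelated address). The trusted domain list, the confusable-character table and the sample senders are constructed for this example, and the code assumes registrable domains are two labels long (it does not handle suffixes such as co.uk).

```python
"""Sender-domain lookalike check.

Added example, not code from the original post. Trusted domains, confusable
table and sample senders are assumptions made for this example.
"""

# Constructed list of the company's real domains
TRUSTED_DOMAINS = ["example.com", "examplebank.com"]

# Character sequences that look like another character in many fonts (assumed table)
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l"}


def canonical(label):
    """Collapse confusable sequences so that 'exarnple' normalises to 'example'."""
    out = label.lower()
    for seq, replacement in CONFUSABLES.items():
        out = out.replace(seq, replacement)
    return out


def split_address(address):
    """Return (local part, domain) of an e-mail address, lower-cased."""
    local, _, domain = address.strip().lower().rpartition("@")
    return local, domain


def registrable_domain(domain):
    """Last two labels of the domain (assumption: no multi-label suffixes like co.uk)."""
    return ".".join(domain.split(".")[-2:])


def classify(address):
    """Return one of: trusted, lookalike, brand-in-domain, brand-in-local-part, unknown."""
    local, domain = split_address(address)
    registrable = registrable_domain(domain)
    if registrable in TRUSTED_DOMAINS:
        return "trusted"
    label = registrable.split(".")[0]
    brands = [t.split(".")[0] for t in TRUSTED_DOMAINS]
    # Same name once confusables are collapsed (or the same name under another TLD)
    if canonical(label) in brands:
        return "lookalike"
    # Company name used as part of a longer, unrelated domain
    if any(brand in label for brand in brands):
        return "brand-in-domain"
    # Company name used in the mailbox name of a free-mail or unrelated domain
    if any(brand in local for brand in brands):
        return "brand-in-local-part"
    return "unknown"


if __name__ == "__main__":
    for sender in ["alerts@example.com", "alerts@exarnple.com",
                   "support@example-login.net", "example.support@gmail.com"]:
        print(f"{sender:30} -> {classify(sender)}")
```

Anything other than “trusted” is a reason to look at the message more carefully rather than proof of phishing: a partner’s legitimate domain may well contain the company name. The subdomain case (mail.example.com) is accepted because only the registrable part is compared, while exarnple.com is caught once the “rn” is collapsed to “m”.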

Spear phishing

Spear phishing also uses email. The difference is that spear phishing emails are sent to a specific person. The attackers behind such an attack already have some or all of the following information about the victim:

  • Name 
  • Job title
  • Place of employment
  • Email address 
  • Detailed information about their job role

Whaling

Whaling attacks are even more targeted, aiming at senior managers.

The end goal of this attack is the same, but the technique is much more elaborate.

A common variety of whaling is scams involving false tax returns; malicious URLs and fake links are of little use in this case.

Attackers greatly value tax forms because they contain useful information: names, addresses, and bank account details.

Smishing and vishing

With both vishing and smishing, the telephone replaces email as the channel of communication. Smishing consists of attackers sending text messages whose content is similar to email phishing. Vishing, on the other hand, involves a telephone conversation.

An example of a vishing scam is a criminal posing as a bank fraud investigator. The attacker tells the victim that their account has been breached and asks them to verify their identity or provide payment card information.

Angler phishing

Angler phishing is a relatively new attack. Social media gives attackers many ways to trick people, for example fake URLs, cloned websites, tweets, and posts. Instant messaging also allows basically the same as smishing. These vectors can be used to convince people to download malware or reveal personal information.

Furthermore, cybercriminals can use information already posted on social media to build a highly targeted attack.

DDoS attack – Everything you need to know

What does a DDoS attack mean?

Distributed Denial of Service, DDoS for short, is a cyber attack. It is performed to disrupt essential targets such as a network, system, or server by overwhelming them with large amounts of traffic coming from many devices. The word “distributed” refers to the many different sources used to carry out the attack. When the target is down, the DDoS attack is complete: the outcome is simply that no user can access it.

A DDoS attack can be of several kinds. The techniques can vary, or they can be combined to hit the target harder. Overall, every DDoS attack relies on infected devices: the more of them are connected to the Internet, the more of them can attack the victim. This happens globally and from every kind of compromised source, such as computers, servers, IoT devices, and wearables. The target is unable to handle the traffic; it becomes sluggish and eventually completely drowned.

How does it work?

DDoS attacks are carried out by networks of Internet-connected devices.

These networks include computers and other devices, such as IoT devices, that are infected with malware. This lets the attacker take control of them and operate them remotely. Each of these devices is referred to as a zombie or bot, and a group of them is called a botnet.

Once a botnet is built, the attacker can proceed with the attack. Each bot receives its instructions remotely.

Each bot then sends requests to the IP address of the target. In this way, the victim’s network or server is likely to get flooded, and the result is a denial of service for regular traffic.

The reason it is so difficult to separate regular traffic from attack traffic is simple: every bot presents itself as a legitimate Internet device.

The motive for DDoS attacks

DDoS attacks are gaining popularity and becoming the most common kind of cyber threat. The number of attacks performed is growing rapidly.

The motives that are behind the attack are mainly:

  • Shakedown – attackers use DDoS attacks, or the threat of one, as a way to force their target to pay them.
  • Business disputes – companies can strategically use DDoS attacks to take down a competitor’s site.
  • Philosophy – these people are called “hacktivists”. Their targets are usually sites that promote an ideology the attackers disagree with.
  • Boredom – these are cyber vandals looking for an adrenaline rush. They typically use pre-written scripts to launch DDoS attacks.

Keep yourself safe from DDoS attacks.

There is a way to defend yourself from DDoS attacks. If your name servers are the main target, what you need is a DDoS protected DNS. Essentially, it is a network of servers strategically located in different places, so that they can balance the load intelligently and the provider can successfully mitigate the attack traffic.

Also, if one server completely goes down, your domain will continue to resolve, thanks to the other servers.