Category Archives: Network (Protocol, Topology & Standard)

Application Development, Network (Protocol, Topology & Standard), System

The 2nd stricken region of cyber attack vector – Embedded malicious code applies to everywhere causes memory overflow

824 Comments

Headline news alert that malware embedded to picture file boil up hijack storm to android world. Sound horrible! No need involve phishing technique lure victim engage click url action and such a way compromise your android phone. No safe world! The vulnerability (CVE-2016-3862) fix immediately. Resolution is that enforce IPC Router to check if the port is a client port before binding it as a control port. Security Guru might alerts that critical vulnerabilities found this year are similar. The design ignore the verification check. Quote an example, a vulnerability (CVE-2016-0817) in the Simple Network Management Protocol (SNMP) code of Cisco Adaptive Security Appliance (ASA) Software could allow an unauthenticated, remote attacker to cause a reload of the affected system or to remotely execute code. The vulnerability is due to a buffer overflow in the affected code area. Yes, the device allow anyone send SNMP packet (OSI 5 – 7 layers) is the fundamental design. But the design concept not including someone is going to fool him. Is it a flaw? But SNMP protocol contains technical weakness originally! SNMP design flaw not on our discussion this time. We jump to a more critical topic. Yes, it is the buffer overflow attack. I claimed that this is the 2nd stricken region of cyber attack vector.

Heads-up (Quick and Dirty):

Unsafe functions buffer overflow

Buffer overflows, both on the stack and on the heap, are a major source of security vulnerabilities in C, Objective-C, and C++ code.When the input data is longer than will fit in the reserved space, if you do not truncate it, that data will overwrite other data in memory. If the overwritten data includes the address of other code to be executed and the user has done this deliberately, the user can point to malicious code that your program will then execute.

Basic buffer overflow attack

NOP-sled is a quite common shellcode preamble used in memory corruption attacks to increase the probability of successful target exploitation. The attackers usually prepend their machine language code with a large amount of No Operation (NOP) instructions. Most CPUs have one or more NOP instruction types, which tell the processor to do nothing for a single clock cycle. The attacks consist on making the program jump into an specific address and continue running from there. By looking at the program and its output, attacker can write the address of bar into the return address. The step is that overwrite return address so that code execution jumps into the input given by attacker.

Heap-based overflow

The heap is the memory area where you can allocate memory during the execution of a binary. Heap attacks are typically harder to perform than a Stack based attack.

i. Overwrite pointer – A pointer points to valid executed code. But the attacker corrupting the pointer and put the malware function replace the valid executed code. A remote attacker may exploit this issue to execute arbitrary code within the context of the affected application.

Stack-based overflow

It affects any function that copies input to memory without doing bounds checking. If the source data size is larger than the destination buffer size. The data will go to high address and overflow previous data on stack. The attacker could use to execute arbitrary code with elevated privileges or cause a DoS condition.

Buffer overflow attack may appear everywhere in cyber world today. Any weakness of system and application design will lure the interest by hacker. IT Guru don’t ignore this channel.

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Is this a hoax? Or it is National Security Agency?

850 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/Equation-Group-pic-2_zpsojrksrjr.jpg

I believed that hot topics this week for sure hacking tools available download online. Rumour was told that those tools may develop by NSA (National Security Agency). Since this news make Anti-virus vendors nervous. As of today, their virus repository contained those files and confirm that those so called hacking tools is a genuine hacking tools. The Korean base anti-virus vendor AhnLab also given a malware naming convention to that malicious file. For more details, please refer to below chart for reference.

Status update on 18th Aug 2016 (today)

Kaspersky Confirmed that the leaked Hacking Tools Belong to NSA-tied Group. A former NSA employee told the Washington Post that those tools is a genuine hacking tools from NSA (see below).

https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html

Interim Summary:

It looks that the files available download on internet looks outdated. The latest time-stamp of that files create from 2013. The earlier creation date of some files are 2010. To be honest, we can’t ignore the possibility that this files leaked by our Hero whistle blower!  Since the backdoor malicious programs found are the execution files. I was surprised that NSA is not going to use inline hooking technique. As we know, hackers looking for payment to release whole set of files. May be those not open to public files contains inline hooking technique. Hacking Team is known to sell a malware surveillance software known as Da Vinci. Its remote access tools also make it possible to compromise a wide variety of hardware, including Android and Blackberry phones and Windows devices. Yes, we found the descendant of Da Vinci this time.

Remark: Da Vinci (Law enforcement sector deploy malware which supply by Italy-based Hacking Team).

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-1_zpsd7yypvqf.jpg

https://www.linkedin.com/pulse/who-jeopardizing-world-information-leakage-picco

 

Application Development, Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Mystery Surrounds Breach of NSA-Like Spying Toolset. Reflections: How important of SIEM today.

890 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/NSA-Cisco_zpszinq59nd.jpg

The mystery surrounds breach of NSA-Like spying tool set alerts security vendor. The world has been changed even though government without exception! The focus of everyone of this headline news might be the flaw of firewall vendors, right? Not sure whether you have chance to read the mystery NSA-Like spying tool documents? The critical guideline to the spy is that how to avoid people tracing them. To be honest, this is a unprecedented example which government teach the hacking technique. Below details is the example for your reference (For more details about these documents, please use your own way to download.)

!!! WARNING: Firewall logs everything !!!

!!! If you see “info-center loghost X.X.X.X” during a sampleman, DO NOT IMPLANT !!!
!!! Unless we own the syslog server !!!
!!! SNMP traps will also log our activity !!!
!!! SNMP traps going into system-view !!!

Target Firewall vendor

Regarding to the document (sampleman_commands.txt), the target Firewall vendors are Cisco, Juniper & HUAWEI. It is not difficult to understand what’s the reason those brand names are included in the list. Yes, it is because of the market share. They are the tycoon brand name. Besides, their design architecture sometimes has similarity. Per my observation, they make use of the instruction pipeline technique. The instruction in a pipelined processor are performed in several stages. Data hazards occur when instructions that exhibit data dependence modify data in different stages of a pipeline. There are three situations in which a data hazard can occur:

  1. read after write (RAW), a true dependency
  2. write after read (WAR), an anti-dependency
  3. write after write (WAW), an output dependency

I agree with that the firewall system design or flaws are the responsibilities of Firewall vendors. Since hardware vendor not aware they are vulnerable until scandal open to the world. From consumer’s point of view, is there any preventive control to alert customers?

How important of SIEM today?

An hints written on document stated that they are concerning targets to trace their IP locations. The critical point is that  both syslog and SNMP server must compromised. Otherwise they need to find another alternative. The story can tell how important of SIEM today!

SIEM solutions boots cyber safety world today

Key features of SIEM:

Real time alerting

1. Rule-based alerts with dashboard and email notification
2. Alert annotation
3. Pre-configured alerts for hundreds of security and operational conditions

For your choice to select suitable SIEM product  , please refer below.

Gartner Magic Quadrant for Security Information and Event Management analysis report

https://www.gartner.com/doc/reprints?id=1-2JNUH1F&ct=150720&st=sb&mkt_tok=3RkMMJWWfF9wsRoiuqTIcu%25252FhmjTEU5z16uwlUa6%25252Fg5h41El3fuXBP2XqjvpVQcNrNL3IRw8FHZNpywVWM8TILNUQt8BqPwzqAGM%25253D

 

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard), System

Internet traffic governance by firewall (Great wall), what circumstances China still under external Cyber attack?

926 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/China-Firewall_zpsutjpv0vx.jpg

The surveillance program in China running in visible level. China government defined traffic monitoring scheme, the People live in China entitled to benefits of citizenship must accept this policy.A well known secret indicated that a giant (Great wall) monitoring the inbound and outbound internet traffic continuously. Sounds great! From technical point of view, workstation located in China is under government protection. The benefits is that overall hit rate with cyber attacks will become lower. We are not a politicians for not going to speculate the reason to establish this security facility. But it looks that there is no perfect defence mechanism in the world. The Internet Security Threat Report on June 2016 provides the following parameters.

Web sites for remote control

  • 3,637 foreign IP addresses through the backdoor arrived to the territory.
  • 6,618 websites encountered cyber attack causes hacker remote control.

Remark: Among them, foreign suspicious IP address is located mainly in the United States, China, Hong Kong and South Korea and other countries or regions.

  • Foreign countries IP address relies on backdoor might came from Russia . They are execute web server remote control. The total suspected IP addresses are 1,667.
  • Website implanted backdoors, ranks in high volume.
  • Besides, implanted backdoor attack IP address covered US and Hong Kong area. The total statistic are 1129 came from US and 808 came from Hong Kong.

Reference: Internet stats for 2016

China, as a country, has the most internet users; with an estimated 640 million internet users, the number of internet users in China is twice the number of the entire U.S population.

What’s the reason?

Major Factor:

1. Enterprise firm Site to Site VPN connection bypass Great Wall governance: If there is security weakness occurs in their server system and network backbone. Hackers are able to relies on those vulnerabilities of the system  activate the cyber attacks.

2. Remote Proxy services bypass Great Wall

A terminology so called internet censorship circumvention, the method is establish a encryption tunnel, the tunnel end point of connection is the foreign countries proxy gateway. It is a onion network, if one of the proxy server not in service, the proxy services application will search another available gateway.
Since the network datagram was encrypted by TLS/SSL. The version update in frequent. From certain point of view, great wall might not decrypt the network traffic and such a way let him go!

3. Layer 2 Tunneling Protocol (L2TP) bypass Great Wall

The PPTP/L2TP/SOCKS5 protocols are provided for devices lacking compatibility with the Private Internet Access application or OpenVPN protocol. PPTP/L2TP/SOCKS5 should be used for masking one’s IP address, censorship circumvention, and geolocation. As far as I know, Great wall have capability to deny this network traffic.

4. Flaw found in ASN.1 compiler – for more details refer below url for reference.

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

China’s intelligence mobile phone has high growth rate. Since it is intelligence device, it is a mobile computing device. From technical point of view, it looks a workstation with Internet connection feature. China Mobile Phone Users reached 1.306 Billion in 2015. It is hard to guarantee 1.306 Billion mobile phone are compliance. That mean OS is the latest version, anti-virus installed with update pattern. To be honest it is not easy! With so many people dependent on mobile devices to communicate and work, mobile network security is more important than ever.

Additional information – SCMP regarding China Firewall

http://www.scmp.com/news/china/policies-politics/article/1922677/china-blocks-vpn-services-let-users-get-round-its-great

Any other? Is your turn to input. Be my guest!

Cell Phone (iPhone, Android, windows mobile), Network (Protocol, Topology & Standard)

The important thing is to never stop questioning (Albert Einstein)

870 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/sat-China_zpsfc8frkuz.jpg

The important thing is to never stop questioning, said Dr. Einstein. View the breaking news today.China has launched the world’s first quantum communications satellite into orbit. Watch TV News program noticed that a group of scientist find a way apply the quantum physics to traditional cryptography replacing RSA cryptosystem. The testing go to final stage in 2015. Competitions everywhere today including employees, business partners, countries. Life is not easy! World looks demanding now! Let’s review in short form in regards to RSA cryptosystem weakness.

RSA cryptosystem weakness:

  • The RSA cryptosystem can be very weak if you do not choose your primes carefully.
  • If the two corresponding ciphertexts are intercepted.
  • If you send the same message to more people with the same RSA encryption exponent e , then the plaintext can always be obtained easily from the intercepted ciphertexts.

Quantum Cryptography benefits:

  • Quantum entanglement – particles can share the same quantum state irrespective of their spatial distance from each other. The entanglement state discard when parameters change.
  • Quantum cryptography would be used in practice to produce one time pads that could be used to securely encrypt any message.

What is the key factors (built a quantum communications satellite):

Avoid eavesdropping – Being monitored

Cyber attack – Being attacked by hackers

Questioning about unknown factors?

In what Layer of the Earth’s Atmosphere install this satellite?

Answer: Exosphere – up to 10,000 km above the Earth

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/orbit-v4_zpsgkk97mbq.gif

Is there any external interfere to this layer? For instance, SUNSPOT & X-rays?

It was protected by atmosphere. Atoms are no longer gravitationally bound to the Earth and get knocked away by solar wind. As such, without interference caused by Sunspot suspend the network communications. (Remark: Satellite interfere by sunspot periodically. The result is that the satellite will lost electronic communications in short period of time.)

Does it compatible with mobile phone?

Yes, it is compatible with 4G mobile network and provides hack proof communication channel. I believed that it achieves independence from the use of fixed line or existing mobile networks through super fast Ka-band satellite backhaul.

The objective is that avoid eavesdropping on mobile phone. For instance, NSA tapped Angela Merkel’s mobile phone. The scandal expose to public in 2014.

Germany opens inquiry into claims NSA tapped Angela Merkel’s phone

https://www.theguardian.com/world/2014/jun/04/germany-inquiry-nsa-tapping-angela-merkel-phone

Interim summary:

The space of technology development is to infinite. But like Dr Einstein said, the important thing is to never stop questioning.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco070/questioning_zpsyrbxvutm.jpg

Network (Protocol, Topology & Standard)

How to protect your IT premises? Found vulnerability sometimes isn’t a flaw.This is the original design!

42 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/SS7-ASN1-Flaw_zpslcpchclx.jpg

Preface

People might questions leonardo Da Vinci if he still alive. Why did he choose this woman became mona lisa? Since nobody could explain on behalf of him. But strongly believe that this is the original design.

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. On the other hand, the culture of modern world relies on electronic communications system. Therefore network communication protocol especially TCP/IP protocol and Signaling System 7 are the major elements in nowadays world.

Recall historical data of specific elements (quick & dirty)

1. ASN.1

Originally defined in 1984 as part of CCITT X.409:1984

Design objective:

i. Overcome how different computer systems transmit data
ii. Model parameters exchanged between application entities

 

2. Signalling System 7

It was developed in 1975

Design objective

i. SS7 controls telephone calls, both wired and wireless, through the use of a control signal that is separate from the actual voice circuit.

ii. It allows phone networks to exchange the information needed for passing calls and text messages between each other.

3. TCP/IP version 4

The first version of this predecessor of modern TCP was written in 1973

Design objective

i. A set of general design guidelines and implementations of specific networking protocols to enable computers to communicate over networks.

ii. TCP/IP provides end-to-end connectivity specifying how data should be formatted, addressed, transmitted, routed and received at the destination.

Flaws found as of today

TCP/IP version 4 (CVE-2016-5696)

The difficult part for hacker taking over TCP connection is to guess the source port of the client and the current sequence number. A group of researchers found that open a connection to the server and send with the source of the attacker as much “RST” handshake packets with the wrong sequence mixed with a few spoofed packets. By counting how much “challenge ACK” handshake packet get returned to the attacker side.  Attacker might knowing the rate limit one can infer how much of the spoofed packets resulted in a challenge ACK to the spoofed client and thus how many of the guesses where correct. This way can quickly narrow down which values of port and sequence are correct.

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/ninja-anima-ver2_zpsoonzpftm.gif

Interim solution apply to Linux environment

Linux are everywhere today, in workstation, servers, mobile devices and IoT devices. Append the following to /etc/sysctl.conf:

net.ipv4.tcp_challenge_ack_limit = 999999999

Use “sysctl -p” to activate this feature

Flaw found in ASN.1 compiler

For more details, please see below:

https://www.linkedin.com/pulse/flaw-found-communications-industry-yet-determined-1-picco

Interim solution: unavailable

Current status: The extent of the vulnerability has yet to be determined, IT folks this vulnerability looks critical. It is hard to imagine what’s the impact at this moment. We keep our eyes open see whether a remediation will be announced by the telecommunication providers?

SS7 Vulnerability

A proof of concept shown that attacker could use the telephone network to access the voice data of a mobile phone, find its location and collect other information. Hacker able to manipulating USSD commands to spoof financial transactions such as the authorization of purchases or the transfer of funds between accounts.

The hacks exploit the SS7 vulnerability by tricking the telecom network believing the attacker’s phone has the same number as the victim’s phone. We know that hackers can hijack whatsApp and telegram via ss7. A vulnerability found on 2008.

Interim solution

Mobile phone network services provider has employed security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access.

For additional information details, please refer below:

SS7 hack explained: what can you do about it?

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/OSI-vs-SS7_zpsk76izco4.gif

How to protect your IT premises in regards to above flaws?

For weakness of TCP/IP protocol, the IP version 6 able to resolve design limitation of sequence number. In the long run, it is recommend IT team get rid of IP version 4. However the truth is that v4 and v6 are mixed mode in nowadays IT world.

The most headache topics are the ANS.1 complier flaw and Signalling system 7 vulnerability. For SS7 vulnerability, since those item of works (remediation and mitigation) are relies on Telecommunication service providers. Mobile phone network services provider employing security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access. For text messages, avoiding using SMS. As far as we know, whatsapp communication is being encrypted today!

How’s the status of ASN.1 compiler right now?

About SS7 vulnerability information update:

Nokia safeguards network operations with new security features in Sep 2015. The features consisting of Signaling Guard and Security Assessment service, detects and prevents attacks that exploit vulnerabilities in the SS7 protocol. For more details. Please refer to url below:

http://company.nokia.com/en/news/press-releases/2015/09/03/nokia-networks-safeguards-network-operations-with-two-new-security-launches-networksperform

About  SS7 vulnerability incident found and reported by German newspaper media on May 2017:

German newspaper (Süddeutsche Zeitung) reported that that hackers relied on SS7 attacks flaw as a backdoor. The vulnerability allow bypass two-factor authentication (2FA) systems to conduct unauthorized wire transfers.

http://www.sueddeutsche.de/digital/it-sicherheit-schwachstelle-im-mobilfunknetz-kriminelle-hacker-raeumen-konten-leer-1.3486504

 

Network (Protocol, Topology & Standard)

Are there any security weaknesses to 4G mobile network? Or it is trustworthy?

796 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/4G_zpsfq78cmqj.jpg

Let’s review how cellphones work? Quick & Dirty

1G – frequency-division multiple access (so called analogue cellphones)

It divide the frequency band available into little segments and let each person send and receive on a slightly different frequency.

2G – time-division multiple access (so called digital cellphones)

Phone calls were transmitted by sampling the sound of people’s voices and turning each little segment into a numeric code. As well as sharing phone calls between different frequency bands. The design concept is that giving each phone user a short “time share” of the band. The mobile telephony system splits up every calls into digital chunks and sends each chunk at a slightly different time down the same frequency channel.

3G – code-division multiple access (so called high speed digital cellphones)

The fundamental design of idea for code division multiple access are sharing the features of both TDMA and FDMA.  So a number of different callers can use the same radio frequencies at the same time. The 3G networks are a combination of IP and mobile signalling protocols (SS7).

4G – orthogonal frequency-division multiple access (so called high speed broadband cellphones)

A evolution of the three earlier generation of technologies (TDMA, FDMA, and CDMA). With OFDMA technology, signals are digitally coded, chopped into bits, and sent on separate sub-channels at different frequencies. Since signal has been coded and therefore they are not interfere with each other on the same frequency. But the 4G mobile networks are all IP based network. The 4G LTE networks typically include a number of security features that make communications secure.

4G mobile network – Is it trustworthy?

As we know hacker can hack WhatsApp and Telegram by fooling the network causes by Signalling system 7. SS7 is vulnerable since 2008. Mobile phone network services provider has employed security experts to perform analysis of the SS7 systems in use to try and prevent unauthorised access. In the long run, SS7 might going to obsolete in future because of modern technology fast growing trend. The 3G networks are a combination of IP and mobile signalling protocols (SS7). From cellphones users assurance view point, it is better to migrate their services to 4G mobile network instead of 3G.

Just how secure is 4G?

With 4G technology, encryption is only mandatory over the main Radio Access Network (RAN). The traditional crypto and side-channel attacks, 4G security features are able to addressed. The out of band management on 4G network has security considerations. Since the ‘backhaul’ portion of the network is unencrypted by default. For those company integrate their IT infrastructure to 4G network, they must setup a site to site VPN tunnel (IPsec) connect to other side end point. The primary weakness in 4G security is that its use of cryptography does not provide end-to-end security. It only encrypts the traffic between the phone and the base station, but there is no encryption while the data is communicated over the wired network. This means that there is no security against a malicious or compromised carrier.

Unforeseen attack vector due to speedy network

The 4G cellphones that have been infected with malware and are under the control of hackers could also become part of a ‘botnet’, and be used to conduct more advanced attacks, due to the increased bandwidth of 4G. The average download speed for 4G LTE is about 20Mbps. It is faster than traditional 3G network speed 6 times. The Multicast Video delivery scheme in OFDMA-based 4G wireless networks, to optimize multicast video traffic. On the other hand multicast video delivery, which is vulnerable to malicious video flooding attacks. The cyber attack has been changed. From traditional non mobile type network migrate to mobile computing network. The high network speed boost up DDOS power unintentionally. This is the major factor cause distributed denial-of-service (DDoS) attacks rapidly increase.

Theoretical mobile network bandwidth infographic:

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/4G-4_zpst1frchom.gif

Additional key factor :

4G mobile network lure hackers engage cyber attack. It is a jump board. A critical flaw was discovered in the ASN.1 compiler used by leading telecommunications and networking vendors. ASN.1 is an essential ingredient for achieving the lightning-fast mobile broadband networks of the 21st century. Protocols such as 4G: LTE RRC, LTE S1/X2 and IEEE 802.16m WiMAX are defined using ASN.1. Since the extent of the vulnerability of ASN.1 has yet to be determined. And such a way let the 4G mobile network inherent risk increases.

Short term conclusion:

The 4G mobile network looks not secure compared to other mobile network.

Reference: Flaw found ASN.1 & SS7

https://www.linkedin.com/pulse/how-protect-your-premises-found-vulnerability-isnt-picco

 

Network (Protocol, Topology & Standard)

About xor DDOS malware

920 Comments

http://img.photobucket.com/albums/v704/chanpicco/chanpicco071/Xor-pic_zpsmuqbdlvz.jpg

XOR DDOS – Tsunami SYN Flood ramping up to 140 Gbps attack against public network backbone.

XOR DDOS attack aggressive last year (2015). Xor DDOS attack triggers by Botnet. The attack capability able to reproduce 150Gbps attack vector. Since the coverage of mobile computing especially cellphone users on demand today. The OS kernel of mobile phone is linux. The architecture of XOR DDOS attack relies on botnet. And the attack target is Linux OS.
This type of attack growth rapidly today. The hackers through TCP 3502 port connect to victim device trigger attack.The objective of attacks are based on flood mechanism (Syn flood and DNS flood).

Historical changes of the MD-5 checksum values:

Oct 2015 – 238ee6c5dd9a9ad3914edd062722ee50

Oct 2015 – 2edd464a8a6b49f1082ac3cc92747ba2

Nov 2014 – fd3f2c810f4391be2e6b82429c53c318 (Attack target specify Linux OS)

Hackers custom cocktail attack mechanism:

SYN and DNS floods generated by the Xor.DDoS Malware have very specific characteristics. The payload consists of garbage memory data, this memory capable to store passwords and ssh private keys.

The attacker will send many SYN packs to victim host with multiple sources. The attack will be launched on port 22 (ssh). This attack is very effective if syn_cookies are turned off. Please be remind that syn_cookies turned off by default on Linux.SYN cookies are now a standard part of Linux and FreeBSD.

DNS floods are symmetrical DDoS attacks. These attacks attempt to exhaust server-side assets (e.g., memory or CPU) with a flood of UDP requests. Since DNS servers rely on the UDP protocol for name resolution, and is a Layer 3 attack. With UDP-based queries (unlike TCP queries), a full circuit is never established, and thus spoofing is more easily.

Design objective of XOR malware:

SYN Cookies is a simple DDoS defence today, and probably suitable for all Internet hosting including mail server and corporate web servers. 500 units of compromised mobile computing devices with an average 200 Kbs of bandwidth each launching an attack will fully utilize your 100Mbs network link.

Attack target:

From technical point of view, SYN Flood and DNS flood are effectively suspend the network connectivity and domain name lookup function. It clearly shown that engage this attack to ISP or Cloud services provider might bring a Tragedy to their business. As far as I know, ISP or Cloud services provider have mechanism to detect botnet in their network and monitor the malicious communications between bot and C&C server. But for victim hosts, since it is not run in the internal network. Even though you install malware detector, define Yara rule looks not help! I believed that this is one of the key topic which headache the ISP and cloud services provider.

For mitigation of the attack, a discussion will continuous on the next phase.