
DDoS and IoT Nightmares | The Cybrary Podcast Ep. 32


In this episode of The Cybrary Podcast we sit down with Richard Hummel, the Manager of Threat Research at Arbor Networks - the Security Division of NetScout. Speaking with Mike Gruen, the CISO of Cybrary, Richard talks about DDoS attacks in the gaming industry and how IoT devices should scare everyone.

Hosted by: Mike Gruen, CISO at Cybrary, Richard Hummel
Length: 41 minutes
Released on: August 19th, 2020

Summary

This episode features Richard Hummel, manager of threat research at Arbor Networks. Mike Gruen, CISO at Cybrary, discusses with Richard the changing landscape of IoT devices as it relates to cyberspace and COVID-19. There has been an influx of people coming and staying online as a result of the pandemic; this includes online video games. Richard discusses how gaming and gambling platforms have become the biggest targets for DDoS attacks. Gamers can even pay a small fee to malicious users to have them knock an opponent offline in an effort to win. As a result, service assurance becomes a necessity for the growing number of people who now rely on home networks, which are more exposed to this kind of attack.

Hummel continues to explain the risks in the evolving field of IoT: companies and manufacturers have no oversight to ensure secure devices. The industry leans towards usability, speed of production and distribution, and minimal cost. The result is the field of vulnerable IoT devices we have today, and it continues to grow. Consumers purchase these devices and connect them to their home networks; some bring them to their workplace under bring-your-own-device policies. Hummel claims that brute force is still a major technique used to compromise IoT devices. This proves successful because users often do not, or cannot, change the default credentials on their connected devices. Moreover, lack of storage space on certain devices can prevent critical updates from being installed.

However the attacker gains access to the IoT device, it can then be used as part of a botnet that targets individuals or even larger organizations. Adding to this issue, malicious actors are evolving their tactics and motives when executing DDoS attacks. Specifically, attackers are diversifying their attack vectors for financial gain or notoriety.

Richard Hummel closes with an anecdote about the Mirai malware that highlights the growing concerns expressed throughout the episode.

Transcript

Mike: Hi and welcome. Today we're talking to Richard Hummel from NetScout about DDoS attacks and the general cyber threat landscape. Welcome.

Richard: Thank you for having me. It's a pleasure to be on.

Mike: Cool. Do you want to give a little bit of background about yourself?

Richard: Absolutely. So, Richard Hummel, I manage the ASERT research team over here. We focus on threat intelligence in the DDoS space. We look at some APT, we do some crime. I've been with the company for about two years. Previous to that, I was working for FireEye, and before that iSIGHT Partners, which was acquired by FireEye. So I've been in this threat intel space for a long time and moved around from crime to the DDoS side a little bit more, then APT and crime. Previous to that, I was in government contracting doing primarily regional-type tracking for espionage-related campaigns and threats. And then there's four years in the Army before that. So I've been around this for about 12, almost 13 years now, in this small space doing any number of things. So I come here from NetScout with more of a DDoS background today.

Mike: Oh, awesome. Yeah. So maybe that's a great place to start: can you give a little background? What is DDoS, what does it mean? A little bit of history there.

Richard: So I mean, obviously the biggest thing to keep in mind is, as NetScout, as a company, we're focused on service assurance. The internet really connects the world together, and if you don't have access to the internet, obviously your livelihood is not there. You're not able to conduct business, especially right now where the majority of the workforce is working from home. You have schools everywhere. They're all using internet-connected technologies to continue learning, continue business. So now more than ever, it's really critical to have that service assurance where you're making sure that adversaries can't just saturate your network and your bandwidth with this massive amount of traffic and really take it down. When we think about DoS, you're denying services to something, right? Whether that's an application, access to a website, or connecting to your service providers, whatever it might be, that is a denial of service event. So when you think of DDoS, you're talking about distributed denial of service. Now you're talking about botnets, massive networks of reflectors and amplifiers that can take a command from an adversary somewhere and amplify that traffic at a specific individual or multiple individuals with the express intent of taking down that network. And so that's where we come in with the DDoS. And I guess what we're looking at here as well is understanding what it looks like in the landscape today, what we've seen so far since the pandemic was announced, and really how IoT plays into that. That's really what I wanted to cover in this podcast today.

Mike: Yeah. Awesome. So, a great segue: what are we seeing with regard to the pandemic and things that have happened since then?

Richard: Certainly. So, just a little bit of background on where you look at some of these threats. We look at it at the higher picture. So we're looking at global events, we're looking at global trends, statistics. We break that down by region. We look at the different verticals. So, you know, is it the health industry? Is it education? Is it finance? And you'll see that there's some higher-level order of these verticals, like telecom, right? That's all-encompassing. So you've got your wireless, you've got your wired, you have satellite; it all kind of falls into the same bucket. And so when you actually look at DDoS through your metrics, like 95% of the activity is telecommunications. And that makes sense, right? Because all of the consumers are there. And really the biggest targeting in DDoS attacks that we see is actually gaming related. A lot of people don't really understand or know that, but the reality is that the gaming industry is huge. And not only that, but gambling as a result of e-sports is really, really big, and the vast majority of attacks out there are against consumer IP addresses or gamers that are in competitions, or there's some sort of underground e-sport going on with some betting, and they're trying to take down networks so that their adversary can't compete with them. And this is the dynamic that we live in, right? So this is what we're seeing in a lot of these things. And this is no different now since the pandemic occurred; in fact, now more than ever kids are at home, they're playing games. And it's really easy for somebody to go out there on an underground forum, pay 50 bucks, and they can launch an attack at anyone really, and you can get IP addresses. If you're playing a game against somebody and you're also involved in the communications, there are ways to pull their IP address, which possibly goes to their home address, right?
Where they're actually gaming from, or whatever portal they're using to access that game. So now you have the IP address and all you've got to do is say, I want to launch this booter and stresser attack at that IP address, I'm going to pay 50 bucks, and now I have a hundred gigabits per second attacking it. And that basically brings them down for an hour. Now they can't communicate with their allies, you know, whatever it is they're playing. This is strong, right? So it takes them down, and it's kind of frightening actually when you look at the numbers. About 80% of the targets that we've seen targeted since the pandemic was announced back on March 11th, at this point, 80% of those targets are broadband operators, and almost every single attack that we see against broadband is typically the result of attacks against gamers. And so it's not even attacks against the game companies themselves or their servers, right? Sometimes it might be.

Mike: Right. That's what I was trying to figure out when you first started talking about gaming. I was thinking, to what end? Right. But if you're going after the individual players, now it becomes more... I can see where it sort of comes from.

Richard: Exactly. So there are times when these attacks go after the organizations themselves or specific servers, like when there are new games announced, or there's DLC content, or maybe there's a launch of a game and they're doing online downloads only, especially now, right? Because you can't really go to a GameStop if they're not open. So how are you going to download your game? Well, you have to download it from a server somewhere. And so people, maybe they don't like the release, or maybe they don't like the vendor that's shipping the game.

Mike: Right

Richard: They can find the public IP spaces, they can look up an organization by the ASN, right? The autonomous system number, and be able to say, hey, this belongs to EA Sports, or this belongs to some other big organization. Let me just go ahead and launch an attack at these guys. And maybe that just hits one portion of them in a certain segment of a region of North America. Maybe it takes them down, maybe it doesn't, but that's what we're seeing. Yeah.

Mike: Right. And I can see why it's way more effective against individuals. Right? If I'm a company, I have services and systems that are designed to detect and respond to that, as opposed to my home network, which is not ready for a DDoS attack.

Richard: Exactly. Well, and the thing is, all of these home networks, all these consumer routers, they're still using an ISP's space somewhere, right? So the vast majority of ISPs have protection against these things. But the reality is, when you're in a competitive game like this, a couple of minutes could be the difference between whether you lose a match or you win a match that could have millions of dollars riding on it, depending on what kind of game it is and who's betting on it. Especially in Asian cultures, this is very, very prominent. And so even if you manage to just knock out their internet for 30 seconds, which, I mean, it's not that hard to do.

Mike: Right

Richard: So attackers are getting much smarter. In fact, some of the techniques that we've seen, that we've covered actually in one of our more recent reports, was looking at attackers' capabilities and what they've evolved to. It used to be that I have an IP address, I want to attack it, I'm just going to go after that one address, and I'm going to use a certain protocol or vector or certain type of attack. And maybe this is a UDP attack against DNS, right? So I'm just going to flood it with DNS, I'm going to hit everything I can against it. That still happens. That's what we would call basically a single-vector type of attack. But what we're seeing now is not necessarily the high-volume attacks, because we know how to mitigate these now. Right? Most carriers out there, most enterprises out there understand that if they get a UDP attack, it's against one IP address and it's this vector and it reaches a certain threshold, I know that's a DDoS attack, I'm just going to drop it on the floor. So the largest attack on record that we came out with last year, it was 1.7 terabits per second of attack traffic. Right?

Mike: Right

Richard: The idea is that that took down the customer for less than three minutes.

Mike: Right.

Richard: And so we know how to mitigate these now. And so now what we're seeing is smaller volumes. We're seeing 100 to 200, 100 to 400 gigabit per second ranges, but now we're seeing that combined with a bunch of different types of attacks. So you might have DNS, NTP, CLDAP, MySQL, ARMS, the Apple Remote Management Service, all of these different things in one singular attack. In fact, we recorded one attack in the past six months that used 17 different protocols or vectors in one attack. And so now, instead of just mitigating one aspect of that, you have to have more mitigation and defense techniques configured to hit all of those protocols and all of those vectors at the same time. Now you take that and you combine it with something called carpet bombing.

Mike: Right.

Richard: Look, what carpet bombing is, is it basically says instead of going after one IP address, I'm going to target the entire network block. So maybe I'm going after a CIDR block of, let's just say, a hundred different addresses, just for sake of size here. And let's just say that for my mitigation techniques, I can mitigate traffic, but I'm not going to start my actual scrubbing of traffic until it reaches a five gigabit per second threshold volume.

Mike: Correct.

Richard: Well, what happens now when you hit all 100 of those IP addresses with 4.9 gigabits per second of traffic? You never hit the threshold on any one of those. And so you're not triggering your mitigation

Mike: Right

Richard: and dropping it, but now you're saturating the entire network block. And so this is what we would call carpet bombing.

Mike: Oh, interesting.

Richard: Now another thing, and this just gets more complicated.

Mike: Right.

Richard: Complex. This is what attackers are doing. They're adding more and more capabilities. Now they're adding TCP SYN attacks, and a TCP SYN attack historically has been very difficult to mitigate just because of the way the TCP protocol works versus UDP; there's a lot more that goes into mitigating that type of thing. So not only are you adding more vectors, not only are you targeting more IP space inside of a block, you're also adding a much harder-to-mitigate protocol. And that all combines so you can take down a target for 30 seconds, for a few minutes. And that has big lasting consequences, especially on the gaming industry. For sure.

Mike: Interesting. Are you seeing it? I mean, I know healthcare is an obvious one as well with the pandemic; that's been in the news about things that have been gone after. But are you seeing anything in other areas? Like I could see, if I want to go after a company now that I know everybody's remote, maybe trying to figure out what their VPN is and going after that to prevent users from even logging into the system.

Richard: Sure. So here's the one thing to keep in mind. Actually, we did this exercise just in the past few weeks, because the actual traffic we're seeing on VPNs has just risen astronomically.

Mike: Right.

Richard: And you see lots of industry reports coming out saying, yeah, VPN is using so much data. But here's the reality. The only VPN nodes that most people can find out are public ones, and corporations shouldn't be using public VPNs. Right. So there are plenty of tools out there. There are GitHub repositories where you can go and download every single known VPN node out there. And this is going to be for all of your public, commercial-license type, paid things, but most organizations, enterprises, if they do have an in-house VPN, they're not going to publicize their nodes. Right.

Mike: Right.

Richard: So it is very difficult to be able to identify those, and even working in the space and understanding what we're looking for, still being able to find those nodes and see actual DDoS attacks against them is very, very difficult. And so if you have some sort of inside knowledge, sure, maybe we could see that, but honestly, we don't see a whole lot.

Mike: Right. So maybe it would be a malicious former employee or current employee.

Richard: It could be any employee and that would be huge.

Mike: Right.

Richard: Yeah.

Mike: Right.

Richard: And I know you guys have plenty of insider threat segments here on Cybrary already, so I'm sure you're very familiar with that. But yeah, so another aspect of this too is, what if we're just looking for certain protocols? Because OpenVPN or various other types of VPNs use certain protocols to connect. And so maybe if you're sniffing a network somewhere and you see a lot of that traffic coming through using a certain protocol, it might be encrypted so you can't really see a whole lot, but if you do happen to get in the middle of that and you're able to decrypt those sessions, you might understand that, hey, this is actually VPN traffic. But again, that's having to have access.

Mike: Right.

Richard: So it's not like to somebody on the outside it's going to be obvious, like, oh yeah, that's VPN traffic. I'm going to think that's a little difficult to do. Yeah.

Mike: Interesting. Cool.

Richard: Yeah, so we're going to talk a little bit about the different vectors that we're seeing, because I talked about these techniques, and what are we seeing? Just from a quick high level, the primary vectors that we're seeing come across are DNS attacks, using UDP, UDP DNS attacks. And then we're seeing NTP, which is a huge one because there are tons of NTP servers out there that just respond: reflection, amplification. CLDAP is another one. And then TCP SYN. Those are our top four right now, followed very closely by IP fragmentation.

Mike: Cool. So maybe for the people who are a little newer to the space, could you elaborate on what each one of those four is?

Richard: Yeah, so obviously DNS is what you're going to use to resolve. If you go to a website and you say google.com, right? That's your domain. And so you're going to have some sort of IP address that is hosting that domain. So what attackers will do is they'll find DNS servers out there, and they have specially crafted packets that they send to them, and often they're spoofing traffic, right? So I'm going to spoof the IP address I want to actually target, and I'm going to send them a certain packet that doesn't really end, that leaves an open connection. And so now all these DNS servers everywhere are going to respond with this traffic, and maybe they might add some parameters to make sure those packets are really large in size. And so now I've got all these DNS servers everywhere responding to my server when I didn't actually send anything. Right. Because it was spoofed.

Mike: Right

Richard: That's my network being saturated with bogus traffic. And this is the reflection amplification aspect of these DDoS attacks. The same is going to be true for the rest of the protocols.

Mike: Right.

Richard: You're going to be spoofing the source, and then you're also going to be crafting that packet in such a way that you're getting maximum effect. And so when we actually look at some of these different vectors, like right now I think we're tracking about 29 different vectors you can use for reflection or amplification. Some of them have a one-to-one ratio, right? So one packet generates one packet. That's not a true reflection capability or amplification factor. However, if I look at memcached, which, I don't know if you read the news maybe about seven or eight months ago, that was huge, right?

Mike: Right.

Richard: It appeared as this unknown vector and it had this massive amplification. I think we saw as high as one packet generating up to 52,000, which is huge, right?

Mike: Right.

Richard: When you compare it to a lot of these other vectors, we've never seen anything that big before. And so it took very few of these servers that could respond to this to launch a 1.7 terabits per second attack, which happens to be the largest attack we've ever seen, as a result of memcached. And so, yeah, actually in one of the reports that we just published in February, if anybody's interested, you can just go to netscout.com, threat report, and download it. There's a periodic table of DDoS attack vectors in there, I think it's on page 10 if I remember, but it has all of the vectors on there that we know about. So it goes through ARMS, it goes through CoAP, which is the protocol that runs on IoT devices, and it lists in the top right corner the maximum amplification factor that we've seen. Right below that there are five little radials, and those go anywhere from a hundred thousand up to millions, and that indicates how many of these reflectors we know about in the wild. And now we're really conservative about how we scan. So we're not just blasting everything all day, all the time. We basically send one request at something per day to see if it responds in a certain way, because we don't want to add to the saturation of the network, especially now. And so we want to make sure that we're being very conservative with this. There are other scanners out there that just blast you all day long, as many times as they want, and so they might have more numbers than we do, but we try to be conservative. So you can look at protocols like SIP, and there's like 9 million plus reflectors/amplifiers out there. You can look at DNS and we're between one to 8 million different reflectors/amplifiers out there. It's notable because when we actually start digging into these attacks that we're seeing, I already told you DNS, NTP, CLDAP, those are our top attacks. Right.

Mike: Right.

Richard: When you actually start looking at how many of these reflectors/amplifiers attackers are actually using, you start to get a picture of, well, what could an attack look like versus what attacks are we actually seeing? And the interesting thing is, for some of these protocols, attackers are using such a minute portion of the available reflectors, and yet they're still achieving huge volumes. A good example of this is a protocol I just mentioned called CoAP. We did this case study to look at these different vectors, because you would think, if a researcher comes down and says, hey, attackers are exploiting this vector to do reflection and amplification for DDoS attacks, the logical next step is, well, let's secure those, let's make it so that that doesn't actually happen anymore. Just like if a vulnerability exists on something, we patch it.

Mike: Right

Richard: So you would think that that happens in this space, and the reality is it doesn't really. Most vectors have been relatively flat. In other words, however many servers existed a month ago still exist today. Some of them actually grow. CoAP is, like I said, an interesting one because it exists in IoT devices, right? And the growth of IoT devices on the internet is just astronomical. Verizon predicts that this year alone, 20.4 billion IoT devices will connect to the internet per day. And that's just one statistic. If you look at organizations like Statista, you'll see that by 2023 or 2025 they're projecting like 170 billion plus IoT devices, which is just nuts. Right.

Mike: Right.

Richard: And so you see more of these devices, which means you see more devices that are vulnerable to this reflection amplification. And so that vector actually grows.

Mike: So why do you think it is that they're not being patched, or what is it about IoT devices in particular that makes it harder to secure or patch?

Richard: So I think the biggest issue here is that manufacturers have no urge to do this, and they have no oversight that says they must do this. Because think about it from a manufacturer's perspective. I want to create as many IoT devices as possible. I want to get them on the shelves as fast as I can. I want them to be available for customers to buy at any time, which means they might sit on the shelves for a while. They might sit in warehouses for a while, and I want to make them user-friendly

Mike: Right.

Richard: And I want them to get out fast, and I want to manufacture this as cheap as I can. So there are a number of problems in that scenario. One, if I'm doing it for really cheap, it means I'm not spending the time on security like I should be. If I want to keep them on the shelves for a while, it means they're sitting on the shelves for months without ever receiving any kind of patches or updates or security fixes. And then if I want to have ease of use, I'm going to have a lot fewer options as a user who buys this thing to actually go in and change my configuration settings. And so there are very few actual laws that mandate certain types of security. There are a few of them now. Some of the internet industry standards organizations are pushing for more security here. California passed a bill for all their IoT manufacturers that says, hey, you must have some semblance of security on these devices, but the reasonable security that they have is kind of open for interpretation. So what does that exactly mean? And so, yeah, you have all these things combining, and then you have the exponential growth of IoT devices that creates a massive problem.

Mike: Right.

Richard: And most users, when they get something, they plug it in and they want to use it.

Mike: Right.

Richard: It's Christmas morning, I get five new tech gadgets because I'm a tech nerd, and every single one of them connects to the internet. That makes every single one of them an IoT device.

Mike: Right.

Richard: Is the first thing that I do, when I plug it in Christmas morning and turn it on and start using it, to go into my admin panel and change my username or password? Probably not. Right,

Mike: Right.

Richard: and the reality is, in another study we did almost a year ago now, within five minutes of an IoT device connecting online, it is getting brute-force attacked for default usernames and passwords. Within five minutes.

Mike: Wow.

Richard: And then within 24 hours, you're having exploitation attempts thrown at it for known exploit vectors. And so, I mean, unless you're the kind of person that doesn't do anything else until you lock down your IoT device, which, I mean, come on, let's face it, how many of us actually do that? Even me as a security researcher, I don't. So it's just one of those things that is going to continue to be a problem until really laws are put into place that this must happen. Right.

Mike: Right.

Richard: Until manufacturers get serious about securing these devices. And unfortunately it's not happening fast enough today.

Mike: Right. And I think one of the other things, especially for some of the devices, is there's limited space, there's limited memory. And so the idea of having to put in all of the software to allow for an update or something probably is also problematic in its own way.

Richard: Yeah, I tell you what, a little over a year ago my wife and I were expecting our third child, and for the first two we didn't have any kind of video monitor. We didn't have any monitors for their baby rooms that connected to the internet. And we figured, well, let's just get a video monitor this time. And then we got to thinking, well, what if this connects to the internet?

Mike: Right.

Richard: What if we can't secure it? What if somebody can hack into this? Do we want them looking at our child? What does this mean? And so when I started researching and looking at these different things, we ended up going with one that doesn't actually operate with any kind of Wi-Fi; it just uses radio signals, like most monitors do. Because I didn't want to get a monitor, connect it to the Wi-Fi, and really not be able to manage it because there's no administration panel.

Mike: Right

Richard: There's no ability for me to go in and change passwords. So we just didn't even want to go down that route. And so those are the kinds of things that I think about. But even still, even thinking consciously about that, there are so many devices that come into our home that are insecure.

Mike: Yeah.

Richard: It's just kind of a frightening picture when you look at it.

Mike: Yeah, definitely. Yeah, my wife and I went through the same thing when we were looking at baby monitors and stuff. In the end, we just decided not to, you know, we'll just go with... we don't want anything on the internet connecting to the network.

Richard: Yeah. Yep. So when people ask me, what is the thing you fear most in the coming scenario for threat intel and the security aspect, it's really IoT. Because more and more, we're bringing it into our homes. Enterprises are allowing bring-your-own devices, limited things are entering, and the reality is that just because you're behind a firewall doesn't mean you're protected anymore. There's tons and tons of malware out there now that has proof of concept to actually get around firewalls. And so enterprises might say, oh yeah, we let people bring their IoT devices, but they're behind our firewall, so it's all good. Well, not really.

Mike: Right

Richard: So this is something that everybody needs to be concerned about.

Mike: Well, not to mention the IoT device started off on the other side of that firewall. So who knows what it's bringing in.

Richard: Right. Exactly. You know, what are you connecting to your internal network? Yeah.

Mike: Right

Richard: Yeah. So yes, it's really interesting when I look at this space and what is capable and what attackers are looking for. And more and more, we're seeing attackers do what APT adversaries do: they do their recon first, right?

Mike: Right

Richard: They look at the networks, they figure out how things are connected, how things respond. In fact, some notable outages that happened several months ago basically took down portions of a very prominent online retailer. And I won't name the name, but if you do a little bit of research you'll be able to find out who this is. And it turns out what the attackers did is they actually figured out where the geographic footprint was for trusted networks. And I say trusted networks; these are basically inside what is, let's put it in the terms of Windows administration, like a trust forest, right? So they're inside this network boundary that says, hey, if anything connects from within this boundary, go ahead and let it through, we'll do some other security checks later on down the road. Because if I was outside that and I launched a DDoS attack, it's going to fall flat. It's never going to go anywhere; we've got mitigations in place. But they identified that footprint. They figured out how to get some servers inside that perimeter to essentially amplify this traffic and start doing the DDoS attacks. And so they already mitigated or bypassed that first layer of protection. And then what else they do is they start doing "is it down?" type requests, right?

Mike: Right

Richard: So whether they're looking at Downdetector or they're sending ping requests, they're monitoring the efficacy of their attacks: is my DDoS attack actually taking this down? And if it's not, let me add a new vector, let me change vectors, or let me add a new tactic. And so adversaries are getting really, really smart about this, and they're really agile and able to pivot really quickly.

Mike: So what are, I mean, what are some of these people after? Like, what's the point?

Richard: So, I mean, obviously in the gaming one it's financial, right. You know, another one, I have a laugh every time I tell this story. So about eight months ago we had a report come out, and we had what we would call SOC stories, security operations center stories. We have what we call Arbor Cloud, which does basically managed services for DDoS mitigation. They do it for a lot of organizations; they do a lot for universities and stuff. And they actually had one incident where a university had reached out and said, "Hey, our services are down, we're trying to figure out what's going on." And in working with the university, the SOC was able to determine that it was midterms, and a student who didn't want to take his test paid to launch an attack at the testing center's IP space and took it down.

Mike: Wow

Richard: And so, you know, that's an obvious motivation, right? Why not pay 50 bucks? I can get out of taking this test, I can kick it down the road, I have more time to study, whatever I want to do. Right.

Mike: Right

Richard: It's interesting now, though, because we don't have that happening right now, because students are not actually in school,

Mike: Right

Richard: they're doing it online. And so it's really interesting to actually see that dynamic, where you see education kind of go down in the number of attacks and you see the broadband operators go up, so there's more gaming happening, and you see that kind of disparity. And so when we look at motivations, that's the predominant one. You hear about the extortions because the extortions make news, right?

Mike: Right

Richard: Everybody: ah, somebody's extorting money from you. That still happens from time to time, but it's not nearly as much. It's not like when Lizard Stresser or Lizard Squad first came on and started doing their extortion attempts, because a lot of times those are kind of showboating. And every now and then we'll see something where, okay, I'm going to demonstrate, or I'm going to extort you for something, and if you don't want them to take you down... sometimes it's still so successful. In fact, one of the things that we actually recently saw, I think it would have been toward the end of last year, we saw attacks against financial institutions in Asia Minor and in Europe. And what was notable about those is that there was some kind of showboating going on between adversaries in the underground, like, "Hey, look what I can do," or look, like,

Mike: Right

Richard: or here's, like, you know, my best attack. Right.

Mike: Right

Richard: And so we heard rumors about maybe extortion against these financial institutions, but we could never prove that. And what we saw, though, is all these attacks going at these financial institutions, and what actually happened is that the network pipes that they took to get there were traversing a satellite telco, because the financial institutions were actually using satellite IP space to host some of their services. And even though the satellite provider wasn't the target, they ended up going down because there was so much traffic going against these financial institutions. And so, you know, you might say, "Oh, they took out the satellite provider. What was their motivation behind that?" It was literally nothing.

Mike: Right

Richard: There was no motivation behind that. It's just that sometimes it's really hard to get into the motivation of these attacks, but more often than not it's tied to financial reasons. Whereas previously, maybe five, six years ago, a lot of it was hacktivism demonstrations, and that certainly still happens. In fact, those protests, I think it was the Telegram messaging service, right? There's a protest, and a lot of the protesters were using this platform to communicate back and forth, you know, to get around police barricades and stuff like that. And actually there was an attack against that messaging platform from a foreign government that took it down.

Mike: Right

Richard: And so, like, it disrupted Telegram, and I think we've got some communication about that on our website. So there is still some of that kind of hacktivism type thing, or suppression, but by and large most of it is revolving around some sort of monetary gain for themselves or some sort of personal gain for themselves. So maybe we have political rivals in different countries, and they have a polling site, and they want to take that polling site down, so they'll launch DDoS against that. So no longer are we just in the hacktivism type realm; now our motivations are more geared towards what can I gain.

Mike: What about for, like, the homeowner and the IoT devices? Like, what am I worrying about? So what if somebody breaks into my light bulb? You know.

Richard: So I think the biggest thing that you're going to have to worry about there, especially if you're talking about in the sense of DDoS, is being part of the DDoS attacks, right?

Mike: Right

Richard: Because if you are, and there's a large attack going on, your network is going to get really saturated, really slow. You might not be able to stream; you might have connection issues. Maybe I'm trying to get into my banking account for something critical. Right.

Mike: Right

Richard: So you might see your internet capability diminished greatly. And the cool thing is that with a lot of these ISPs, that doesn't last very long, at least not in terms of DDoS attacks.

Mike: Right

Richard: But there is that possibility, right. Or if you're constantly involved in these types of things, you might risk having some internet connection issues.

Mike: So, do ISPs ever monitor and reach out, like, "Hey, homeowner, we've continued to see or detect problems coming from you"?

Richard: There are some. In fact, I was actually playing around with my own Google WiFi router, and I started logging in. Actually, even my Netgear one did it, if I recall correctly. But if you actually log into the admin panel, depending on what ISP you have (I have Verizon, and they're actually pretty good about this), so when I actually logged in, I could actually see messages for the type of traffic that was coming across my network. So there is the possibility, but I don't think they're going to just find your email and email you, right?

Mike: Right

Richard: So unless you're tech savvy and you can log into your home router or your modem, whatever you're using, chances are you're never going to see this, and you might experience some noticeable lag if something is ongoing like that. So, I mean, it's definitely worth understanding and learning how to do this, just to secure your own things. Right? Because if the adversary managed to install something, say Mirai, to be part of these, what's to say they couldn't install something else and affect the rest of your home network, right?

Mike: Right

Richard: If it's just being used as, like, a reflection amplification back there, I mean, there's not a whole lot you can do unless you know how to patch your devices, or all your IoT devices, or sufficiently put it behind a firewall so that it's not going to respond to certain requests. That gets a little bit more complicated, and really the responsibility lies on the manufacturers to figure out how they secure devices better.

Mike: Yeah, absolutely. Also, thinking back to the whole "if Verizon were to call me," I'd probably just think it was another phishing attack. "Can you log in to your router?"

Richard: Yes. I tell you, there's so much of that going around. In fact, I was just on some calls looking at this pandemic thing, and just the sheer volume of spam messaging going around right now for the pandemic-themed stuff and COVID is just, it's insane.

Mike: Yeah, absolutely. I'm actually pretty impressed with our vendor that's doing our anti-phishing and anti-spear-phishing, because they've also included banners for, like, "Hey, this mentions COVID-19, be really extra special careful."

Richard: Exactly. I mean, we definitely try to monitor stuff like that here too. So as much as we're a DDoS shop, where all of our stuff pays the bills, we also have a feed of indicators. And those indicators are fed by examining malware and spam campaigns and exploitation, different links and things like that. So we actually extract all those IOCs and we push those to our customers for protection. So we're securing you against DDoS, we have mitigation capabilities, we have countermeasures, and obviously we have this huge list of IOCs for the latest and greatest threats, because we understand, right, DDoS isn't the only thing attacking you as an organization.

Mike: Right

Richard: And so a lot of the devices where our indicators go kind of sit on that perimeter edge of an enterprise's environment. Sometimes we say it's the last line of defense; maybe it is, maybe it isn't. But organizations often have IDS and IPS, so they have some sort of firewall with different rules and IOCs fed in. But you'd be surprised: even sitting there as far out on the boundary of people's networks as we are, we still see a ton of malicious traffic going back and forth. And so we try to block all those command and controls, because it's a very real threat, and that's part of the research that we've done as well. But again, like I said, predominantly DDoS is what we focus on.

Mike: That's great. Makes a lot of sense. Anything else? Any other things you want to cover, or...

Richard: You know, I was just going through my notes here to see if there's anything else that I left off, and I think we've pretty much covered most things. There was one little anecdote that I was going to pull in; one was related to Mirai and the other one was related to, so I mentioned before we examine these different DDoS vectors, right, and we look at how many servers are being used in an attack. And here's just a theoretical approach to this. So CLDAP has anywhere between 10 to 20,000 servers that we know about, whereas DNS has like one to 8 million, CoAP might have like five or 6 million. And we started looking at the utilization aspect. In a single CLDAP attack, actually the single largest CLDAP attack that we observed, we had X number of IP addresses as being part of that attack, which translated to less than 0.5% of the available devices they could have used. And yet the size of that attack was still greater than 300 gigabits per second. And so, I mean, we're talking like a very, very minuscule portion of the available reflectors for CoAP that were used in an attack, and it still had tremendous volume. Now what happens when an attacker utilizes the entire spectrum on these, right? Is there even a tool that can do that today? So there's some kind of theoretical applications here. When we look at CLDAP, CLDAP is one of the top three vectors that we continually see; that one has very high utilization, and it's a very effective way for attackers to go after things. And so we'll see as high as 85% utilization, but again, we're only talking tens of thousands of servers versus millions. And so it's just a very interesting thing to think about, and what it means with more and more IoT devices going online.

Mike: Yeah. I mean, the whole notion of, I think it sounds like attackers have taken what, on the other side of the equation, has always been defense in depth. It sounds like, well, we're going to use attack in depth. We're going to go with multiple different vectors across lots of different devices.

Richard: And that's just it, right. A defender has so much footprint they have to mitigate and protect against. An attacker only needs one in.

Mike: Right

Richard: So they can launch the entire kitchen sink at somebody until they find a gap in the armor somewhere.

Mike: Right

Richard: The defender only has to slip up once. It's a very difficult job as a defender, for sure.

Mike: Yes, definitely. Asymmetric.

Richard: For sure. And then the other thing I wanted to mention, I'll tell you something about Mirai. So we also partner with ReversingLabs, which is a very big kind of like VirusTotal; they have billions and billions of malware samples. And one of the things that they do for us is they help us look at the history of Mirai, and they do some machine learning to figure out what's a variant, what's a code branch, how different is it from another. And so we set a certain threshold, and we want to figure out what it looks like in the wild for Mirai. And every single year, 2017, '18, '19, we saw exponential increases in the number of Mirai samples in the wild. And I think we saw, from 2018 to 2019, a 57% increase in the number of samples circulating. These are the number of unique samples, right?

Mike: Right

Richard: In terms of like 220,000 unique Mirai samples floating around. And that's not like the other code branches like Satori or Echobot or some of these other ones that come online. In fact, Echobot was a relatively new one, and that one piece of malware alone had 70 different exploitation attempts built in that would automatically try to propagate itself. Right.

Mike: Right

Richard: And then another thing that we saw is increasing brute force attempts and increasing exploitation attempts: 51%, I think, for brute forcing, and 87% for exploitation.

Mike: Do you think the brute forcing is because computational power is just increasing, and so therefore brute force attacks are actually more viable? Maybe? I...

Richard: Well, they've always been viable, so we're like, great. Mirai's always relied on this brute forcing mechanism. And the sad part is, because there's no IoT security, it works.

Mike: Right

Richard: And you can literally log onto a manufacturer's website and figure out what the default credentials are for one of their devices, and let me just add that to a dictionary that I'm going to distribute with Mirai's automatic propagating thing. That's going to be wildly successful. And so when we actually compare the brute forcing attempts to exploitation, brute forcing is still king, and it has been ever since Mirai came on the scene with the Dyn attack back in 2016. And so we just continue to see this astronomical shift, and worse, Mirai has been ported to over 16 different OS architectures.

Mike: Right

Richard: And so it doesn't really matter what kind of device you're running; there's probably a version of Mirai out there for it, right?

Mike: Probably more than one. More than one.

Richard: Yeah. So again, like I said, this goes back to IoT, and this is the biggest concern. So if I left you with nothing else during this podcast: IoT is a concerning aspect, and it should definitely be taken seriously.

Mike: Right. I think if nothing else, go and change your default username and password on your IoT devices.

Richard: A hundred percent.

Mike: Right. Which, I mean, if you think back to the old router days, right? The router Verizon shipped to me used to have a default username and password. Now at least they put it on there, and it's randomized and specific to the device.

Richard: Well, you know, the sad part is you can still find those online. You can find some of them, yeah, because they're specific to a model. They might be alphanumeric, special characters, randomized; they're still printed on the device itself.

Mike: Right

Richard: So at one point or another, some of those make it online. Yeah. Still go in and change your password.

Mike: Yeah, definitely. All right. Well, thank you very much. I really enjoyed speaking with you.

Richard: Thank you for having me, Mike. It's been a pleasure.

Mike: Yep, a pleasure. All right. Take care.

Richard: Take care.