Thursday, July 31, 2014

Why you can't mitgate volumetric floods in a true DDoS ( with local gear )

In this blog, I will discuss some of the reasons why cloud based mitigation is always superior to local mitigation.

In a large scaled  DoS event and where the attack(s) has many sources attacking your servers, you are a big disadvantage. Take this 1st drawing;



You web sever comes under a severe intense attack. In these 2above  types of attacks ( L4 and L7 ), we are at at mercy of the number of sources, duration of the attacks and the capabilities of our local  mitigation gear, which is typically limited to an exterior IPS and or UTM-firewall. None of which are true DoS mitigation devices btw.

note: Even if you could afford to buy mitigation gear ( fortiddos, radware, f5, Arbor, etc....) you probably will be under staffed and lack experience with mitigation concepts & concepts. DDoS mitigation, requires full time monitoring & analysis.

Okay sounds good so far, right ?

We have mitigation gear, but what happens in reality. As you stumble around trying to fight back the attacking sources that are spoof'd or non-spoof'd , your WAN uplink(s) are saturated.

What this means at the end of the day, you might block the attacks ( score 1 for you ) but the attack depletes your wan uplink capacity with junk  traffic ( score one for the attackers ), so even if they didn't take down the web farm for example, just the meer flooding of your wan uplinks prevents legit clients from accessing your website & in a reasonable and responsive time.

In almost of all of these attacks that I've seen over the course of 7 years, they always resulted in higher latency/response times, with link saturation and spikes.  While your IPS sensor are trying to mitigate, your client's are not getting thru  or exhibiting slower page load times.

Now in a cloud based DoS protection, we have the ability to redirect traffic into the provider cloud first, and apply some  type of mitigation gear and strategy. This allows for the provider to take the punches, kicks,  and blows and they will pass only legit clean traffic to your web server.

See drawing #2 of a cloud based mitigation


The same attacks are under way,  but  now with a cloud provider, and redirection into the provider space, we can now let them mitigate the attacks.

Okay the advantages of this approach are;

  • the provider typically has more bandwidth then your own uplinks
  • they have specialized and trained staff & just  for mitigation
  • they have better mitigation gear to include ;  IPS, WAF,  trafficdirector, SSL offloading, AV/MAL detection, etc.....
  • the DDoS provider also runs 24x7x365 and never sleeps

Here's a superior DDoS provider using the latest strategies and methods for cloud based protection.

http://www.securitydam.com/

Cloud based mitigation is the only way to ensure both higher availability and with a greater percentage of success.

Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( % % )=
      @
      /   \


Wednesday, July 30, 2014

Using a USB drive with a cisco ISR

In this blog we will demo how to use a usb thumb drive with a ISR3825 running;

Cisco IOS Software, 3800 Software (C3825-SPSERVICESK9-M), Version 12.4(15)T5, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2008 by Cisco Systems, Inc.
Compiled Wed 30-Apr-08 19:37 by prod_rel_team

ROM: System Bootstrap, Version 12.4(13r)T, RELEASE SOFTWARE (fc1)


Using a USB drive as a file storage can come in handy when you need to;

1: back up the existing  images or running-config & in a rush or hurry

2: need to transfer a image from one router to anothe and you don't have a tftp server program

3: or you only have console access-only and no network access


Okay 1st,

You need to plug in  your USB drive device. If the device is not recognized, you will see an error in your logs;


Next, you will need to  format the  device if the above presents. I found some  devices like my patriot 8gb memory stick will not format cleanly and presents errors.


( patriot stick with error after format )



( a usb tick of unknown origin from the DDoS vendor Prolexic )




Now that the device is format, you can use it like any ole flash ;)



This makes for a simple  storage that's cheap and easy to use.




 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( *   * )=
      o 
     /  \

You don't need a terminal program for accessing a cisco usb management port on MACOSX ( unix screen )

In this short post, I will show you a method for access a cisco usb management port like what's found on the cisco 2960S and other cisco devices.


First you need to search in your MACOSX /dev directory for your "usb" port name AFTER YOU CONNECTED YOUR USB CABLE. 



Here's what we found on my macbook air 10.8.5 after I connected to my cisco usb-management port.

( device tty.usbmodem1411 )


Next we use the integral macosx  screen program  and specify the full  device path. ( see the cmd above & the highlighted blue part  )

After execution, you will now have access to your cisco devices console. Alternative,  you could  have a free terminal program such as Zterm.

NOTE: If you suspect the port is not operative use the macosx  "system_profiler SPUSBDataType"  it will show the USB port #.

( output shorten )


Key points to take away

  • search and list the usb device name after connecting the usb cable
  • you don't need a usb-2-serial dongle any more
  • screen by default and when used with a tty devices, defaults to 9600 8 n 1

  • you can't use the RJ45 console at the same time


 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

    ^      ^
=( &   & )=
        o 
       /  \

Monday, July 28, 2014

Getting free IPv6 experience by using a ipv6 tunnel-broker

In this post,  we will look at how easy for setuping a ipv6 connection by using a tunnel-broker such as ; Hurricane Electric.
 
ASN 6427
Hurricane Electric, LLC
760 Mission Court
Fremont, California 94539 
USA


Hurricane Electric is the leader for tunnel-broker access and the easiest to apply and for creating a tunnel. You have a few others that you can google but  YMMV with ease and quickness of reply. A few with NOT allow you access out of the region of operation if your  have a RIPE/ARIN/etc... end-point.  Also HE is the quickest broker to apply and for creation of an IPv6 tunnel. They are by far the quickest for BGP peering and advertising  setup imho.

Here's a  listing of brokers;  http://en.wikipedia.org/wiki/List_of_IPv6_tunnel_brokers   YMMV

1st you need to create a free account and activate the account. You can do this online at the following url. http://www.tunnelbroker.net



Once you have an account the next steps are select your tunnel preferences. After creation of the ipv6 tunnel type. The 1st timer will most likely use "regular" tunnel type.




You have  numerous choices from;  the name that  you give for your tunnel, HE peer'd tunnel server end-point address/location, etc...




Upon final completion you can have them provide you a based configuration, by selecting the example configuration tab. The below is a based cisco-ios configuration.


And here's a  Fortigate;


 NOTE: you can get configurations examples for  BSD, juniper, quite a few others;




Once you have the tunnel you can confirm via ping and or traceroute to a devices on  the Ipv6 BackBone for validation like one of Google Public ipv6 dns-servers.



note: if a cisco device, make sure you use the ping  ipv6 command specify the source address of the tunnel ipv6 addressing;

If you have your own ipv6 prefix assignment,  you can ask and request for routing for that assignment. You will need a LOA issued via the provider & a few other documents that you must present to hurricane-electric.

With a free tunnel-brokers like HE, you have no excuse for testing and trying the ipv6 & backbone b4 you migrate forward  with ipv6.


 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( !   ! )=
       o 
      /  \

Tip: How to query usb devices on a fortigate

The  cli  fnsysctl cmd will allow you to read the proc filesystem devices. Here's a quick means for querying the usb-bus if you should run into problems with mounted devices.

( example query the bus on a  FortiGate 100A )


( example query the bus on a  FortiGate  100A  w/8gig  memory stick insert into a usb port )




NOTE:  If you run into issues with  connectivity over the  USB ports, please user the cat command within the proc filesystem.


 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( !   ! )=
       o 
      /  \

Saturday, July 26, 2014

MACOSX desktop security summary AV scanner

In this blog I 'm referencing one the most popular MACOSX security firm "Intego". You can follow their blog at ;   http://www.intego.com/mac-security-blog/

Intego has been around for probably 7+ years now  and have been in the lime light for finding MACOSX specific threats. MACOSX is probably one of the most secured OSes, but it's not 100%  protected from AV/Trojan/Malware.

Also MACs with no AV/MALWARE detection software, can mistakenly transmit  a infected files to other OSes via everyday contact. ( emails, file-sharing, downloading unapproved applications, etc....). Just like with HIV,  you should check yourself to ensure your machine is not infecting others.

So it's best practices to install and maintain a AV/Malware protection program. Here's a list of a few vendors that supports  MACOSX


clamxav  http://www.clamav.net
McAfee http://www.mcafee.com/us/products/virusscan-for-mac.aspx
fortinet  http://www.forticlient.com/
intego http://www.intego.com/landing
sopho  http://www.sophos.com/en-us/products/free-tools/sophos-antivirus-for-mac-home-edition.aspx


Key points to think about;



  •  macosx can be effective
  •  AV program should be installed
  •  you should keep you AV definitions up to date
  •  regular scans of folder, drives to include remote drives and disk/thumb-drives should be taken
  • there's no excuse for not having a AntiVirus installed 
  • you have few choices for free AV from trusted sources




Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( % % )=
      @
      /   \


Friday, July 25, 2014

How to dump memory on Linux systems

In this blog,  we will look at a ways for memory dumping. This can come in handy when you want construct forensic or hacking around. This is also  a key part of incident handling when you suspect a system has been compromised.

The utilities that will be used are easily obtain or already installed. The old school method was to use the simple diskdupe aka "dd".   http://en.wikipedia.org/wiki/Dd_%28Unix%29

With this method, you will use the linux-device /dev/mem as the input file,  and write the output  to where ever you specify.


note: Just make sure the target has enough space on BIG memory systems. All examples require root permission for reading the /dev/mem  device

A simple dump  example1 using  the unix dd command;



A simple dump  example2 , with the unix dd,  example2 and setting blocksizes



Next we will use the memdump command, this is a simple tool to use. It requires just execution and you can redirect the output to your file of choice.



This is ideal for the users who don't want to mess with the  unix dd. It's just plain out simple & a one-liner command. I could teach my mother how to use this,  and she's not technical by any means with a computer.Now that you have 2 ways for dumping memory.

Now what can we do with these dumps? The dumps can now  be analyze  by memory collection tools or forensic. You can use programs like "strings" to look or trace for user details  within the dumps.

One more useful tool that can come in handy. The utility "gcore" does the same , but by using a proc-id. let's dump my  mysql pid and write out the  memory usage by that pid and the pid = 940 .



You can compare the size of output to the unix top command;


NOTE: VIRT column is your total memory, should be near the file size of the dump we made.  1.024x 327m=  334,848,000


And my last tip;



to be stealth,you can conduct these commands against the remote serer and dump the output locally using ssh great if you don't want to leave any traces.



Example execution on a remote server and saving the output locally using first  memdump and then dd.



and







 Ken Felix
 Freelance Network & Security Engineer
 kfelix -a--t- socpuppets ---d--o--t--- com

   ^      ^
=( *   * )=
      o 
     /  \

Monday, July 21, 2014

FAP28C followup

This is a followup on  the image upgrades within fortinet support site and the earlier identified  FAP28C problem




http://socpuppet.blogspot.com/2014/07/fortiap-was-bricked-by-upgrading-to-52.html

After playing around with this upgrade using  the fortiexplorer application, I figure heck why not try via the WebGUI. I quickly found out the following;

  1. The upgrade is rejected with a "invalid image" via the WebGUI
  2. The image was compared by checksum and matches the md5 hash
  3.  I re-downloaded the image a few times just for the heck of it
  4. a factoryreset made no difference

Here's some screen shots of this activities;

( The  md5 hash  comparison )




( FAP main page  WebGUI )



( the start of the upgrade )


( immediate error )


note:  The above upgrade process was done , both before and after a factory reset with no improvements

So it would seem like the  FortiEplorer is not corrupting file during the upgrade. I have a  email into fortinet support and a post on the support forum.

We will sit back and see what comes up. But using two methods for upgrading,  all ends in a disaster.  I have a few non-FAP28C models at some in-production site and  I'm very hesitate to upgrade these.

My FAP28C is in a demo lab btw, so these problems don't really effect me.




Ken Felix
Freelance Network/Security Engineer
kfelix  -----a----t---- socpuppets ---dot---com

    ^    ^
=( % % )=
      @
      /   \