Network Cleansing | 守網者 Cyber Defender

The Cyber Security and Technology Crime Bureau of the Hong Kong Police Force has launched a new round of the Network Cleansing campaign to improve the system security and health of organisations and businesses.

Network Cleansing

The global COVID-19 pandemic has markedly changed how businesses operate and how people live. Organisations and businesses have used technology to move their staff to remote working from home. Cybercrime groups have seized on this opportunity: they exploit security weaknesses in systems using methods such as phishing websites and cryptojacking, and they abuse infected computers (botnets) and misconfigured devices to launch distributed denial-of-service (DDoS) attacks and steal data for profit.

The Cyber Security and Technology Crime Bureau of the Hong Kong Police Force has therefore launched a new round of the Network Cleansing campaign to improve the system security and health of organisations and businesses, so that cybercrime groups have no opening to exploit.

Cyber Security Tips
S/N  Type of Misconfiguration                 Amplification Ratio  UDP Port  Method for Blocking Each Type of Amplified Reflection Attack
1    Accessible Apple Remote Desktop (ARMS)   35.5                 3283      Turn off Remote Management in System Settings
2    Accessible CoAP                          50                   5683      Device whitelisting (firewall to the devices that need it)
3    Accessible Ubiquiti Service Discovery    35                   10001     Block the port at the firewall
4    Open Chargen                             358.8                19        Block the port at the firewall
5    DNS Open Resolvers                       54                   53        1) Disable recursion / limit recursion to trusted clients; 2) Response Rate Limiting (RRL)
6    Open NetBIOS                             3.8                  137       Block the port at the firewall
7    NTP Monitor (monlist)                    556.9                123       1) Upgrade ntpd to version 4.2.7 or above; or 2) Block external requests (including the "monlist" function)
8    NTP Version (mode 6 readvar)             40                   123       Block external requests
9    Open LDAP Services (CLDAP)               55                   389       Block the port at the firewall
10   Open mDNS Servers                        10                   5353      Block the port at the firewall
11   Open MS-SQL Server Resolution Service    25                   1434      Block the port at the firewall
12   Open Portmapper                          28                   111       Block the port at the firewall
13   Open TFTP Servers                        60                   69        Block the port at the firewall
14   Open QOTD                                140.3                17        Block the port at the firewall
15   Open SNMP                                6.3                  161       Block the port at the firewall
16   Open SSDP                                30.8                 1900      Block the port at the firewall

The amplification ratio is the bandwidth amplification factor: the size of the reply (or burst of replies) divided by the size of the unauthenticated request that triggers it, so a 556.9x service lets an attacker turn 1 Mbit/s of spoofed requests into roughly 557 Mbit/s aimed at the victim. "Block the port" means dropping unsolicited inbound UDP to that port on the host or perimeter firewall, so that the service answers only the internal clients that need it. On the receiving end of an attack the same port numbers appear as the source port of the reflected traffic, which is what the phrase "block source port" refers to.
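As an added example that is not part of the Cyber Defender page, the Python script below sends one small request of the kind each service in the table answers and reports how many bytes and packets come back; the ratio is the amplification factor the table lists. It is the check to run from outside your network after applying the advice below, to confirm a port no longer answers, and it must only be pointed at hosts you are responsible for. The probe bytes follow the public protocol specifications; the fake reflector at the end is a local stand-in so the script can be exercised offline, and the service names and the two-second timeout are this example's own choices.

```python
import socket
import struct
import sys
import threading
import time


def dns_query(name, qtype, edns_size=None):
    """Build a DNS query. qtype 255 = ANY. An EDNS0 OPT record raises the UDP
    reply limit above 512 bytes, which is what makes DNS reflection pay off."""
    labels = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l)
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 1 if edns_size else 0)
    pkt = header + labels + b"\x00" + struct.pack("!HH", qtype, 1)
    if edns_size:
        # OPT RR: root name, type 41, class = max UDP payload, TTL 0, no rdata
        pkt += b"\x00" + struct.pack("!HHIH", 41, edns_size, 0, 0)
    return pkt


# One small "legitimate" request per service in the table (port, payload).
PROBES = {
    "chargen": (19, b"\x00"),                                  # any datagram is answered
    "qotd": (17, b"\r"),                                       # single carriage return
    "dns-any": (53, dns_query(".", 255, 4096)),                # ANY for the root, EDNS0 4096
    "ntp-monlist": (123, b"\x17\x00\x03\x2a" + b"\x00" * 4),  # mode 7 MON_GETLIST_1
    "ntp-readvar": (123, b"\x16\x02" + b"\x00" * 10),         # mode 6 READVAR ("version")
    "ssdp": (1900, b"M-SEARCH * HTTP/1.1\r\nHOST:239.255.255.250:1900\r\n"
                   b'MAN:"ssdp:discover"\r\nMX:1\r\nST:ssdp:all\r\n\r\n'),
    "netbios-nbstat": (137, b"\x80\xf0\x00\x00\x00\x01" + b"\x00" * 6  # NBSTAT for "*"
                       + b"\x20" + b"CK" + b"A" * 30 + b"\x00\x00\x21\x00\x01"),
    "portmap-dump": (111, struct.pack("!6I", 0x1234, 0, 2, 100000, 2, 4) + b"\x00" * 16),
    "mdns": (5353, dns_query("_services._dns-sd._udp.local", 12)),   # PTR
    "coap": (5683, b"\x40\x01\x12\x34\xbb.well-known\x04core"),      # CON GET /.well-known/core
    "ubnt-discovery": (10001, b"\x01\x00\x00\x00"),
    "mssql-browser": (1434, b"\x02"),                          # CLNT_BCAST_EX: list instances
    "tftp": (69, b"\x00\x01" + b"x\x00" + b"netascii\x00"),    # RRQ; an error reply still reflects
}


def measure(host, port, probe, timeout=2.0):
    """Send one probe and collect every datagram that comes back within
    `timeout`. Returns (bytes_sent, bytes_received, packets, ratio)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.sendto(probe, (host, port))
    received = packets = 0
    deadline = time.monotonic() + timeout
    try:
        while True:
            remaining = deadline - time.monotonic()
            if remaining <= 0:
                break
            sock.settimeout(remaining)
            data, _ = sock.recvfrom(65535)
            received += len(data)
            packets += 1
    except OSError:          # timeout, or ICMP port unreachable surfaced as an error
        pass
    finally:
        sock.close()
    return len(probe), received, packets, received / len(probe)


def scan(host, services=None, timeout=2.0):
    """Probe the given services (default: all) on a host you own."""
    return {name: measure(host, *PROBES[name], timeout) for name in (services or PROBES)}


def start_fake_reflector(reply_size=400, reply_count=10):
    """Test harness only: a local stand-in for a misconfigured service that
    answers any datagram with `reply_count` datagrams of `reply_size` bytes,
    the way monlist or chargen turn a tiny request into a burst of replies.
    Returns (port, stop); stop() shuts it down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind(("127.0.0.1", 0))
    srv.settimeout(0.2)
    stopped = threading.Event()

    def serve():
        while not stopped.is_set():
            try:
                _, peer = srv.recvfrom(65535)
            except socket.timeout:
                continue
            for _ in range(reply_count):
                srv.sendto(b"A" * reply_size, peer)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1], stopped.set


if __name__ == "__main__":
    if len(sys.argv) < 2:    # no target: demonstrate against the local fake reflector
        port, stop = start_fake_reflector()
        print("127.0.0.1:%d ->" % port, measure("127.0.0.1", port, PROBES["chargen"][1], 1.0))
        stop()
    else:
        for name, (sent, got, pkts, ratio) in scan(sys.argv[1]).items():
            verdict = "REFLECTOR" if ratio > 1 else ("no answer" if pkts == 0 else "ok")
            print("%-15s sent %3d B, got %6d B in %3d pkts, x%.1f  %s" % (name, sent, got, pkts, ratio, verdict))
```

A ratio above 1 on any row means the host will amplify for whoever spoofs a victim's address; "no answer" after you apply the firewall rules below is the result you want. Remember that a single probe from your own address cannot tell you whether the service also answers spoofed sources, so the fix is still to filter or disable the service, not to rely on the measurement.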

Description: Attackers are leveraging the Apple Remote Management Service (ARMS), which is part of the Apple Remote Desktop (ARD) feature.

When a user enables Remote Management on a macOS system, the ARMS service starts on UDP port 3283 and listens for incoming commands meant for the remote Mac. If that port is reachable from the Internet, the service answers unauthenticated queries with replies much larger than the request, so the Mac can be used as a reflector.

Security Advice:

In macOS, open System Settings (System Preferences on older versions) > Sharing > Remote Management and turn Remote Management off. If remote administration is genuinely needed, leave it enabled only on the management network and block UDP port 3283 at the perimeter firewall.

Description: One of the main threats associated with exposed CoAP (Constrained Application Protocol, UDP port 5683) services is their use as reflectors in DDoS amplification attacks.

Many exposed CoAP services have also been found to leak information, including authorisation credentials for services such as Wi-Fi networks. On certain devices it may even be possible to issue remote instructions over CoAP.

Security Advice:

At the very least, CoAP instances should be firewalled so that they can communicate only with the devices that need them (device whitelisting); a CoAP endpoint has no reason to be reachable from the Internet.


Description: Ubiquiti devices answer a discovery protocol on UDP port 10001. When this service is reachable from the Internet it can be used in amplification attacks by criminals who wish to perform denial-of-service attacks, and it exposes a large amount of information about the device running it (such as model, firmware version, hostname and addresses).

Security Advice:

Block incoming connections to the relevant port at the firewall (the Ubiquiti discovery service commonly uses UDP port 10001), and disable the discovery service on the device where the firmware allows it.

Description: CHARGEN (Character Generator Protocol, RFC 864) is a debugging and measurement service that answers any request with a stream of characters. It can run over UDP, where every datagram sent to port 19 is answered with up to 512 bytes of characters regardless of who sent it, which is why its amplification ratio is one of the highest in the table. Abuse of CHARGEN for denial of service was first addressed in 1996.

Security Advice:

A) Settings for a server with the Chargen service enabled (Linux)

Method 1:

Block incoming connections to the relevant port at the firewall (the Chargen service commonly uses port 19).

Method 2:

In a Linux terminal, disable the xinetd chargen service and restart xinetd:
cd /etc/xinetd.d/
nano chargen
In nano, find each "service chargen" block (on some distributions the UDP variant is in a separate file, chargen-dgram) and set "disable = yes", then run:
systemctl restart xinetd

B) Settings for a server with the Chargen service enabled (Windows)

Chargen is provided by the Simple TCP/IP Services feature. Modify the Registry and set the values of the following two entries to 0, then restart the Simple TCP/IP Services service (or remove the feature if it is not needed):

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen

C) Best practice for managing servers with the Chargen service enabled

Use a firewall to restrict access to the Chargen service, and verify from outside the network that UDP port 19 no longer answers.

Description: DNS open resolvers are DNS servers that send a reply to any IP address for domains they are not authoritative for. Scanning projects identify such servers and report them back to the network owners for remediation, because they are the most widely abused reflectors.

Security Advice:

A) Setting to disable recursion, or limit recursion to trusted clients, on the DNS server

Bind 9

Add the following to the global options (this makes an authoritative server refuse recursion entirely):
options {
        allow-query-cache { none; };
        recursion no;
};

Windows

In the Microsoft DNS console tool (DNS Manager): right-click the server, choose Properties, open the Advanced tab, tick "Disable recursion (also disables forwarders)" and click OK. The same setting can be applied with PowerShell:
Set-DnsServerRecursion -Enable $false

B) Limiting recursion to authorised clients

Bind 9

In the global options, include the following (replace the corpnets ranges with your own internal networks):
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
        allow-query { any; };
        allow-recursion { corpnets; };
};

Windows

Windows Server versions before 2016 cannot restrict recursive DNS requests to a particular client address range. To approximate the BIND access control lists on those versions, set up a separate caching-only name server internally to provide recursive resolution, and create a firewall rule that blocks access to that caching-only server from outside the organisation's network. The authoritative name server functionality is then hosted on a separate server configured with recursion disabled as described above. From Windows Server 2016, DNS policy can do this on one server: create a recursion scope with Add-DnsServerRecursionScope and bind it to the internal client subnets with Add-DnsServerQueryResolutionPolicy -ApplyOnRecursion, leaving the default scope with recursion disabled.

C) Setting Response Rate Limiting (RRL)

Bind 9

RRL is built into BIND 9.10 and later (BIND 9.9 needed the separate RRL patches). Include the following lines in the options block, or in the authoritative views:
rate-limit {
        responses-per-second 5;
        window 5;
};

Windows

On Windows Server 2016 and later, set RRL parameters on a DNS server using PowerShell:
Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8
RRL limits identical responses to the same client subnet rather than refusing queries, so it protects victims without breaking legitimate resolution; use -Mode LogOnly first to see what would be limited before enforcing.

D) Best Practice for Managing the Open DNS Servers

Reduce the total number of open DNS resolvers

An essential component of DNS amplification attacks is access to open DNS resolvers. When poorly configured resolvers are exposed to the Internet, all an attacker needs to do is discover them. Ideally a DNS resolver should serve only devices inside a trusted domain; an open resolver instead answers queries from anywhere on the Internet, which is exactly what a reflection attack needs. Restricting a resolver so that it answers only trusted sources makes the server a poor vehicle for any type of amplification attack.

Source IP verification: stop spoofed packets leaving the network

Because the UDP requests sent by the attacker's botnet carry a source IP address spoofed to the victim's address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers and network operators to reject traffic leaving their network with spoofed source addresses (the egress filtering described in BCP 38). If a packet is leaving the network with a source address that does not belong to that network, it is a spoofed packet and can be dropped. This protects other people's networks; firewalling the services in the table protects your own hosts from being used as reflectors.
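As an added example that is not from the Cyber Defender page, the Python script below applies both points from the detection side, over flow records (source, destination, port, bytes, packets) of the kind a router or firewall exports. It flags outbound packets whose source address is outside the organisation's own prefixes (the spoofed packets BCP 38 filtering should have dropped) and finds external addresses that send a burst of tiny UDP requests to one of the reflector ports in the table and get far more bytes back, which is what it looks like when one of your hosts is being used as a reflector and the "requester" is actually the victim. The flow line format, the organisation prefixes and the sample flows are constructed for this example; the 50-request threshold is an arbitrary choice to tune for your own traffic.

```python
import ipaddress
from collections import defaultdict

# UDP ports of the reflector services in the Network Cleansing table
REFLECTOR_PORTS = {17, 19, 53, 69, 111, 123, 137, 161, 389, 1434, 1900, 3283, 5353, 5683, 10001}

# Address space allocated to the organisation (assumed; documentation prefixes)
ORG_PREFIXES = [ipaddress.ip_network(p) for p in ("203.0.113.0/24", "2001:db8::/32")]

# Constructed flow records: "<dir> <src>:<sport> -> <dst>:<dport> <proto> <bytes> <packets>"
# dir is "in" (arriving from the Internet) or "out" (leaving towards the Internet).
SAMPLE_FLOWS = (
    # 60 tiny NTP requests all claiming to come from one external address...
    ["in 198.51.100.9:%d -> 203.0.113.5:123 udp 8 1" % (40000 + i) for i in range(60)]
    # ...each answered with a 4800-byte burst (monlist-style amplification)
    + ["out 203.0.113.5:123 -> 198.51.100.9:%d udp 4800 10" % (40000 + i) for i in range(60)]
    + [
        "in 192.0.2.10:51000 -> 203.0.113.5:123 udp 48 1",       # a normal NTP client
        "out 203.0.113.5:123 -> 192.0.2.10:51000 udp 48 1",
        "out 192.0.2.77:33000 -> 198.51.100.9:80 tcp 60 1",      # source is not ours: spoofed
        "out 203.0.113.20:33001 -> 192.0.2.200:443 tcp 1500 10",
    ]
)


def parse_flow(line):
    direction, src, _, dst, proto, nbytes, npkts = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {"dir": direction, "src": sip, "sport": int(sport), "dst": dip,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes), "packets": int(npkts)}


def is_inside(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def analyse(lines, prefixes=ORG_PREFIXES, min_requests=50):
    """Return the BCP 38 violations (packets leaving with a source address we do
    not own) and the (victim, port) pairs that show our hosts acting as
    reflectors: many inbound UDP requests to a reflector port from one address,
    answered with more bytes than were received."""
    spoofed = []
    per_victim = defaultdict(lambda: {"requests": 0, "request_bytes": 0, "reply_bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f["dir"] == "out" and not is_inside(f["src"], prefixes):
            spoofed.append(f)
        if f["proto"] != "udp":
            continue
        if f["dir"] == "in" and f["dport"] in REFLECTOR_PORTS:
            v = per_victim[(f["src"], f["dport"])]
            v["requests"] += f["packets"]
            v["request_bytes"] += f["bytes"]
        elif f["dir"] == "out" and f["sport"] in REFLECTOR_PORTS:
            per_victim[(f["dst"], f["sport"])]["reply_bytes"] += f["bytes"]
    reflection = {}
    for key, v in per_victim.items():
        if v["requests"] >= min_requests and v["reply_bytes"] > v["request_bytes"]:
            reflection[key] = dict(v, amplification=v["reply_bytes"] / v["request_bytes"])
    return {"spoofed_egress": spoofed, "reflection": reflection}


if __name__ == "__main__":
    report = analyse(SAMPLE_FLOWS)
    for f in report["spoofed_egress"]:
        print("BCP38 violation: %(src)s is not in our prefixes (to %(dst)s:%(dport)d)" % f)
    for (victim, port), v in report["reflection"].items():
        print("reflection: %d requests for udp/%d claim to be from %s; we sent %d B back (x%.0f)"
              % (v["requests"], port, victim, v["reply_bytes"], v["amplification"]))
```

The spoofed-egress check is the rule an edge router enforces with unicast reverse-path forwarding or an access list; the reflection check tells you which host to firewall and which victim to notify. In the sample data the single legitimate NTP client stays below the threshold, while the victim address accumulates 60 requests and 600x more bytes back than it "sent".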

Description: NetBIOS defines a software interface and a naming convention. The NetBIOS name service uses port 137/udp.

Openly accessible NetBIOS name services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Security Advice: Block incoming connections to the relevant port at the firewall (the NetBIOS name service uses UDP port 137). NetBIOS has no business crossing the Internet; the same rule should also cover TCP/UDP 138 and 139 if those are exposed.

Description: NTP (Network Time Protocol) is one of the Internet standards for time synchronisation. Its purpose is to synchronise a computer's clock to international standard time; machines connected to the Internet calibrate their clocks through this protocol.

Older ntpd versions implement a monlist function (MON_GETLIST, a mode 7 private request) that was intended for monitoring NTP servers. When an NTP server answers a monlist request it returns the addresses of the last 600 clients that synchronised with it, six entries per response packet, so a single small request can produce up to 100 response packets. Because the request is unauthenticated and the response is far larger than the request, this gives the highest amplification ratio in the table.

Security Advice:

A) Settings for an NTP server (Linux)

Method 1:

Upgrade ntpd to version 4.2.7p26 or later, where the monlist command has been removed (its replacement, mrulist, requires the client to obtain a nonce first, so it cannot be triggered with a spoofed source address).

Method 2:

On versions that still implement monlist, disable it and refuse mode 6/7 queries from clients in /etc/ntp.conf, then restart ntpd:
disable monitor
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
Servers running chrony instead of ntpd do not implement monlist.

B) Settings for an NTP server (Windows)

The Windows Time service (w32time) does not implement the monlist command, so this misconfiguration does not occur on Windows Server.

C) Best Practice for Managing the Open NTP Servers

Use Multiple NTP Servers

The easiest thing for a network operator to do is simply configure their clients to use multiple NTP servers on the network.

This NTP configuration can process multiple time sources at the same time and discard one if it disagrees with the rest. This makes an attacker’s job harder, because they will need to attack the NTP traffic from a majority of the servers to impact the NTP clients.

Monitor Servers From The Client’s Perspective

Another Best Practice is to have NTP client nodes devoted to monitoring the health of the NTP servers on the network. Monitoring an NTP server directly is important, but it will only tell you if there is a problem with that particular server. If you monitor it from the client side, you can look at the time transfer process from the client’s perspective and see whether there is anything suspicious happening after the packets leave the server.

Use NTP Authentication and Access Control

NTP peering packets, as well as the mode 6 "ntpq"-style queries, contain information that can be used in an attack. When these services are needed, operators are advised to use NTP's authentication options (such as symmetric keys) and access control lists to control who may send these queries. NTP's symmetric keys authenticate packets rather than encrypt them, so restricting who can query is what stops the information from leaking to unauthorised parties who could use it in a cyberattack.

Description: NTP servers that answer mode 6 control queries from any address can be used in amplification attacks by criminals who wish to perform denial-of-service attacks. The NTP version check is a mode 6 READVAR query (what "ntpq -c rv" sends); the response lists the server's version and system variables and is much larger than the 12-byte request.

Security Advice:

A) Settings for an NTP server (Linux)

Add noquery to the default restrict lines in /etc/ntp.conf so that mode 6 and mode 7 queries are refused from clients while ordinary time service continues, then restart ntpd:
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict -6 ::1
Running ntpq -c rv on the server itself still works because localhost is left unrestricted.

B) Settings for an NTP server (Windows)

The Windows Time service does not implement NTP mode 6 control messages, so this misconfiguration does not occur on Windows Server.

C) Best Practice for Managing the Open NTP Servers

The best practices listed under NTP Monitor above (use multiple NTP servers, monitor servers from the client's perspective, use NTP authentication and access control) apply here as well.

Description: The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing and maintaining distributed directory information services. The reflection vector is its connectionless variant, CLDAP, which answers unauthenticated queries on UDP port 389 (Active Directory domain controllers use it for domain discovery).

Openly accessible LDAP servers can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network in preparation for further attacks.

Security Advice:

Block incoming connections to the relevant port at the firewall (LDAP services commonly use port 389; for reflection it is the UDP side that matters, and a domain controller should never be reachable on it from the Internet).

Description: Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. mDNS uses port 5353/udp.

Openly accessible mDNS services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the system or network the service is running on for preparation of further attacks.

Security Advice:

Block incoming connections to the relevant port at the firewall (mDNS uses UDP port 5353). mDNS is a link-local protocol, so there is never a reason for it to be reachable from outside the local network.

Description: The MS-SQL Server Resolution Service (the SQL Server Browser service) listens on UDP port 1434 and tells clients which SQL Server instances are running on the host and on which ports. When this service is accessible from the Internet it exposes information about the network it runs on, and a one-byte request is answered with a listing of every instance, so it can be used in UDP amplification attacks.

Security Advice:

Block incoming connections to the relevant port at the firewall (the MS-SQL Server Resolution Service uses UDP port 1434), and stop the SQL Server Browser service where clients connect to a fixed instance port.

Description: The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed e. g. for mounting network shares using the Network File System (NFS).

Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.

Security Advice:

Method 1:

Block incoming connections to the relevant port at the firewall (the Portmapper uses port 111, TCP and UDP).

Method 2:

On systemd-based distributions the portmapper service can be disabled with the following commands (the socket unit must be disabled as well, or systemd will start rpcbind again on the next connection):
systemctl disable --now rpcbind.socket
systemctl disable --now rpcbind.service

Method 3:

If NFS and other RPC services are not used, the portmapper can be removed with the following command (Debian/Ubuntu):
# apt-get remove rpcbind

Description: The Trivial File Transfer Protocol (TFTP, UDP port 69) transfers files without any authentication. Scanning projects identify hosts with TFTP accessible on the Internet by requesting a file and checking whether the server returns the file or an error code; either answer shows the service is reachable (whether file upload is enabled is not tested). An exposed TFTP server can be used as a reflector and will hand the files it serves, often device configurations or firmware, to anyone who asks.

Security Advice:

Block incoming connections to the relevant port at the firewall (TFTP uses UDP port 69), and disable the service if it is not needed for network boot or device provisioning.

Description: This report identifies hosts that have the Quote of the Day (QOTD) service running and accessible on the Internet.

These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The service is tested by sending a UDP packet containing a single carriage return to UDP port 17.

Security Advice:

Block incoming connections to the relevant port at the firewall (QOTD uses port 17). On Windows, QOTD is part of the same Simple TCP/IP Services feature as Chargen and can be turned off by setting EnableTcpQotd and EnableUdpQotd under the SimpTCP\Parameters registry key to 0, or by removing the feature.

Description: The Simple Network Management Protocol (SNMP) is a networking protocol for device management and monitoring.

Openly accessible SNMP servers using the default ‘public’ community can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.

Security Advice:

Block incoming connections to the relevant port at the firewall (SNMP uses UDP port 161), change the default 'public' and 'private' community strings, and prefer SNMPv3 with authentication for any monitoring that must cross network boundaries.

Description: SSDP (Simple Service Discovery Protocol, the discovery part of UPnP) is used by consumer-level equipment for network discovery on UDP port 1900. It has no real use on public servers, and exposed instances are used for reflection DDoS attacks because a single M-SEARCH request is answered with one response per advertised service.

Security Advice:

Method 1:

Block incoming connections to the relevant port at the firewall (SSDP uses UDP port 1900). With iptables, for example:
iptables -I INPUT 1 -p udp -m udp --dport 1900 -j DROP

Method 2:

If the SSDP server is not required, disable or uninstall it. On Linux the listener is usually a UPnP daemon such as minissdpd, which can be removed with:
# apt-get remove minissdpd
On consumer routers and NAS devices, turn off UPnP in the device's settings.
