新冠肺炎在全球肆虐,令企业的运作及市民的生活方式明显地作出改变。组织和商业 机构也相应地利用科技将员工的工作模式转至遥距 在家工作
网络净化
新冠肺炎在全球肆虐,令企业的运作及市民的生活方式明显地作出改变。组织和商业机构也相应地利用科技将员工的工作模式转至遥距在家工作。因此,网络犯罪集团也伺机看准这些机会,透过系统的安全漏洞,使用不同的方法,如钓鱼网站、加密劫持及透过感染的计算机(称为殭尸网络)和滥用配置错误的设备来发起分布式阻断服务攻击(DDoS)及窃取数据来图利。
因此,香港警务处网络安全及科技罪案调查科发起了新一轮的网络净化行动,以提高组织和商业机构的系统安全及健康,以免网络犯罪集团有机可乘。
- 更改出厂帐户密码
- 定期更新靱体
- 请关闭所有不常用或不必要的服务(如文件传输、虚拟私人网络或遥距管理服务)
- 不要安装开放源码组织所提供的靱体
- 留意所用产品的相关保安警告
- 应使用有生产商提供支持服务的型号
- 如有需要经互联网存取装置,请使用虚拟专用网
- 请修改默认的管理员密码或建立一个新的管理员账户
- 请不要安装或开启不必要的附加功能
- 定期进行文件备份
- 请保持设备的系统更新
- 留意所用产品的相关保安警告
- 应使用有生产商提供支持服务的型号
- 透过官方渠道购买网络摄影机
- 更改出厂默认密码
- 密码应定期更改并符合复杂要求
- 切勿在公共网络中连接网络摄影机
- 仅从官方应用商店下载相关手机应用程序
- 定期检查网络摄影机的设定
- 更新靱体至最新版本
- 切勿将网络摄影机设置在私人或敏感区域
- 不使用时请关闭网络摄影机
- 无论使用任何连接方式,都应启用认证功能
- 留意所用产品的相关保安警告
- 应使用有生产商提供支持服务的型号
| S/N | Types of Misconfiguration | Amplification Ratio | Involved Port | Methods for Blocking Each Type of Amplified Reflection Attack |
|---|---|---|---|---|
|
1 |
Accessible Apple Remote Desktop |
35.5 |
3283 |
Turn off the Remote Management in Setting |
|
2 |
Accessible CoAP |
50 |
5683 |
Device whitelisting |
|
3 |
Accessible Ubiquiti Service Discovery |
35 |
10001 |
Block source port |
|
4 |
Open Chargen |
358.8 |
19 |
Block source port |
|
5 |
DNS Open Resolvers |
54 |
53 |
1) Disable recursion / Limit recursion to trusted clients 2) Response Rate Limiting (RRL) |
|
6 |
Open Netbios |
3.8 |
137 |
Block source port |
|
7 |
NTP Monitor |
556.9 |
123 |
1) Upgrade to Version 4.2.7 or above; or 2) Block external request (including "monlist" function) |
|
8 |
NTP Version |
40 |
123 |
Block external request |
|
9 |
Open LDAP Services |
55 |
389 |
Block source port |
|
10 |
Open mDNS Servers |
10 |
5353 |
Block source port |
|
11 |
Open MS-SQL Server Resolution Service |
25 |
1434 |
Block source port |
|
12 |
Open Portmapper |
28 |
111 |
Block source port |
|
13 |
Open TFTP Servers |
60 |
69 |
Block source port |
|
14 |
Open QOTD |
140.3 |
17 |
Block source port |
|
15 |
Open SNMP |
6.3 |
161 |
Block source port |
|
16 |
Open SSDP |
30.8 |
1900 |
Block source port |
Description: The attackers are leveraging the Apple Remote Management Service (ARMS) that is a part of the Apple Remote Desktop (ARD) feature.
When users enable the Remote Desktop capability on their macOS systems, the ARMS service starts on port 3283 and listens for incoming commands meant for the remote Mac.
Security Advice:
In macOS — > Setting — >Sharing — > Remote Management — > Turn off the Management
Description: One of the main threats associated with exposed CoAP services is their possible usage as reflectors for DDoS amplification attacks.
Also found that many of these CoAP services can leak information (including authorization credentials to services, such as wifi networks). For certain devices, in some cases, it may even be possible to issue remote instructions using CoAP.
Security Advice:
At the very least CoAP instances should therefore be either firewalled to only communicate with necessary devices.
Description: One of the main threats associated with exposed CoAP services is their possible usage as reflectors for DDoS amplification attacks.
Description: These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. In addition, they expose a large amount of information about the system running the service
Security Advice:
Blocking incoming connections to relate port on firewall. (Ubiquiti Service Discovery commonly used port 10001)
Description: CHARGEN is a debugging and measurement tool and a character generator service. It can make use of UDP port for traffic. Attack via CHARGEN was first addressed in 1996
Security Advice:
A) Setting for Chargen service enabled Server (Linux)
Method 1:
Blocking incoming connections to relate port on firewall (Chargen services commonly used Port 19)
Method 2:
In Linux Terminal, execute the following commands for disable the chargen service:
cd /etc/xinetd.d/
nano chargen
In nano, found service chargen and type “disable = yes”
B) Setting for Chargen service enabled Server (Windows)
Modify the Registry and set the values of the following two entries to 0
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableTcpChargen
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SimpTCP\Parameters\EnableUdpChargen
C) Best Practice for Managing the Chargen service enabled Servers
Use a firewall to restrict access to the Chargen service.
Description: Identify DNS servers that will send a reply to any IP address for domains that the DNS server is not authoritative for and report them back to the network owners for remediation.
Security Advice:
A) Setting to disable recursion or limit recursion to trusted clients in the DNS server
Bind 9
options {
allow-query-cache { none; };
recursion no; };
Windows
In the Microsoft DNS console tool:
- Right-click the DNS server and click Properties.
- Click the Advanced tab.
- In Server options, select the “Disable recursion” check box, and then click OK.
B) Limiting Recursion to Authorized Clients
Bind 9
acl corpnets { 192.168.1.0/24; 192.168.2.0/24; };
options {
allow-query { any; };
allow-recursion { corpnets; };
};
Windows
It is not currently possible to restrict recursive DNS requests to a particular client address range in Microsoft DNS Server. To approximate the functionality of the BIND access control lists in Microsoft’s DNS Server, a different caching-only name server should be set up internally to provide recursive resolution. A firewall rule should be created to block incoming access to the caching-only server from outside the organization’s network. The authoritative name server functionality would then need to be hosted on a separate server, but configured to disable recursion as previously described.
C) Setting Response Rate Limiting (RRL)
Bind 9
rate-limit {
responses-per-second 5;
window 5;
};
Windows
Set-DnsServerResponseRateLimiting -WindowInSec 7 -LeakRate 4 -TruncateRate 3 -ErrorsPerSec 8 -ResponsesPerSec 8
D) Best Practice for Managing the Open DNS Servers
Reduce the total number of open DNS resolvers
An essential component of DNS amplification attacks is access to open DNS resolvers. By having poorly configured DNS resolvers exposed to the Internet, all an attacker needs to do to utilize a DNS resolver is to discover it. Ideally, DNS resolvers should only provide their services to devices that originate within a trusted domain. In the case of reflection based attacks, the open DNS resolvers will respond to queries from anywhere on the Internet, allowing the potential for exploitation. Restricting a DNS resolver so that it will only respond to queries from trusted sources makes the server a poor vehicle for any type of amplification attack.
Source IP verification – stop spoofed packets leaving network
Because the UDP requests being sent by the attacker’s botnet must have a source IP address spoofed to the victim’s IP address, a key component in reducing the effectiveness of UDP-based amplification attacks is for Internet service providers (ISPs) to reject any internal traffic with spoofed IP addresses. If a packet is being sent from inside the network with a source address that makes it appear like it originated outside the network, it’s likely a spoofed packet and can be dropped.
Description: NetBIOS defines a software interface and a naming convention. The NetBIOS name service uses port 137/udp.
Openly accessible NetBIOS name services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.
Security Advice: Blocking incoming connections to relate port on firewall. (Netbios services commonly used Port 137)
Description: NTP is short for Network Time Protocol. It is one of the standards for time synchronization in the Internet. Its purpose is to synchronize the clock of the computer to the international standard time, and the machine connected to the Internet will calibrate the time through the protocol.
NTP includes a monlist function, also known as MON_GETLIST, which is mainly used to monitor NTP servers. The monlist function has a security vulnerability. After the NTP server responds to the monlist, it returns the IPs of the last 600 clients that have performed time synchronization with the NTP server; the response packages are split every 6 IPs, and there will be up to 100 response packets eventually.
Security Advice:
A) Setting for NTP Server (Linux)
Method 1:
- Upgrade the NTP Server to 4.2.7 or above
Method 2:
- In Linux NTP Server, in a Terminal window, and execute these commands:
- nano /etc/ntp.conf
- In nano, scroll down a page or two to find the two "restrict" lines highlighted below, and remove # signs to comment them out:
B) Setting for NTP Server (Windows)
This misconfiguration is not available on Windows Server.
C) Best Practice for Managing the Open NTP Servers
Use Multiple NTP Servers
The easiest thing for a network operator to do is simply configure their clients to use multiple NTP servers on the network.
This NTP configuration can process multiple time sources at the same time and discard one if it disagrees with the rest. This makes an attacker’s job harder, because they will need to attack the NTP traffic from a majority of the servers to impact the NTP clients.
Monitor Servers From The Client’s Perspective
Another Best Practice is to have NTP client nodes devoted to monitoring the health of the NTP servers on the network. Monitoring an NTP server directly is important, but it will only tell you if there is a problem with that particular server. If you monitor it from the client side, you can look at the time transfer process from the client’s perspective and see whether there is anything suspicious happening after the packets leave the server.
Use NTP Encryption Options
The NTP peering packets (as well as the mode 6 “ntpq”-style queries) contain sensitive information that can be used in an attack. When using these services, operators are advised to either use NTP encryption options (such as symmetric keys) or use other means (such as access control lists) to control who can access these NTP queries. This will prevent this information from leaking out to unauthorized parties who could use them in a cyberattack.
Description: NTP servers that have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks.
The NTP version command is a Mode 6 query for READVAR.
Security Advice:
A) Setting for NTP Server (Linux)
- In a Terminal window, and execute these commands:
- nano /etc/ntp.conf
- In nano, scroll down a page or two to find the two "restrict" lines highlighted below, and remove # signs to comment them out:
B) Setting for NTP Server (Windows)
This misconfiguration is not available on Windows Server.
C) Best Practice for Managing the Open NTP Servers
Use Multiple NTP Servers
The easiest thing for a network operator to do is simply configure their clients to use multiple NTP servers on the network.
This NTP configuration can process multiple time sources at the same time and discard one if it disagrees with the rest. This makes an attacker’s job harder, because they will need to attack the NTP traffic from a majority of the servers to impact the NTP clients.
Monitor Servers From The Client’s Perspective
Another Best Practice is to have NTP client nodes devoted to monitoring the health of the NTP servers on the network. Monitoring an NTP server directly is important, but it will only tell you if there is a problem with that particular server. If you monitor it from the client side, you can look at the time transfer process from the client’s perspective and see whether there is anything suspicious happening after the packets leave the server.
Use NTP Encryption Options
The NTP peering packets (as well as the mode 6 “ntpq”-style queries) contain sensitive information that can be used in an attack. When using these services, operators are advised to either use NTP encryption options (such as symmetric keys) or use other means (such as access control lists) to control who can access these NTP queries. This will prevent this information from leaking out to unauthorized parties who could use them in a cyberattack.
Description: The Lightweight Directory Access Protocol (LDAP) is a networking protocol for accessing and maintaining distributed directory information services.
Openly accessible LDAP servers can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.
Security Advice:
Blocking incoming connections to relate port on firewall. (LDAP services commonly used Port 389)
Description: Multicast DNS (mDNS) is used for resolving host names to IP addresses within small networks that do not include a local DNS server. mDNS uses port 5353/udp.
Openly accessible mDNS services can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the system or network the service is running on for preparation of further attacks.
Security Advice:
Blocking incoming connections to relate port on firewall. (mDNS commonly used Port 5353)
Description: This report identifies hosts that have the MS-SQL Server Resolution Service running and accessible on the Internet.
These services have the potential to expose information about a client’s network on which this service is accessible and the service itself can be used in UDP amplification attacks.
Security Advice:
Blocking incoming connections to relate port on firewall. (MS-SQL Server Resolution Service commonly used Port 1434)
Description: The Portmapper (portmap, rpcbind) is required for mapping RPC requests (remote procedure calls) to a network service. It is needed e. g. for mounting network shares using the Network File System (NFS).
Openly accessible Portmapper services can be abused for DDoS reflection attacks against third parties.
Security Advice:
Method 1:
Blocking incoming connections to relate port on firewall. (Portmapper commonly used Port 111)
Method 2:
The portmapper service can be disabled using the following command:
systemctl disable rpcbind
systemctl disable rpcbind.socket
systemctl stop rpcbind
systemctl stop rpcbind.socket
Method 3:
The portmapper service can be removed using the following command:
# apt-get remove rpcbin
Description: This report identifies hosts that have the TFTP service running and accessible on the Internet. Our probe tests to see if the TFTP service is accessible and will either return the file that we are asking for or return an error code. Note, we are not testing to see if file upload is enabled.
Security Advice:
Blocking incoming connections to relate port on firewall. (TFTP commonly used Port 69)
Description: This report identifies hosts that have the Quote of the Day (QOTD) service running and accessible on the Internet.
These services have the potential to be used in amplification attacks by criminals that wish to perform denial of service attacks. The service is tested by sending a UDP packet containing a single carriage return to UDP port 17.
Security Advice:
Blocking incoming connections to relate port on firewall. (QOTD commonly used Port 17)
Description: The Simple Network Management Protocol (SNMP) is a networking protocol for device management and monitoring.
Openly accessible SNMP servers using the default ‘public’ community can be abused for DDoS reflection attacks against third parties. Furthermore, they allow potential attackers to gather information on the server or network for preparation of further attacks.
Security Advice:
Blocking incoming connections to relate port on firewall. (SNMP commonly used Port 161)
Description: SSDP is used by some consumer-level equipment for network discovery. It does not have any real use on public servers and is used for reflection DDoS attacks on dedicated servers.
Security Advice:
Method 1:
Blocking incoming connections to relate port on firewall. (SSDP commonly used Port 1900)
Method 2:
If the SSDP server is not required, disable or deinstall it.
User following command: iptables -I INPUT 1 -p udp -m udp –dport 1900 -j DROP
Method 3:
The portmapper service can be removed using the following command:
# apt-get remove rpcbin
你可能感興趣
漏洞披露計劃旨在鼓勵網絡安全研究人員負責任地報告潛在軟件或系統漏洞,此計…
疑似诈骗/网络陷阱?…
我們聯同以下軟件公司提供免費掃毒及清洗工具,若你想防止電腦設備受到網絡威脅…
恢复短语是首次设置加密资产钱包(如MetaMask)时,系统自动产生的多组词语。…
防火牆可为电脑或网络阻截恶意或不必要的网络通讯,有助防范网络攻击及数据外泄…
坊间有不少专家认为苹果使用封闭式系统设计,每个app都在独立的虚空间运行,严…
要防止从计算机硬磁盘复原已删除的数据,坊间一般会用低阶格式化、覆写、消磁、…
很多公众地方,例如政府公共设施、商场、酒店或餐厅等,都会提供免费Wi-Fi,方便…
社交媒体及即时通讯软件已成为日常社交及沟通不可缺少的工具,当中有个人用户和…
多重验证(MFA)是指透过两种或以上元素来验证身份,加强保安。多重验证技术其实…
2022年尾,有虚拟私人网络服务供应商公布最常用密码排行榜,排名第1的密码是…
