Dear PenTest Readers,
In the current issue we would like to take a closer look at DDoS attacks: their history, mechanics, the vectors used, and mitigation and prevention methods. Even though this type of attack has been part of the information security landscape for more than twenty years, DDoS attacks are still considered one of the most notorious cyber threats by organizations around the world. Moreover, the damage caused by these attacks can be irreversible and impossible to recover from. Hundreds of DDoS attacks take place every day. The topic still needs to be researched and examined, as the DDoS threat landscape constantly evolves.
Our contributors provide you with great articles, presenting DDoS attacks from various perspectives. Andy Shoemaker brings a great piece on the 5 most common DDoS misconceptions. Raphael Maunier presents a brilliant article on the crucial need for the evolution of mitigation techniques against this type of attack. Dinesh Sharma, our regular contributor, presents very informative case scenarios on DDoS attacks, covering a prevention mechanism as well. Jalasutram Sai Praveen Kumar discusses the role of botnets and IoT in DDoS attacks, and argues how threat intelligence can bridge the security gap in this context.
What’s more, our contributors also cover other interesting IT security topics. German Namestnikov presents you with an attacker’s view on advanced threat protection in his article about breaking through a sandbox. Geoff Hill emphasizes the importance of Agile-based Rapid Threat Modeling, and Hitoshi Kokumai has written about the interdependence of episodic memory and digital identity in the security context. Bohdan Ethics presents a comprehensive analysis of attacks on the network and MITM in WiFi/LAN. There is also a very valuable article by Huy Kha about Active Directory and its (in)security. Last but not least, Himanshu Dhote writes about Shellshock.
We are convinced that you will find a lot of valuable cybersecurity knowledge in this issue. Stay safe from DDoS and other threats!
Special thanks to every contributor and reviewer who helped in the creation of this issue.
Without further ado,
Enjoy the content!
PenTest Magazine’s Editorial Team.
Table of Contents
5 Common DDoS Misconceptions
by Andrew Shoemaker
At the heart of a DDoS attack is the notion of impacting availability, but the mechanism for doing so is a bit arbitrary. At the highest level, DDoS attacks tend to be separated into three major categories: volumetric, protocol, and layer-7. Within each category there may be thousands of individual attack vectors. The classic image of the full Internet circuit is the volumetric attack category, where the sole purpose of the attack is to overwhelm the organization's circuits. However, layer-7 and protocol attacks don't follow this model.
From a Centralized Security to a Distributed Edge Security
by Raphaël Maunier
The ISP’s job was to build a few scrubbing centers with a few boxes, most of the time one box per country. The issue was a higher latency. For example, one of the leaders of the industry had its biggest scrubbing center on the US East Coast. If you are a customer in the middle of the US, your traffic can come from the West Coast, go all over the continent, and then get back to you in the middle. Then at some point we realized that the D in DDoS stands for Distributed – so your infrastructure needs to be distributed as well.
DDoS Attack, Case scenarios and Prevention Mechanisms
by Dinesh Sharma
[FULL ARTICLE AVAILABLE IN THE FREE PREVIEW]
We are not authorized to perform any kind of DoS or DDoS on any system as it is strictly illegal. But we can create our own small lab to perform a simple SYN flooding DoS that can be converted into a DDoS attack with multiple machines. We just need two virtual machines in our lab. One machine will act as a victim machine, the other will act as the attacker's machine. One machine will be Kali Linux, that is our attacker's machine, and the other one can be any machine with any OS. Make sure they are in the same network.
Preemptive and Proactive Protection from DDoS through Threat Intelligence
by Jalasutram Sai Praveen Kumar
Botnets are the soul of DDoS attacks. Botnets and DDoS attacks are interrelated when it comes to causing disruption to their victims. Threat actors create their own botnet networks by compromising multiple systems (bots/zombies) at various locations and coordinate them accordingly to divert enormous amounts of data packets towards their target, rapidly exceeding the target’s bandwidth capacity and disrupting its normal operations.
Breaking Through Sandbox: An Attacker’s View on Advanced Threat Protection
by German Namestnikov
WildFire and FortiSandbox ATPs implement a Defense in Depth strategy on different Cyber Kill Chain steps. For example, FortiSandbox makes the "Delivery" stage harder, unlike the WildFire ATP that makes mostly the "Installation" and "Command & Control" steps harder. At the beginning of my work, we had strong and stable installations of both of them and I decided to consider these two solutions regardless of their place in the scope. Therefore, during my work, I used the same payloads for both ATPs.
Focus Your Pentest Activities with Agile-based Rapid Threat Modeling
by Geoff Hill
In many cases where I have gone to help, management has decided that the security team is responsible for all threat modeling, which would be slightly ok, except this usually boils down to ONE person doing threat models for the entire group/product/organization. This is not a good use of the security professional's time and it produces sub-optimal threat models… if they get produced at all. The security professional knows security but generally does not have intimate knowledge of the system to be modeled. This is why threat modeling should be a group activity with the security professional as one of the stakeholders.
Episodic Memory and Digital Identity
by Hitoshi Kokumai
Digital currencies naturally attract criminals like a strong magnet, whether captioned with 'crypto' or not. The digital currencies operated with a fragile digital identity would be the most attractive cash cow for criminals. Moreover, where the fragile digital identity is shared for digital currencies and for privacy and personal data of the same people, criminals and despots would see their paradise. The subject of this article is a fragile digital identity built with a weak password, which makes a grave choke point of the cyber age.
Attacks on the Network and Man in the Middle in WIFI / LAN
by Bohdan Ethics
In this article, I want to divide the MITM and the path to MITM into categories and distribute them on different chains. We all understand that with the MITM attacks we have different situations in which we can use something, there is something not and we pursue different goals - a mass attack, an individual (point) attack. Need to get access to a PC or read traffic? Can you be aggressive online or not?
(In)security of Active Directory
by Huy Kha
How often do you see that legacy protocols like LLMNR & WPAD have been disabled on all the endpoints of an organization? Probably not very often. In addition, what about rotating the (empty) password of the built-in administrator account for every domain-joined computer? It seems very rare to me that someone does this, and let's not forget about the 1000+ OUs and 2000+ groups an organization has, where insecure delegation of rights and permissions has been set (in the past) that can provide escalation paths to AD admin.
Shellshock and Finding a Way to Talk to Bash
by Himanshu Dhote
Shellshock is the most interesting and common vulnerability that gets skipped nowadays during web application testing because it’s found somewhere inside the cooperation between web segments. Shellshock is the vulnerability that mainly affects the Bourne Again Shell (Bash), which makes Linux, Unix and Mac OS X vulnerable to RCE (Remote Code Execution). An adversary uses their own crafted payload to exploit the vulnerability present in Bash, which allows the adversary to remotely execute their code and take out most of the sensitive information for their benefit.