How Earth Day could save both the planet... and the internet

Filed Under: Botnet, Denial of Service, Law & order, Security threats

Earth DayEarth Day really did make a difference - at least in the world of internet security.

That's one of the conclusions revealed in a paper presented today at the Virus Bulletin (VB2012) conference in Dallas, Texas.

On 22 April 2012, more than a billion people around the world are thought to have done their bit to preserve the environment, with many choosing to turn off their computers to reduce energy consumption.

And what happened? Well, I can't tell you if the planet has a rosier future, but it's certainly the case that denial-of-service attacks plummeted according to researchers.

DDoS attack traffic in 2012

Internet attacks dropped on Earth Day (22nd April), as they also did on 29th May (Memorial Day weekend) and 28th June (just before US Independence Day celebrations).

Although it's very tricky to prove a connection, there were plenty of theories presented at VB2012 as to why other dates showed a massive slump in DDoS attack traffic.

Could the drop on 30th January be due to Chinese families travelling in the run-up to the Chinese New Year celebrations? And were attackers recovering from St Patrick's Day on March 20th?

My suspicion is that the Earth Day effect could be real: home botnet computers were turned off and botnet-based attacks declined. If everyone turned off their computers each night, it might not just be good for the environment because of the lower levels of energy being consumed.. it could also mean a reduction in botnet attacks.

Did you just get hit by a DDoS attack from Mars?

Malicious hackers and extortionists are frequently in the headlines for launching denial-of-service attacks against all manner of internet sites - including gambling websites, blogs, businesses, and media organisations critical of governments.

Victims in the recent past have included the Azerbaijan-hosted Eurovision Song Contest, sites connected with elections in Russia and Mexico.

The motivations for such attacks may be financial, or political, or ideological. However, while an inaccessible website being bombarded with unwanted traffic can be highly visible and obvious, what is seldom discussed is the impact such malicious traffic is having on the net as a whole.

VB2012CloudFlare's John Graham-Cumming attempted to paint a picture of the internet's malicious traffic for delegates at the Virus Bulletin conference in Dallas today. Internet traffic that is "ever present, but difficult to see".

CloudFlare, a San Francisco-based firm that protects websites from security threats, handles some 64 billion page views every month - giving it the opportunity to track large numbers of attempted attacks against its clients.

Aside from his "Earth Day" revelations, Graham-Cumming described the constant barrage of attacks which occur against CloudFlare's network around the clock, every day of the week, in an attempt to disrupt their customers' websites. Attacks, he explained, tend to peak mid-week but hardly ever stop.

Some denial-of-service attacks, however, shoot themselves in the foot somewhat by being far too easy to filter.

According to Graham-Cumming's paper, the largest source of attacks (23%) comes from Martian IP addresses (that is IP addresses that can legitimately appear on a corporate network or home environment, like 10.0.0.0 or 192.168.0.0 to 192.168.255.255) but are not valid on the public internet.

In one swoop, almost a quarter of attack traffic can be instantly disregarded as it is clearly being spoofed.

The other networks which appear to be serving up the most traffic (it's hard to be definitive as the originating network can be spoofed) are China Telecom with 3.45%, China Unicom with 2.13% and Comcast and Dreamhost with 1.74% and 1.45% respectively.

CloudFlare's clash with UGNazi hackers

UGNaziOf course, being in the business of protecting the web presence of so many organisations does make CloudFlare something of a target itself. John Graham-Cumming's paper acknowledges this, detailing an attack by the UGNazi hacking collective against his company in June 2012.

The UGNazi attack had the 4Chan message board in its sights, and managed to successfully redirect users hoping to visit the anarchic website towards UGNazi's Twitter page instead.

Although CloudFlare isn't entirely blameless, a contributing factor in the attack was a flaw in Google's two factor authentication, intended to secure access to CloudFlare's online accounts:

[UGNazi] succeeded in taking over the personal and work email of CloudFlare's CEO and using that to gain access to the DNS settings of one of our customers. They used that to redirect that particular site.

The attack involved four key vulnerabilities that, when put together, allowed the hackers in:

1. AT&T was tricked into redirecting the CEO’s voicemail to a fraudulent voicemail box;

2. Google's account recovery process was tricked by the fraudulent voicemail box and left an account recovery PIN code that allowed his personal Gmail account to be reset;

3. A flaw in Google’s Enterprise Apps account recovery process allowed the hacker to bypass two-factor authentication on his CloudFlare.com address;

4. CloudFlare BCC-ing transactional emails to some administrative accounts allowed the hacker to reset the password of a customer once the hacker had gained access to the administrative email account.

Sadly, it seems that the trend for denial-of-service attacks is rising. But some hackers are becoming aware of the methods that firms are using to deflect them.

The fear must be that hackers who previously launched DDoS attacks might switch to using other attack methods (such as breaking into websites) which could potentially be much more damaging to an organisation.

, , , , , ,

You might like

2 Responses to How Earth Day could save both the planet... and the internet

  1. Dubinky · 573 days ago

    The sickest part is that if AT&T hadn't fallen prey to the social engineering that started the whole chain of events. I fully agree that safeguarding the technology is important, but how many attacks only succeed because of some unnamed individual at a company you should be able to trust.

  2. Nigel · 573 days ago

    I agree that it's very tricky to make connections that don't confuse correlation with causation. Nevertheless, if the data reveal a causative link, then the kind of people who believe that turning off their computers on Earth Day actually does anything to "save the planet" are also the kind of people whose computers are otherwise available for the bad guys to use in DDoS attacks.

    The implications are fascinating. And there's not a little irony in the fact that a computer that serves as a zombie agent in DDoS attacks reflects an inability of its owner to "think globally, act locally", as the popular enviro-mantra preaches.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

About the author

Graham Cluley is an award-winning security blogger, and veteran of the anti-virus industry having worked for a number of security companies since the early 1990s. Now an independent security analyst, he regularly makes media appearances and gives computer security presentations. Send Graham an email, subscribe to his updates on Facebook, follow him on Twitter and App.net, and circle him on Google Plus for regular updates.