The most elegant solution to Denial of Service (DoS) attacks I’ve ever seen

OMG. This is network security poetry. It is the most exquisitely beautiful solution to Denial of Service (DoS) attacks I’ve ever seen. If excessive connections are made to select ports in a certain timeframe, the source IP is added to an escalated list of iptables rules which eventually lock that IP out for over a month!

Initially I blocked attacks on an IP-by-IP basis, but this resulted in hundreds of separate iptables rules which, as you can imagine, became unwieldy quickly. Next, I implemented iptables rules using the iptables recent module (ipt_recent), which stopped attacks in a certain timeframe but did not prevent the same IP address from starting a new attack a short time later, scot-free. The solution below keeps a long-term memory of offending IPs and thus really punishes attackers by putting their zombie hosts on the sidelines for a long time. It is also better than the IP-by-IP way I used to do it because after the longest ban (monthlong or whatever) expires, the IP is trimmed from the list.

Brilliant! I will soon adapt my rules to implement these clever ideas.

I have previously written a bit about using IPTables to limit brute-force attacks. For the past month, that system has been working quite well. The typical attack pattern resembled that in [graph 1, graph 2]. A few days ago, however, an attack was implemented which ‘fell under the radar’, so to speak – instead of being a short-lived, high-volume (60/min for 5 min) attack, this one was a slow and prolonged attack (1/2 min for 11 hrs) [graph 3, graph 4].

Improvements

Due to this, I have decided to augment my IPTables ruleset somewhat. There are a couple of points I found lacking in the previous revision. Firstly, repeat offenders did not have any extra consequences – whether you attacked for the first time or the tenth time, you were treated equally. Secondly, a slow attack was not effectively dealt with. Thirdly, the nature of the attack (quick vs slow) was not considered in the consequence. Finally, I wasn’t that pleased with the logging implementation – the log file was not exclusive, and no log rotation was set up. All of the above are addressed in this revision.

Source: Escalating Consequences with IPTables « That’s Geeky
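An added example (not the rules from That’s Geeky or from this blog) of the escalating design described above, built on the iptables recent module: a short ban for a first offence, longer bans for repeat offenders remembered in a long-term list, a second detection window for slow attacks, and automatic trimming once the longest ban expires. The port 22 target, the hit thresholds, the ban lengths and the chain and list names are my assumptions.

```shell
#!/bin/sh
# Escalating-ban ruleset built on the iptables "recent" module (xt_recent).
# Dry run by default: prints the iptables commands for review. Run with
# IPT=iptables as root to apply them. The port, thresholds, ban lengths
# and list names below are assumptions, not the original rules.
IPT="${IPT:-echo iptables}"
PORT="${PORT:-22}"

escalating_ruleset() {
    # Chains must exist before any rule jumps to them.
    $IPT -N ESCALATE
    for tier in 1 2 3; do $IPT -N "BAN$tier"; done
    # Check the longest ban first so an escalated address can never fall
    # through to a shorter tier. --reap purges entries older than the
    # window, so a reformed address is trimmed from the list by itself.
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name ban3 \
        --rcheck --seconds 2592000 --reap -j DROP      # 30 days
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name ban2 \
        --rcheck --seconds 86400 --reap -j DROP        # 1 day
    # Tier 1 uses --update, so a host that keeps hammering while banned
    # refreshes its own timestamp and stays banned until it goes quiet.
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name ban1 \
        --update --seconds 600 -j DROP                 # 10 minutes
    # Record every new connection, then test a fast burst (5 in 60 s) and
    # a slow drip (15 in 1 h). hitcount cannot exceed xt_recent's
    # ip_pkt_list_tot module parameter (default 20).
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name probe --set
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name probe \
        --rcheck --seconds 60 --hitcount 5 -j ESCALATE
    $IPT -A INPUT -p tcp --syn --dport "$PORT" -m recent --name probe \
        --rcheck --seconds 3600 --hitcount 15 -j ESCALATE
    # Every offense adds one timestamp to the "offense" list; the number
    # of offenses in the last 30 days selects the ban tier.
    $IPT -A ESCALATE -m recent --name offense --set
    $IPT -A ESCALATE -m recent --name offense --rcheck --seconds 2592000 \
        --hitcount 3 -j BAN3
    $IPT -A ESCALATE -m recent --name offense --rcheck --seconds 2592000 \
        --hitcount 2 -j BAN2
    $IPT -A ESCALATE -j BAN1
    # Each BAN chain logs (rate-limited) and enrols the address in its list.
    for tier in 1 2 3; do
        $IPT -A "BAN$tier" -m limit --limit 1/min -j LOG \
            --log-prefix "BAN$tier: "
        $IPT -A "BAN$tier" -m recent --name "ban$tier" --set -j DROP
    done
}

escalating_ruleset
```

Because a tier-1 ban is checked before the probe list is updated, a host that comes back after its ban expires is counted as a fresh offense and lands on the next tier; raise the xt_recent ip_list_tot parameter if you expect more than 100 addresses per list.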

Script kiddie fail

Watch out, we've got a badass over here.

Some bored kid out there has taken to brute force attacking my webserver in the early morning. I just noticed this referrer entry on the URL:

[Redacted IP] - - [19/Jan/2016:03:33:28 -0500] "POST /wp-login.php HTTP/1.1" 200 3416 "-" "--user-agent=Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:39.0) Gecko/20100101 Firefox/39.0"

Catch that? Whatever script Dr. Evil is trying to run here sets the referrer value by using --user-agent= as an argument. Instead, our boy genius is passing…

--user-agent="--user-agent …"

Brilliant. Simply brilliant.

Adaptive firewall rules with the recent module

I’ve been fighting off hackers to MT.Net for several years now. My traditional way of doing this has been to manually flag the IP address of the attacker and add it to a block list. This used to be very effective, but then attackers began enlisting bot networks with dozens of IPs per attack. It became impossible to block them all without making it a full-time job.

About three years ago I implemented adaptive firewall rules which will track URL requests and only allow a certain number of those requests before blocking further ones. I blogged about their success and then … promptly stopped using it for some reason!

Today I noticed I was no longer using these amazing rules and promptly put them back into place. Like magic, the huge load I had seen on my webserver promptly disappeared. Now it doesn’t matter how many IPs an attack originates from, it will be blocked! That IP will not be able to launch any further attacks for 5 more minutes.

I love using smart approaches to problems. Just wish I remembered to keep them around next time!

The 19th Century plug that’s still being used – BBC News

The BEEB covers Apple’s rumored plans to kill off the phono plug. The story includes a quote from an Apple analyst:

“It feels painful because you’ve got hundreds of millions of devices out there that are using the old standard,” says Horace Dediu, a technology analyst with in-depth knowledge of Apple.

… and …

“Studying Moore’s Law and the history of technology, it’s clear we’re not going to stick around with something analogue for long,” he says. “It’s almost puzzling that it’s taken so long.”

Maybe because analog phone jack technology Just Works? Any guesses why an Apple stock analyst might like this move?

The Sum of Us petition is here, if you care to sign it.

Phone-crazed audiences and fed-up musicians? Yondr is on the case – CNET

A startup called Yondr is trying to sell concert venues on the idea of taking away their customers’ smartphones during shows. The company’s product is a bag that locks over the audience member’s phone, blocking it from being used unless taken to an “unlocking station.”

This idea is all kinds of wrong. As the reporter below describes, putting your phone into a bag will now make you obsess over the phone. Did it vibrate? If so, what was it? Guess what? Now I’m the distracted one, not the person who might have seen my phone’s display. And this happens to everyone else whose smartphone has been held hostage.

What if a desperate phone call comes in from the babysitter at home, but because my phone is kidnapped inside a Guantanamo-worthy hood I don’t hear/feel the call come in? Or what if I do but I can’t push the stoner metalheads out of the way to get to the “unlock station” in time to take the call? What if it’s a call to tell me my house is burning down? Can you say “lawsuit?”

Time Warner Cable advises 320,000 customers of possible hack

Rut roh.

Time Warner Cable has sent notices to 320,000 of its customers throughout the U.S., advising them to change the password to their email account out of concern that someone may have gained unauthorized access to that information. The telecommunication company said it was notified of the vulnerability by the FBI, but there’s no evidence to suggest that there was an actual breach.

Source: Time Warner Cable advises 320,000 customers of possible hack

Great job available for a sharp DevOps admin

The company I work for is seeking a sharp sysadmin to fill an Infrastructure Engineer role in Raleigh. We need people who have experience with DevOps tools for managing large production environments (Chef, AWS, Git, Docker, Puppet, etc.).

Here’s the job description and a link for applying. Please share!

We are seeking an experienced, self-motivated, and passionate Infrastructure Engineer to join our team. Are you someone who loves to solve big problems and who doesn’t settle for the status quo? We believe in finding the right tool, hardware, or software for the job, we don’t care if it’s open source or proprietary.

If it makes our systems faster, more secure, and scalable we want to hear about it. Because we are an Agile company you won’t be working in a silo. We need you to have broad experience in system administration, network operations, some coding experience, build and release engineering, performance engineering and site operations. We don’t expect anyone to know everything, we just need people who are quick studies that aren’t afraid to jump in with both feet and learn by doing.

An entrepreneurial fast paced mentality is critical for success in this position: a passionate can-do attitude, exceptional communication skills, and the ability to collaborate while acting as a thought leader in your area of expertise will serve you well at Rally Software. Does this sound like a challenge you’re ready for?

Once hired, here’s what we’ll need you to do:

Apple should kill the headphone jack – Tech Insider

Tech Insider columnist and Apple fanboy Alex Heath advocates for Apple’s reported nixing of a headphone jack on its upcoming iPhone 7. Says Heath:

The audio jack in the iPhone is based on technology intended for telephone switchboards in the 19th century. It’s an ancient port, and while it’s a common standard now, its days are numbered.

Well, yeah. We’ve been using audio through analog wires for over a hundred years. Know what? We’ve pretty-much got it perfected. Is it the best audio available? Not anymore, but it’s cheap and ubiquitous. Don’t count out cheap and ubiquitous.

Then Mr. Heath hints at why Apple might consider this move:

The main downside of Lightning-equipped headphones right now is price. Apple recently started selling a $800 pair of Lightning headphones from Audeze in its store, which only the most serious audiophile would even consider buying. Only a few companies have committed to Lightning so far, and their headphones generally run for at least $200.

Eight hundred bucks for a pair of headphones and $200 for the cheapies. Meanwhile, standard phono-jack phones are so cheap that they’re practically given away.

Oh, and there’s also this:

Lightning is also a proprietary connector that Apple owns…

Do you see where this is going? “Cheap and ubiquitous” is the last thing Apple wants. Apple can’t claim to be saving space by its switch from a phono plug to Lightning. What it really wants is to get the millions of Apple-loving drones out there used to shelling out $100+ for Apple-proprietary accessories that could otherwise be had for mere dollars through the wonders of mass-market standardization.

I once railed against Microsoft’s “embrace and extend” way of sabotaging standards. Apple has taken a play from the Redmond playbook. Apple’s refusal to play nice with the rest of the world rubs this advocate of open source and open standards the wrong way.

Remember the collective outrage when Apple removed the optical CD drive in the Mac? Or how about when Apple chose to not let the iPhone’s browser support Adobe Flash, the horrible and insecure web standard that was nearly ubiquitous at the time and basically extinct now?

They were all big changes that may have caused inconvenience and raised eyebrows at the time. But looking back, they seem like obvious steps forward.

Source: Apple should kill the headphone jack – Tech Insider

Highlights of 2015: CERT lives again

Oakwood CERT members learn basic firefighting

I’ve blogged here before about how much fun I’ve had participating in the CERT program, the Community Emergency Response Team training. I think it is important to get people trained to help themselves when the need arises. In cases of trauma, every minute counts. Medical experts talk about the Golden Hour, when the odds of saving a victim of traumatic injury are greatest. One doesn’t have to be a doctor, but anything that can patch a person up until medical professionals can get there will go a long way towards saving them.

As you know, the first CERT program folded. I had heard rumblings of a new program being bootstrapped in the Oakwood neighborhood. A year passed and I wondered if the effort would succeed. Then in August I got an invite to the training class for the Oakwood CERT team – it was actually happening! About twenty of my neighbors took the training with me and we had great support from Samantha Royster from the North Carolina Department of Public Safety (NCDPS). Everyone left that weekend with some hands-on emergency training as well as a full CERT kit paid for through a generous federal grant.

What’s more, my classmates immediately elected me … president. While I wasn’t in the room, of course. Heh.

Fast forward to mid-December. My company’s foundation looks for non-profits that attract the passion of its employees and those employees are invited to submit grant requests. On the last day of the grant program, I put in a request to fund the Oakwood CERT team and was pleased to learn it was fully granted! It’s a modest grant but it’s one I hope to build on.

Highlights of 2015: Google Fiber

Also around February, Raleigh got the official word from Google that Google Fiber was coming to the Triangle.

This announcement was really exciting to me after doing what I could over the years to promote broadband competition in North Carolina. For years I maintained the “Bring Google Fiber to Raleigh” Facebook page, posting updates when I got them. I met with city and state officials to keep up with their broadband plans (NC NGN). I took time off of work to attend the Google Fiber announcement and schmoozed with Google Fiber executives at an invitation-only community meet-and-greet.

I was hoping to become a part of the Google Fiber team here but it was not to be. It would’ve been one hell of a gig, so to speak: promoting something I am passionate about and putting to use all the people and political skills I’ve honed over the years. Google had their own ideas of what they wanted, though, and I was super bummed to miss out on the opportunity. It’s probably for the better, in hindsight. I can honestly say that Google hit a home run with the hire of Tia MacLauren as its Raleigh Community Manager, and I am getting crankier in my old age and thus more apt to say what I’m thinking!

Google Fiber trucks haven’t begun rolling in earnest around Raleigh yet but they soon will. No matter what, though, broadband competition has finally come to North Carolina’s cities, and this in itself is a beautiful thing.