Topic: McAfee Cyber Defense Center Zooms In on Middle East

[Pez]

McAfee Cyber Defense Center Zooms In on Middle East

From McAfee’s first Cyber Defense Center (CDC) in Dubai, we closely monitor threats and activities in Europe and the Middle East. Since the Center’s official launch in September 2013, we have seen  quite a few interesting trends, especially in the Persian Gulf region.



Many of the activities spotted are related to hacktivism, cybercrime, or regional conflicts. The following table gives an overview of the top-five countries that are under attack, the top-five verticals, and the top-five types of attack that are used in the various incidents and campaigns targeting these countries and industries.



In this region it is safer to launch a protest from behind a desk than to actually go out on the streets and participate in a demonstration.

Tools and quick-setup sites for participating in a distributed denial of service (DDoS) campaign are divided among the participants. It can be as easy as clicking on a short link, which opens a web page containing an application with a front end prefilled with the victim’s details. By clicking on the launch button, the commands are sent to a list of “booter” servers that commence the DDoS attack. An attacker can easily execute an exploit from a computer as well as a smartphone.

One type of DDoS attack scenarios we are monitoring from the CDC are “DNS-amplifying-DDoS” attacks. This scenario allows the actors to boost DNS responses by a factor of 40 or more per DNS request. Either the attackers scan for vulnerable DNS servers or set up their own network of DNS servers. Tutorials, tools, and code are freely available on the Internet to launch these kinds of attacks. Since September 2013, we have seen that most of these attacks were launched against Turkey, with Saudi Arabia and the United Arab Emirates in second and third place, respectively.



Prevention

  • Make sure that DNS recursion is permitted only for the networks that need to use DNS; block recursion for all other networks.

  • In case of BIND, use the new feature DNS Rate Response Limiting (RRL). https://kb.isc.org/article/AA-01000/0/A-Quick-Introduction-to-Response-Rate-Limiting.html

  • A Secure DNS template for BIND is available from Team Cymru. http://www.cymru.com/Documents/secure-bind-template.html

  • Harden NTP servers using SNMP on routers. The NTP and SNMP protocols are commonly used to amplify attacks.


Original article: By Christiaan Beek on Mar 05, 2014