Amazon’s Route 53 was subject to a massive Distributed Denial of Service (DDoS) attack
On October 24, 2019, Amazon informed its customers that Route 53 had been subject to a Distributed Denial of Service (DDoS) attack and that name resolution had been disrupted. In more detail, the attack mainly affected the name resolution of S3 bucket endpoints.
This situation falls into the category of Slow Drip attacks (also known as random-subdomain attacks). In this kind of attack, a malicious actor continuously sends queries to the authoritative nameservers of the domain they are targeting. The queries are mostly for non-existent, pseudo-random subdomains. Because every such name is unique, no resolver has it cached, so each query is forwarded all the way to the authoritative servers; the resources of the victim’s nameservers are depleted and eventually they stop answering even legitimate requests.
Some indicative queries found in the attack traffic confirmed this pattern; the original post reproduced a sample of them.
Whalebone identified the attack
In the case of Amazon, Whalebone identified this attack in time and informed its affected customers.
Early indications of the coming events can be traced back to October 19, when there was a spike in DNS requests for Amazon’s domains. This can be considered a testing cycle before the final outbreak.
Get protected with DNSSEC
A possible defence against this kind of attack is the aggressive use of DNSSEC-validated cached answers (RFC 8198). According to this specification, NSEC/NSEC3 resource records can be used to cryptographically prove the non-existence of a domain (or, in this case, a subdomain): each NSEC record names two consecutive existing names in the zone, so anything sorting between them provably does not exist.
By taking advantage of this, resolvers that perform DNSSEC validation can answer a query for a name that falls into an already cached NSEC/NSEC3 gap directly from their cache, and thus drastically decrease the number of requests reaching the authoritative servers.
Whalebone’s security-enhanced resolvers are built on Knot Resolver, which has supported this approach since version 2.0.0 and makes the resolver resilient to this kind of attack, provided the targeted zone is signed.
DNSSEC has to be configured properly
Unfortunately, Amazon’s DNS zones are not cryptographically signed with DNSSEC (as the lookup reproduced in the original post showed), so the cache-based proof of non-existence could not be applied during this attack. Route 53 did not offer DNSSEC signing for hosted zones at the time; AWS added that capability in December 2020. A quick check is to ask a DNSSEC-aware resolver for the zone’s DNSKEY records: an unsigned zone returns none.
It is worth mentioning that even though Whalebone’s resolvers could not shield Amazon’s authoritative servers, they were not themselves affected by the increased malicious workload, and the quality of service for customers remained consistent.
For Whalebone, getting fresh information on current threats is crucial. One source of such information is the Twitter accounts of threat experts who post the threats they have come across. These tweets usually identify current threats, which makes their contents extremely valuable. Crucially, the data is neither structured nor harmonized, so one must use heuristic reasoning (“decoding” the posts back into a proper form) to extract it.
In this article, we describe how we went about extracting the data and the challenges we faced during the implementation. We also show how useful this data is in protecting the network.
How do tweeters share data about threats?
There are two ways in which tweeters (Twitter users from the security community) share threat intelligence data, so-called “indicators of compromise” (referred to as “IOCs” below). In our case, IOCs are malicious web addresses, posted either as a link to pastebin.com or in the body of the tweet itself, in which case they are usually protected against accidental opening, as described below.
The former case can easily be reduced to the latter. We implemented a function that fetches those links and extracts the text, from which IOCs can then be extracted with the same methods as from the tweet body, with the simplification that obfuscation usually does not take place. Not all tweeters post pastebin URLs, however, and some post hashes and other information about threats; to handle such cases, we follow URLs only for specified Twitter accounts.
Extracting data from the tweet body seemed like a formidable task, since there is no straightforward way of telling which URL is a true IOC and which is just a legitimate address that the tweeter could have posted. Fortunately, IOCs are marked by an important feature – they are obfuscated, so that Twitter doesn’t convert them into clickable links and people do not accidentally end up on malicious websites.
This feature of IOCs enabled us to filter out legitimate links: simply exclude all links that are clickable, which is done by blacklisting the t.co domain, since Twitter routes every clickable link through its link shortener.
Having ignored the t.co domain, all that is left in a raw tweet are obfuscated IOCs. The obfuscation methods vary, but there are not too many and most work by direct substitution. Common examples include ‘abd[.]com’ and ‘hxxp://el_karls.com’.
The first example contains the most common substitution: ‘.’ is replaced by ‘[.]’. Such obfuscation can be undone by simply substituting ‘.’ back for ‘[.]’, leaving valid URLs which can then be parsed.
The second example contains another common method: replacing http with hxxp. Dealing with such cases is even easier: we simply ignore the protocol in the later stages of parsing the text.
It turns out that for most tweeters we could revert the substitutions made during obfuscation with a plain string substitution. This makes it really simple to start parsing a new Twitter feed: collect the tweets from that account and add the substitutions required to revert its obfuscation to a list in the config file.
After performing the substitutions, we match the text against a URL regex that ignores the protocol (to account for ‘hxxp’) and then check with get_tld (from the Python tld package) whether the matched text ends in a valid top-level domain; that is all that is left to do. The TLD check is what weeds out false matches such as version numbers or abbreviations like ‘e.g.’ that the regex alone would accept.
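The pipeline described above (revert the substitutions, drop t.co links, match a protocol-agnostic URL regex, validate the TLD, and additionally parse linked pastes for selected accounts), as an added, stand-alone reconstruction that is not Whalebone’s code. The substitution table, the followed-accounts list, the TLD allowlist (a stand-in for get_tld from the tld package), the sample tweets and the paste contents are all constructed here so the example runs offline.

```python
"""Extracting obfuscated IOCs from tweets (added example, not Whalebone's code).

Assumptions: the substitution table, the followed-accounts list, the TLD
allowlist (stand-in for tld.get_tld), the sample tweets and the paste
contents are constructed so the example runs offline."""
import re

# Substitutions that undo common obfuscations; the post keeps these in a config file.
SUBSTITUTIONS = [
    ("[.]", "."), ("(.)", "."), ("{.}", "."), ("[dot]", "."),
    ("hxxp", "http"), ("hXXp", "http"), ("[:]", ":"), ("[/]", "/"),
]
# Stand-in for tld.get_tld(): a small allowlist of public suffixes (constructed).
KNOWN_TLDS = {"com", "net", "org", "ru", "info", "top", "xyz", "io", "co.uk"}
# Twitter rewrites every clickable link through t.co; what survives this filter
# is text the tweeter deliberately kept non-clickable, i.e. an obfuscated IOC.
LINK_SHORTENER = "t.co"
# Accounts whose linked pastes are fetched and parsed too (constructed).
FOLLOW_PASTES = {"@paste_poster"}

URL_RE = re.compile(
    r"(?:[a-z][a-z0-9+.-]*://)?"            # optional scheme, ignored (handles hxxp too)
    r"((?:[a-z0-9_-]+\.)+[a-z]{2,})"         # hostname (group 1); '_' tolerated, it occurs in the wild
    r"(?::\d{1,5})?"                        # optional port
    r"(/[^\s\"'<>]*)?",                     # optional path (group 2)
    re.IGNORECASE)
PASTE_LINK_RE = re.compile(r"https?://t\.co/\S+")


def deobfuscate(text: str, substitutions=SUBSTITUTIONS) -> str:
    """Revert the obfuscation by plain string substitution, in config order."""
    for src, dst in substitutions:
        text = text.replace(src, dst)
    return text


def valid_domain(host: str) -> bool:
    """True if host ends in a known public suffix with at least one label before it,
    so 'example.co.uk' passes while a bare 'co.uk' does not."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in KNOWN_TLDS for i in range(1, len(labels)))


def extract_iocs(text: str, substitutions=SUBSTITUTIONS) -> list:
    """Return the de-obfuscated IOCs (host plus optional path) found in text."""
    found = []
    for m in URL_RE.finditer(deobfuscate(text, substitutions)):
        host = m.group(1).lower()
        if host == LINK_SHORTENER or host.endswith("." + LINK_SHORTENER):
            continue                       # clickable link rewritten by Twitter: not an IOC
        if not valid_domain(host):
            continue                       # 'e.g.' or '2.0' style false matches
        ioc = host + (m.group(2) or "")
        if ioc not in found:
            found.append(ioc)
    return found


# Constructed paste contents keyed by the t.co link found in the tweet.
CONSTRUCTED_PASTES = {
    "https://t.co/paste1": "evil-update.top/payload.exe\nmalicious-cdn.xyz\nnot a url: 1.2\n",
}


def fake_paste_fetcher(link: str) -> str:
    """Stand-in for an HTTP fetch of the linked paste."""
    return CONSTRUCTED_PASTES.get(link, "")


def process_tweet(account: str, text: str, paste_fetcher=fake_paste_fetcher) -> list:
    """Parse the tweet body; for followed accounts also parse the linked pastes,
    without substitutions because pastes are usually not obfuscated."""
    iocs = extract_iocs(text)
    if account in FOLLOW_PASTES:
        for link in PASTE_LINK_RE.findall(text):
            for ioc in extract_iocs(paste_fetcher(link), substitutions=()):
                if ioc not in iocs:
                    iocs.append(ioc)
    return iocs


# Constructed sample tweets (account, body).
SAMPLE_TWEETS = [
    ("@malware_watch", "#malspam doc pulls its payload from hxxp://el_karls[.]com/wp-admin/x.php https://t.co/AbCdEf123"),
    ("@phish_watch", "Phishing kit at abd[.]com and login-verify[.]secure-mail[.]co[.]uk, see https://t.co/xYz"),
    ("@paste_poster", "Today's IOC dump: https://t.co/paste1"),
]

if __name__ == "__main__":
    for account, body in SAMPLE_TWEETS:
        print(account, "->", process_tweet(account, body))
```

Two points worth keeping in mind when adapting this: the substitution list is applied in order, so entries that produce characters consumed by later entries must come first, and a new account’s obfuscation style should be checked against a handful of its tweets before it is added to the config, since an unhandled variant silently yields no IOCs rather than an error.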
In a production environment, we deployed this algorithm with a configuration file containing 30 tweeters and 6 substitutions. Pastebin links were followed for about 10 of them.
This results in about 2,500 IOCs per week flowing into our system, and since deployment in April we have already recorded 3,000 incidents involving these IOCs.
While useful, this model is still rather crude and does not make use of all the information available in the tweets. For example, most tweeters also include a classification of the shared IOCs in their tweets (the example tweets in the original post both include it), which is a useful bit of information and a future challenge for us to get into Whalebone.
We are happy to have been selected by the European Cyber Security Organisation (ECSO) and EIT Digital as one of the most promising scaleups. These awards enabled us to present ourselves to an international audience at the Polytechnic School in Milan (Politecnico di Milano) and to present the benefits of our solutions for Internet providers, telecommunications companies, banks and corporations.
Whalebone won the Seedstars Prague competition, in which the ten best seed-stage startups from the Czech Republic and surrounding countries competed. Winning means Whalebone advances to the global final.
The top ten startups measured their strengths before the jury at Seedstars Prague, the biggest seed-stage startup competition for emerging markets. Whalebone qualified for the competition as a wild card thanks to its victory in the DEXIC Accelerator. The five-member jury selected the best startup not only from Czech companies; a company from Denmark, for example, also competed in Prague. As the winner, Whalebone will represent our region in the contest for the Seedstars Global Winner title at the Seedstars global summit in Switzerland.
Our representative, Petr Soukeník, had, like all the other contestants, three minutes to convince the jury with his presentation. The next five minutes belonged to the jurors, who asked questions and watched how the contestants dealt with them.
Many great ideas, but only one could win
From ten interesting startups, including Yieldigo, SmartGuide, Data & More, Mutumut, MyTimi, Lafluence, Retailys.com, Amio and Vistag, our company was selected by the jury and declared the best seed-stage startup in the region.
“Within three short minutes, it was not easy to say everything and convince the jury that we are the best. In addition, the competition was great because there were ten great startups. I’m so glad that foreign colleagues from Whalebone also came to support me. I think our six nationalities were the most diverse representation among the competing companies,” Petr Soukeník said.
It was not only the quality of the presentation that counted, but also our practical results and the vision we want to pursue with Whalebone, not only in terms of technology but also in terms of expanding the company to other countries and new markets. “There was a break just after the Whalebone pitch. From the interest of investors who had begun to speak with us before the announcement, it was possible to feel that it could go well. The tension before the announcement was enormous,” Petr Soukeník said, describing the wait for the announcement.
As the winner of Seedstars Prague, Whalebone advances to the world final, where we will measure our strengths against six dozen startups from around the world. This challenge, which will take place in April next year, is being carefully prepared for, and we believe it will be a great experience for our entire company.
Our anti-malware tool was deployed by AERO Vodochody AEROSPACE. The customer, the world’s largest manufacturer of military jet trainer aircraft, was particularly interested in a simple concept that protects a wide range of endpoint types without the need for complex configuration.
Blocking started working quickly. “Several incidents were blocked in two weeks of testing and there was no false blocking. Nothing prevents the transition to full operation,” said Whalebone’s CTO Robert Šefr.
The head of ICT at AERO Vodochody AEROSPACE, Milos Vodička, was satisfied too. “For the first time in my career, I have experienced a quick and seamless integration of a security technology into the whole network.”
Whalebone DNS was chosen as one of the top five finalists in the second edition of the International Elevator Lab SK. The main goal of this acceleration program from Raiffeisen Bank International, run in Slovakia by Tatra banka, is to find the startup solution with the greatest potential for use in banking services. Tatra banka CEO Michal Liday said in his closing remarks that the rules of the competition had just changed: instead of one startup winning the opportunity to work with Tatra banka, all five finalists win that ticket.
The Polish and British markets are among the targets of Whalebone DNS expansion in 2019. Market surveys have begun, and in recent months representatives of our company have taken the first steps to promote Whalebone in these countries. We presented our solution at the Wolves Summit event at the Polish Embassy in Prague and to British investors at the UK Tech Night at the British Embassy in Vienna.
Whalebone won this year’s DEXIC Boot Camp, beating many startups from across the Czech Republic. Whalebone CEO Richard Malovich explained in four minutes what our company does and at the same time persuaded the jury of potential investors to fund our project. Whalebone gained new contacts, advice from experienced mentors, and the opportunity to take part in a three-week accelerator.
With only a few hours left in 2017, we would like to sum up what this year meant for the Whalebone team.
We are pleased to say that a few days ago we broke the magic mark of 100,000 protected households! We are also growing in the corporate segment, where we protect tens of thousands of employees.
In addition to expanding our customer portfolio, we strive to be as innovative as possible in detecting attackers’ threats. Besides collaborating with and integrating countless threat intelligence vendors, we continue our joint research with the Czech Technical University in Prague (machine learning on domain generation algorithms). This year we brought that research into commercial use, and the neural network it produced is now deployed in production; that is not commonplace for research projects of this kind.
In the summer, we joined the technology incubator of the Austrian operator A1, part of the Telekom Austria Group, where we are jointly improving Whalebone to meet the demands of major national telecoms.
During 2017, we took part in the largest ISP conferences in the Czech Republic and Slovakia, and we also presented at events in Germany, Austria and Hungary.
We believe that 2017 was just as successful for you.
The entire Whalebone team wishes you all the best in 2018!