CERTs warn on botnets, kernel bugs
- By Derek B. Johnson, Mark Rockwell
- Mar 03, 2018
Cybersecurity experts in the public and private sector are sounding the alarm about super-powered botnets, thanks to a new amplification attack vector that can exponentially increase the power of botnets and Distributed Denial of Service attacks.
A Feb. 27 alert by U.S. Computer Emergency Readiness Team flagged a new vulnerability that exploits the power of infected computers to spoof IP addresses of victimized computers and devices. US-CERT, based at the Department of Homeland Security, warns that a single query can generate a response between 10 and 100 times the original bandwidth back to the victim. This can have effect of exponentially increasing the power of botnets and DDoS attacks.
In the days leading up the US-CERT notice, private-sector companies like Cloudflare and Arbor Networks observed a "significant increase" in the use of such amplification attacks, mostly concentrated in North America and Europe. Qrator Labs, a European-based firm that specializes in DDoS mitigation, claim to have seen a similar spike across Europe between Feb. 23 and Feb. 26, 2018.
In a Feb. 27 blog post, Marek Majkowski, a security engineer for Cloudflare, called the new attack vector significant.
"Obscure amplification attacks happen all the time," wrote Majkowski. "A discovery of a new amplification vector though, allowing very great amplification, happens rarely."
The National Telecommunications and Information Administration put a draft report on botnet mitigation strategies out for public comment in January 2018, and is expected to provide an update later this year. Additionally, the National Institute for Standards and Technology announced Feb. 28 that it would tackle IoT security and give a briefing on its DDoS report at its March public meeting. Congress has also weighed in, introducing several bills designed to shore up security practices for connected devices.
Separately, the Industrial Control Systems CERT at DHS added seven vendors to list of those reporting vulnerability to the Meltdown and Spectre microprocessor bugs, bringing the total to 19.
The two bugs both allow for side-channel exploitations of kernel memory, potentially allowing someone to steal data from a device as it is being processed.
It's unclear to what extent these vulnerabilities are being exploited. In a statement in early January, DHS said it was not aware of any instances where the bugs have been used in attacks. White House cybersecurity point man Rob Joyce, formerly of the National Security Agency, said the two vulnerabilities were not known to or exploited by the NSA in advance of their disclosure.
Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.
Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.
Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at email@example.com, or follow him on Twitter @derekdoestech.
Click here for previous articles by Johnson.
Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.
Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.
Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.
Click here for previous articles by Rockwell.
Contact him at firstname.lastname@example.org or follow him on Twitter at @MRockwell4.