CERTs warn on botnets, kernel bugs

Cybersecurity experts in the public and private sector are sounding the alarm about super-powered botnets, thanks to a new amplification attack vector that can exponentially increase the power of botnets and Distributed Denial of Service attacks.

A Feb. 27 alert by U.S. Computer Emergency Readiness Team flagged a new vulnerability that exploits the power of infected computers to spoof IP addresses of victimized computers and devices. US-CERT, based at the Department of Homeland Security, warns that a single query can generate a response between 10 and 100 times the original bandwidth back to the victim. This can have effect of exponentially increasing the power of botnets and DDoS attacks.

In the days leading up the US-CERT notice, private-sector companies like Cloudflare and Arbor Networks observed a "significant increase" in the use of such amplification attacks, mostly concentrated in North America and Europe. Qrator Labs, a European-based firm that specializes in DDoS mitigation, claim to have seen a similar spike across Europe between Feb. 23 and Feb. 26, 2018.

In a Feb. 27 blog post, Marek Majkowski, a security engineer for Cloudflare, called the new attack vector significant.

"Obscure amplification attacks happen all the time," wrote Majkowski. "A discovery of a new amplification vector though, allowing very great amplification, happens rarely."

The National Telecommunications and Information Administration put a draft report on botnet mitigation strategies out for public comment in January 2018, and is expected to provide an update later this year. Additionally, the National Institute for Standards and Technology announced Feb. 28 that it would tackle IoT security and give a briefing on its DDoS report at its March public meeting. Congress has also weighed in, introducing several bills designed to shore up security practices for connected devices.

Separately, the Industrial Control Systems CERT at DHS added seven vendors to list of those reporting vulnerability to the Meltdown and Spectre microprocessor bugs, bringing the total to 19.

The two bugs both allow for side-channel exploitations of kernel memory, potentially allowing someone to steal data from a device as it is being processed.

It's unclear to what extent these vulnerabilities are being exploited. In a statement in early January, DHS said it was not aware of any instances where the bugs have been used in attacks. White House cybersecurity point man Rob Joyce, formerly of the National Security Agency, said the two vulnerabilities were not known to or exploited by the NSA in advance of their disclosure.