A reflection attack works when an attacker can send a packet with a forged source IP address. The attacker sends a packet apparently from the intended victim to some server on the Internet that will reply immediately. Because the source IP address is forged, the remote Internet server replies and sends data to the victim.
That has two effects: the actual source of the attack is hidden and is very hard to trace, and, if many Internet servers are used, an attack can consist of an overwhelming number of packets hitting a victim from all over the world.
But what makes reflection attacks really powerful is when they are also amplified: when a small forged packet elicits a large reply from the server (or servers). In that case, an attacker can send a small packet “from” a forged source IP address and have the server (or servers) send large replies to the victim.
Amplification attacks like that result in an attacker turning a small amount of bandwidth coming from a small number of machines into a massive traffic load hitting a victim from around the Internet. Until recently the most popular protocol for amplification attacks was DNS: a small DNS query looking up the IP address of a domain name would result in a large reply.
For DNS the amplification factor (how much larger a reply is than a request) is 8x. So an attacker can generate an attack 8x larger than the bandwidth they themselves have access to. For example, an attacker controlling 10 machines with 1Gbps of bandwidth each could generate an 80Gbps DNS amplification attack.
In the past, we’ve seen one attack that used SNMP for amplification: it has a factor of 650x! Luckily, there are few open SNMP servers on the Internet and SNMP usually requires authentication (although many are poorly secured). That makes SNMP attacks relatively rare.
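As an added example (not code from the original article), the following defender-side check applies the reflection idea above to constructed sample traffic: it sums the bytes a host receives from well-known reflector service ports (DNS, NTP, SNMP are assumed here) against the bytes that host actually sent to each server, and flags servers whose replies are far larger than, or have no, matching requests. The host address, server addresses and packet sizes are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of UDP packets seen at the edge of the network that hosts
# 203.0.113.10 (the protected host). Fields: src, sport, dst, dport, bytes.
SAMPLE_PACKETS = [
    # Legitimate lookup: our host asks a resolver and gets a modest reply.
    ("203.0.113.10", 40001, "198.51.100.53", 53, 64),
    ("198.51.100.53", 53, "203.0.113.10", 40001, 180),
    # Reflected DNS traffic: large answers arrive with no outbound query.
    ("192.0.2.7", 53, "203.0.113.10", 53, 3200),
    ("192.0.2.8", 53, "203.0.113.10", 53, 3100),
    ("192.0.2.9", 53, "203.0.113.10", 53, 3300),
    # Reflected SNMP traffic from a further reflector.
    ("192.0.2.20", 161, "203.0.113.10", 161, 4800),
]

# Service ports commonly abused as reflectors (assumed list for this example).
REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}


def amplification_factor(request_bytes: int, response_bytes: int) -> float:
    """How many times larger a reply is than the request that elicited it."""
    return response_bytes / request_bytes


def find_reflection(packets, host, min_ratio=4.0):
    """Return {(server, port): ratio} for servers whose replies to `host`
    dwarf, or have no, matching requests from `host`. The ratio is inf when
    `host` sent nothing at all to that server, i.e. the replies are unsolicited."""
    sent = defaultdict(int)      # (server, service_port) -> bytes host sent
    received = defaultdict(int)  # (server, service_port) -> bytes host got back
    for src, sport, dst, dport, size in packets:
        if src == host and dport in REFLECTOR_PORTS:
            sent[(dst, dport)] += size
        elif dst == host and sport in REFLECTOR_PORTS:
            received[(src, sport)] += size
    flagged = {}
    for key, got in received.items():
        ratio = got / sent[key] if sent[key] else float("inf")
        if ratio >= min_ratio:
            flagged[key] = ratio
    return flagged


if __name__ == "__main__":
    for (server, port), ratio in find_reflection(SAMPLE_PACKETS, "203.0.113.10").items():
        print(f"{REFLECTOR_PORTS[port]} reflector {server}: reply/request ratio {ratio}")
```

The legitimate resolver exchange stays below the threshold, while the four reflectors are reported with an infinite ratio because the host never sent them a request.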
Throw any suspicious file at it and in a matter of seconds Cuckoo will provide detailed results outlining what the file did when executed inside an isolated environment.
Cuckoo is free Open Source software.
Why does this matter?
Malware is the Swiss Army knife of cybercriminals and of any other adversary to your corporation or organization.
In these evolving times, detecting and removing malware artifacts is not enough: it is vitally important to understand how they work and what they did, or would do, on your systems when deployed, and to understand the context, the motivations and the goals of a breach.
In this way you are able to more effectively understand the incident, respond to it and protect yourself for the future.
There are countless other contexts in which you might need to deploy a sandbox internally, from analyzing an internal breach to proactively scouting widely distributed threats, collecting actionable data and analyzing the threats actively targeting your infrastructure or products.
In any of these cases you’ll find Cuckoo to be perfectly suitable, incredibly customizable and well… free!
I’ve seen this a few times, and it’s a hack worth sharing.
Many times we find ourselves owning a car with a CD player but no AUX-IN. Who uses CDs these days, anyway? Noah decided to un-crapify the car audio on his 2001 Ford Focus.
The hack itself is pretty simple. Open up the unit, and you’ll find two separate modules: CD player, and radio/amplifier unit. Both are connected through a flex cable.
Noah was fortunate: the board had taps for each pin, so he didn’t have to solder directly onto the plug’s pins. He identified ROUT, LOUT and a ground connection, soldered on wires, and was ready to go.
Since he tapped on the CD player’s pins, a CD must be inserted in order to trigger the input.
That is as easy as recording an audio CD without any tunes on it: plain old silence.