Holy Hash!

#security on software development security and web security, security best practices and discussions, break-ins and countermeasures. Everything you ever wanted to know about software security but were afraid to ask, for fear of not understanding the answer!

Heartbleed? That’s nothing. Here comes Microsoft SChannel!

The hype around the so-called “Heartbleed” vulnerability in the open-source cryptographic library OpenSSL was not really justified. Yes, many servers were affected, but the vulnerability was quickly patched and it was only an information disclosure vulnerability: it leaked server memory (which could include private keys and session data), but it could not be used to break into the servers directly.

Now we have a vulnerability in the Microsoft Secure Channel library (the “SChannel attack”, Microsoft Security Bulletin MS14-066) that allows an attacker to easily own Windows servers:

This security update resolves a privately reported vulnerability in the Microsoft Secure Channel (Schannel) security package in Windows. The vulnerability could allow remote code execution if an attacker sends specially crafted packets to a Windows server.

This vulnerability in Microsoft’s TLS implementation is much more serious, as it allows taking control of any vulnerable server remotely by sending specially crafted TLS packets to any service that terminates TLS through SChannel. Microsoft admits that there are no mitigating factors and no workarounds, meaning that if you did not install the patch, your server is defenseless against the attack. Every supported Windows version at the time is affected: Windows Server 2003, 2008, 2008 R2, 2012 and 2012 R2, as well as workstations running Vista, Windows 7, Windows 8 and 8.1.

This is as critical as it gets.

Visualization of world’s largest data breaches

I stumbled upon a very interesting infographic that portrays some of the world’s biggest data breaches as a running bubble diagram. Entertaining and potentially useful in presentations. Have a look.


Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone)

An excellent article by Sven Tuerpe argues that we pay excessive attention to the problems of encryption and insufficient attention to the problems of system security. I wholeheartedly agree with that statement. Read the original article: Crypto Wars 2.0: Let the Trolling Commence (and don’t trust your phone).

Security cannot be based on encryption alone. To be secure, a system must be built to withstand attacks from outside and from within. There is a lot of expertise in building secure devices and creating secure software, but none of it is used in the mobile devices of today. Whether those smartphones and tablets provide encryption or not is simply beside the point in most attack scenarios and for most kinds of usage. We have to get the devices secured in the first place before a discussion of encryption on them begins to make sense.

Facebook “joins” Tor – good-bye, privacy!

Multiple publications are touting Facebook’s announcement of a Tor-enabled version of the social networking website as nothing short of a breakthrough for anonymous access from “repressed nations”. They think that people around the world who wish their identity and activity online to remain hidden will now have a great time using Facebook through Tor.

In my view, the result is just the opposite. Facebook users sign in and are tracked across a multitude of collaborating sites. Using Facebook through Tor will therefore completely disclose the identity and activity of the person using it, and that information becomes available across several user-tracking websites. The user will completely lose the anonymity they so strongly desired.


Lightbeam for Firefox shows tracking of the user through different websites and tracking networks and how they share information with each other.

Facebook previously denied access to its social network through the Tor network, citing security concerns. Surely you do not think they decided to provide Tor access because they wanted to be nice to the few who use Tor? Facebook is a commercial company under the control of the United States government, and don’t you forget it. The move to bring in a few thousand Tor users is unlikely to have any positive impact on their business but will require additional infrastructure. So Facebook is supposedly acting selflessly, causing itself trouble for no commercial gain. I view such a move as extremely suspicious. Most likely, the company’s network will be used in online operations to unmask the identity of Tor users.

Of course, the proper way to keep your privacy online is to never use any social networks of any kind and to discard every session after a short period and when switching activities. Searching for movie tickets? Use a session and discard it when done. Looking up the hospital’s admission hours? Discard when done. Otherwise, the network of tracking sites will connect the dots on you. If you use Facebook in the same session, your identity is revealed instantly and all of that activity will be linked to the real you.

We have released too much of our privacy to the Internet companies already. They are now slowly dismantling the last bastions, one of which is the Tor network, under the pretense of fighting online crime. Facebook, having a history of abusing its customers, should not be trusted on these matters. Their interest is not in protecting your privacy; they will betray you for money, rest assured.

Three roads to product security

I mentioned previously that there are three ways to secure a product from the point of view of a product manufacturing company. Here is a somewhat more detailed explanation. This is my personal approach to classifying product security and you do not have to stick to it, but I find it useful when creating or upgrading a company’s security. I call these broad categories the “certification”, “product security” and “process security” approaches. Bear in mind that my definition of security is also much broader than the conventional one.

The first approach is the simplest. You outsource your product security to another company. That external company, usually a security laboratory, will check your product’s security, covering as many aspects as necessary for a set target level of security assurance, and will vouch for your product to your clients. This does not have to be as complicated and formal as the famous Common Criteria certification. The certification may be completely informal, but it will provide a level of security assurance to your clients based on the following parameters: how far the customers trust the lab, what target security level was set for the audit, and how well the product fared. Some financial institutions will easily recognize the scheme because they often use a trusted security consultancy to look into the security of products supplied to them.

Now, this approach is fine and it allows you to keep security outside, with the specialists. There are of course a few problems with it too. The main ones are that it may be very costly, especially when trying to scale up, and that it usually does not improve the security inside the company that makes the product.

So, if the company desires to build security awareness and plans to provide more than a single secure product, a more in-house security approach is recommended. Again, the actual expertise may come from outside, but in the following two approaches the company actually changes internally to provide a higher degree of security awareness.

One way is to use what I call “product security”. This is when you take a product and try to make it as secure as required without actually looking at the rest of the company. You only change those parts of the production process that directly impact security and leave everything else alone. This approach is very well described by the Common Criteria standard. We usually use the Common Criteria for security evaluations and certifications, but this is not required. You may simply use the standard as a guideline for your own implementation of security in your products, according to your own ideas of the level of security you wish to achieve. Common Criteria is an excellent guide that builds on the experience of many security professionals and can safely be called the only definitive guide to product security in the world today.

Anyway, in the “product security” approach you will only be changing things that relate directly to the product you are trying to secure. That means there will be little to no impact on the security of other products, but you will have one secure product in the end. Should you wish to make a second secure product, you apply the same process again.

Now, of course, if you want to make all products secure it makes sense to apply something else, what I call “process security”. You set up a security program that makes sure that certain processes are correctly executed, certain checks are performed and certain rules are respected, and all of that together gives you an increase in the security of all of your products across the company. This is an orthogonal approach: you will not necessarily reach the required level of security very fast, but you will be improving the security of everything gradually and equally.

This “process security” approach is well defined in the OpenSAMM methodology, which can be used as a basis for the implementation of security inside the company. Again, OpenSAMM can be used for audits and certifications, but you may also use it as a guide to your own implementation. Take the parts that you think you need and adapt them to your own situation.

“Process security” takes the broad approach and increases security gradually across the board, while “product security” quickly delivers a single secure product, with improvements to other products being incidental. A mix of the two is also possible, depending on priorities.


Secure the future – have a change of mind!

The future of the enterprise can be secured provided that it is properly organized and operated with a full understanding of its economics. The current concentration on “profit here and now” is extremely harmful to the survival of the economy of the world as a whole and of every given enterprise in particular.

Why is that? There are two parts to the problem. The first part has to do with the short-sightedness of typical company management, and the second with the isolation of company parts from each other and the requirement that every part bring in profit by itself. Under these conditions security becomes an unwanted fifth wheel that brings nothing but unjustifiable costs to the company. I tried to find a solution within this extremely limited view and there is none. However, the situation looks completely different if you take a long-term, systemic view of the enterprise.

In the long term, we absolutely need security, as we need quality and many other things besides money, to ensure that the enterprise survives. Once we understand that, we shall realize that we already have the knowledge, technology and tools to actually secure our products, and we will apply research where we see them lacking.

To illustrate, let’s look at how the simple economic model of the well-known game “Civilization” operates.

“Civilization” is a strategy game with a simplified economic model of cities, countries and the world. In this highly simplified model of the economy, describing the behavior of an entire civilization, the parameter “money” is not the only one that leads to success; rather, it is used to serve other areas of society. For example, when you build a library you go to the cashier and convert money into scientific knowledge. The theater is also not built for profit but for spending money on culture. Almost all of the buildings whose direct purpose is not “making money” represent a direct loss: football stadiums, churches and tank factories just consume money and make no profit, but instead they produce something else: contentment for the people, culture, or tanks.


In principle, you can try to concentrate everything in the world on getting more money, but experienced players will tell you that this option is only meaningful in the final sprint, when there is a race to win, when you are actually in the military situation of “it’s either us or them”. At other times, you cannot ignore any sector of public life: it is necessary to make sure that culture is taken care of and science is at a level not far behind (so that foreign tanks don’t overwhelm your chariots), that your production facilities allow you to produce anything you might need, and that the treasury can support the whole caboodle.

Once again, it is important to note that most of the objects in Civilization are obviously unprofitable, and that’s fine: they give non-monetary income and in most cases they determine the success or downfall of the player. You build a theater, a library or a tank, pay for them and don’t complain that they need money. Money is produced by special objects that replenish the treasury; they are important, of course, as an integral part of society, but their main role in the game is to support the work of the other objects: to let society work, move progress and culture forward, and carry the flag of the country. Only in one case does it make sense to be “in the money”: when you want to win politically by buying the votes of neutral city-states. In all other cases, a large cash balance is, on the contrary, rather an indication that you are doing something wrong.


So, why are we talking about that? Money in Civilization is a tool, and that is what it should be in real life, at least in theory. Therefore, if you have excess money, it is best to invest it immediately into something that moves some real aspect of life forward: culture pushes the boundaries of your country, science discovers all the new electric cars, cavalry and navy bring the light of truth to the infidels. Since everything around you is continually evolving, funds should be regularly put into circulation, not in the sense of “revolving in the bank” but through investment in the real sector, because a nominal 100 coins in the ancient era is not worth the same as 100 coins in the feudal era, even in the absence of inflation. Merely saving money has no particular meaning; it means that you could have invested it in some venture but did not: for example, you could have mounted an expedition to another continent, but instead you are wasting away over your gold. Yes, money can be useful for responding to a sudden change in the situation, but that usually does not come with great effectiveness; for example, you can immediately buy up a bunch of soldiers in the case of a Mongol invasion, but if you act wisely, it is much more effective, including in monetary terms, to prepare them in advance, even though soldiers are all loss and no profit.

In the real world, it is much more complicated. Yet somehow it turns out that in a simplified toy “father of the nation” simulator the different effects of a particular aspect of human activity are taken into account, while in our advanced and diverse modern society it all comes down to one parameter: money. Look at what is happening in the world or in your company: the talk is all of cutting this and that because of “inefficiency”.

Even purely totalitarian economies somehow manage to support culture, science and other things, yet only in our purely “liberal” economy and culture do we force culture, science and almost the military... to make money. But, after all, this is nonsense in terms of governance!

There seem to be two important aspects at work:

1) The atomization of society and the economy also applies to the enterprise. In a unified society or company, things can be divided into “earning” parts and “spenders” of money, as was done in the traditional family: the husband works in the field, the wife at home on the farm, and that’s fine. Under the conditions of atomization everyone is forced to survive as best they can. Science and culture in society, and security and quality in the company, are forced to earn profits, losing their original essence. Every single part is required to perform basically all of the functions of the whole, without any regard to its original purpose, in order to survive. The security department now has to “sell” its services, engage in marketing campaigns and calculate its “efficiencies”.

2) An extremely short time horizon has become the norm. Where top management was supposed to keep a very long-term perspective and support the activities that would cause the company to exist in the distant future, now we are dealing with non-stop pressure to deliver everything today.

In general, the reduction of all aspects of life and work to making a profit in the monetary sense immediately leads to many absurdities.

There are many aspects to our work as a software company producing and selling software products, but if we simplify the model we can say that a few factors are involved in the long-term survival and prosperity of the company. One of those factors is the features of the software. That is your “money production” part, the thing that gets software sold and brings in the money. Too much concentration on this part is dangerous, however.

There are other important parts. We will leave many of them aside for the sake of simplicity. Let’s look at quality. Ensuring software quality is pure cost: it does not sell as such, it does not bring in money. Should we stop spending money on quality? You would be right to assume that we will not. But why? Because the quality of our product influences future sales; it is not here and now but in the future that we will see indirect benefits, often not quantifiable. Still, most of us understand that destroying the product quality will lead to deterioration of market sales and company image, decline of revenues and the eventual collapse of the company. So somehow over the years we realized that a completely non-profitable activity is necessary for the enterprise’s survival.

The same applies to security. Most companies ignore security nowadays. Security is nothing but cost, and it costs even more than quality. Security is even less visible and its impact lies even further in the future. Many managers show short-sightedness and ignore security to concentrate on what brings money in today and tomorrow. But is that a good idea? Security is like your army in “Civilization”: it is pure cost and you may never actually use it directly, but it is a good idea to have it unless you want to see your cities overrun by the American war chariots. Security is a cost that an enterprise must take on to ensure its long-term survival. It is as necessary as other costly things: quality, specialist training, research and so on.

So when a company puts security in a position where the security department has to justify its existence by proving, with numbers in hand, that it is somehow “profitable”, that is pure lunacy on the part of top management. This concentration on the “money aspect” is going to pay off in the short term but will lead to a crash in the long term. Balance is as essential to a healthy company as it is to an empire in the game of “Civilization”. One cannot ignore the money aspect and risk running out of money at an unfortunate moment. One cannot concentrate on money and ignore everything else either. We must accept that security is one of the realities of life and that it is necessary to have, because otherwise “their tanks will crush our chariots”.

I hope we are clear on that now.

You may only need a sword once but you must carry it every day.
– Japanese proverb


More on WordPress xmlrpc denial of service attacks

Attacks on WordPress through the xmlrpc.php service are rather common. I already mentioned that you could filter out unwanted user-agents using the redirect capability of Apache. That would, however, take care only of the obvious cases, where you can see that a particular user-agent could not possibly be your reader. What do we do if the user-agent looks normal?

Well, if you do not need the xmlrpc services at all, you can block it off completely with mod_rewrite:

<IfModule mod_rewrite.c>
 RewriteEngine On
 # Match the script path itself (the dot is escaped so it is literal)
 RewriteCond %{REQUEST_URI} ^/xmlrpc\.php
 # Answer 403 Forbidden and stop processing further rules
 RewriteRule .* - [F,L]
</IfModule>

This returns a 403 for all requests to xmlrpc.php. It is basically equivalent to a <Files xmlrpc.php> section with “Deny from all” (Apache 2.2) or “Require all denied” (Apache 2.4). Note that this blocks all access to xmlrpc.php for every purpose, so you will not be able to use the service at all; legitimate callers such as the WordPress mobile apps and Jetpack rely on it. That is not always acceptable.

But the good news is that the set of rules can be extended with further conditions, so you can again block only the requests with a particular user-agent. For example:

<IfModule mod_rewrite.c>
 RewriteEngine On
 RewriteBase /
 # Conditions without [OR] are ANDed: the request must be for xmlrpc.php
 # AND match at least one of the user-agent patterns that follow.
 RewriteCond %{REQUEST_URI} ^/xmlrpc\.php
 RewriteCond %{HTTP_USER_AGENT} NET\ CLR [OR]
 RewriteCond %{HTTP_USER_AGENT} ^Mozilla/5\.0.*Windows.*NT.*6
 RewriteRule .* - [F,L]
</IfModule>

And so this becomes an extensible list of rules. You check your logs, see suspicious requests and add them to the list. Stack additional user-agent conditions with the [OR] flag at the end of each condition line except the last one, since conditions without [OR] are combined with AND. Be aware of how blunt the second pattern above is: “Mozilla/5.0 ... Windows NT 6” matches every mainstream browser on Windows Vista, 7 and 8. That is tolerable only because the rule applies to xmlrpc.php alone; readers’ normal page views are unaffected, but any legitimate xmlrpc.php client that happens to match will be locked out as well.

Now we have a set of rules that blocks some of the accesses to xmlrpc.php based on the user-agent reported by the client. Remember that the attacker controls that header and can change it at will, so such a rule holds only until the attack tool is updated. We could also add filtering by referrer or IP ranges and so on. The arms race, you get the picture.
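The “check your logs and add a rule” step above can be scripted. The following Python script is an added example and not code from the original post: it parses Apache “combined”-format access log lines, counts POSTs to /xmlrpc.php per client address and user-agent, and prints a ready-to-paste mod_rewrite block for the user-agents that reach a threshold, with regex metacharacters and spaces escaped so the exact user-agent string can be used as an unquoted RewriteCond pattern. The log lines embedded in it are constructed, the threshold of three requests is an arbitrary assumption, and it assumes the standard combined LogFormat; on a real server you would read the access log file and pick a threshold from your own traffic.

```python
"""Find abusive xmlrpc.php clients in an Apache access log and turn them
into mod_rewrite conditions.

Added example, not code from the original post. Assumes the standard
Apache "combined" LogFormat; the log lines below are constructed and the
threshold is an arbitrary choice.
"""
import re
from collections import Counter

# One "combined" log line:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log: one client hammering xmlrpc.php, one ordinary reader,
# one legitimate XML-RPC client (a WordPress mobile app), and one unparsable line.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Nov/2014:10:00:01 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.7 - - [14/Nov/2014:10:00:02 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
203.0.113.7 - - [14/Nov/2014:10:00:03 +0100] "POST /xmlrpc.php HTTP/1.0" 200 370 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; .NET CLR 1.1.4322)"
198.51.100.23 - - [14/Nov/2014:10:00:05 +0100] "GET /2014/11/ HTTP/1.1" 200 12034 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:33.0) Gecko/20100101 Firefox/33.0"
198.51.100.23 - - [14/Nov/2014:10:00:06 +0100] "POST /xmlrpc.php?foo=1 HTTP/1.1" 200 370 "-" "wp-android/3.2"
this line is not in combined log format and is skipped
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None


def xmlrpc_offenders(log_text, threshold=3):
    """Count POSTs to /xmlrpc.php per (client IP, user-agent) and keep the pairs
    that reach the threshold. GETs are ignored: xmlrpc.php only accepts POST,
    so the abusive traffic (pingback abuse, login brute force) is all POST."""
    hits = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/xmlrpc.php":
            continue
        hits[(rec["ip"], rec["ua"])] += 1
    return {key: n for key, n in hits.items() if n >= threshold}


def rewrite_escape(s):
    """Backslash-escape regex metacharacters and spaces so a user-agent string
    can be pasted verbatim as an unquoted RewriteCond pattern."""
    return re.sub(r'([\\.^$*+?()\[\]{}| ])', r'\\\1', s)


def rewrite_block(offenders):
    """Build an .htaccess block that returns 403 for xmlrpc.php requests whose
    user-agent exactly matches one of the offending ones. Returns "" when there
    is nothing to block. Conditions without [OR] are ANDed, so the REQUEST_URI
    condition applies to all of the ORed user-agent conditions after it."""
    agents = sorted({ua for (_ip, ua) in offenders})
    if not agents:
        return ""
    lines = [
        "<IfModule mod_rewrite.c>",
        " RewriteEngine On",
        " RewriteCond %{REQUEST_URI} ^/xmlrpc\\.php",
    ]
    for i, ua in enumerate(agents):
        flag = " [OR]" if i < len(agents) - 1 else ""  # no [OR] on the last one
        lines.append(" RewriteCond %{HTTP_USER_AGENT} ^" + rewrite_escape(ua) + "$" + flag)
    lines += [" RewriteRule .* - [F,L]", "</IfModule>"]
    return "\n".join(lines)


if __name__ == "__main__":
    found = xmlrpc_offenders(SAMPLE_LOG, threshold=3)
    for (ip, ua), n in sorted(found.items()):
        print(f"# {n} POSTs to /xmlrpc.php from {ip} with user-agent {ua!r}")
    print(rewrite_block(found))
```

On the sample data only the MSIE 6 / .NET CLR client reaches the threshold, so the generated block contains one user-agent condition and no [OR]; lowering the threshold to 1 would also pull in the wp-android client, which is exactly the kind of legitimate caller you would want to whitelist by hand before pasting the output into .htaccess. The generated conditions are anchored with ^ and $ and match the full user-agent string, which is stricter than the substring patterns in the post and therefore less prone to catching innocent browsers, but also easier for the attacker to slip past by changing a single character.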

Dark alleys of cybersecurity

The security of the so-called “cyberspace” has deteriorated beyond belief. Some people tell me that my stories are far-fetched and that I view the security and computer industry with some sort of depressing negativism. I disagree. The problem is, I am trying to stay positive and optimistic. My tales rarely go to the full extent of what is happening. The reality is much worse and scarier. Why do we tend to think, then, that Internet reality is all cheerful and pink? Because our judgement is severely distorted by our perception of the Internet world.

When you walk around town, you pass through various parts and you are usually able to assess the dangers correctly. You walk on a wide street; there are enough people around but not so many as to invade your personal space. The street is well lit, or it is daytime. There is a policeman on the corner... What do you feel? Your body tells you it is all safe. Your image recognition and other senses are evaluated automatically and provide a relaxing feeling of “it’s all right”.

Now imagine you are walking at night through a dark part of town. Small streets, poorly lit, few people. You are approaching a dark alley, it smells funny, there are indistinct shadows moving ahead. A police siren wails in the distance... How do you feel? You tense up, readying the “fight or flight” reflex you inherited from the stone age that keeps you alive in situations like this. Your body sends a clear signal: this place is dangerous. You have assessed your situation correctly.

Let’s now go onto the Internet. We can do it from various places with various devices, but let’s stay traditional for this example. You sit at home, at your desk, wearing comfortable home clothes, your slippers are on, it is evening outside but inside it is all warm and cozy, you have your cup of coffee at your elbow and you visit a website. A bad one. One from the dark alleys of the Internet.

What do your senses tell you about the website you are visiting? Or even about the state of your own computer? Well, basically, nothing. Your standard human senses are dealing with the standard stone age parameters: you are at home, in safety, it’s warm, you feel protected, there is food, no danger. The body is sending you the signal to relax. However, that signal has nothing to do with what you are doing at the moment. Your assessment of the situation may be completely wrong.

And therein lies the problem. We are not equipped to recognize the dangers of the Internet. Whatever we do at the computer screen, our feelings of comfort and safety are not influenced at all by our actions. Therefore, we cannot rely on those most basic instincts of whether something is safe to do or not anymore. Not when we are in cyberspace.

The only way to assess the dangers of the Internet adequately is to learn to think about them logically. To perform a logical assessment of the danger of entering a website you must intentionally exclude the cozy bodily feeling from your equations. The equations also require education and practice. You must learn logically what good behavior is, what a bad site might look like, what suspicious activity is, and so on, just the way you learn to drive a car. It takes knowledge, training and cool logical thinking to drive a car without causing accidents all the time. Training and education will over time result in a new kind of situational awareness that will allow you to assess your situation and your actions on the Internet correctly.

Failing that, think of the Internet as a dark alley full of indistinct but dangerous looking shadows. It might help. Or, better, ask someone who knows to help.

Strategy towards more IT security: the road paved with misconceptions

The strategy towards more IT security in the “Internet of Things” is based a little more than entirely on misconceptions and ignorance. The policy makers simply reinforce each other’s “ideas” without any awareness of where the road they follow is leading.

As I listened at the K-ITS 2014 conference, it became painfully obvious that most speakers should not be speaking at all. They should be listening. The conference is supposed to discuss strategies towards more IT security in the future industry, where both factories and cars will be connected to the Internet. That future isn’t bright, far from it. We are fighting battles on the Internet for web servers, personal computers and mobile phones now. We will be fighting battles for refrigerators, nuclear power plants and medical implants in the near future. We definitely need better ideas for those battle plans. Instead, we hear, if anything, ideas on improving the attitudes of buyers, i.e. “how can we convince the customers that our security is okay and they should pay more?”

I detail here five different misconceptions that were very obvious and widespread at the conference. Even security management at the top level shares them, though they should know better. And the worst part is, they all seem to believe that it will be all right if they throw some important-sounding names and acronyms at it.


Divide security into “levels”

A prominent theme is the division of the industrial landscape into various “areas” with differing security requirements. There is nothing wrong with the concept itself, of course, except that it is applied in a context where it will do more harm than good.

The policy makers seem to think that they can divide the industry into ‘critical infrastructure’, ‘things that need security’ and ‘things that do not need security’. Right, for the sake of argument, assume we can. Then what? And then, they say, we will invest in security where it matters most. That, on the surface, looks like a sound plan.

The problems start when you try to apply that concept to software development. How do we distinguish between software written for ‘secure’ and ‘insecure’ applications? How do we make the authors of libraries and tools write their software to the highest standards to satisfy the ‘most secure’ part of the industry? What about the operating systems they use? What about the people who wander from one company to another, bringing not only expertise but mistakes and security holes with them?

Once you start thinking about this approach in practical terms, it quickly becomes untenable.

The only way to improve the security of any software is to improve the security level of the whole software industry. Software not written specifically for a high-security environment will end up there whether we want it or not. Developers who are neither skilled nor trained in writing secure software will end up writing it anyway. It’s unavoidable.

But that is only one side of the problem. Why have the division in the first place? Yes, critical infrastructure is critical, but that stupid mirror with a network interface will also end up in a secure facility, and how do we know what the next attack path will look like? Noncritical infrastructure will be used to attack critical infrastructure; isn’t that obvious? All infrastructure and all consumer devices need protection if we want to have a secure Internet of Things.

Software for all purposes is written everywhere by the same underpaid people who never had a proper security education. The general tendency for software quality and security is, unfortunately, to get worse. And as it gets worse everywhere, it gets worse for critical infrastructure as well as for consumer electronics.

Investment should be made in the state of software in general, not in the state of some particular software. Otherwise, it won’t work.

Security should not prevent innovation

Says who? Not that I am against innovation, but security must sometimes prevent certain innovation, such as tweaking cryptographic algorithms in ways that break their security. There is such a thing as bad or ill-conceived innovation from the point of view of security (and, actually, from every other point of view, too). Wait, it gets worse.

‘Innovation’ has become the cornerstone of the industry, the false god that receives all our prayers. There is nothing wrong with innovation per se, but it must not take over the industry. Innovation is there to serve us, not the other way around. We took it too far; we pray to innovation in places where it does not matter or is even harmful. Innovation by itself, without a purpose, is useless.

We know that this single-minded focus will result in security being ignored time and again. There is too much emphasis on short-term success and quick development, resulting not only in low security but in low quality overall.

Finding ways of doing things properly is the real innovation. Compare this with civil engineering: building houses, bridges, nuclear power stations. What would happen if the construction industry were bent on innovation and innovation only, on delivering constructions now, without any regard to proper planning and execution? Well, examples are easy to find and the results are disastrous.

What makes the big difference? We notice a bridge collapsing or a building falling down; we do not need to be experts in construction for that. Unfortunately, collapsing applications on the Internet are not that obvious. But they are there. We really need to slow down and finally put things in order. Or do we wait for things to collapse first?

Convince the customer

We are bent on convincing the customer that things are secure. Not making things secure, but convincing everyone around that we are fine; engaging in a play of smoke and mirrors, that is. Instead of actually making things better, we announce that pretending things are better will somehow make them better. And we try, and succeed, to convince ourselves that this is okay somehow.

Well, it is not okay. We all understand the desire of commercial companies to avoid security publicity. We also know that eventually people catch up anyway. There is such a rush to convince everyone and their grandmother that things are going to be better precisely because people will be catching up on this foul play soon.

The market will shrink if people think there are security problems, but the market will crash when people find out they were lied to and that your words are not worth the electrons they use to come across the internet. Deceiving ourselves will lead to a disaster, and we have no way of controlling that. This is simply a fast track to security by obscurity.

Secure components mean secure systems

There is a commonly shared misconception that using secure components will somehow automatically lead to secure systems. When confronted with this question directly, people usually realise their folly quickly and will fervently deny such thinking, but it is sufficient to listen to a presentation to realise that this is exactly the assumption behind many plans.

Secure components are never secure unconditionally. They are what we call conditionally secure: secure as long as a certain set of assumptions remains valid (a cryptographic library, for instance, is only secure if the caller feeds it unpredictable random numbers and keeps the keys out of reach). Once an assumption is broken, not met, the component is no longer secure. Who checks those assumptions? Who verifies whether the developers upheld all of the assumptions specified by the developers of the underlying components? Who checks the assumptions that remained undocumented?

When we combine the components together we create a new problem, the problem of composition. This is not an easy problem at all. By putting two secure components together you do not automatically obtain a secure system. It may well be secure. Or it may not.

This problem of secure composition is well known to the developers and auditors of smart cards. And they do not claim to have a solution. And here we are, developers of systems orders of magnitude more complex, dismissing the problem from our minds as if it were not even worth our consideration. That is folly.

We need those things on the internet

Who said that factories need to be on the internet? Who said that every single small piece of electronics or an electric device really needs to be on the internet? Why do we think that having all of those things “talk” to each other would make us all suddenly happy?

The industry and the governments do not want to deal with any of the real problems plaguing societies the world over. Instead, they want to produce more and more useless stuff that allows them to appear as if they are doing something useful. They will earn lots of money and waste a lot more resources in the process. Should they be worried?

Take “smart cars”, for example: cars that communicate with each other over some wireless protocol to report accidents, road conditions and traffic jams. Think about it. A car cannot communicate very far. On a highway, by the time you get news of a traffic jam from the neighbouring cars, you will be standing in it. In the city this information is equally useless, because you will see the traffic jam and do what you always did: turn around and look for another street around the block. What of accidents? Again, that information is of little use to you in the city, where you basically do not need it. They say cars will inform each other of accidents, but this information cannot be transmitted very far. By the time your car has received the information about an accident on the highway ahead, displayed it and you have read it, you will be staring at the accident itself. The civil engineers are not that stupid, you know: they design highways so that you have enough time to see what is around the corner and react. Extra information would only distract the driver there. So the whole idea is completely useless from the point of view of driving, but it will require enormous resources and some genius security solutions to artificially created problems.

And all of it is like that. We do not need an “internet of things” in the first place. We should restrict what gets onto the internet, not encourage the uncontrolled proliferation of devices arbitrarily connected to the network simply to show off. Yes, we can. But should we?

Mitigating Denial of Service attacks to WordPress xmlrpc

I have attracted attention, apparently. My website has been under a Distributed Denial of Service (DDoS) attack by a botnet for the last week. I am flattered, of course, but I could live without a DDoS, frankly.

The requests go to xmlrpc.php every second or two, each time from a different IP address somewhere in the world:

POST /xmlrpc.php HTTP/1.1

At first I could not understand what was going on, but it turns out that this request can be really expensive: the database gets overloaded with requests, bringing the database server to a screeching halt after a while.

After trying to blackhole the IP addresses and finding out that the botnet is fairly large, I simply denied all access to xmlrpc.php. That is a simple and effective solution but it breaks some functionality that is expected of a WordPress site. I don’t like that. So I was looking for a way to block the attackers without crippling the site.

I noticed that all of the requests have a particular HTTP request user agent:

"Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"

So, in .htaccess, I redirect all requests with that user agent back to themselves (you could also redirect them to 127.0.0.1 with the same effect):

# Block attackers by agents
# (assumes "RewriteEngine On" is already set, as in the standard WordPress .htaccess block)
<IfModule mod_rewrite.c>
# Match the botnet's user agent anywhere in the header; the dots are escaped so "." is literal
RewriteCond %{HTTP_USER_AGENT} ^.*WinHttp\.WinHttpRequest\.5.*$
# Send the client back to its own address: [R] is a 302 redirect, [L] stops rule processing.
# The request never reaches xmlrpc.php, so PHP and the database do no work for it.
RewriteRule .* http://%{REMOTE_ADDR}/ [R,L]
</IfModule>

It seems to have mitigated the attacks by that particular botnet software while allowing access from all other browsers and sites. I hope it stays that way. I don’t think my site is really worthy of this kind of attention anyway.
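The steps above (spot the flood on xmlrpc.php, find the one user agent shared by many source addresses, turn it into a rewrite rule) can be automated against the web server's access log. The script below is an added example, not code from the original post: it parses Apache "combined" format log lines, flags user agents that POST to xmlrpc.php from several distinct addresses, and emits an .htaccess block for each. The log lines are constructed for this example (RFC 5737 documentation addresses; the "WordPress/4.0; http://blog.example.org" pingback is a legitimate client that must not be blocked) and the generated rule answers with 403 via [F] rather than the redirect the post uses, which saves the client round trip; both keep the request away from PHP and the database.

```python
import re
from collections import defaultdict

# Apache "combined" log format: ip ident user [time] "request" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample: botnet POSTs to xmlrpc.php from different addresses sharing one
# user agent, mixed with ordinary traffic (a browser and a real pingback) that must stay unblocked.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Nov/2014:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
198.51.100.7 - - [11/Nov/2014:10:00:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
192.0.2.44 - - [11/Nov/2014:10:00:03 +0000] "GET / HTTP/1.1" 200 15320 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"
203.0.113.11 - - [11/Nov/2014:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
192.0.2.45 - - [11/Nov/2014:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 245 "-" "WordPress/4.0; http://blog.example.org"
198.51.100.8 - - [11/Nov/2014:10:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)"
192.0.2.44 - - [11/Nov/2014:10:00:07 +0000] "GET /wp-login.php HTTP/1.1" 200 2120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/33.0"
"""


def parse_log(text):
    """Yield one dict per well-formed line; lines that do not match the format are skipped."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def xmlrpc_posts(records):
    """Only POSTs to /xmlrpc.php (query string ignored) are relevant to this attack."""
    return [r for r in records
            if r["method"] == "POST" and r["path"].split("?", 1)[0] == "/xmlrpc.php"]


def per_user_agent(records):
    """Map user agent -> (request count, set of source IPs) over the xmlrpc.php POSTs."""
    stats = defaultdict(lambda: [0, set()])
    for r in xmlrpc_posts(records):
        stats[r["ua"]][0] += 1
        stats[r["ua"]][1].add(r["ip"])
    return {ua: (count, ips) for ua, (count, ips) in stats.items()}


def flag_user_agents(records, min_requests=3, min_sources=3):
    """The botnet signature from the post: one user agent string, a different source
    address on nearly every request. A single chatty client never trips both thresholds."""
    return sorted(ua for ua, (count, ips) in per_user_agent(records).items()
                  if count >= min_requests and len(ips) >= min_sources)


def ua_pattern(ua):
    """Regex that matches the user agent literally (dots, parentheses escaped).
    Escaped spaces are turned back into plain spaces because the pattern is quoted in the directive."""
    return re.escape(ua).replace("\\ ", " ")


def matches(pattern, candidate):
    """True if the whole candidate user agent matches the generated pattern."""
    return re.fullmatch(pattern, candidate) is not None


def htaccess_block(ua):
    """Apache rules answering the flagged user agent on xmlrpc.php with 403 ([F]) before PHP runs;
    all other clients and all other paths are untouched. Assumes RewriteEngine On is in effect."""
    return "\n".join([
        "<IfModule mod_rewrite.c>",
        "RewriteCond %{REQUEST_URI} ^/xmlrpc\\.php$",
        'RewriteCond %{HTTP_USER_AGENT} "' + ua_pattern(ua) + '"',
        "RewriteRule .* - [F,L]",
        "</IfModule>",
    ])


if __name__ == "__main__":
    records = list(parse_log(SAMPLE_LOG))
    for ua, (count, ips) in per_user_agent(records).items():
        print("%3d requests from %d addresses: %s" % (count, len(ips), ua))
    for ua in flag_user_agents(records):
        print("\n# Block attacker by agent\n" + htaccess_block(ua))
```

Run it against a real log with `python3 xmlrpc_flood.py < access.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`, and review the flagged agents before pasting a block into .htaccess: a shared user agent from many addresses is the signature of a botnet, but also of a popular mobile app or a large NAT, so check the count and the path mix before blocking. Restricting the block to `/xmlrpc.php` keeps the rest of the site reachable from the same clients, which is the point of not simply denying the file outright.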
