Precisely a year ago we became a member of the trustworthy FENIX network which purpose is to protect verified operators in the Czech internet against consequences of DDoS attacks. A condition to become a member of FENIX is a concentrated control of our network security which also provides interesting statistics: The biggest lure for attackers are SIP servers providing internet telephony.
The FENIX project tries to create a secured section of the domestic internet, resistant against massive DDoS attacks. It was created in the Czech peering point, NIX.CZ, in 2013 in response to the strong attacks against both Czech internet infrastructure and important Czech media, banks and operators in March 2013. The purpose of FENIX is to maintain internet services availability of involved subjects at least, i.e. also our services, in case of a DDoS attack.
One of the conditions to become a member of FENIX is the presence of a qualified team to detect and solve CSIRT security threats and, in turn, monitor one’s own network. We have enhanced this activity even more and in September 2015 we deployed our own scrubbing center, i.e. a point in the network that cleans the incoming communication of a vast range of various attacks, both known and heuristically detected.
The scrubbing center produces interesting statistics: A very popular target of cybercrime are servers running SIP services, i.e. internet telephony, such as private branch exchanges and similar devices.
These are attacks known as “friendly scanning” which in fact are not friendly at all. In fact, the attacker tries to use a brute force to break credentials of a SIP server, listening mostly on port 5060. This activity puts the server under excessive load which causes failures of service or aggravation of quality of call. Moreover, if the attacker makes one of the existing accounts available by testing random combinations, he/she can use the server to make expensive international calls and cause the owner a significant financial damage.
Attacks which are focusing on weak spots in web applications or database servers and try to use them to get access to sensitive data in the databases, don´t stay behind. This method is called SQL injection. It is an attempt to send a command to the database server which creates a response the attacker intended to create (and, of course, undesirable for the provider), which can be, for example, a list of private data of the server users, replacing data in the database or its corruption.
It´s interesting that almost after two years many DDoS attacks appear in network, which try to use the well-known Heartbleed vulnerability in OpenSSL library encryption.
In general, these attacks are very well targeted. If the attacker detects a vulnerability in a server, he immediately uses it the corresponding way. Our scrubbing center in our network uses Radware DefensePro network devices which create a grey zone the attacker, simply put, does not see into. This way, we can cut probability of misusing a security weak point of a customer server; nevertheless, it definitely does not mean you, the customers, can take less care of your server security.
More information about our Scrubbing center you find at https://www.coolhousing.net/en/scrubbing-center.
Author: Jirka Dvořák