Choosing datacentre colocation: glossary & terms

Sydney Colocation Glossary

Sometimes the terminology used to describe datacentres seems just as complicated as the facilities themselves. Frustratingly, datacentres are very difficult to compare without delving into technical, jargon- and acronym-heavy spec sheets. This guide aims to distill some of the main concepts that will help you to choose the best facility for your business.

Power

UPS – an Uninterruptible Power Supply (UPS) is a large battery (or sometimes fly-wheel) power source that provides emergency electricity to the datacentre if mains power fails. It activates nearly instantaneously, and powers the facility for a limited amount of time until standby power sources (such as diesel generators) are activated.

Power density – the amount of electricity that can be used in each rack. This is usually determined by the facility’s access to the mains power grid, its backup systems and its cooling technology. Most facilities can accommodate up to ~5 kVA per rack without issues; higher densities may be possible with extra cooling, but spreading equipment across multiple racks at a lower power density may be cheaper.

Standby power – an emergency source of power, usually generators, that ensures uninterrupted power to all components inside a datacentre. Since generators can take a few minutes to start up and carry a full load, standby power sources are usually bridged with UPS units (defined above) so that power is never interrupted.

N+1 redundancy – parallel redundancy, in which an N+1 system comprises the primary system (N) plus one redundant system (+1). N+2 redundancy indicates two independent backup systems in addition to the primary system.

PDU – Power Distribution Units (PDUs) – unsurprisingly – distribute power to your equipment. They are best thought of as power boards that are mounted to the side of your rack. Rather than household outlets, PDUs usually have 20-24 IEC “kettle cord” style outlets.

Amps / kW / kVA – these are all measurements of power draw. Different facilities quote power usage in different units, so it’s best to double-check which one applies. Make sure you purchase and plan for sufficient power – it’s a good idea to keep at least 25% of your allocation unallocated to allow for growth and higher loads.
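Spec sheets quote draw in whichever unit suits the vendor, so a rack budget is easiest to check once everything is normalised to one unit. The following Python helper is an added example, not part of the glossary: it converts a list of devices rated in amps, kW or kVA to kVA and applies the 25% headroom rule above. The 230 V single-phase feed and the 0.9 power factor used for the kW conversion are assumptions; substitute your facility’s figures.

```python
"""Rack power budget check (added example, not from the original glossary).

Assumptions, not facts from the page: a 230 V single-phase feed and a power
factor of 0.9 when converting real power (kW) to apparent power (kVA).
"""
from dataclasses import dataclass

VOLTAGE = 230.0     # assumed single-phase supply voltage
POWER_FACTOR = 0.9  # assumed power factor for the kW -> kVA conversion
HEADROOM = 0.25     # keep 25% of the allocation unallocated, per the glossary


@dataclass
class Device:
    name: str
    value: float
    unit: str  # "A", "kW" or "kVA", as quoted on the spec sheet


def to_kva(device: Device, voltage: float = VOLTAGE, pf: float = POWER_FACTOR) -> float:
    """Normalise one device's rated draw to apparent power in kVA."""
    if device.unit == "kVA":
        return device.value
    if device.unit == "kW":
        return device.value / pf              # P = S * pf  =>  S = P / pf
    if device.unit == "A":
        return voltage * device.value / 1000  # single phase: S = V * I
    raise ValueError(f"unknown unit {device.unit!r} for {device.name}")


def budget(devices, allocated_kva: float, headroom: float = HEADROOM) -> dict:
    """Sum the load and compare it with the allocation minus headroom."""
    total = sum(to_kva(d) for d in devices)
    ceiling = allocated_kva * (1 - headroom)
    return {
        "total_kva": round(total, 3),
        "ceiling_kva": round(ceiling, 3),
        "fits": total <= ceiling,
        "spare_kva": round(allocated_kva - total, 3),
    }


# Constructed sample rack: illustrative values, not real equipment data.
SAMPLE_RACK = [
    Device("core switch", 1.2, "A"),
    Device("hypervisor-1", 0.45, "kW"),
    Device("hypervisor-2", 0.45, "kW"),
    Device("storage array", 0.8, "kVA"),
]

if __name__ == "__main__":
    for allocation in (5.0, 2.5):
        print(f"{allocation} kVA allocation:", budget(SAMPLE_RACK, allocation))
```

The sample rack totals 2.076 kVA: it fits comfortably in a 5 kVA allocation (ceiling 3.75 kVA) but not in a 2.5 kVA one, even though the raw figure is below 2.5, because the headroom rule is applied before comparing.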

Cooling

CRAC unit – Computer Room Air Conditioning (CRAC) units are cooling devices used to monitor and maintain temperature, humidity and air distribution in technical areas of a datacentre. CRAC units are a standard feature of modern datacentres, ensuring the efficient operation of servers and equipment.

IDEC unit – Indirect Evaporative Cooling provides low-humidity air-conditioning into a datacentre using a method that cools fresh outside air without adding any humidity before entering the building. IDEC is a more effective cooling system due to this process, and is also more energy-efficient. It is not (yet) common in Australian datacentres, but is used in Sydney’s Equinix SY4.

VESDA – Very Early Smoke Detection Apparatus works by continuously sampling air to detect any sign of smoke. It uses laser-based smoke detection and consists of a network of sampling pipes that covers the datacentre ceiling.

Pre-action dry pipe sprinklers – a sprinkler system in which water is withheld from the pipes until an actual fire is detected. This means that pipes cannot leak in water-sensitive environments, keeping your equipment nice and dry (unless there really is a fire). 

N+x redundancy – similar to N+1, with a primary system (N) and the indicated number of additional redundant systems (+x).

Interconnection

Cross connect – a physical cable – usually fibre – that connects one datacentre network to another. For instance, if you plan to operate your own routers and connect to several IP transit providers, you would need a cross connect for each. Cross connects are low-latency, dedicated point-to-point links within a facility or campus.

Internet exchange / peering – a network where telcos, ISPs and major companies exchange internet traffic. Internet exchanges usually offer lower cost and faster connectivity, but only to the networks that have subscribed to and connected to the exchange. For instance, Intergrid connects to NSW-IX in Sydney, where more than 190 networks exchange traffic.

IP transit – best thought of as an internet service in the datacentre; like your internet at home, but delivered to your datacentre rack. There are differences, though; IP transit is often more expensive than a household internet service, but may have enterprise-grade uptime guarantees. It may also support BGP (Border Gateway Protocol) for route management.

Facility & services

Technical space – data halls, where racks are located. Technical space does not include foyers, meeting rooms, etcetera.

Private cage – a private, enclosed area within a datacentre’s colocation space, secured with mesh walls on all sides and a locking metal door as its point of entry. Only the cage owners have access to their own cage, and only they can grant it to others.

Biometric access – physical two-factor authentication for entry into secure areas of a facility. In datacentres, this usually involves scanning an access card against an RFID reader, followed by electronic fingerprint verification. In addition to confirming fingerprints, these readers often also check the temperature of your finger… to make sure it’s alive.

Remote hands – facility staff available to perform physical tasks under specific instructions; for example, removing a disk or power cycling a server. This usually attracts ad-hoc fees, but is useful for remote sites or emergencies.

Sundries – generic spare components – such as cage nuts or patch leads – that are available on-site for purchase. Vendor specific components are rarely available.

New Linux trojan turns servers into Bitcoin miners

Doctor Web, a Russian anti-malware company, has reported on a new self-spreading Trojan that is labelled “Linux.Lady”. Cybercriminals are using it to hijack servers and computers, take control and utilise their processing power in order to mine cryptocurrency.

Linux.Lady runs a mining program on the computers it has infected. It is written in Go, the Google-developed language, and uses numerous libraries hosted on GitHub. According to Startlr.com, “Go was developed as a system programming language to create highly effective programs that run on modern distributed systems, and multi-core processors”.

The use of Go for malicious purposes is not a new idea – it was first seen in 2012 – although it is still not widely adopted in the vxer (virus writer) community.

Linux.Lady uses a smaller Trojan called Linux.Downloader.196 to infect the system and gather basic information (including the Linux OS version and the number of CPUs) to send to the command and control (C&C) server. The C&C server then provides a file for downloading and running a cryptocurrency mining utility.

Linux.Lady spreads by targeting insecure Redis NoSQL database servers. As a result, up to 30,000 Redis servers that were not password protected have been left exposed through administrative negligence.
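The exposure described above is a configuration problem: a Redis instance that listens on a public interface with no password accepts commands from anyone who can reach it. As an added example (not code from Doctor Web or the original article), here is a Python audit that parses a redis.conf and reports the settings that create that exposure. The directive names checked (bind, protected-mode, requirepass) are real Redis configuration keys; the two sample configs are constructed for illustration.

```python
"""Audit a redis.conf for network-reachable, passwordless instances.

Added example; not from Doctor Web or the original article. The directives
checked (bind, protected-mode, requirepass) are real Redis settings; the
sample configuration texts below are constructed for illustration.
"""

OPEN_BIND_VALUES = {"0.0.0.0", "*", "::"}  # listen on every interface


def parse_redis_conf(text: str) -> dict:
    """Map each directive to the values of its last occurrence.

    Redis applies directives in file order, so a later line overrides an
    earlier one; blank lines and '#' comments are ignored.
    """
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, *values = line.split()
        conf[key.lower()] = values
    return conf


def audit_redis_conf(text: str) -> list:
    """Return (severity, message) findings for an insecure configuration."""
    conf = parse_redis_conf(text)
    findings = []

    # No password, or an explicitly empty one, means any client that can
    # reach the port has full access to the data store.
    password = conf.get("requirepass")
    if not password or password[0] in ('""', "''"):
        findings.append(("high", "requirepass is unset or empty"))

    # Without a 'bind' line Redis listens on all interfaces; wildcard
    # values do the same explicitly.
    binds = conf.get("bind")
    if not binds or any(b in OPEN_BIND_VALUES for b in binds):
        findings.append(("high", "bind allows connections from all interfaces"))

    # protected-mode (Redis 3.2+, default yes) refuses remote clients when
    # no password is configured; turning it off removes that safety net.
    if conf.get("protected-mode", ["yes"])[0].lower() == "no":
        findings.append(("medium", "protected-mode is disabled"))

    return findings


# Constructed sample configs (not taken from any real server).
EXPOSED_CONF = """\
# listens everywhere, no password, protected mode off
bind 0.0.0.0
port 6379
protected-mode no
"""

HARDENED_CONF = """\
# loopback only, protected mode on, password set
bind 127.0.0.1
port 6379
protected-mode yes
# placeholder value: use a long random secret in a real deployment
requirepass REPLACE_WITH_A_STRONG_SECRET
"""

if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_redis_conf(conf) or "no findings")
```

Run it against the config of every Redis host you operate; an instance that needs to be reachable by other machines should bind to a private interface and sit behind a firewall rule rather than relying on requirepass alone.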

Doctor Web also observed a sample of Linux.Lady mining a cryptocurrency called Monero. Other Linux malware, such as Encoder ransomware and Ekoms, was also reported by the anti-virus company.

Uncovering Netflix’s distribution network

Netflix is the world’s leading online video-streaming service with 83 million subscribers world-wide. It has accounted for up to 37% of internet traffic this year, accompanying similar consistent figures from previous years.

There has been a vast amount of speculation about Netflix’s remarkable efficiency and impressive statistics for some time, which prompted researchers from Queen Mary University of London (QMUL) to map the locations of its servers. Their study is believed to have produced the first map of Netflix’s physical servers.

Figure: 233 locations across six continents were mapped

As expected, most of the servers were found in the USA, which studies have shown to be the main source of traffic generated by Netflix. (47 million of Netflix’s 83 million subscribers are said to come from the US.) Servers became fewer and more spread out in areas where subscriber numbers are lower. The USA was surprisingly followed by Mexico, Canada, Brazil and the UK in number of servers. In Australia, content servers were found in Sydney, with ISP caching servers in the remaining state capital cities. Surprisingly, a content server was also found in Guam – perhaps due to its location close to the Southern Cross cable.

The researchers at QMUL located the servers by replicating the film request process from around the world and observing the results. They requested videos from university computers and localised the responding servers using web extensions. A particular reliance on Internet eXchange Points (IXPs) and Internet Service Providers (ISPs) was noted.

One of the researchers stated, “The study is important as it provides an insight into how today’s internet works, the different deployment strategies observed are caused by inherent regional differences, forcing Netflix to adapt its strategy to ensure low movie start-up times and to avoid video stalling during playback.”

The study shows that Netflix’s secretive efficiency is enhanced by placing servers in carefully chosen locations, and is an interesting case study in distributing content effectively worldwide.

The Internet of Things: a new era for cyberattacks?

The Internet of Things, also known as IoT, is the concept of equipping everyday appliances, objects and wearable devices with an Internet connection to allow the exchange of data and information. Think of washing machines that send you a text when the load is done, or air conditioning you can turn on from an app on your phone. The technology has gained a lot of favourable attention and is becoming increasingly popular.

Gartner estimates that 20.8 billion IoT devices will be in operation by the year 2020, with much of this growth predicted to come from business and enterprise activity. IoT has therefore become particularly attractive to cybercriminals, who have shown a growing interest in targeting IoT devices, or in leveraging the growing ubiquity of IoT devices to facilitate attacks.


The sky-rocketing popularity of IoT offers a concrete platform for cybercriminals to attack, as the majority of IoT devices run outdated connection protocols and operating systems. Examples include remotely controlled lightbulbs and Wi-Fi-enabled in-vehicle infotainment systems (IVIs), which most commonly run Linux and are written in C, with safe compiler options overlooked. Dated connection protocols, such as TCP/IP (1989, RFC 1122), ZigBee (2004 specification) and CAN 2.0 (1991), are used, and when exploited can allow unauthorised access to the device.

Additionally, man-in-the-middle attacks (where a third party secretly relays, and possibly alters, messages between two unsuspecting parties, and thereby gains access to their devices) can result when the TCP/IP protocol is exploited.

Gaining access to IoT devices involves several stages: investigation and proof of concept (PoC), taking control of the device, and ensuring that maximum damage is caused.

Investigation and Proof of Concept (PoC)

Attackers concentrate on investigating a target device, searching for vulnerabilities and developing PoCs from which they can derive exploits to use against it. Examples of such PoCs include weaknesses found in the Digital Audio Broadcasting radio receivers integrated into IVIs, as well as authentication flaws in connected lights which can allow data to be stolen – even from air-gapped networks.

Taking Control of the Device

At this stage, cybercriminals work on:

  • Locating default and/or embedded credentials
  • Using fuzzing tools to find exploitable protocol bugs
  • Finding input validation bugs such as buffer overflows and SQL injection.

GitHub, a web-based code hosting service, holds many open source research tools (such as Modbus, Fuzzer and the CANard tool) that can be misused by hackers to cut the time spent on this step.

To take control of the device, hackers can use a number of attack vectors, including:

  • Using exploits or default usernames/passwords to gain access to the device, then finding an internal network from which they can move laterally.
  • Implanting a bot, and thereby building a botnet, and creating a network for the bots to allow further control.
  • Initiating a Distributed Denial of Service attack. IoT devices provide an ideal environment for DDoS, which needs a vast amount of traffic to be effective. For example, thousands of compromised CCTV cameras forming a botnet were recently used as the source of the network traffic needed to perform a DDoS attack.
  • Implanting a bitcoin-mining program. An individual IoT device has little CPU power; however, when many of them are infected, a vast amount of processing power becomes available, which is then used to mine bitcoins.

DVRs used for security camera video recording were infected with a similar form of malware in April 2014.

Ensuring Maximum Damage

The hacker then has the ability to cause as much distress to the victim as possible. This may range from changing items on people’s automated grocery list to locking their car’s brakes and steering functionality. This will have a huge impact on the daily lives of millions and will cause major disruptions and safety threats.

IoT device security is largely forgotten about by vendors who are more concerned about their functionality and performance. Search engines such as Shodan and ZoomEye contribute to worsening the situation by providing archives of potentially vulnerable connected devices and systems. It is predicted that 25% of observed cyber-attacks on businesses will have IoT involvement by 2020.


The growing popularity of IoT devices means that IoT device security is quickly gaining interest – so quickly, in fact, that worldwide spending on IoT security has been predicted to reach $547 million in 2018. Tesla and Fiat Chrysler are among those that have addressed IoT device security by developing bug bounty programs to protect their connected cars.

The Automotive Information Sharing and Analysis Centre (Auto-ISAC) in the US has worked with 15 automobile manufacturers to create a list of the most effective methods for securing their vehicles against cyber-attacks.

Although threats such as cyber extortion and ransomware are technically possible in IoT, they are unlikely to be in effect within the coming years. Hacking IoT devices requires dedicated time and resources, and involves tailoring attacks to specific victims and organisations in order to make money from them through extortion.

Furthermore, it is not a feasible option, particularly for malefactors such as ransomware operators, whose fast-paced operations rely on establishing a quick ROI from as many targets as possible.

In spite of this, the growing interest in and demand for IoT devices, the apparent ease of defeating their security measures (or lack thereof), and the financial gain from extracting money from their owners, are a dangerous blend.

Although there is no single method for ensuring total security of these devices, countermeasures such as a security audit when designing IoT hardware and software, the implementation of security gateways, and the introduction of endpoint monitoring and real-time log inspection play a key role in reducing these risks.
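The “real-time log inspection” countermeasure above is concrete enough to demonstrate. As an added example that is not part of the original article, the Python routine below reads device login logs, raises an alert when one source address accumulates repeated failed logins within a short window, and raises a second, higher-priority alert if that same source then logs in successfully (the pattern of a credential-guessing attempt that worked). The log line format, the thresholds and the sample lines are all constructed for this example; adapt the regular expression to what your devices or gateway actually emit.

```python
"""Failed-login burst detection over IoT device logs (added example).

The log line format below is constructed for this example and is not any
vendor's real format; adapt LINE_RE to the logs your devices produce.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format:
# "<ISO8601 UTC> <device> <process>: login <failed|ok> user=<name> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<device>\S+) (?P<proc>\S+): "
    r"login (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a login event, or None for lines we do not care about."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return event


def inspect_logins(lines, threshold=5, window=timedelta(seconds=60)):
    """Return alerts as (kind, src, device, iso_timestamp) tuples.

    'burst'               - `threshold` failures from one source within `window`
    'success-after-burst' - that same source later authenticated successfully
    """
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    flagged = set()                # sources already reported as a burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["result"] == "failed":
            q = failures[src]
            q.append(ts)
            while ts - q[0] > window:  # drop failures older than the window
                q.popleft()
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("burst", src, ev["device"], ts.isoformat()))
        elif src in flagged:
            alerts.append(("success-after-burst", src, ev["device"], ts.isoformat()))
    return alerts


# Constructed sample log: addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
2016-08-10T10:00:01Z cam-03 httpd: login failed user=admin src=203.0.113.5
2016-08-10T10:00:04Z cam-03 httpd: login failed user=admin src=203.0.113.5
2016-08-10T10:00:06Z cam-03 httpd: login failed user=operator src=203.0.113.5
2016-08-10T10:00:09Z cam-03 httpd: login failed user=admin src=203.0.113.5
2016-08-10T10:00:11Z cam-03 httpd: login failed user=admin src=203.0.113.5
2016-08-10T10:00:13Z cam-03 httpd: login ok user=admin src=203.0.113.5
2016-08-10T10:05:00Z cam-03 httpd: login failed user=admin src=198.51.100.7
2016-08-10T10:05:30Z cam-03 httpd: login ok user=admin src=198.51.100.7
2016-08-10T10:06:00Z cam-03 kernel: link up eth0
"""

if __name__ == "__main__":
    for alert in inspect_logins(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Wiring this to a real stream (a syslog collector or a tailed file) rather than a list is the only change needed for continuous use; the one-typo-then-success pattern from 198.51.100.7 is deliberately left unreported so that ordinary user mistakes do not generate noise.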

APAC DDoS Report – Q2 2016

Intergrid’s DDoS mitigation partner, NexusGuard, has recently updated its quarterly statistics for DDoS attacks targeting the Asia-Pacific region. NexusGuard observes and collects data about threats that target enterprise and service-provider networks, such as ours, around the globe.

The monitoring methodology involves analysing events seen by honeypots (online traps used to deflect and mislead programs that attempt to gain unauthorised access to information systems) as well as by a network of vulnerable internet-connected devices. Threats which target unknown software vulnerabilities are often first seen on NexusGuard’s global research network.

The company’s quarterly report saw an 83% worldwide increase in attacks. The Asia-Pacific region, by contrast, saw slightly more than half the global increase, at 43%. The most targeted country was China, where attacks rose by 50%; this was found to be linked to a target in the area that had been hosting malware within the last two years. The largest increase was Hong Kong’s, at a huge 57%. There were, however, minor decreases in a few countries – no small feat when dealing with DDoS. Japan was the lucky winner of a 4% decrease in attacks.

Another notable increase was in the use of ransomware, where an unauthorised program restricts access to the computer until a sum of money is paid. NexusGuard reported a few public attacks, such as the one on Pokémon Go, which was launched by a new group called Poodle Corp. More attacks from this group are predicted as it attempts to gain visibility and offer its DDoS services to other groups and industries.


The Chinese networks Chinanet and Alibaba ranked first and second among the most attacked networks observed in the second quarter. Australian internet service provider Telstra and Kixs (Korea) dropped a few positions from the first quarter on the top ten list of attacked networks.

In the Asia-Pacific region, NTP (Network Time Protocol) attacks accounted for 90% of all attacks, a notable difference from the 46% share of NTP attacks in the rest of the world. Many of the attack tools were seen to be scripted and set to run for a specific amount of time. NTP attacks are not only more popular in the Asia-Pacific region, but also tend to last longer than those seen worldwide.
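NTP attacks of this kind are reflection attacks: the victim receives a flood of large replies from many public NTP servers at once, and since each reply is far bigger than the query that triggered it, the traffic arrives amplified. That gives a network operator a recognisable pattern in flow data. As an added example that is not part of NexusGuard’s report or the original post, here is a Python detector over flow records that flags a destination receiving large UDP packets from port 123 on several distinct servers. The CSV flow layout, the thresholds and the sample flows are constructed assumptions; a real NetFlow or IPFIX export would need mapping onto these fields.

```python
"""NTP reflection detection over flow records (added example).

The flow CSV layout (ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets)
and the thresholds are assumptions for this example, not a NexusGuard format.
"""
import csv
import io
from collections import defaultdict

NTP_PORT = "123"
MIN_REFLECTORS = 3     # distinct NTP servers sending to one destination
MIN_AVG_BYTES = 200    # a normal NTP reply carries 48 bytes of payload;
                       # amplified responses run to several hundred bytes each


def summarise_ntp_inbound(csv_text: str) -> dict:
    """Aggregate UDP traffic with source port 123 per destination address."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0, "packets": 0})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["proto"].lower() != "udp" or row["src_port"] != NTP_PORT:
            continue
        agg = per_dst[row["dst_ip"]]
        agg["sources"].add(row["src_ip"])
        agg["bytes"] += int(row["bytes"])
        agg["packets"] += int(row["packets"])
    return per_dst


def detect_ntp_reflection(csv_text: str, min_reflectors: int = MIN_REFLECTORS,
                          min_avg_bytes: int = MIN_AVG_BYTES) -> dict:
    """Return {victim_ip: stats} for destinations that match the reflection pattern.

    Both conditions must hold: many distinct NTP sources, and an average packet
    size well above a normal time reply. A single host syncing its clock
    against a few servers matches neither.
    """
    alerts = {}
    for dst, agg in summarise_ntp_inbound(csv_text).items():
        avg = agg["bytes"] / agg["packets"] if agg["packets"] else 0
        if len(agg["sources"]) >= min_reflectors and avg >= min_avg_bytes:
            alerts[dst] = {
                "reflectors": len(agg["sources"]),
                "avg_packet_bytes": round(avg, 1),
                "total_mb": round(agg["bytes"] / 1e6, 2),
            }
    return alerts


# Constructed sample flows: documentation address ranges, invented volumes.
SAMPLE_FLOWS = """\
ts,proto,src_ip,src_port,dst_ip,dst_port,bytes,packets
1467331200,udp,192.0.2.10,123,203.0.113.50,55000,440000,1000
1467331200,udp,192.0.2.11,123,203.0.113.50,55000,462000,1000
1467331201,udp,192.0.2.12,123,203.0.113.50,55000,418000,1000
1467331201,udp,192.0.2.13,123,203.0.113.50,55000,440000,1000
1467331202,udp,192.0.2.10,123,203.0.113.7,123,90,1
1467331202,tcp,192.0.2.20,443,203.0.113.7,51000,52000,40
"""

if __name__ == "__main__":
    for victim, stats in detect_ntp_reflection(SAMPLE_FLOWS).items():
        print(f"possible NTP reflection against {victim}: {stats}")
```

In the sample, 203.0.113.50 is flagged (four reflectors, 440-byte average packets) while 203.0.113.7, which merely synchronised its clock, is not. On a live network the detector would run over a sliding time window, and the alert is the trigger to move the address into scrubbing or to ask the upstream provider to rate-limit UDP/123 towards it.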

Intergrid has partnered with NexusGuard to offer all customers DDoS protection of up to 50Gbps. To find out more about how Intergrid and NexusGuard can keep your organisation DDoS threat-free, visit https://www.nexusguard.com/

Do you need DDoS protection? A commercial perspective.

I often get asked where the value lies in DDoS protection, and whether such a service is a wise commercial investment. There are a lot of analysts, and indeed DDoS protection providers, who will answer this question with a resounding “yes”. But is that strictly true?

DDoS protection is a bit like insurance. For the most part, you’ll be paying for the service without making any claims, but when disaster does strike it can be an invaluable resource. DDoS protection is not a necessity for operating a business online, despite what some companies may argue in their extensive sales copy. Instead, it comes down to a simple cost-benefit analysis:

If your business is brought offline because of an attack, how much money will you lose? Is that amount more, or less, than what you would pay for DDoS protection?

Of course, if you run a popular online store, a single outage could put you at risk of losing tens of thousands of dollars. But, if you’re just running a small blog, or an auxiliary website for a bricks-and-mortar business, website continuity during a malicious attack might not be as essential. For these sorts of websites, I would generally consider DDoS protection as a nice-to-have, but non-essential service.

The main premise of this article is to establish whether DDoS protection presents sufficient value for a business. That said, the good thing is that this decision is becoming less relevant; many reputable hosting providers are now including DDoS protection as standard in their service. For instance, Intergrid includes 50Gbps of DDoS mitigation with all services as standard.

Received a DDoS threat? Here’s what to do.

As the online space becomes increasingly vital for businesses both in Australia and abroad, hacking groups and extortionists are leveraging this dependence to bring businesses to their knees. From the start of the year, cybercriminals have been sending emails to online businesses threatening denial of service attacks unless the attackers are paid in Bitcoin.

There are a variety of different groups sending out these emails, but the premise is the same. Here’s an example that one of our customers received.

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

http://lmgtfy.com/?q=Armada+Collective

Your network will be DDoS-ed starting ____ if you don’t pay protection fee – 10 Bitcoins @ ____.

If you don’t pay by ____, attack will start, yours service going down permanently price to stop will increase to 20 BTC and will go up 10 BTC for every day of attack.

This is not a joke.

Our attacks are extremely powerful – sometimes over 1 Tbps per second. And we pass CloudFlare and others remote protections! So, no cheap protection will help.

Prevent it all with just 10 BTC @ ____

Do not reply, we will not read. Pay and we will know its you. AND YOU WILL NEVER AGAIN HEAR FROM US!

Bitcoin is anonymous, nobody will ever know you cooperated.

Interestingly, in many cases these threats appear to be little more than that – a threat. There are a few main reasons for this:

  1. Attackers appear to reuse Bitcoin addresses. This means there is no way for the attacker to tell which targets have or haven’t paid the ransom.
  2. Threats are sent out in bulk. This adds to the suggestion that the attackers cannot determine who has sent a payment, but also reinforces the fact that an extraordinary amount of network capacity would be required to attack every target.
  3. The ransom amount is unclear. The email refers to both 10 and 20 Bitcoins.

There are several articles doing the rounds that suggest these extortion attempts are entirely a facade and should not be treated seriously. In our experience, although the majority of the emails are merely empty threats, we have seen the extortionists follow through with a few attacks. From a limited dataset, it appears that threats against medium-sized websites are more likely to be followed through: small enough that they are unlikely to have extensive DDoS mitigation in place, and large enough that a DDoS attack would have a significant effect on their bottom line.

Despite the slim possibility of a follow through, some website owners still pay the ransom, which can soar as high as $30,000 AUD. Don’t pay the ransom – that money can be much better spent investing in DDoS protection which works.

Here’s what to do if you receive a threat:

  1. Do not pay the ransom. I cannot stress this enough. If you pay the ransom, you set a precedent for future threats, and the attack will likely happen either way.
  2. Do not reply to the email. This should be fairly obvious, but there’s not much point antagonising the person with a (potentially) loaded gun to your head.
  3. Call your hosting provider. Tell them what has happened. Here are the questions you should ask:
    1. Do you have any protection or countermeasures in place for DDoS attacks?
    2. If so, what type?
      1. A blackhole/nullroute will simply drop all traffic to your website – which is essentially the same as an effective DDoS.
      2. Scrubbing or traffic analysis is the best option here – any malicious traffic should be detected and dropped, while legitimate traffic is allowed through to your site.
    3. Are there any additional costs for this mitigation?
    4. Is the mitigation always-on or only enabled once an attack is detected? If it is not always-on, ask your hosting provider to place your IP address into a 48 hour scrub so that all traffic is analysed.
    5. Can DDoS scrubbing filters be customised for your individual needs? If so, tell your hosting provider where clean traffic is found (e.g. port 80 for websites). That way, unnecessary traffic on other ports can be blocked upstream.
  4. Otherwise, invest in a DDoS protected hosting service. If your website is important to your business, keeping it safe should be a no-brainer. There are quite a few hosting companies which specialise in DDoS protected services – for instance, all Intergrid services are protected against attacks of up to 50Gbps as standard. Selecting a company that specialises in DDoS protected services is a must, as the technology is only as good as the team configuring it.

But why should you pay for DDoS mitigation if most of these extortion emails are empty threats? For me, the answer is simple: it’s only a matter of time until you are targeted by a genuine attack. Be it another cybercrime organisation with more willpower, a disgruntled customer or a questionable competitor, you should always be prepared.