Welcome!

Microservices Expo Authors: Pat Romanski, Elizabeth White, Stackify Blog, Liz McMillan, Yeshim Deniz

Related Topics: Microservices Expo, Cloud Security

Microservices Expo: Blog Feed Post

Turning the Pushdo Bot into the Push-oh-no-you-don’t Bot

Options to put a stop to the latest mutation of the Pushdo trojan

Options to put a stop to the latest mutation of the Pushdo trojan

image The Pushdo bot is a malevolent little beast that is nothing new to Infosec professionals. What might be new, however, is that it recently changed its code and now creates junk SSL connections. Lots of them.

blockquote I mean you are likely seeing an unexpected increase in traffic by several million hits spread out across several hundred thousand IP addresses. No you didn't read that wrong that is millions of hits and hundreds of thousands of IP addresses. This might be a big deal if you're used to only getting a few hundred or thousands of hits a day or you don't have unlimited bandwidth. -- ShadowServer 01/29/2010

Pushdo is usually classified as a "downloader" trojan - meaning its true purpose is to download and install additional malicious software. (SecureWorks, Analysis of a Modern Malware Distribution System) That’s something you definitely don’t want to let loose inside your network, right? So the trick is to recognize its new behavior, somehow, and kick it in the derriere before it can do any real damage or consume resources or leave little bot droppings that might clog up the network pipes.

Luckily, Pushdo has a recognizable pattern: it sends malformed SSL HELLO requests after the TCP connection is established. This means we have several options for dealing with this new variant.


STOPPING PUSHDO

First, you could ignore it. That’s probably asking for trouble but it is an option. The target server will respond to the request with an error because the client hello portion of the SSL handshake is malformed. There’s very little danger in that, it’s expected behavior. However, there’s a distinct possibility that the pattern will change again, potentially by correcting the “malformed” hello so that it is valid and thus making a connection and delivering itself. Having been lulled into ignoring it, it might even succeed. Yes, it could be a social engineering attempt to make you complacent in preparation for a real attack. Miscreants are evil like that, you know, you just can’t trust them.

blockquote The most aggressive pushdo infected hosts appear to establish a connection about once a minute. We identified about 10k host attacking www.sans.org. According to some reports, Pushdo will also just establish a TCP connection, and then just sit without actually sending the SSL Helo message.
ISC SANS Diary

Because the new behavior of Pushdo now has it basically acting like a (fairly ineffective in most cases) DoS, it’s also not a good idea to let the requests get to the server because, well, that means the DoS is successful. If the server is busy responding to Pushdo requests it can’t respond to legitimate requests. In a public cloud computing environment, of course, the consequences can likely be pushdocounted in hard dollars as instances of applications may be launched or continue to remain active throughout the duration of the attack, even though second, third or more instances may not be required for availability at the time. For all the good things about elastic on-demand scalability, this one will continue to be a downside until security services are available that can detect and reject attacks at the “edge” of the cloud provider’s environment.

Second, you could terminate SSL connections on a capable Load balancer or application delivery controller. Most modern solutions of this ilk will recognize the malformed hello and refuse to accept them. This is not much different than the server responding with an error except that offloading the task of dealing with SSL and the miscreant traffic means the server can still respond easily to legitimate requests. If you have some other component terminating SSL, check if it’s capable of recognizing the malformed headers. If not, and you have a network-side scripting capable component downstream from it, you can always use the third option to intercept the requests, inspect them, and instruct the component to reject it if it contains malformed data.
Think SSL DoS Not Dangerous?

Back in the days when I was still putting products to the test I often evaluated SSL-terminating solutions like appliances and specialized hardware on PCI cards. To test capacity we basically created the equivalent of a DoS attack.

In one test we generated enough load to fry the PCI slot on a Sun Sparc server. Fried electronics is not a pleasant smell, especially in a confined space. In another test, a now long defunct product would continually reboot itself when load reached a specific point, effectively disrupting service completely for all servers behind it.

Many SSL-terminating solutions require licensing for a specific TPS rate, and a DoS can easily surpass that rate. When SSL is handled by the servers themselves, the additional strain from processing high amounts of SSL can effectively reduce the ability of the server to handle other legitimate requests to zero, consuming all available resources in a relatively short period of time. Even if an SSL DoS won’t fry your circuitry, it can certainly be a Bad Thing for your applications and infrastructure and cause performance degradations and, if you’re in ‘the cloud’, possibly additional charges.

The third option is to put into place a filter or network-side script that examines the request and determines whether it is legitimate or not.

The fourth option is to put in place IDS/IPS (such as Snort) filters to handle the requests.

So you’ve got options, you just need to decide which one will best serve your needs. I, of course, heavily recommend any option that detects and rejects as close to the perimeter as possible so as to avoid needless resource consumption, but more important than that is simply stopping the attack.

Read the original blog entry...

More Stories By Lori MacVittie

Lori MacVittie is responsible for education and evangelism of application services available across F5’s entire product suite. Her role includes authorship of technical materials and participation in a number of community-based forums and industry standards organizations, among other efforts. MacVittie has extensive programming experience as an application architect, as well as network and systems development and administration expertise. Prior to joining F5, MacVittie was an award-winning Senior Technology Editor at Network Computing Magazine, where she conducted product research and evaluation focused on integration with application and network architectures, and authored articles on a variety of topics aimed at IT professionals. Her most recent area of focus included SOA-related products and architectures. She holds a B.S. in Information and Computing Science from the University of Wisconsin at Green Bay, and an M.S. in Computer Science from Nova Southeastern University.

@MicroservicesExpo Stories
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
SYS-CON Events announced today that CollabNet, a global leader in enterprise software development, release automation and DevOps solutions, will be a Bronze Sponsor of SYS-CON's 20th International Cloud Expo®, taking place from June 6-8, 2017, at the Javits Center in New York City, NY. CollabNet offers a broad range of solutions with the mission of helping modern organizations deliver quality software at speed. The company’s latest innovation, the DevOps Lifecycle Manager (DLM), supports Value S...
Cloud promises the agility required by today’s digital businesses. As organizations adopt cloud based infrastructures and services, their IT resources become increasingly dynamic and hybrid in nature. Managing these require modern IT operations and tools. In his session at 20th Cloud Expo, Raj Sundaram, Senior Principal Product Manager at CA Technologies, will discuss how to modernize your IT operations in order to proactively manage your hybrid cloud and IT environments. He will be sharing bes...
SYS-CON Events announced today that Peak 10, Inc., a national IT infrastructure and cloud services provider, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Peak 10 provides reliable, tailored data center and network services, cloud and managed services. Its solutions are designed to scale and adapt to customers’ changing business needs, enabling them to lower costs, improve performance and focus intern...
There are two main reasons for infrastructure automation. First, system administrators, IT professionals and DevOps engineers need to automate as many routine tasks as possible. That’s why we build tools at Stackify to help developers automate processes like application performance management, error monitoring, and log management; automation means you have more time for mission-critical tasks. Second, automation makes the management of complex, diverse environments possible and allows rapid scal...
This talk centers around how to automate best practices in a multi-/hybrid-cloud world based on our work with customers like GE, Discovery Communications and Fannie Mae. Today’s enterprises are reaping the benefits of cloud computing, but also discovering many risks and challenges. In the age of DevOps and the decentralization of IT, it’s easy to over-provision resources, forget that instances are running, or unintentionally expose vulnerabilities.
DevOps is often described as a combination of technology and culture. Without both, DevOps isn't complete. However, applying the culture to outdated technology is a recipe for disaster; as response times grow and connections between teams are delayed by technology, the culture will die. A Nutanix Enterprise Cloud has many benefits that provide the needed base for a true DevOps paradigm. In his Day 3 Keynote at 20th Cloud Expo, Chris Brown, a Solutions Marketing Manager at Nutanix, will explore t...
It has never been a better time to be a developer! Thanks to cloud computing, deploying our applications is much easier than it used to be. How we deploy our apps continues to evolve thanks to cloud hosting, Platform-as-a-Service (PaaS), and now Function-as-a-Service. FaaS is the concept of serverless computing via serverless architectures. Software developers can leverage this to deploy an individual "function", action, or piece of business logic. They are expected to start within milliseconds...
One of the biggest challenges with adopting a DevOps mentality is: new applications are easily adapted to cloud-native, microservice-based, or containerized architectures - they can be built for them - but old applications need complex refactoring. On the other hand, these new technologies can require relearning or adapting new, oftentimes more complex, methodologies and tools to be ready for production. In his general session at @DevOpsSummit at 20th Cloud Expo, Chris Brown, Solutions Marketi...
We all know that end users experience the internet primarily with mobile devices. From an app development perspective, we know that successfully responding to the needs of mobile customers depends on rapid DevOps – failing fast, in short, until the right solution evolves in your customers' relationship to your business. Whether you’re decomposing an SOA monolith, or developing a new application cloud natively, it’s not a question of using microservices - not doing so will be a path to eventual ...
Most DevOps journeys involve several phases of maturity. Research shows that the inflection point where organizations begin to see maximum value is when they implement tight integration deploying their code to their infrastructure. Success at this level is the last barrier to at-will deployment. Storage, for instance, is more capable than where we read and write data. In his session at @DevOpsSummit at 20th Cloud Expo, Josh Atwell, a Developer Advocate for NetApp, will discuss the role and valu...
SYS-CON Events announced today that Linux Academy, the foremost online Linux and cloud training platform and community, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Linux Academy was founded on the belief that providing high-quality, in-depth training should be available at an affordable price. Industry leaders in quality training, provided services, and student certification passes, its goal is to c...
SYS-CON Events announced today that Fusion, a leading provider of cloud services, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Fusion, a leading provider of integrated cloud solutions to small, medium and large businesses, is the industry’s single source for the cloud. Fusion’s advanced, proprietary cloud service platform enables the integration of leading edge solutions in the cloud, including cloud...
SYS-CON Events announced today that HTBase will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. HTBase (Gartner 2016 Cool Vendor) delivers a Composable IT infrastructure solution architected for agility and increased efficiency. It turns compute, storage, and fabric into fluid pools of resources that are easily composed and re-composed to meet each application’s needs. With HTBase, companies can quickly prov...
@DevOpsSummit at Cloud taking place June 6-8, 2017, at Javits Center, New York City, is co-located with the 20th International Cloud Expo and will feature technical sessions from a rock star conference faculty and the leading industry players in the world. The widespread success of cloud computing is driving the DevOps revolution in enterprise IT. Now as never before, development teams must communicate and collaborate in a dynamic, 24/7/365 environment. There is no time to wait for long developm...
With 10 simultaneous tracks, keynotes, general sessions and targeted breakout classes, Cloud Expo and @ThingsExpo are two of the most important technology events of the year. Since its launch over eight years ago, Cloud Expo and @ThingsExpo have presented a rock star faculty as well as showcased hundreds of sponsors and exhibitors! In this blog post, I provide 7 tips on how, as part of our world-class faculty, you can deliver one of the most popular sessions at our events. But before reading the...
The purpose of this article is draw attention to key SaaS services that are commonly overlooked during contact signing that are essential to ensuring they meet the expectations and requirements of the organization and provide guidance and recommendations for process and controls necessary for achieving quality SaaS contractual agreements.
SYS-CON Events announced today that OpsGenie will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2012, OpsGenie is an alerting and on-call management solution for dev and ops teams. OpsGenie provides the tools needed to design actionable alerts, manage on-call schedules and escalations, and ensure that the right people are notified at the right time, using multiple notification methods.
The first step to solving a problem is recognizing that it actually exists. And whether you've realized it or not, cloud services are a problem for your IT department. Even if you feel like you have a solid grasp of cloud technology and the nuances of making a cloud purchase, business leaders don't share the same confidence. Nearly 80% feel that IT lacks the skills necessary to help with cloud purchases-and they're looking to cloud brokers for help instead. It's time to admit we have a cloud s...
According to a recent Gartner study, by 2020, it will be unlikelythat any enterprise will have a “no cloud” policy, and hybrid will be the most common use of the cloud. While the benefits of leveraging public cloud infrastructures are well understood, the desire to keep critical workloads and data on-premise in the private data center still remains. For enterprises, the hybrid cloud provides a best of both worlds solution. However, the leading factor that determines the preference to the hybrid ...