Blog entry by Les Bell

by Les Bell - Wednesday, 11 October 2023, 9:39 AM

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


US Agencies Release Guidance on Open Source in OT and ICS Environments

The US Cybersecurity and Infrastructure Security Agency, along with the FBI, NSA and Department of the Treasury, has released a new fact sheet entitled Improving Security of Open Source Software in Operational Technology and Industrial Control Systems. This new guide is one of the priority initiatives of the JCDC (Joint Cyber Defense Collaborative) 2023 Planning Agenda, which focuses on systemic risk, collective response and high-risk communities related to critical infrastructure.

Since its distant origins, free and open source software has grown in significance, to the extent that almost every major software system - including those from former staunch advocates of proprietary code - includes several open source components. This includes operational technology (OT), which this fact sheet defines as "the hardware, software, and firmware components of a system used to detect or cause changes in physical processes through the direct control and monitoring of industrial equipment, assets, processes, and events." In this sense, industrial control systems (ICS) are a subset of OT in which networked systems control processes such as manufacturing, product handling, production and distribution.

The report identifies three challenges which OT/ICS shares with other software systems:

  • Dependency vulnerabilities
  • Lack of commercial support
  • Inadequate documentation

Dependency vulnerabilities are a common concern in software supply chains generally, but the lack of commercial support can be an obstacle for commercial customers who rely on proactive support from vendors and who do not have processes to connect into the open source community's approach to software maintenance. And I can certainly relate to the last point; I have often discovered a peculiarly-named package in a system I'm working on, wondered what it was, and tracked down the project web site only to discover no explanation of what the package actually is. Greybeard readers may remember the "Real Programmer" jokes, including "Real programmers don't write documentation. You've got the source code - what more do you need?". It's not as funny as it once was.

A related problem is the difference in maintenance mindset between the wider IT software world and the OT world. The former views software as highly mutable and capable of frequent patching and updates after deployment (cf. the CI/CD pipeline so popular in cloud environments). Engineers running complex systems like refineries and mineral-processing plants would be horrified by that approach; these systems are subject to stringent change management policies and safety regulations, and even shutting them down for maintenance can bring huge costs.

Increasing interconnection of OT/ICS systems to conventional business IT networks brings a whole new set of risks to this world, requiring an even stronger defensive posture for the business systems.

The fact sheet makes a number of detailed recommendations for improving security of open source in OT/ICS, starting at the senior leadership level and working down. They encompass:

The guide also provides an extensive listing of resources and references.

CISA, Securing Open Source Software in Operational Technology, fact sheet, 10 October 2023. Available online at https://www.cisa.gov/topics/partnerships-and-collaboration/joint-cyber-defense-collaborative/Securing-Open-Source-software-in-operational-technology. Direct PDF download at https://www.cisa.gov/sites/default/files/2023-10/Fact_Sheet_Improving_OSS_in_OT_ICS_508c.pdf.

Massive Layer Seven DDoS Attack Uses HTTP/2

From Google comes analysis of a massive distributed denial of service attack on a number of the company's cloud services and their customers. The August attack, which was delivered at layer 7 (the ISO/OSI model application layer) over the HTTP/2 protocol, was significantly larger than any previous layer 7 attack, peaking at 398 million requests per second.

The attack, which Google dubbed "Rapid Reset", was largely stopped at the edge of Google's network by its global load balancing infrastructure, with minimal impact and no outages.

Unlike the classic HTTP/1.1 protocol, which MIME-encodes binary data, bloating it into text, HTTP/2 is a much more efficient binary protocol. And where HTTP/1.1 opens a TCP connection for each object within a page, with a consequent three-way SYN/SYN-ACK/ACK handshake (and a four-way handshake when the connection ends), HTTP/2 multiplexes multiple bidirectional "streams" within a single TCP connection. This also economizes on server CPU, not to mention sockets and ports, which would otherwise constrain the number of connections between client and server. It also allows concurrent requests to be processed, rather than dealt with serially as HTTP/1.1 would do, with up to almost 100 times higher utilization of each connection.

This attack exploits a feature of the stream capabilities in HTTP/2, which allows clients to signal the server, cancelling a stream by sending a RST_STREAM frame. This can be done unilaterally, and the client may also assume that the server will cancel the stream immediately, before processing any other data from that TCP connection. The Rapid Reset attack works like this: the client opens a large number of streams at once, but rather than waiting for a response to each request stream from the server (or an intermediate proxy), it simply cancels each request immediately. According to Google's researchers:

The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth.

In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client.

So the attack is cheap - in terms of network bandwidth - for the attacker but expensive for the server.

Since the original attack, Google has seen some variants on the Rapid Reset attack which are not as efficient, but probably still more efficient than standard HTTP/2 attacks. One variant, for example, does not cancel streams at once, but instead waits for some time, in order to bypass mitigations which monitor the rate of inbound RST_STREAM frames. A second variant simply tries to overwhelm the server with more streams than it can handle.

Google has deployed a number of mitigations for the Rapid Reset attack variants and is working on others, in conjunction with industry partners. It has reserved CVE-2023-4487 to track the fixes to the various HTTP/2 implementations.
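To make the cost asymmetry and the reset-monitoring mitigation concrete, here is an added example of my own; it is not Google's code nor that of any HTTP/2 library. It pairs a minimal HTTP/2 frame-header parser with a per-connection guard that counts streams the client opened and then cancelled before the server had answered, and trips once a fixed cancellation budget is exceeded. The budget value, the names ResetGuard, parseFrames, rapidResetBurst and firstAbusiveFrame, and the constructed frame bytes are all assumptions of the example; only the frame layout and the HEADERS/RST_STREAM type codes come from RFC 9113.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// HTTP/2 frame type codes (RFC 9113 section 6) and the fixed frame header length.
const (
	frameHeaders   byte = 0x1
	frameRstStream byte = 0x3
	frameHeaderLen      = 9
)

// Frame is a decoded HTTP/2 frame header; the payload is skipped, not retained.
type Frame struct {
	Type     byte
	StreamID uint32
}

// parseFrames walks a buffer of frames laid out per RFC 9113 section 4.1:
// 24-bit length, 8-bit type, 8-bit flags, one reserved bit and a 31-bit stream id.
func parseFrames(buf []byte) ([]Frame, error) {
	var frames []Frame
	for len(buf) > 0 {
		if len(buf) < frameHeaderLen {
			return frames, errors.New("truncated frame header")
		}
		length := int(buf[0])<<16 | int(buf[1])<<8 | int(buf[2])
		if len(buf) < frameHeaderLen+length {
			return frames, errors.New("truncated frame payload")
		}
		frames = append(frames, Frame{Type: buf[3], StreamID: binary.BigEndian.Uint32(buf[5:9]) & 0x7fffffff})
		buf = buf[frameHeaderLen+length:]
	}
	return frames, nil
}

// ResetGuard counts, per connection, streams the client opened and then cancelled
// before the server answered. The fixed budget is an assumption of this example,
// not Google's or any HTTP/2 library's actual policy.
type ResetGuard struct {
	MaxResets int
	open      map[uint32]bool // client-opened streams still awaiting a response
	resets    int
}

// Answered records a completed response, so a later RST_STREAM on that stream is
// ordinary cleanup rather than a cancellation the server paid for.
func (g *ResetGuard) Answered(streamID uint32) { delete(g.open, streamID) }

// Observe feeds one client frame to the guard and reports whether the connection
// has spent its cancellation budget and should be sent GOAWAY.
func (g *ResetGuard) Observe(f Frame) bool {
	switch f.Type {
	case frameHeaders:
		g.open[f.StreamID] = true
	case frameRstStream:
		// Only resets of still-unanswered client streams represent wasted server work.
		if g.open[f.StreamID] {
			delete(g.open, f.StreamID)
			g.resets++
		}
	}
	return g.resets > g.MaxResets
}

// frame serialises one client frame (constructed sample input).
func frame(typ byte, streamID uint32, payload []byte) []byte {
	b := make([]byte, frameHeaderLen, frameHeaderLen+len(payload))
	b[0], b[1], b[2] = byte(len(payload)>>16), byte(len(payload)>>8), byte(len(payload))
	b[3] = typ
	binary.BigEndian.PutUint32(b[5:9], streamID)
	return append(b, payload...)
}

// rapidResetBurst builds n HEADERS frames each followed at once by RST_STREAM(CANCEL),
// the pattern the Google post describes (constructed input; the HEADERS payload is
// left empty because the HPACK block does not matter to the count).
func rapidResetBurst(n int) []byte {
	var buf []byte
	for i := 0; i < n; i++ {
		sid := uint32(2*i + 1) // client-initiated stream ids are odd
		buf = append(buf, frame(frameHeaders, sid, nil)...)
		buf = append(buf, frame(frameRstStream, sid, []byte{0, 0, 0, 0x8})...)
	}
	return buf
}

// firstAbusiveFrame returns the index of the frame at which the guard trips,
// or -1 when the connection stays within budget.
func firstAbusiveFrame(buf []byte, maxResets int) (int, error) {
	frames, err := parseFrames(buf)
	if err != nil {
		return -1, err
	}
	g := &ResetGuard{MaxResets: maxResets, open: map[uint32]bool{}}
	for i, f := range frames {
		if g.Observe(f) {
			return i, nil
		}
	}
	return -1, nil
}
```

Counting only resets of streams that are still unanswered (the server calls Answered when a response completes) is what separates a Rapid Reset flood from a browser that legitimately cancels a few image loads after navigation. Because the guard counts cancellations rather than the per-second RST_STREAM rate, it also catches the delayed-reset variant described above; a production server would additionally bound concurrent streams per connection and refill the budget over time rather than keeping a lifetime count.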

It seems unlikely that Rapid Reset will work against HTTP/3, which uses Google's QUIC protocol, with UDP rather than TCP as the transport. Nonetheless the firm recommends proactive implementation of some similar mechanisms to limit the amount of work done by a single transport connection.

Snellman, Juho and Daniele Iamartino, How it works: The novel HTTP/2 ‘Rapid Reset’ DDoS attack, blog post, 11 October 2022. Available online at https://cloud.google.com/blog/products/identity-security/how-it-works-the-novel-http2-rapid-reset-ddos-attack.

'Son of Mirai' Adds More Exploits

Speaking of distributed denial of service attacks, remember the heady days when the Mirai IoT botnet set new records? Mirai itself is long gone, but its DNA (code, really) lives on in descendants such as IZ1H9, which has recently updated its arsenal of exploits, with payloads for D-Link, Netis, Sunhillo, Geutebruck, Yealink, Zyxel, TP-Link, Korenix and TOTOLINK devices in a variant recently sighted by Fortiguard Labs researchers.

Their blog post is littered with CVEs, indicating the number of exploits in this new, rapidly-evolving variant. It has attacked tens of thousands of consumer-level devices, primarily through remote code execution exploits, amassing a large botnet.

The full report from Fortiguard Labs Threat Research provides a detailed analysis of the various exploits, along with IOCs and an offer of free training to protect against phishing attacks.

Lin, Cara, IZ1H9 Campaign Enhances Its Arsenal with Scores of Exploits, blog post, 9 October 2023. Available online at https://www.fortinet.com/blog/threat-research/Iz1h9-campaign-enhances-arsenal-with-scores-of-exploits.


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.
