Blog entry by Les Bell

Les Bell
by Les Bell - Thursday, October 12, 2023, 10:22 AM
Anyone in the world

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories


More Shoes Drop on HTTP/2 Rapid Reset

A number of other stakeholders have now provided responses to the massive 'Rapid Reset' DDoS attack on the streams feature of HTTP/2 which we reported on yesterday. Google was obviously not the only large service provider affected by the attack; both Cloudflare and Amazon observed it, too, and have published their own analyses.

For Cloudflare, the attack peaked at just over 201 million requests per second - nearly three times more than their biggest previous attack. The attack was generated by a botnet of just 20,000 machines, which is much smaller than many other botnets, which can number up to millions of machines. This raises the prospect of a single attack delivering as much traffic as the entire web - around one to three billion requests per second - against a small group of targets.

Like Google - with whom both Cloudflare and Amazon collaborated - the firm was able to absorb the initial attacks and then introduce mitigations to limit the impact on their systems. One difficulty is that this attack effectively has no ramp-up period, meaning that for a few seconds, the network infrastructure has absorb the traffic before the client IP address can be quarantined in Cloudflare's 'IP Jail' system. To overcome this, the firm expanded the 'IP Jail' system to block such IP's from using HTTP/2 to connect to any domain on Cloudflare for some time. This will limit the attack, while any legitimate client on the same IP will see only a small performance decrease during that time.

Amazon Web Services has also implemented mitigations, and has also recommended that customers operating their own web servers running HTTP/2 should apply relevant patches as soon as possible. The company has also blogged with advice on building DDoS-resistant architectures using AWS edge services such as Amazon CloudFront, AWS Shield, Amazon Route 53 and Route 53 Application Recovery Controller.

On the server side, NGINX has blogged with advice on how to configure that web server to minimize its attack surface and has released a patch for the server's ngx_http_v2_module which imposes a limit on the number of new streams that can be introduced within one event loop. The developers are continuing to experiment with mitigation strategies.

There seems to be no word on Rapid Reset from the Apache project, but according to online forums, a few admins have disabled HTTP/2 as a precaution.

Pardue, Lucas and Julien Desgats, HTTP/2 Rapid Reset: deconstructing the record-breaking attack, blog post, 10 October 2023. Available online at https://blog.cloudflare.com/technical-breakdown-http2-rapid-reset-ddos-attack/.

Scholl, Tom and Mark Ryland, How AWS protects customers from DDoS events, blog post, 10 October 2023. Available online at https://aws.amazon.com/blogs/security/how-aws-protects-customers-from-ddos-events/.

Vernik, Michael and Nina Forsyth, HTTP/2 Rapid Reset Attack Impacting NGINX Products, blog post, 10 October 2023. Available online at https://www.nginx.com/blog/http-2-rapid-reset-attack-impacting-f5-nginx-products/.

Microsoft Moves: Die, NTLM! Die!

Microsoft has long been burdened by the need to maintain backward compatibility with older product versions which were originally designed in an era when the world generally - and Microsoft in particular - was more . . . naive . . . about security. Although the Redmond giant has always tended to favour, first glitz and glamour, then functionality, and finally security, when it has bitten the bullet and moved to new architectures that compromised that backward compatibility, the results have been painful for at least some of its customer base. Remember Windows Vista? Nothing much changed as Microsoft waited for the market to catch up, with compatible versions of applications and - especially - device drivers, and when an effectively-updated Vista was relaunched as Windows 7, customers loved it.

Now it looks like the firm is preparing to bite the bullet again, this time addressing the problems surrounding legacy authentication, specifically the NTLM authentication protocol. NTLM replaced the very weak original LanMan hashes that date back to the days of Microsoft LAN Manager, but is still essentially a simple protocol which hashes a password and then sends the hash over the wire. Hardly any enterprise networks rely on NTLM, having adopted Active Directory - which is based on Kerberos - many, many years ago, but NTLM lives on for a few reasons:

  • NTLM doesn’t require local network connection to a Domain Controller
  • NTLM is the only protocol supported when using local accounts
  • NTLM works when you don’t know who the target server is

As a result, some applications and services continue to rely on NTLM, rather than switching to Kerberos. As a result, it is often not possible to disable NTLM; even some enterprise scenarios require it as a fallback when Kerberos is not available. And, of course, many SME's and microbusinesses rely on NTLM, as it is used by many third-party network accessible storage (NAS) products as well as Microsoft's own Workgroups feature and Remote Desktop Protocol in these non-AD environments.

In order to be able to finally dispense with NTLM, Microsoft is introducing two new features for Windows 11. The first is 'Initial and Pass Through Authentication Using Kerberos' (IAKerb), which the company describes as "a public extension to the industry standard Kerberos protocol that allows a client without line-of-sight to a Domain Controller to authenticate through a server that does have line-of-sight." As I first read that word, "public", a small daemon on my shoulder urgently whispered, "Embrace-Extend-Extinguish!", but I am prepared to wait and see - both Micosoft and the market have evolved since those days, I hope.

IAKerb works through a 'Negotiate' extension and will allow the Windows authentication stack to proxy Kerberos messages through the server on behalf of a client in a firewall-segmented or remote access scenario. As it does this, it will rely on the confidentiality and authenticity of origin services of Kerberos itself to protect its messages against relay and replay attacks.

The second new feature is perhaps more significant for non-AD sites and scenarios. In order to support local (as opposed to domain) remote logons, a local Kerberos KDC will be added to Windows 11, built on top of the Security Account Manager. This will leverage IAKerb and allow Windows to pass Kerberos messages between machines without having to add support, and open ports, for such services as DNS, netlogon or DCLocator. In addition, Microsoft is removing hard-coded references to NTLM from other Windows components, changing them to use the Negotiate protocol instead, allowing an easy transition to Kerberos.

These changes will be enabled by default and will not require configuration in most scenarios, although NTLM will continue to be available as a fallback for the time being. However, another set of changes coming to Windows 11 include additional service information being recorded in event logs, coupled with more granular policies, to allow domain admins to track and block NTLM on a service-by-service basis. The same telemetry info will be used by Microsoft itself to eventually pull the plug on NTLM for good - although even once it is disabled by default, users will be able to re-enable it. Somehow, I do not think it will go gentle into that good night.

So, for those of us who manage small networks, expect a few pain points in times to come. On balance, though, it will be worth it; an entire category of dictionary, rainbow tables and pass-the-hash attacks will eventually be consigned to the scrap heap of history.

Palko, Matthew, The evolution of Windows authentication, blog post, 11 October 2023. Available online at https://techcommunity.microsoft.com/t5/windows-it-pro-blog/the-evolution-of-windows-authentication/ba-p/3926848.


Upcoming Courses


These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Creative Commons License TLP:CLEAR Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.

Tags: