
The Zombies Are Attacking

Published Oct 12, 2022, 7:34 PM

What is a zombie computer? What is a botnet? And what the heck is a DDoS attack? We look at a common tactic used by hackers to silence or inconvenience a target, how it works, and the measures companies like Cloudflare take to mitigate them.

Welcome to TechStuff, a production from iHeartRadio. Hey there, and welcome to TechStuff. I am your host, Jonathan Strickland. I am an executive producer and apparently vampire at iHeartRadio. How the tech are you? Okay, I'm dropping it now, you all got the cringe out of the way first thing. We're done with that. But we are in spooky season as I publish this, October of 2022. And you know, I don't typically do episodes that relate to spooky stuff, but I thought it would be fun if I did a few this month that are tangentially, maybe questionably, themed to be Halloween-ish. This gets a little tricky in tech. I mean, I have done episodes about stuff like the tech in professional haunted house attractions and stuff like that, which is great, but you know, I can't really revisit that. There's not a whole lot more to say. I did do a classic episode with my co-host Chris Pollette about ghost hunting technology, or so-called ghost hunting technology. Maybe I'll do an update to that because it's been so long since I recorded that episode, and I always like getting my dander up about stuff like that. But you know, pickings are slim when you look at stuff that you can theme toward Halloween in the tech space. But yesterday in the news episode, I talked about how some activists who at the very least are sympathetic to the Kremlin used distributed denial of service attacks, or DDoS attacks, against a dozen or so US airport websites. Not air carriers, not the airlines, mind you, but the airport websites. And the attacks brought down some sites for a few hours, but otherwise had very little impact on travel. Now you might say, okay, but how are you connecting DDoS attacks to Halloween? Well, the tenuous connective tissue is that to pull off the DDoS attack, hackers first have to assemble a botnet, which is a collection of compromised computer systems.
And another phrase that sometimes describes a bot is zombie, and a botnet would be a zombie army. So you have these zombie computers, and so, zombies. It's totally thematic, right?

Okay, let's start with a baseline before we get to distributed denial of service attack. Let's just start with denial of service. What the heck is that? How does it work? Well, let's think of the Internet as a giant, interconnected mess of clients and servers. There are other components there too; I am oversimplifying it down to clients and servers. So servers are the machines that hold the stuff that we want to access online. Maybe we are logging on to play an online game, and the game exists on a server somewhere out on the Internet, probably exists on several servers, and we just connect to a specific one. Or maybe we want to order food online using an app. Well, that service is hosted on another server somewhere online. Or maybe we just want to pop onto the web and visit a news site and read up on the headlines. Well, that news site is on another server somewhere out there on the web. So the basic way the Internet works is that you access a client. One example of a client would be a web browser on your computer. That's the client. So that's your point of access to the Internet, and you want to see something specific, like that news site, let's say. So you type in the URL for the news site into your browser, and the browser sends out a message that goes across the Internet and it gets directed to the specific server that houses that URL. The server receives this request from your client, and then it replies to that request. It sends the files that represent the front page of that news site to your client, your web browser. Your web browser then displays those files as a web page to the user. In a way, this is the most simplified method to describe what's going on with the Internet in general and the web in particular.
The specifics get a little more sophisticated than that, but from a very high level, that is what's happening with web traffic, without getting into things like packets and routing and all that kind of stuff. Now, sometimes stuff goes wrong in this process. You know, maybe the server that's holding the files you want has gone offline for some reason, so you get an error back because your request could not be answered. The server that would normally be there for some reason isn't there. Maybe there are issues between the client and the server. So it's not that the server has an issue or that your client has an issue, but something in the middle is causing some problems. Or maybe the client connection goes down, like maybe your home Internet has gone down and that's the problem. Or maybe the server is online, there are no other issues between your client and the server, but the server itself is currently overwhelmed. Now, that can happen naturally without malice involved. So let's say, for example, that word gets out about a new video game console, and everyone knows when that console is officially going to go up for pre-order, and you can go straight to this company's website and sign up for a pre-order the moment it becomes available, and you will be first in line to get this brand new video game console. And lots of people know about this, so tons of people are interested and invested in this. So the appointed hour arrives and now millions of people around the world are all frantically attempting to connect to the same server to put in their pre-order, and the server is just overwhelmed by the mass of incoming traffic, and it slows down the server's ability to respond to the requests. So everyone's starting to experience these long delays as they try and connect, and you get increasingly frustrated because you're waiting and waiting and waiting for a web page to load in your browser, and the server's doing its best to respond to demands.
Sometimes this kind of situation can be enough to actually cause the server to crash entirely, which is even more frustrating because then it has to go through the whole reboot process before you can connect to it again, and that obviously makes matters more frustrating. And like I said, this all can happen naturally just due to demand. We've seen it happen multiple times, even in the modern day. Like, we saw it happen a lot early in the days of the web because of unexpected demand, but it still happens today too. However, this thing that can happen naturally can also be caused to happen artificially. A nefarious person can try and create that sort of situation on purpose. Now this brings us to a denial of service attack, or DoS attack: D-O-S, big D, little o, big S. All right, so there's an analogy that I love to use when talking about denial of service. I'm going to use it again. So imagine for a moment that anytime anyone rang your doorbell or knocked on your door, you absolutely had to go answer the door. You couldn't pretend not to be home or ignore it. You are compelled, you have no other option. You have to answer the door. Now, let's say you're at home and you've decided that you want to make yourself a snack. You're feeling peckish, so you start to head to your kitchen, but then someone rings the doorbell, so you turn around and you walk to the front door and you open it, but there's no one there, so you close the door and you head back inside. You start heading back to the kitchen, but you get two steps toward the kitchen and the doorbell rings again, so you do a one-eighty. You walk back to the door and you open it. There's no one there. Those darn kids. And now you're getting irritated, possibly because you've got some low blood sugar going on because you haven't had your snack yet. So you close the door. You turn back to head toward the kitchen. Bing bong goes the doorbell, and you turn around again to answer the door, and once again, no one is there.
And this happens over and over, and because you are compelled to answer the door, you can't ever make any progress doing anything else, and then eventually you just collapse in frustration, starvation, and confusion. And a denial of service attack is really similar to this. A basic one might be that someone is sending a message to a server, but the return address for this message goes nowhere. So it's a message that's going to a server, but the server has the wrong information about where that message came from and where it has to send its reply. So the hacker is just sending message after message to the server with this false return address, and the server has to answer each one. That's the server's job. So the hacker is just flooding the server as much as possible to bring it down, because the server can't just ignore incoming messages. If a server ignored incoming messages, the basic operations of the Internet would break down. Now, that kind of attack is actually not that hard to defend against, because if you do detect it, if you detect that there's an unusual amount of traffic coming from a single source, even if that source is a fake IP address, you can just block anything coming from there, and then you can keep accepting other traffic. And it's, in the grand scheme of things, relatively easy to deal with a basic denial of service attack. But the denial of service attack is small change compared to a distributed denial of service attack. This is big D, big D, little o, big S: DDoS. So to do a DDoS attack, a hacker needs access to a bunch of computers. This is the distributed part, and working together, these computers, which could number in the millions for a particularly huge zombie army or botnet, can all work together to send messages to a targeted server, which then gets bogged down trying to answer all these messages.
Now, if this podcast were instead a book, I would have put a footnote up there when I mentioned large botnets. It is hard to get a real figure for how big a botnet is. You can make some estimates, but it's hard to get a firm grasp, largely because computers are not necessarily always on, right? They're not always connected. You might turn your computer off, or your Internet connection might go down or whatever, and so it's not easy to actually quantify how big these botnets can be. However, we have some general idea of some of the largest ones. So there was a botnet, still is a botnet, associated with a trojan called Zeus that involved more than thirteen million computers, so they can be quite large. Also, I should add botnets can be used for lots of other stuff besides DDoS attacks. That's like one of the easily identifiable reasons for a botnet, but there are other ones as well. Also, just adding that you should always be careful to make sure your machines don't become part of one, which means practicing good etiquette online. You know, making sure you're not downloading files that are coming from questionable sources, not clicking on links that are coming from questionable sources, all the basic stuff you know about. These are reasons why that's important to follow. All right, we've got some more to say about zombies, but first let's take a break.

We're back. All right, so for a DDoS attack to work, first you have to actually gather your zombie army, and that alone requires a few steps of its own. So step one is you design, or you make use of, existing malware that compromises targeted computer systems. So if someone installs the malware, it creates a compromised computer system. So the goal is to create a means for a hacker to be able to send a command to the compromised machines that will then prompt the machine to follow orders.
The malware could be relatively simple, where it just allows for this DDoS attack approach, or it could be more extensive, and frequently is more extensive, allowing a wider spectrum of backdoor access for hackers that could ultimately give a hacker administrator-level access to a machine, which is obviously a really bad thing for that target machine. And that's really why you need to be super careful and practice good etiquette when you're online, because if you download certain types of malware, it essentially means you've just handed your computer over to a hacker. They're able to get backdoor access to your system, they can look at all your files, they can lock it down. That's how ransomware works, where they lock down your computer system or lock down certain directories in your computer and then they demand a ransom, and in return they will unlock those for you. So this is again a reminder to be very careful when you're online. You don't want to hand over the keys to your system to some stranger, right? You just don't want to do that. Anyway, lots of hackers make use of already existing tools. There's a much smaller group of them who are actually designing the tools. Those are the ones you really have to worry about. I mean, you have to worry about all of them. The ones who just make use of pre-existing stuff in order to advance their own agendas, often they are dismissively referred to as script kiddies. They're taking existing script or programming and making use of it, but they're not writing it themselves. That's a term that's often used for them. I find that term to be problematic simply because it doesn't reduce how potentially dangerous they can be. If you dismiss them and you think that they're not an issue, then you might be setting yourself up for being victimized. So I don't really like using the script kiddies designation anyway.
A lot of the time hackers hide malware packages inside a larger, seemingly legitimate file, and this is called the trojan method. It's named after the Trojan horse of ancient legend. So instead of packing a bunch of soldiers inside a big wooden horse, these digital Trojan horses have a malware package hiding within them. So you design the trojan to look like something else, maybe something that folks would really like to get hold of. This is one reason why you hear people caution others about downloading pirated files, going to sources where you've got, you know, stuff like games and movie files and all this kind of stuff supposedly ready for you to download. It's not just that the matter of piracy itself is illegal, that you're essentially stealing; you know, the idea of downloading a product without paying for that product is stealing. But it's also that hackers will sometimes insert malware into files and they will hide those in pirate communities. Like, they'll name the files something that people really want, you know, maybe it's like an upcoming film that hasn't hit theaters yet, but it's supposedly a leaked copy of it, and you know, there are a lot of people who are curious about that, and they'll go through the trouble of downloading it. Well, you hide some malware in there, and whether it's the real film or not, you've delivered malware to someone and potentially convinced them to install it, because you know, maybe you've compressed the file in some way and you've disguised it and people are clicking on it. They're just eager to get a look at this movie, and in the process they install malware on their machine. Also, if someone is illegally downloading files, that person is likely to resist speaking up about being victimized simply because they were already engaged in something that was questionable, right? They were pirating files.
It's that thought that if someone's being dishonest, they're not going to come forward when you have targeted them, because they're worried about being found out. So it's identifying your target audience, and the ones that are less likely to actually take steps to fix a problem if it pops up, so that can give hackers more time with these compromised machines, these zombie computers. So hackers build up their zombie armies, their botnets, by distributing the malware in various ways. The trojan method is just one of many. There are lots of others. And they monitor the botnet as it grows. You know, they're essentially administering the botnet in the back end. They have the ability to send out commands. This is why you get concepts like a zombie army, because the individual compromised devices are the soldiers of that army. The hacker ends up being the commander of that army and can send out commands to the entire army. And maybe the hacker doesn't take action right away. Maybe they just sit and wait. They have this growing number of devices that are part of their army, and they just wait until the time's right. In fact, it's even possible that they don't even have a target in mind yet. They just compromise the machines, but it's really because they plan on doing an attack, but they haven't even decided who they're going to attack. That can sometimes happen too. But when the time comes, they send out the command to all these infected devices, at least the ones that are currently online, and they direct these devices to all start flinging messages at the target server, and boom, you've got your distributed denial of service attack carried out by zombie computers. Spooky. Now, DDoS attacks can get more complicated than how I've described. For example, it's also possible to make use of compromised Internet of Things devices.
They don't have to just be computers, and you may have heard me speak in past episodes about issues with IoT security. Some companies are not very good at securing their devices properly, so you'll get a manufactured product with poor security on that product. The assumption is just that it's not going to get targeted. There's a great example of various manufacturers that have used a common login and password for devices, including routers, where there's a generic login and password, and if you know the generic login and password for those routers, it means that you can access any router where the user has not made the effort to change those, and as you might guess, most people don't go to that effort. Most people fail to go in and change the default settings on their various devices, which means if you know the default login, you can access those devices, right, even if you don't have access to other stuff on the network. So then hackers can get access to a very large installed base of Internet of Things devices in this way. Forescout Research Labs looked at more than eight million devices in the IoT field and they found that there are some particularly weak examples, and they happen to be in very important places. They found that one category of IoT device that tends to have pretty weak security is medical devices. That is terrifying. They also found that networking equipment was particularly weak with security. Again, this is like the infrastructure, the bones upon which everything is built, and those are weak points. In a way, it almost doesn't matter how much security you've built on top of everything else. If you can get at the underlying networking equipment, you can cause some real havoc. So it's possible to direct these kinds of devices to also send Internet traffic to a targeted server. So a zombie army may not be composed of computers. It could include stuff that's well outside your typical computer.
And as more devices join the Internet of Things, this problem continues to grow. And while companies like Cloudflare, which we'll talk about in a couple of minutes, have really come up with some mitigation strategies to deal with DDoS attacks, the attackers are always looking for other ways to be effective. DDoS attacks can also be sophisticated in other ways. So I gave a big overview of how DDoS works. But while that is an overview, you need to know that there are different types of DDoS attacks that target different elements or layers of a network. So you've got, you know, you can think of networking as different layers, with each layer corresponding to a specific subset of tasks. And I'm not going to go into the full layer description. I've done episodes about that in the past, but my point is that a DDoS attack can target a specific layer, and if you use a DDoS attack that targets multiple layers using lots of different computers, that becomes a very sophisticated DDoS attack, one that is much harder to defend against than a DDoS attack that targets just a single layer, like the web server layer that I kind of described earlier. The one that took down the airport websites that I mentioned at the beginning of this episode, that was a very simple DDoS attack. It was attacking a specific layer, just one, so it wasn't a multi-layer attack, and so was therefore easier to defend against. But they don't all have to be like that. They can be a multi-layer attack from multiple vectors, and that becomes a much more challenging issue to defend against. And you know, the goal is almost always to gum up the network so that traffic slows to a crawl or it crashes entirely. So the goal is usually the same goal, right? You're just trying to disrupt connectivity to a specific target, but there are different ways of doing that, whether you're attacking the server itself or you're attacking elements within the Internet that direct traffic to that server.
And maybe in a future episode I'll go into more detail about that, but that's going to require like a full-length episode, so we're gonna leave that for now. We're also going to take another quick break. When we come back, I'm gonna talk more about Cloudflare and how Cloudflare helps protect against things like DDoS attacks and keep us safe from the zombies. But first, this break.

All right, before the break, I mentioned Cloudflare, which provides several services, not just protection against DDoS. But that's one that a lot of people relate Cloudflare to. They think of that as like a company that protects other companies from unwanted massive amounts of traffic, in other words, DDoS attacks. This is tricky because, at least initially, a DDoS attack can look like legitimate traffic to a server, and you know you don't want to block legitimate traffic, right? You don't want to proactively cut people off from connecting to a server. The whole point of services is to allow clients to connect to them, and so if you are blocking off all traffic, then there might as well not be a server there at all. So you want to make sure you're able to differentiate between what an attack is and what legitimate traffic is. The server starts getting requests that are piling up, but these requests are coming from different machines with a DDoS attack, right? They're not coming from a single source. So at first blush it looks like it's just a massive uptick in legitimate traffic. And as I said, there could be times when this actually happens, like there are situations where this occurs naturally, so you have to be able to sort those moments out from malicious DDoS attacks. Now, the way Cloudflare does this involves a few different approaches. One is to look at the IP addresses of the incoming messages. If they originate from the same address or from a relatively narrow range of IP addresses, that's suspicious, right?
If you're looking at it and you're thinking, these are all really similar, so it looks like they're all coming from the same group, that could indicate a DDoS attack. Similarly, if the traffic is coming in from a narrow range of behavioral profiles, that's a red flag. So a behavioral profile in this context is really about the type of device that sent the traffic in the first place, right? Was it a laptop? Was it a mobile device? Was it an Internet of Things device? So if you are running a news site and you start to detect a, you know, ton of traffic that's coming in from smart thermostats, that's a big old red flag, because you can't really think of a reason why smart thermostats would be pinging a web server for a news site. So if you're Cloudflare, you might look at the incoming traffic and say, that's hinky, this is probably a DDoS attack. Also, if the surge in traffic starts arriving in patterns, like if you notice that every thirty minutes you get another surge, that's a red flag. If it's happening at a regular, you know, kind of timed interval, that looks artificial. That looks like that's a system that's directing waves of messages at a predetermined amount of time. If they're not coming in haphazardly, if they're coming in in these waves, then that suggests it's an artificial attack. Or if you detect a huge traffic spike but it's an unusual time of day, that's another indicator. For example, you wouldn't expect a ton of traffic to hit, say, a website for a line of credit unions that are on the East Coast of the United States at 2 a.m. Eastern time, for example, right? Because typically those sites should only really be getting huge amounts of traffic, or even just regular amounts of traffic, during the daytime for Eastern time. So, yes, the Internet is global, so it's not like you would expect traffic to drop to zero necessarily. But we tend to see traffic behave in similar amounts and in similar scale wherever the site happens to be based.
Right? So if a site is based on the East Coast of the United States, in the middle of the night in the US, you probably see a drop in traffic there. If you see a spike in the middle of the night, that's a potential indication of an attack. Now, obviously that's not always true, but you know, for certain types of sites, it's a good rule of thumb. So first, Cloudflare actually has to differentiate an attack from legitimate traffic, and then it essentially has to block incoming traffic from suspected attack sources, thus shielding the client from all of those unwanted messages. It may also use something called rate limiting. This is essentially all about setting boundaries, which is important in any relationship. You've got to set your boundaries. Now, in this case, setting boundaries means setting how many requests a server will accept in a given amount of time, and once you hit that limit, no more requests can come through until the next available time slot opens up. That limits both the attacks and legitimate traffic, however, so it can definitely reduce the probability of a DDoS attack taking down a target, but it also means that legitimate users aren't going to really be able to get access either, so everyone kind of gets affected. Another strategy is making use of a reverse proxy. All right, so proxies are really useful things on the Internet, and it's very possible that you've used one before. If you use a VPN, you have relied on a proxy. So a proxy stands in place for some other entity. With VPNs, the proxy stands in place for clients. So when you connect your computer to a VPN, you're connecting to a proxy server, and all the web traffic you engage with has to go through that VPN. So to the outside world, if someone were snooping on you, they would see that you are connected to a VPN, but that's as far as they can tell. They know that you connected to this VPN, but that's as much as they know.
They can also tell that the VPN is connecting to all these other different sites and services, but they wouldn't be able to say for sure that that was you directing the VPN to do that, because the VPN has also got lots of other computers connected to it, so you don't know who is connecting to what. You can see that everything is going into the VPN, and then you can see that the VPN is then sending that information along to the various clients connected to the VPN, but you have obfuscated what folks are doing. VPNs are used for all sorts of legitimate reasons. There are companies that use VPNs so that outsiders can't snoop on traffic between the company and the employees, for example. VPNs can be used to get around regional restrictions. So an example of that could be in a foreign country where the government is really cracking down on Internet access; a VPN or proxy server might allow you to sidestep those restrictions and access the Internet in an otherwise unfettered way. So there are legitimate reasons for this. So the VPN sends all traffic along to you, and due to encryption and the fact that there are multiple clients connected to the VPN, it hides what's going on. Now, a reverse proxy is similar, but it's different in an important way. So a reverse proxy is a server that sits in front of a server or servers. So with a VPN, no server will ever connect directly to a client. It can only connect to a client via the VPN. With a reverse proxy, no client can connect to a specific server; instead it connects to the reverse proxy server, which acts as kind of a middleman and then sends traffic along to the ultimate server. So it's a gatekeeper, really, and attackers would not have the IP address of the target server; they would instead be able to only direct traffic to the reverse proxy server.
So if a company like Cloudflare is in charge of those reverse proxy servers, Cloudflare can institute tougher security measures to prevent an onslaught of illegitimate traffic hitting the target. So the reverse proxy kind of acts like a really tough bouncer outside of a club. The bouncer will let the right folks into the club and make sure that the undesirables hit the curb. Now, protecting against DDoS attacks can get really sophisticated, largely because a well-designed DDoS attack will aim at hitting a target through several layers, right? They won't just be a simple overwhelming attack if they're planned out properly. So defense has to be able to work for all these different layers of attack. Otherwise, you can protect one part of your target but leave another part unshielded, and boom, the DDoS attack still ends up being effective. This is why companies like Cloudflare exist, because while protection isn't impossible, it is time-consuming, it's easy to get wrong, and it's also why it's a really big deal whenever Cloudflare dumps a client, which doesn't happen often, but it can in extreme circumstances. For example, there's the Kiwi Farms case. Now, in case you are unaware of Kiwi Farms, which I would say you are lucky if you don't know what Kiwi Farms is, Kiwi Farms is a site that houses forums largely dedicated to doxing, that is, the release of private information about a person, harassing, abusing, and threatening certain folks, for example the trans community. And it's beyond horrifying the lengths that folks will go to in order to torture targets. And the Kiwi Farms groups have been known to heap so much abuse on people, including revealing details of their personal lives online, or inventing stories and spreading them as if they were true online, or swatting victims, that means that they make a fake emergency call into law enforcement that prompts an armed response team to arrive at the target's home.
These levels of abuse have gone so far that some folks were driven to committing suicide as a result. It is truly horrifying stuff. Now, Kiwi Farms depended on Cloudflare to shield the site from attacks, because obviously a hate group is also going to become a target itself from people who want to take that hate group down. In September of this year, Cloudflare announced it was dropping Kiwi Farms as a client due to, quote, immediate threat to human life, end quote, and so Kiwi Farms has had trouble staying online ever since and has been the site of data breaches since then. People have gotten access to accounts and things like that, and there are related issues that the site has encountered that involve hosting, so not just protection but hosting. But that's just a related but different matter, so we're not going to go into all that. But it really does illustrate that Cloudflare's services are really important, particularly for high-profile sites, whether that site is high-profile because it's seen as being a really important part of the infrastructure as a whole, or it's just high-profile because of the nature of the site itself, in the case of Kiwi Farms, and once that protection goes away, those sites have a real hard time staying up because they are such a tempting target. At any rate, the DDoS attack that brought down the airport websites that I talked about at the beginning appears to have been a relatively simple one. It was effective in that it did clog up web traffic to the airport websites, but it didn't take very long for folks to resolve the problem, and as I mentioned, it failed to disrupt travel at all. But we still see the occasional DDoS attack take down sites and services that have a wider impact on society, so it's not like these things are going away.
And again, part of the responsibility falls to us as denizens of the online world to make sure that we are being as careful as we can so that we don't compromise our devices and have them join a zombie army. Some of that is beyond our control. Some of it falls to companies to make sure that they institute better security measures when they create Internet-connected devices, so that hackers don't easily have a skeleton key that gives them access to an enormous number of those devices. And obviously, ultimately at fault are the people who are directing these attacks, right? If they weren't doing it, then it wouldn't be a concern. But we have to do our best to make sure we don't become part of the problem. Anyway, that was today's spooky topic of zombie computers, zombie armies. I'll be talking about lots of other types of spooky-related stuff, questionably spooky-related stuff, this month. I'm still trying to figure out how I could do a Ghost in the Machine episode. I'll try and figure out if I can make that happen, and there's some other concepts that are floating around that I would like to tackle. If you have suggestions for spooky topics that are tech related, let me know. One way to do that is to download the iHeartRadio app. It's free to download and use. Just navigate on over to the TechStuff page. You can do that in the search engine, and use the little microphone icon to leave me a voice message up to thirty seconds in length. Let me know if you would like me to use the message in an upcoming episode. I'm all about opt-in, so I will only do it if you tell me expressly that it's okay to do it. And the other way to reach out to me is on Twitter. The handle for the show is TechStuffHSW, and I'll talk to you again really soon. TechStuff is an iHeartRadio production. For more podcasts from iHeartRadio, visit the iHeartRadio app, Apple Podcasts, or wherever you listen to your favorite shows.
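As an added illustration, not code from the episode or from Cloudflare: a Python script that runs the three red-flag heuristics described in the episode (a narrow source range, a single unexpected device class, an off-hours spike) over a constructed access log, then replays the same log through a fixed-window rate limiter to show how the limit hits every visitor caught in the window. The log format, the device-class field, the 50% thresholds and the 6 a.m. to 10 p.m. business hours are assumptions; all addresses are from documentation ranges.

```python
# Added example, not code from the episode or from Cloudflare. Log format,
# device-class field and thresholds are assumptions; addresses are RFC 5737.
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample log: "<ISO-8601 UTC timestamp> <client IP> <device class>".
# Four ordinary daytime visits from unrelated networks, then a burst at 06:00 UTC
# (2 a.m. US Eastern in October) of "smart thermostat" requests from one /24.
SAMPLE_LOG = """\
2022-10-12T14:03:11Z 203.0.113.5 desktop-browser
2022-10-12T14:05:42Z 192.0.2.77 mobile-browser
2022-10-12T15:20:09Z 203.0.113.140 desktop-browser
2022-10-12T16:48:30Z 192.0.2.9 mobile-browser
2022-10-13T06:00:00Z 198.51.100.11 iot-thermostat
2022-10-13T06:00:00Z 198.51.100.12 iot-thermostat
2022-10-13T06:00:01Z 198.51.100.13 iot-thermostat
2022-10-13T06:00:01Z 198.51.100.14 iot-thermostat
2022-10-13T06:00:02Z 198.51.100.15 iot-thermostat
2022-10-13T06:00:02Z 198.51.100.16 iot-thermostat
2022-10-13T06:00:03Z 198.51.100.17 iot-thermostat
2022-10-13T06:00:03Z 198.51.100.11 iot-thermostat
"""

def parse_log(text):
    """Parse lines into (timestamp, ip, device) tuples; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            ts = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
            ip = ipaddress.ip_address(parts[1])
        except ValueError:
            continue  # bad timestamp or address: ignore rather than crash
        records.append((ts, ip, parts[2]))
    return records

def top_source_prefix(records, prefix_len=24):
    """(network, share) for the /prefix_len block sending the most requests."""
    nets = Counter(ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
                   for _, ip, _ in records)
    net, count = nets.most_common(1)[0]
    return str(net), count / len(records)

def top_device_class(records):
    """(device class, share) for the most common device class in the log."""
    dev, count = Counter(dev for _, _, dev in records).most_common(1)[0]
    return dev, count / len(records)

def off_hours_share(records, utc_offset_hours, start=6, end=22):
    """Share of requests arriving outside [start, end) in the site's local time."""
    local = timezone(timedelta(hours=utc_offset_hours))
    off = sum(1 for ts, _, _ in records if not start <= ts.astimezone(local).hour < end)
    return off / len(records)

def assess(records, utc_offset_hours=-4, threshold=0.5):
    """Run the three heuristics; return the red flags raised (empty list if none)."""
    flags = []
    net, share = top_source_prefix(records)
    if share > threshold:
        flags.append(f"narrow source range: {share:.0%} of requests from {net}")
    dev, share = top_device_class(records)
    if dev.startswith("iot-") and share > threshold:
        flags.append(f"unexpected device class: {share:.0%} of requests from {dev}")
    share = off_hours_share(records, utc_offset_hours)
    if share > threshold:
        flags.append(f"off-hours spike: {share:.0%} of requests outside business hours")
    return flags

class FixedWindowRateLimiter:
    """Accept at most `limit` requests per `window_seconds`, whoever sent them.
    As the episode notes, this throttles legitimate visitors caught in a flood too."""
    def __init__(self, limit, window_seconds):
        self.limit, self.window = limit, window_seconds
        self.seen = defaultdict(int)  # window index -> requests seen so far

    def allow(self, ts):
        window = int(ts.timestamp()) // self.window
        self.seen[window] += 1
        return self.seen[window] <= self.limit

def apply_rate_limit(records, limit=3, window_seconds=60):
    """Replay the log through the limiter; returns (allowed, blocked) counts."""
    limiter = FixedWindowRateLimiter(limit, window_seconds)
    allowed = sum(1 for ts, _, _ in records if limiter.allow(ts))
    return allowed, len(records) - allowed

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for flag in assess(recs):
        print("RED FLAG:", flag)
    print("rate limit, 3 per minute (allowed, blocked):", apply_rate_limit(recs))
```

On the sample log all three flags fire (each at 67% of requests), and the 3-per-minute limit lets the four daytime visits through but admits only three of the eight burst requests.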
