Russian Cyber Attack: Network Hardening
Almost everyone saw Biden's warning about the potential for a Russian cyber attack, and his statement that Russia is currently exploring options for attacks on the United States and its critical infrastructure. First of all, do we host any critical infrastructure? Yes, we do: local governments, politicians and food-industry websites. Our network is as essential as they come. Therefore, over the past couple of weeks we have quietly been making changes, which some of you have noticed as a brief outage here and there.
The first step in hardening against an actor such as Russia is to do your research. We went back years through known data and even called a few contacts in the US Army Signal Corps to build a profile of how Russia operates. Knowing how they might attack tells us which vectors we need to guard most carefully. The research says Russia likes to play distract and breach: they might DDoS a network to mask a brute-force break-in to a node on that same network. That is why the DDoS work below is paired with hardening the nodes themselves; the flood is the distraction, and the login attempts behind it are the real attack.
In IT it is sometimes okay to fight fire with fire. In this case we've developed a few solutions that we hope will at least slow an attacker down.
Essentially, we have hardened our network in a big way. First, all IP addresses and assignments are now modular: no service address is tied to a single host, and our web servers can answer on any address we hand them. Combined with that, taking our network down for any extended period via DDoS becomes much harder, because we can black-hole the attacked IP and switch the affected sites over to a spare address with little interruption. We are working on automating this process and have had moderate success so far. The weak spot of any such scheme is DNS: the switch is only as fast as the TTL on the moved hostname's record, so those TTLs have to stay short.
Most networks have their critical weakness at the router. Almost no router can absorb a large DDoS; even ours, which handles a lot, can be brought to its knees trying to mitigate some attacks. We have therefore negotiated two dedicated link addresses with Charter for the router's upstream side, separate from the public addresses that carry our services. That means we can black-hole every public IP we have and still keep transit with Charter, which lets them take a snapshot of the traffic on their side, see what we are seeing, and deploy upstream filtering. It also lets us change the router's own public address more freely: if one IP is attacked, we black-hole it and move to a spare, signalling the black hole to Charter over the BGP session (what we earlier called the "border gate community" is the BGP blackhole community on the withdrawn prefix) so that the attack traffic is discarded on their side before it ever reaches our link.
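The failover just described, as an added example rather than our own tooling: a small POSIX shell script that null-routes an attacked address on an FRR router, picks the next spare from the address pool and repoints the hostname with a short TTL. Everything about the layout is assumed for the example: the router runs FRR, a route-map on the upstream session turns static routes tagged 666 into announcements carrying the well-known BLACKHOLE community 65535:666 (RFC 7999), the web servers already answer on every address in the pool, and DNS accepts TSIG-signed dynamic updates. The addresses are TEST-NET-3 placeholders, and the hostnames and key path are made up. DRY_RUN=1 prints the commands instead of executing them.

```sh
#!/bin/sh
# RTBH (remotely triggered black hole) failover for an attacked service address.
# ASSUMED layout for this example (not the author's actual tooling):
#  - the edge router runs FRR; static routes tagged 666 are redistributed to
#    the upstream with the BLACKHOLE community 65535:666 (RFC 7999), so the
#    provider discards the traffic before it reaches our link;
#  - the web servers already answer on every address in POOL;
#  - DNS_MASTER accepts TSIG-signed dynamic updates (nsupdate).
# DRY_RUN=1 prints every command instead of running it.

POOL="203.0.113.10 203.0.113.11 203.0.113.12"      # constructed TEST-NET-3 addresses
DNS_MASTER="${DNS_MASTER:-ns1.example.com}"         # assumed
TSIG_KEY="${TSIG_KEY:-/etc/rtbh/update.key}"        # assumed
STATE="${STATE:-${TMPDIR:-/tmp}/rtbh.blackholed}"   # addresses already withdrawn (use /run in production)

run() {
  if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

is_blackholed() {  # $1 = address; true if we already pulled it
  [ -f "$STATE" ] && grep -qx "$1" "$STATE"
}

# Install a tagged null route on the router. The FRR route-map that matches
# tag 666 and sets community 65535:666 on the upstream session is assumed to
# exist; the tag is what turns this static route into an RTBH announcement.
blackhole_ip() {
  run vtysh -c 'configure terminal' -c "ip route $1/32 Null0 tag 666"
  printf '%s\n' "$1" >> "$STATE"
}

# First pool address that has not been black-holed; exit 1 when none is left,
# because repointing DNS at an address we just withdrew would be pointless.
next_spare() {
  for ip in $POOL; do
    if ! is_blackholed "$ip"; then printf '%s\n' "$ip"; return 0; fi
  done
  return 1
}

# Repoint the hostname at the spare with a 60 s TTL so the next move is cheap.
dns_repoint() {  # $1 = fqdn, $2 = new address
  update="server $DNS_MASTER
update delete $1 A
update add $1 60 A $2
send"
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf 'nsupdate -k %s <<EOF\n%s\nEOF\n' "$TSIG_KEY" "$update"
  else
    printf '%s\n' "$update" | nsupdate -k "$TSIG_KEY"
  fi
}

failover() {  # $1 = attacked address, $2 = hostname that pointed at it
  if is_blackholed "$1"; then echo "$1 already black-holed" >&2; return 1; fi
  blackhole_ip "$1"
  spare=$(next_spare) || { echo "no spare address left; not repointing $2" >&2; return 2; }
  dns_repoint "$2" "$spare"
  echo "moved $2 from $1 to $spare"
}

# Usage: DRY_RUN=1 failover 203.0.113.10 www.example.com
```

Two things the script makes explicit that the prose glosses over: black-holing an address finishes the denial of service on that address (the point is that the service no longer depends on it), and a pool is finite, so the script refuses to "fail over" once every spare has been burned rather than repointing DNS at a dead address.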
The one thing I found odd was the lack of security around IPv6. We have fixed that. IPv6 may still feel new, but it is a vector on which many companies are entirely vulnerable, because most commercial routers ship with no IPv6 filtering at all; the NAT that incidentally shields IPv4 hosts from unsolicited inbound traffic is absent, so every IPv6 address behind the router is reachable end to end. We have set up our own edge firewall specifically for IPv6, so that if it does become an attack vector our defences there will be as good as or better than our IPv4 preparations.
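What a fail-closed IPv6 edge ruleset looks like, as an added example and not our actual configuration: a shell function that writes an nftables ruleset for a Linux edge router forwarding to a hosting segment, plus a check function. The layout is assumed: eth0 is the upstream interface and 2001:db8:10::/64 (a documentation prefix) stands in for the hosting network. The part people most often get wrong is ICMPv6, which cannot be blocked wholesale the way ICMP often is on v4; the types listed are the ones RFC 4890 says a node needs for path MTU discovery and neighbour discovery.

```sh
#!/bin/sh
# IPv6 edge ruleset for nftables on a Linux router. Added example with an
# ASSUMED layout (not the author's configuration): eth0 faces the upstream,
# 2001:db8:10::/64 (documentation prefix) is the hosting segment, IPv4 lives
# in its own table and is out of scope here.

HOSTING_NET="${HOSTING_NET:-2001:db8:10::/64}"
WAN_IF="${WAN_IF:-eth0}"

write_ip6_ruleset() {  # $1 = output file
  cat > "$1" <<EOF
#!/usr/sbin/nft -f
# Create-then-delete makes the file idempotent without flushing the IPv4 table.
table ip6 edge
delete table ip6 edge
table ip6 edge {
  set service_ports { type inet_service; elements = { 80, 443 } }

  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # RFC 4890: these ICMPv6 types are not optional; dropping them breaks PMTUD
    # and neighbour discovery for the router itself.
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    icmpv6 type { nd-neighbor-solicit, nd-neighbor-advert, nd-router-solicit, nd-router-advert } ip6 hoplimit 255 accept
    icmpv6 type echo-request limit rate 10/second accept
    # Management only from the inside; nothing else reaches the router from the WAN.
    iif != $WAN_IF tcp dport 22 accept
    limit rate 5/minute log prefix "ip6-edge drop: "
  }

  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
    # Cheap SYN-flood damper before the web servers see anything.
    iif $WAN_IF ip6 daddr $HOSTING_NET tcp dport @service_ports ct state new limit rate over 500/second drop
    iif $WAN_IF ip6 daddr $HOSTING_NET tcp dport @service_ports accept
    # Hosted VMs may talk out freely; replies return via established,related.
    iif != $WAN_IF ip6 saddr $HOSTING_NET accept
    limit rate 5/minute log prefix "ip6-edge fwd drop: "
  }
}
EOF
}

check_ip6_ruleset() {  # $1 = ruleset file
  if command -v nft >/dev/null 2>&1 && [ "$(id -u)" = 0 ]; then
    nft -c -f "$1"          # full syntax/semantic check against the kernel
  else
    # Without nft (or root) at least confirm both chains are fail-closed.
    [ "$(grep -c 'policy drop;' "$1")" -eq 2 ]
  fi
}

# Usage: write_ip6_ruleset /etc/nftables.d/ip6-edge.nft && check_ip6_ruleset /etc/nftables.d/ip6-edge.nft
```

The rate limits are deliberately modest; they are a damper, not DDoS mitigation, which is what the upstream black-holing above is for. The logging rules sit last and are themselves rate-limited so that a flood cannot turn the firewall's own log into the denial of service.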
What this means is that we can keep moving the target on any would-be attacker, forcing them to zero in again and again; by the time they have, we have moved, which not only frustrates an attacker but can ultimately defeat them.
We plan to roll out a few more security features today and Friday; we expect minimal disruption.
As another precaution, all of our shared hosting environments now run as virtual machines, with CentOS as the host OS. We have also pulled off one more crazy little trick: a Linux software RAID (md) array in a RAID 1 configuration whose two legs are the VM's hard drive and an NFS mount, so the VM disk is constantly mirrored to a network drive and a copy of each VM exists in two separate locations at all times. Note that this is a live mirror rather than a point-in-time backup: a deletion or corruption on the VM disk is mirrored too, which is why the offsite copies described below still matter. Linux makes this practical because any device or file, including a file on an NFS mount, can be presented as a block device and handed to its built-in software RAID.
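The mirror described above, as an added example of how it can be built with mdadm (assumed layout, not our actual procedure): the VM disk is an empty LVM volume, the second leg is a sparse image on an NFS export attached as a loop device, and the network leg is marked write-mostly so reads never cross the network. The second function parses /proc/mdstat, because the failure mode of this design is silent: when the NFS server goes away, md simply drops that leg and keeps running on the local disk, and nothing tells you the "two locations" have become one. Host and path names are made up; DRY_RUN=1 prints the commands only.

```sh
#!/bin/sh
# Mirror a VM's disk onto an NFS-backed loop device with Linux software RAID.
# Added example with an ASSUMED layout (not the author's procedure): the VM
# disk is a fresh, empty LVM volume, the second leg is a sparse image on an
# NFS export. DRY_RUN=1 prints commands instead of running them.

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# $1 = local disk, $2 = NFS export (host:/path), $3 = mount point,
# $4 = image size, $5 = md device to create
setup_mirror() {
  img="$3/$(basename "$1").img"
  # hard mount: a stalled NFS server blocks I/O instead of returning errors,
  # which md would otherwise immediately treat as a failed leg.
  run mount -t nfs -o hard,vers=4.1,noatime "$2" "$3"
  run truncate -s "$4" "$img"                 # sparse backing file
  if [ "${DRY_RUN:-0}" = 1 ]; then
    run losetup --find --show "$img"
    loopdev=/dev/loop0                        # placeholder name in dry-run
  else
    loopdev=$(losetup --find --show "$img")
  fi
  # 1.2 metadata overwrites the start of both legs: only do this on an EMPTY
  # volume, then install the VM onto the md device, never onto a disk that
  # already holds data. --write-mostly keeps reads on the local leg;
  # --write-behind lets writes to the slow leg lag (needs the internal bitmap,
  # which also makes resync after an NFS hiccup incremental rather than full).
  # Both legs are empty, so --assume-clean skips an initial sync that would
  # only fill the sparse image with zeros.
  run mdadm --create "$5" --level=1 --raid-devices=2 --metadata=1.2 \
      --bitmap=internal --write-behind=256 --assume-clean \
      "$1" --write-mostly "$loopdev"
}

# After an NFS outage the loop leg is marked faulty. Once the mount is back,
# re-add it; the bitmap resyncs only the blocks written in the meantime.
readd_leg() { run mdadm "$1" --re-add "$2"; }   # $1 = md device, $2 = loop device

# Exit 0 if any array in /proc/mdstat (or a saved copy) runs with a missing
# leg, i.e. a status field like "[2/1] [U_]". Wire this into monitoring:
# md does not complain loudly when a leg drops out.
mirror_degraded() {  # $1 = mdstat file (default /proc/mdstat)
  awk '/\[[0-9]+\/[0-9]+\] \[[U_]+\]/ { if ($NF ~ /_/) degraded = 1 }
       END { exit (degraded ? 0 : 1) }' "${1:-/proc/mdstat}"
}

# Usage: DRY_RUN=1 setup_mirror /dev/vg0/vm01 nas.example.internal:/export/mirrors /mnt/mirrors 20G /dev/md0
#        mirror_degraded && echo "a mirror leg is missing"
```

A mirror over a network leg trades write latency for the second copy; write-mostly plus write-behind is what keeps that trade acceptable for a web workload that is mostly reads.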
No network administrator worth their salt will ever tell you their network is "hack proof", but we are sure trying to get to that point; it is a worthy goal. For you, this means we have made every possible preparation for whatever the future has in store. We have made websites harder to break into, harder to take offline, and harder to destroy. None of our solutions is foolproof or 100%, but we hope that if they have to be used, they help.
In addition, we are starting to store some websites offsite, especially those the Department of Homeland Security has classified as "Essential". Until the situation with Russia is over, we will offer this service without charge to those essential websites, so that we can recover them in the event of catastrophic data loss.
The one silver bullet we are holding in reserve: a list of every Russian network is loaded on our edge firewall and can be dropped there at any moment. We have not pulled that trigger, because a registry-based country block is a blunt instrument: it cuts off legitimate Russian visitors while an attacker can simply rent servers elsewhere, so it is a last resort rather than a first line of defence.
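How a list like that can sit on an nftables firewall "loaded but not enforced", as an added example and not our actual setup: the prefixes are kept in two sets that are refreshed on every load, and the chain that consults them stays empty until it is armed, so switching the block on or off is a single command with no ruleset reload. The table name and the prefix list are made up; the sample list uses RFC 5737/3849 documentation prefixes as placeholders and says nothing about real Russian allocations. The filter step matters more than it looks: one malformed line in a downloaded list makes nft reject the whole batch.

```sh
#!/bin/sh
# "Loaded but not enforced" block list on nftables. Added example with an
# ASSUMED layout (not the author's setup). Sets v4/v6 are refreshed on each
# load; the "reserve" chain they are consulted from is empty until armed.
# Sample prefixes are RFC 5737/3849 documentation space, constructed for the
# example. DRY_RUN=1 prints the nft batch and commands instead of loading them.

NFT_TABLE="inet reserve"

run() { if [ "${DRY_RUN:-0}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# Keep only well-formed CIDR lines (prefix length range-checked); anything
# else in a downloaded list would make nft reject the entire batch.
v4_prefixes() { grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}/([0-9]|[12][0-9]|3[0-2])$' "$1"; }
v6_prefixes() { grep -E '^[0-9A-Fa-f:]+/([0-9]|[1-9][0-9]|1[01][0-9]|12[0-8])$' "$1"; }

apply_batch() {  # $1 = nft batch file; one atomic transaction when applied
  if [ "${DRY_RUN:-0}" = 1 ]; then cat "$1"; else nft -f "$1"; fi
}

load_reserve() {  # $1 = prefix list file, one CIDR per line
  batch=$(mktemp)
  {
    echo "add table $NFT_TABLE"
    echo "add set $NFT_TABLE v4 { type ipv4_addr; flags interval; }"
    echo "add set $NFT_TABLE v6 { type ipv6_addr; flags interval; }"
    echo "add chain $NFT_TABLE reserve"
    # priority -10 runs before the normal filter chains at 0; policy accept
    # means this table does nothing at all until the reserve chain has rules.
    echo "add chain $NFT_TABLE input { type filter hook input priority -10; policy accept; }"
    echo "add chain $NFT_TABLE forward { type filter hook forward priority -10; policy accept; }"
    echo "flush chain $NFT_TABLE input"
    echo "flush chain $NFT_TABLE forward"
    echo "add rule $NFT_TABLE input jump reserve"
    echo "add rule $NFT_TABLE forward jump reserve"
    echo "flush set $NFT_TABLE v4"
    echo "flush set $NFT_TABLE v6"
    v4=$(v4_prefixes "$1" | paste -sd, -)
    v6=$(v6_prefixes "$1" | paste -sd, -)
    if [ -n "$v4" ]; then echo "add element $NFT_TABLE v4 { $v4 }"; fi
    if [ -n "$v6" ]; then echo "add element $NFT_TABLE v6 { $v6 }"; fi
  } > "$batch"
  apply_batch "$batch"
  rm -f "$batch"
}

# Arming adds the two drop rules; disarming empties the chain again. The sets
# stay loaded either way, so the switch is instant and reversible.
arm_reserve() {
  run nft add rule $NFT_TABLE reserve ip saddr @v4 counter drop
  run nft add rule $NFT_TABLE reserve ip6 saddr @v6 counter drop
}
disarm_reserve() { run nft flush chain $NFT_TABLE reserve; }

# Usage: load_reserve /etc/reserve/prefixes.txt   (refresh, still inactive)
#        arm_reserve                              (start dropping)
#        nft list chain inet reserve reserve      (counters show what it hit)
```

Because the drop sits on the input and forward hooks, replies to connections we initiate towards listed networks are dropped too, so arming the list also breaks outbound traffic to them; the counters on the drop rules are the quickest way to see how much legitimate traffic that is costing.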