Don't do the crime, but learn from those who did

By

[Blog post] Avalanche offers a few choice lessons.

You might not think it impacted you directly, but there’s every chance that the Avalanche digital crime network has reached out and touched your user base somehow. It was that enormous, spread out over 180 countries, 800,000 domain names, hundreds of servers and multiple networks.

Don't do the crime, but learn from those who did

The scale is mind-blowing, especially when you consider that Avalanche was a managed and automated set-up spanning an enormous amount of devices in a very heterogenous environment.

That’s one thing, but what really impresses is how resilient Avalanche was.

It took cops in 40 countries four years to close down Avalanche, which was active since at least 2009. That’s with the help of security vendors, internet governance bodies like ICANN, and academic institutions combing through terabytes of data to figure out how Avalanche worked and where its servers were.

Avalanche wasn’t run with an army of staff, either. Although it’s not clear how many were involved, only five people have been arrested so far.

One thing that stands out is that the crooks clearly understood how the internet works and really took advantage of the huge scale it offers, giving them massive redundancy.

Running on hundreds of thousands of hijacked machines, domains and networks made it impossible to choke off Avalanche at any particular point. Obviously, the criminals didn’t pay for this but it shows that massively distributed set-ups are resilient and difficult to take down.

It's interesting to consider how the Double Fast Flux technique - with thousands of freshly generated domain names, and fast-changing IP addresses for the criminals’ servers - could be adapted for legitimate uses.

The cyber crims used short time-to-live settings for domain name records to hide and move their servers around quickly - this could be one way to side-step distributed denial of service attacks, Cloudflare researcher Marek Majkowski mused.

Another interesting concept is how applications and data are abstracted from the infrastructure used by the criminals.

If bits of the network are taken down, that’s no problem: everything on it can be easily replicated elsewhere quickly, because the data isn’t tied up to any particular hardware and the operation could continue.

That’s the sort of disaster recovery strategy everyone should have.

Security through obscurity is supposed to be a false premise but it clearly helped keep Avalanche alive, by dint of being a moving target. Reverse proxies like *cough* CloudFlare are handy here.

Ransomware, phishing, spamming and other forms of cybercrime are lucrative and easy to commit, so there’s no doubt that there will be a new Avalanche soon. When it arrives it will probably teach us a thing or to about anti-detection and resilience techniques.

Got a news tip for our journalists? Share it with us anonymously here.
Tags:
Juha Saarinen
Juha Saarinen has been covering the technology sector since the mid-1990s for publications around the world. He has been writing for iTnews since 2010 and also contributes to the New Zealand Herald, the Guardian and Wired's Threat Level section. He is based in Auckland, New Zealand. Google
Read more from this blog: SigInt

Most Read Articles

Services Australia's sweeping security uplift plans for myGov

Services Australia's sweeping security uplift plans for myGov

Medibank allegedly missed EDR alerts before data breach

Medibank allegedly missed EDR alerts before data breach

Northern Beaches Council reviews security stack to shore up widening perimeter

Northern Beaches Council reviews security stack to shore up widening perimeter

CrowdStrike rejects Delta Air Lines claims over outage

CrowdStrike rejects Delta Air Lines claims over outage

Log In

  |  Forgot your password?