Your Linux Firewall Can’t Stop These 3 Attacks!

Nowadays, Linux systems are considered fairly secure, as people think that Linux rarely gets infected with malware such as viruses, rootkits, worms, etc. You might also see that we hardly ever come across Antivirus software being sold for Linux, giving the illusion that Linux is an ultimately secure Operating System. Given that roughly 75 percent of the world's servers run on Linux, we can’t truly believe that Linux is as secure as we think it is. Linux is only as secure as the person controlling and configuring it. Essentially, if a user has bad security practices, e.g. opening unauthorized emails or downloading potentially malicious links, then there is a very high chance that their Linux system will be compromised.

A Linux firewall is defined as a solution or service that regulates, protects, and blocks network traffic as it passes to and from a Linux-based environment. Ultimately, it keeps your Linux systems secure by filtering certain network traffic that can be sent and received by the system itself. 

By default, Linux uses nftables, the successor of iptables, as a firewall and it does a fairly good job of keeping Linux Systems secure and mitigating potential attacks, especially if you have a good Security Engineer within your organization who is quite proficient with the tool. However, it does raise a very valid question: What attacks can’t this Linux firewall protect against? Whether you are using a paid firewall service or whether you are using the built-in iptables tool, there are just some attacks that the Linux firewall cannot protect against! Follow along with us as we go through what these attacks are and how they can affect your system.

Nearly Impossible Attacks to Stop

DDoS Attacks

Like most cyberattacks, the deadliest ones come from within. Now with a normal DoS attack or DDoS attack, it can be managed and certain measures can be set in place to mitigate these attacks. The DDoS attack we will be talking about is a little more aggressive in terms of the methods it uses to successfully execute the attack. We will be speaking on Reflection Attacks, specifically, reflected DoS and DDoS amplification attacks. I know you may be wondering what exactly is a Reflected Amplification attack but do not fear! Keep following along as we discover more about what they are. 

Reflected Amplification Attacks

Reflection Amplification, simply put, is a combination of two techniques that allows cybercriminals to magnify the amount of malicious traffic they can generate and obscure the sources of the attack traffic. Let's split these two words to kind of get a better understanding.

Reflection Attacks

Simply put, reflection attacks are attacks that use the same protocol in both directions. The attacker spoofs the victim’s IP address and sends a request for information via UDP to servers known to respond to that type of request. The server answers the request and sends the response to the victim’s IP address. From the servers’ perspective, it was the victim who sent the original request. All the data from those servers pile up, congesting the target’s Internet connectivity. With the maximized bandwidth, normal traffic cannot be serviced and clients cannot connect. Any server open to the Internet and running UDP-based services can be used as a reflector.

Amplification Attacks

Amplification attacks increase the amount of data passing around. Essentially, an attacker uses a modest number of machines with little bandwidth to send fairly substantial attacks.

Reflection /Amplification Attacks Together

These two attacks alone can be fairly managed but when put together, not even the bests of firewalls can stop this, especially with a seasoned attacker behind the controls. They send a tremendous amount of spoofed packets causing systems to freeze, crash, or even reboot. The way an attacker carries on with this type of attack is actually through misconfiguration of the firewall in place. Almost all change and error is caused by human fault and in this instance, misconfigurations of firewalls are the main culprit and reason for these types of attacks. Even then, if properly configured, you might still find yourself in the midst of a DDoS attack.

Other Types of DoS/DDoS Attacks

• Buffer Overflow: Buffer Overflow attacks, as listed above, are a common type of DoS attack. It relies on sending an amount of traffic to a network resource that exceeds the default processing capacity of the system.
• Ping of Death: Attackers send spoofed packets that ping every computer on the targeted network. The target responds and becomes flooded with responses from the malicious packet. It is also known as Internet Control Message Protocol (ICMP) Flood and Smurf Attack.
• SYN Flood: A SYN Flood attack exploits the TCP handshake – a method used for the TCP network to create a connection with a local host/client/server. Unfortunately, the handshake is left incomplete, leaving the connected host in an occupied status and unavailable to take further requests. Attackers will increase the number of requests, saturating all open ports and preventing anyone from connecting to the network.
• Teardrop: In a teardrop attack, IP data packet fragments are sent to the target network. The network then reassembles the fragments into the original packet. The process of reassembling these fragments exhausts the system and it ends up crashing. It crashes because the fragments are designed to confuse the system so it can never be put back together.

If any of these other DoS/DDoS methods are used within a Reflection/Amplification attack, there is a good chance your Linux systems cannot withstand an attack of his magnitude.

Misconfigurations in Web Applications

Everyone that uses a web application has one thing in common, they are (mostly) all protected by a firewall. However, having a firewall doesn’t necessarily mean your system is secure. A firewall may be secure to the naked eye, but if it’s protecting a web application that has existing vulnerabilities, a Cyber Criminal can easily bypass it. There are countless examples of software vulnerabilities that hackers can exploit to bypass the firewall. Firewalls themselves also have vulnerabilities, normally caused by misconfiguration. Misconfigurations at the application layer, such as an error in configuring a WAF, can lead to a series of different attacks, such as SQL injections, CSRF, or even XSS. Furthermore, once the application vulnerability is exploited, it can lead to the Cyber Criminal gaining elevated access to the database, host server, and possibly more systems within a company. This is why it’s important to ensure to install the latest updates and patches and also, continually monitor events and logs. On top of staying up to date with updates and patches, as well as monitoring logs, you can invest in a good WAF.

Malicious Scripts

If an attacker manages to find their way onto your system, you would think your firewall or Intrusion Detection System would pick it up! Unfortunately, attackers have even managed to make their way around that. Nowadays, there are scripts that are meant to bypass firewalls and intrusion detection systems. Most Linux systems and servers deploy firewalls as a defense mechanism. In some malicious scripts, attackers try to disable the firewall (ufw) as a defense evasive tactic. Along with that, attackers also remove iptables rules (using iptables -F) because it is widely used for managing the firewall rules on Linux systems and servers. Another possible shell script would be one that disables certain Linux security modules such as SElinux, Apparmor, and other applications alike. These modules can be configured to grant users certain privileges and a seasoned attacker can create a script to manipulate these modules and grant themselves access as well.

What Can YOU Do?

I know we just went over nearly impossible attacks to defend against, so you must be thinking what can you possibly do?! Well, there are actually quite a few things we can do to mitigate these attacks. Follow along with the list below:

• Use up-to-date code dependencies, and third-party components, and update your web server/server
• Make sure you have recent security updates and patches installed for all software and hardware
• Properly configure any security tools and configuration files, such as PHP.ini and iptables, in your Linux environment
• Make sure that you have installed and properly configured an Intrusion Detection System
• Make sure to properly monitor any traffic that might seem suspicious
• Use vulnerability scanners to fully assess your web applications and your servers
• Limit any traffic to and from your server to malicious and black-listed IP addresses
• Properly educate yourself/your team on security protocols and stay up to date with recent malware/ransomware so you don't find yourself in a Zero-day attack

If you follow along with this checklist and continually educate yourself on the possible vulnerabilities that are out there and that could potentially be in your system, you can properly mitigate most of these attacks.

Our Thoughts

As Cyber Criminals are using more sophisticated methods for attacks, it becomes increasingly important to monitor and record the activities happening on your system. It is important to have properly configured systems, firewalls, and all security features & patches updated to be able to properly defend against these types of attacks. It is a scary world out there and as everything becomes more digitized, we need to do our best efforts in keeping the systems that hold all our sensitive information safe. Make sure to check out our vulnerability basics (insert link here) article to further understand what vulnerabilities you might be encountering and make sure to check our WAF article to see how to keep your Web Applications secure!