Denial of Service (DoS)- This time It’s Personal

Our always-on, anywhere workforce has scattered the perimeter of the network to coffee shops, home offices, and just about any other place imaginable with Wi-Fi and/or a cellular connection.  While the distributed perimeter certainly provides more accessibility and productivity, it also brings with it vulnerabilities.  Let’s examine the less expected target of a DoS or DDoS attack:  the individual.

The impact of targeting an individual or groups of employees could be pretty severe.  Let’s create a hypothetical target…  John, a sales person at Acme Corp, is a BYOD road warrior that sees the office once a week, and has several appointments per day either delivered in person or using web conferencing.  He likely is preparing sales offers at night in the hotel, and video chatting with family via Skype. An outage of any type is more than a minor hiccup in this person’s day.  Hardware failure has serious implications.

This person is vulnerable in several ways.  They are outside of a corporate network, dependent on consumer internet connections without teams working in shifts to mitigate packet floods.  And yes I just said packet floods… for individuals.

How does one go about finding an individual?  One way is Skype.  Once a person is connected, the local DHCP server dutifully allocates an IP address even if this is NATed behind a DSL router.  It is how communication to and from the Internet works.  It is also how Skype works in peer-to-peer mode.  Skype has a default setting that allows anyone to lookup the IP address of any user.  The use case is to allow users to call users with whom they are not officially connected.   Older versions of Skype didn’t even have the option to turn this behavior off.  Each time the user connects to a Wi-Fi hot spot, hotel network, or even at home over their DSL, the new IP address is reliably updated like a homing beacon. All the attacker needs to know is the Skype name.  From there the attacker can use a resolver/booter service to seriously complicate the target’s life with less than reliable internet connectivity during business hours.  If the attacker knows the target’s schedule perhaps through a fake friend request on Facebook, this could be pure mayhem.

Here are tips to prevent this from happening to you:

• Update Skype to a current version
• In Skype, go to Tools>>Options>>Calls>>Call Settings>>select the option “Only People in my Contact List”Begin to look at what information is needed to attack an individual.  Applications that leak IP address or physical location top my list. Anything that routes to them (even over VPN) where a local offline policy may apply is also a candidate.

The reasons for wanting to take down a portion of the mobile workforce in a targeted or general basis could range from hacktivists, disgruntled former employees, to well-funded groups hired by competitors.  We have never exposed this much attack surface area before as we have now with BYOD, and those are your employees out there.