For a number of years, we have used a combination of tools for security on our servers, including CSF, ModSecurity and cpGuard for malware protection.
We have spent several months planning the implementation of the BitNinja suite, which brings a number of security and performance benefits to you free of charge. As a result, a number of changes are being made to bring leading-edge protection to your clients’ sites.
Please note that due to the extent of those changes, this is being done on a gradual rollout spanning the next week or so.
For more information on BitNinja, see the following:
IP Address Blacklisting
Until now, we have taken a fairly aggressive approach to malicious IP addresses and traffic: a ‘whitelist’ and ‘blacklist’ solution powered by CSF, our previous firewall of choice.
However, this has a limitation: should a ‘false positive’ be triggered, access to our servers and network is blocked entirely. This can give the false impression of an outage and can be incredibly frustrating.
We have taken this inconvenience on board and implemented a new solution powered by BitNinja, which works on the concept of ‘greylisting’ alongside a number of additional intrusion prevention technologies.
BitNinja’s approach differs from traditional tooling, so a few concepts are worth understanding in order to follow how it works.
IP reputation is a very effective way of securing a server. It is a database holding information about IP addresses across the world; BitNinja clients use this information automatically on each server to make security decisions and to learn more about an IP address.
Every server running BitNinja can detect and defend against a wide range of attacks, and sends the incident information it gathers to BitNinja’s central database. Based on the type, timing and number of incidents an IP has in the database, it is categorized into one of the following lists:
An IP is not listed if there is no information about it, or if its latest behaviour gives no reason to list it.
In traditional IP reputation terminology, we differentiate black and white lists: an IP is either trusted (whitelisted) or absolutely denied (blacklisted). This concept is very inflexible, and it is the cause of the bad reputation that IP reputation lists have. If an IP is blacklisted as a false positive, it’s incredibly frustrating: the user of that IP address can’t access the system they want to use and has to undergo an extensive process to be whitelisted or to have the entry removed.
That’s how the concept of greylisting was born.
A greylist is a list of IPs we think may be malicious but are not yet completely sure about. It contains suspicious IPs that the BitNinja software handles with special care. BitNinja has different CAPTCHA modules for different protocols; the duties of a CAPTCHA module are as follows:
- Decide whether the user is human or not
- Inform the user that their IP has been greylisted
- Provide a safe way for the user to delist their IP
- Record any requests made by non-human parties, growing the knowledge base about the IP and its ‘sin list’
- Act as a honeypot by pretending to be a vulnerable system, so that bots will try to connect
By introducing this technology on our servers, we give you and your end-users a less disruptive form of IP reputation management, one that lets them clear their own IP address’s reputation and vastly reduces false positives or ‘false blocks’.
If suspicious incidents originate from an IP address, individual BitNinja users can greylist it. A user-greylisted IP is greylisted only by those users, not by every BitNinja user. Once there is enough evidence that the IP is sending malicious requests, it is moved to the global greylist, which is distributed to every BitNinja-protected server, so the IP is greylisted by all of them.
When a globally greylisted IP keeps sending malicious requests, it is identified as dangerous and moved to the global blacklist maintained by BitNinja. Packets from IPs on this list are dropped entirely, so the client sees a timeout. The false-positive rate of the global blacklist is very low, as many steps precede the decision to blacklist an IP. Blacklisted IPs are moved back to the greylist from time to time to check whether the traffic is still malicious or the system has been disinfected.
The essential list provides protection against the most dangerous IPs, which are often used by the most aggressive attackers around the world. When an IP generates more than 5000 malicious requests, BitNinja places it on this list. The essential list forms part of the protective layer defending you and your clients from some of the world’s most aggressive cyber attacks.
The introduction of this revolutionary technology allows us to further protect you and your clients from attacks, and also brings:
- Improved performance and a significant reduction in CPU load
- Protection against the world’s most malicious offenders
- A protection ‘backbone’ built on data gathered from thousands of servers hosted worldwide
- A simple, intuitive method for reducing false positives
DoS and DDoS Protection
BitNinja allows us to introduce a tertiary layer of protection against large-scale denial of service attacks.
We will not rely on BitNinja alone for DDoS protection; we will continue to offer industry-leading protection at both the network level and the application level.
However, BitNinja allows us to vastly improve our ‘application-level’ DoS handling by using the greylisting technology described above: if any IP address opens more than 80 simultaneous hits to any server, that IP address is added to the greylist to prevent further connections.
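The following Python is an added example, not BitNinja’s code or part of the original announcement. It models the list tiers described above (not listed, user greylist, global greylist, global blacklist, essential list), CAPTCHA delisting, the periodic return of blacklisted IPs to the greylist, and the 80-simultaneous-hits rule from this section; the 80 and 5000 figures are from this post, while the ASSUMED_ thresholds, the function names and the per-packet actions are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
# Tiers named on the page; 80 hits and 5000 requests are its figures, ASSUMED_ values are not.
NOT_LISTED, USER_GREY, GLOBAL_GREY, BLACKLIST, ESSENTIAL = (
    "not listed", "user greylist", "global greylist", "global blacklist", "essential list")
MAX_SIMULTANEOUS = 80
ESSENTIAL_THRESHOLD = 5000
ASSUMED_SERVERS_FOR_GLOBAL = 3       # distinct servers reporting before global greylisting
ASSUMED_HITS_WHILE_GLOBAL_GREY = 10  # further malicious hits before blacklisting


@dataclass
class IpRecord:
    tier: str = NOT_LISTED
    malicious_total: int = 0
    hits_since_global_grey: int = 0
    reporting_servers: set = field(default_factory=set)


def record_incident(rec: IpRecord, server: str) -> str:
    rec.malicious_total += 1                      # one malicious request seen by one server
    rec.reporting_servers.add(server)
    if rec.malicious_total > ESSENTIAL_THRESHOLD:
        rec.tier = ESSENTIAL                      # the most aggressive offenders
    elif rec.tier == GLOBAL_GREY:
        rec.hits_since_global_grey += 1           # still malicious while greylisted
        if rec.hits_since_global_grey >= ASSUMED_HITS_WHILE_GLOBAL_GREY:
            rec.tier = BLACKLIST
    elif rec.tier != BLACKLIST:                   # blacklisted stays until periodic_review
        rec.tier = USER_GREY                      # greylisted by this server only
        if len(rec.reporting_servers) >= ASSUMED_SERVERS_FOR_GLOBAL:
            rec.tier = GLOBAL_GREY                # enough evidence: shared with every server
    return rec.tier


def connection_burst(rec: IpRecord, server: str, open_connections: int) -> str:
    # Application-level DoS rule from the page: over 80 simultaneous hits greylists the IP.
    return record_incident(rec, server) if open_connections > MAX_SIMULTANEOUS else rec.tier


def solve_captcha(rec: IpRecord) -> str:
    if rec.tier in (USER_GREY, GLOBAL_GREY):      # a human delists; blacklist gets no CAPTCHA
        rec.tier, rec.hits_since_global_grey = NOT_LISTED, 0
    return rec.tier


def periodic_review(rec: IpRecord) -> str:
    if rec.tier == BLACKLIST:                     # re-check blacklisted IPs from time to time
        rec.tier, rec.hits_since_global_grey = GLOBAL_GREY, 0
    return rec.tier


def action_for(rec: IpRecord) -> str:
    # Per-packet decision: drop (client times out), CAPTCHA challenge, or allow.
    return {BLACKLIST: "drop", ESSENTIAL: "drop", NOT_LISTED: "allow"}.get(rec.tier, "captcha")
```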
Web Application Firewall 2.0
The web is the most vulnerable interface on most servers. Having a powerful web application firewall is an essential part of the defence toolset if you host any web content. The biggest challenge of a WAF is finding the balance between security level and false-positive rate: you don’t want a weak web application firewall, but you can’t afford many false positives either. Finding this balance is what led BitNinja to create the WAF 2.0 module.
We have offered WAF protection on our servers for many years; however, the introduction of BitNinja allows us to handle the WAF far more efficiently.
BitNinja allows us to ‘route’ traffic through its network, so that WAF handling is managed externally, outside of our servers. This reduces load significantly and removes the dependency on the physical servers themselves. It works in a very similar way to Cloudflare, yet requires no changes on your end to benefit from the facility.
ModSecurity, which we had previously implemented, also has downsides beyond performance degradation: when Apache and ModSecurity handle large volumes of hits, there is potential for brief ‘crashes’ in Apache itself, causing intermittent downtime. Whilst not frequent, we believe the new solution will resolve this going forward and improve uptime.
Honeypotting is a security technique where you set up a system or subsystem that pretends to offer a vulnerable service. An attacker, hacker or bot will readily spot the apparent vulnerability and try to abuse it. Since the honeypot does not really provide the service it advertises, it instead collects the attack data and blocks the attack. The technique is similar to setting traps for your adversaries, and it is very effective against both automated and targeted attacks.
When malware is removed from a server, BitNinja replaces it with a honeypot to detect which user accesses the malware with malicious intent, and then moves that user directly to the blacklist.
This module sets up as many as 100 honeypots on our servers, on random ports chosen from the 1000 most popular ports. It detects when someone performs a deep port scan of your server (except SYN stealth scans and a few others). The module also captures any traffic to these honeypots and replies to the requests, so when an attacker tries to exploit one of these fake services, it generates incidents. This is a very effective way to catch both direct attacks and botnet activity early on.
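As an added example (not BitNinja’s implementation and not part of the original post), the Python below shows how connections captured on honeypot ports can be turned into per-IP incidents and how a sweep across several honeypots is recognised as a port scan. The 100-from-1000 port selection follows the figures above; the port list, the scan thresholds, the sample connections and all names are constructed assumptions, and the code classifies already-captured hits rather than opening sockets or sending replies.

```python
from __future__ import annotations
import random
from collections import defaultdict
from dataclasses import dataclass

# 100 honeypots from the 1000 most popular ports are the page's figures; the port list itself
# is not on the page, so a constructed range stands in, and the scan thresholds are assumed.
ASSUMED_POPULAR_PORTS = range(1, 1001)
HONEYPOT_COUNT = 100
ASSUMED_SCAN_PORTS = 5          # distinct honeypot ports touched within the window
ASSUMED_SCAN_WINDOW_S = 60.0


@dataclass(frozen=True)
class HoneypotHit:
    ts: float          # epoch seconds
    src_ip: str
    port: int
    payload: bytes     # first bytes the client sent, kept as evidence on the incident


def choose_honeypot_ports(in_use: set[int], seed: int | None = None) -> set[int]:
    """Pick HONEYPOT_COUNT random popular ports, never one a real service already uses."""
    candidates = [p for p in ASSUMED_POPULAR_PORTS if p not in in_use]
    return set(random.Random(seed).sample(candidates, HONEYPOT_COUNT))


def classify_hits(hits: list[HoneypotHit], honeypot_ports: set[int]) -> dict[str, list[str]]:
    """Raw honeypot connections -> per-IP incident labels. Any hit on a honeypot port is an
    incident (nothing legitimate lives there); ASSUMED_SCAN_PORTS distinct ports in the window
    is additionally reported once as a port scan."""
    incidents: dict[str, list[str]] = defaultdict(list)
    recent: dict[str, list[HoneypotHit]] = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h.ts):
        if hit.port not in honeypot_ports:
            continue                                   # traffic to a real service: out of scope
        incidents[hit.src_ip].append(f"honeypot:{hit.port}")
        recent[hit.src_ip] = [h for h in recent[hit.src_ip]
                              if hit.ts - h.ts <= ASSUMED_SCAN_WINDOW_S] + [hit]
        if ("port-scan" not in incidents[hit.src_ip]
                and len({h.port for h in recent[hit.src_ip]}) >= ASSUMED_SCAN_PORTS):
            incidents[hit.src_ip].append("port-scan")
    return dict(incidents)


# Constructed sample: one client sweeps seven honeypot ports in seven seconds, one touches a
# single honeypot, and one only speaks to the real HTTPS service on 443.
SAMPLE_HITS = [HoneypotHit(1000.0 + i, "198.51.100.7", 10 + i, b"") for i in range(7)] + [
    HoneypotHit(1100.0, "203.0.113.9", 10, b"GET / HTTP/1.0\r\n"),
    HoneypotHit(1101.0, "192.0.2.5", 443, b"\x16\x03\x01")]


def demo() -> dict[str, list[str]]:
    return classify_hits(SAMPLE_HITS, honeypot_ports=set(range(10, 17)))
```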
Malware Detection and Prevention
BitNinja has an excellent module for file-based malware detection. If attackers break through the defence lines of the honeypots and the web application firewall, malware detection is the next line of defence, stopping them from infecting your sites and accounts.
The BitNinja malware detection platform has been thoroughly tested to ensure a far lower rate of false positives than our currently implemented solution.
Going forward, we will be able to protect against unvalidated file uploads, script injection, remote code injection, and CMS (WordPress, Joomla, Drupal, etc.) vulnerabilities.