All posts by Flokinet

HTTP Strict Transport Security (HSTS)

The HSTS policy helps protect web application users against some passive (eavesdropping) and active network attacks. While the user's browser has an HSTS policy in effect for a web application, a man-in-the-middle attacker has a greatly reduced ability to intercept requests and responses between the user and the web application server.

So what do we need?

Activate mod_headers in Apache:

a2enmod headers

Add the HSTS header to your VirtualHost:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

max-age sets the time in seconds, and includeSubDomains applies the HSTS policy to your subdomains as well (recommended). If you don't want that, just leave it out and close the quote after 31536000.

Done.
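To see what the header above makes a browser do, here is a small model of the client side: it parses the Strict-Transport-Security value, keeps a known-hosts cache with expiry, and decides whether a plain http:// URL would be upgraded. This is an added example, not code from the original post; the host names and timestamps in the comments are constructed.

```python
import re
from urllib.parse import urlsplit

# max-age is mandatory; RFC 6797 allows the number to be quoted.
_MAX_AGE = re.compile(r'^\s*max-age\s*=\s*"?(\d+)"?\s*$', re.IGNORECASE)


def parse_hsts(header: str) -> dict:
    """Parse a Strict-Transport-Security value into its two directives."""
    policy = {"max_age": None, "include_subdomains": False}
    for directive in header.split(";"):
        m = _MAX_AGE.match(directive)
        if m:
            policy["max_age"] = int(m.group(1))
        elif directive.strip().lower() == "includesubdomains":
            policy["include_subdomains"] = True
    if policy["max_age"] is None:
        raise ValueError("max-age directive is required")
    return policy


class HstsStore:
    """Minimal known-HSTS-hosts cache, keyed by host, as a browser keeps it."""

    def __init__(self):
        self._hosts = {}  # host -> (expiry timestamp, includeSubDomains flag)

    def record(self, host: str, header: str, now: int) -> None:
        """Store a policy; assumes the header arrived in a valid HTTPS response
        (browsers ignore HSTS sent over plain HTTP)."""
        policy = parse_hsts(header)
        if policy["max_age"] == 0:  # max-age=0 tells the browser to forget the host
            self._hosts.pop(host.lower(), None)
            return
        self._hosts[host.lower()] = (now + policy["max_age"], policy["include_subdomains"])

    def must_upgrade(self, url: str, now: int) -> bool:
        """True if a browser would rewrite this http:// URL to https:// before sending."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not parts.hostname:
            return False
        labels = parts.hostname.lower().split(".")
        for i in range(len(labels)):  # exact host first, then each parent domain
            entry = self._hosts.get(".".join(labels[i:]))
            if entry is None:
                continue
            expires, include_subdomains = entry
            if now >= expires:  # expired entry no longer applies
                continue
            if i == 0 or include_subdomains:  # parent domains only count with includeSubDomains
                return True
        return False
```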

Secure your TLS with PFS

Most SSL deployments in use today are broken. The reason is that RC4 is broken, and RC4 is what most SSL-enabled websites still use. Check the SSL ciphers of a website you use (in Firefox, click the padlock in the address bar) and you will see something like: RSA_RC4_128_SHA

That means the server uses RSA key exchange with 128-bit RC4 and SHA. And that is broken.

But it gets worse. The NSA is currently building the biggest spy center in the US to store any data it can collect. Why? It may be true that the current secure ciphers cannot be broken now, but what about later?

So what we need is a system that will remain secure in the future. PFS (Perfect Forward Secrecy) fulfills this requirement.

How does it work?

When two peers want to establish a TLS tunnel with PFS, they agree on an ephemeral session key after performing the server (or mutual) authentication.

The session keys are then used to encrypt the rest of the conversation (session). They are deleted afterwards. The goal of the key exchange phase is to enable the two parties to negotiate the keys securely; in other words, to prevent anyone else from learning these keys.

How do we enable it?

First: use a long SSL certificate key. We recommend RSA 4096 bits.

You also really should look forward to getting TLS 1.2 active on your server (it should already be supported by every Unix on its latest version).

Activate PFS

You will need Apache 2.3 or later; earlier versions do not support PFS.

Replace (or add, if applicable) the following configuration directives in your SSL module configuration file (most likely to be found in /etc/apache2/mods-enabled/ssl.conf).

SSLProtocol +TLSv1.2
SSLCompression off
SSLHonorCipherOrder on
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384

Update your Dovecot mail server:

ssl_cipher_list = ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384
ssl_prefer_server_ciphers = yes
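A quick way to audit a cipher string like the one above before deploying it: classify each suite by whether its key exchange is ephemeral (which is what gives forward secrecy) and flag RC4, then ask the local OpenSSL which of the suites it can actually negotiate. This is an added example, not FlokiNET's own tooling; the cipher list is the one from this post and the "bad" list in the test is constructed.

```python
import ssl

# The cipher string from the Apache and Dovecot configuration above.
PFS_CIPHER_STRING = (
    "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:"
    "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"
    "ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384"
)

# OpenSSL suite-name prefixes whose key exchange uses ephemeral (EC)DH keys.
EPHEMERAL_KX = ("ECDHE-", "DHE-", "EDH-")


def has_forward_secrecy(suite: str) -> bool:
    """A suite gives PFS only if the key exchange is ephemeral. Plain RSA key
    transport (e.g. AES256-SHA or the RSA_RC4_128_SHA seen in Firefox) encrypts
    the session secret to the server's long-term key, so anyone who records the
    traffic and later obtains that key can decrypt it."""
    return suite.upper().startswith(EPHEMERAL_KX)


def audit_cipher_string(cipher_string: str) -> dict:
    """Split an OpenSSL-style list and report suites without PFS or with RC4.
    Group keywords such as HIGH or ALL are not expanded here; use
    suites_accepted_locally() to see what they resolve to."""
    suites = [s for s in cipher_string.split(":")
              if s and not s.startswith(("!", "-", "+"))]
    return {
        "no_pfs": [s for s in suites if not has_forward_secrecy(s)],
        "rc4": [s for s in suites if "RC4" in s.upper()],
        "ok": [s for s in suites if has_forward_secrecy(s) and "RC4" not in s.upper()],
    }


def suites_accepted_locally(cipher_string: str) -> list:
    """Names the local OpenSSL would negotiate from this string (TLS 1.3 suites,
    which always use ephemeral keys, are listed too on OpenSSL 1.1.1+).
    An unknown or entirely disabled string raises ssl.SSLError."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_string)
    return [c["name"] for c in ctx.get_ciphers()]
```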

How does it look later? Have a look at our billing system (SSL Labs).

***SPAM*** Ransom request: DDoS Attack!

Dear valued customer,

Yesterday we received a blackmail message from the so-called "Armada Collective" (see the email at the end of this post).

They demand 20 BTC (around 8000 Euro); otherwise our networks in Iceland and Finland will be attacked by DDoS.

To state it clear:

We are not going to pay any money to these persons, as blackmailers do not stop in such a case.

We immediately informed the Icelandic Police, the FBI (because there are already other active cases about it) and the local CERTs so that they are aware of it.

To avoid downtime for our customers, we are starting to implement protections, but we have to see how they work in case of such a strong attack.

Our network in Romania is not affected because our DDoS protection can filter attacks of this size.

In case of an attack that causes downtime of your product, please stay calm and wait a moment until our protections start to work.

Please be aware that in case of a DDoS attack, the whole network at the location can be affected.

We are working on it now to prevent the worst case, and we will continue in case the attack starts. Please keep in mind that such danegeld extortion is a strike against the freedom of the internet, which we are fighting for.
To comply with the demand would mean giving up the fight!

We hope all of you stand behind this decision, as it can affect you as well as it affects us.

We will regularly update our blog, Twitter (@flokinetehf) and our network status page:
https://www.billing.flokinet.com/serverstatus.php

———————-

from:

to: info@flokinet.is

Subject: ***SPAM*** Ransom request: DDoS Attack!

Ransom request: DDoS Attack!

FORWARD THIS MAIL TO WHOEVER IS IMPORTANT IN YOUR COMPANY AND CAN MAKE DECISION!

We are Armada Collective.

If you haven't heard of us, use Google. Recently, we have launched some of the largest DDoS attacks in history.
Check this out, for example: https://twitter.com/optucker/status/665470164411023360 (and it was measured while we were DDoS-ing 3 other sites at the same time)
And this: https://twitter.com/optucker/status/666501788607098880

We will start DDoS-ing your network if you don’t pay 20 Bitcoins @ XYZ(modified by us)

Right now we will start a small 30-minute UDP attack on your site IP: 185.100.84.14. It will not be hard, just to prove that we are the real Armada Collective. Check your logs.

If you don't pay by Wednesday, a massive attack will start on your networks in Finland and Iceland; the price to stop will increase to 40 BTC and will go up 2 BTC for every hour of attack.

In addition, we will be contacting affected customers to explain why they are down and recommend them to move to OVH. We will do the same on social networks.

Our attacks are extremely powerful – sometimes over 1 Tbps per second.

Prevent it all with just 20 BTC @ XYZ(modified by us)

Do not reply, we will not read it. Pay and we will know it's you. AND YOU WILL NEVER AGAIN HEAR FROM US!

And nobody will ever know you cooperated.


Armada Collective

IPv6 ready

Our network in Romania and Finland is now IPv6 ready, Iceland will follow soon.

What is IPv6?
IPv6 is the next generation Internet Protocol (IP) address standard intended to supplement and eventually replace IPv4, the protocol most Internet services use today. Every computer, mobile phone and any other device connected to the Internet needs a numerical IP address in order to communicate with other devices. The original IP address scheme, called IPv4, is running out of numbers.

What does IPv6 offer me?

Besides solving the IPv4 shortage problem, IPv6 offers a lot of new functions.

  1. More Efficient Routing
    IPv6 reduces the size of routing tables and makes routing more efficient and hierarchical. IPv6 allows ISPs to aggregate the prefixes of their customers’ networks into a single prefix and announce this one prefix to the IPv6 Internet. In addition, in IPv6 networks, fragmentation is handled by the source device, rather than the router, using a protocol for discovery of the path’s maximum transmission unit (MTU).
  2. More Efficient Packet Processing
    IPv6’s simplified packet header makes packet processing more efficient. Compared with IPv4, IPv6 contains no IP-level checksum, so the checksum does not need to be recalculated at every router hop. Getting rid of the IP-level checksum was possible because most link-layer technologies already contain checksum and error-control capabilities. In addition, most transport layers, which handle end-to-end connectivity, have a checksum that enables error detection.
  3. Directed Data Flows
    IPv6 supports multicast rather than broadcast. Multicast allows bandwidth-intensive packet flows (like multimedia streams) to be sent to multiple destinations simultaneously, saving network bandwidth. Disinterested hosts no longer must process broadcast packets. In addition, the IPv6 header has a new field, named Flow Label, that can identify packets belonging to the same flow.
  4. Simplified Network Configuration
    Address auto-configuration (address assignment) is built in to IPv6. A router will send the prefix of the local link in its router advertisements. A host can generate its own IP address by appending its link-layer (MAC) address, converted into Extended Universal Identifier (EUI) 64-bit format, to the 64 bits of the local link prefix.
  5. Support For New Services
    By eliminating Network Address Translation (NAT), true end-to-end connectivity at the IP layer is restored, enabling new and valuable services. Peer-to-peer networks are easier to create and maintain, and services such as VoIP and Quality of Service (QoS) become more robust.
  6. Security
    IPsec, which provides confidentiality, authentication and data integrity, is baked into IPv6. Because of their potential to carry malware, IPv4 ICMP packets are often blocked by corporate firewalls, but ICMPv6, the implementation of the Internet Control Message Protocol for IPv6, may be permitted because IPsec can be applied to the ICMPv6 packets.

DDOS protection in Romania

As a privacy and security focused company we want to deliver the best options to our customers.

A rising security problem in recent years is DDoS attacks, and FlokiNET takes the next step to ensure your service is secure with us.

From today, our whole network in Romania includes 950 Gbit DDoS protection.

Does this apply to all services?

All services at our Romania location include free DDoS protection. This includes shared hosting, VPS, dedicated servers and colocation.

What does that mean for me? Do I have to activate anything?

No, the protection is active in the background and ensures your service stays online.

I don't want any protection! What can I do?

Just contact our support and we will deactivate it for your IP(s).

Info: What is a DDoS attack?

Does it protect from all kinds of DDoS attacks?
Yes, it does. The protection system detects and mitigates all known kinds of DDoS attacks. In case an unknown attack happens, or it appears that an attack was not recognized automatically, our techs will analyze the threat and adjust the algorithms immediately. Our staff works 24/7 and monitors all traffic anomalies.
Should an attack on your service stay undiscovered by both our automatic system and our staff, please open a support ticket so our staff can have a look at this traffic and mitigate it for you.

How long does it take to mitigate an attack?
The automatic DDoS detection works in real time and detects an attack within <=5 seconds. After around 20 seconds, about 90% of the traffic should be mitigated, and the remaining 10% within 1 minute after the attack started. It may take a little longer if our tech team needs to recognize an attack manually and adjust the filters.

 

Are there any negative side effects, such as a higher latency, during an attack is being mitigated?
No, there should not. A DDoS attack is recognized by patterns. It’s similar to an Anti-Spam protection for your e-mail box. You want to block all the bad spam mails, but don’t want false-positives that will block real e-mails. The same is with DDoS protection. The filters try to understand which traffic is not wanted and which is real traffic, not to lock-out your real users. For this reason it might still be that during an attack a little bit of unwanted traffic will reach your service, but it is very less.

Overview:
• The number of attacks does not matter
• The protection works for any known type of DDoS attack, on any layer
• The size of the attack does not matter
• The number of protected IPs/equipment is unlimited. You can choose to protect your entire AS through this service.
• You are allowed to re-sell the service.
• Specific requests regarding customized layers and protection methods are possible.

Examples of filtered DDoS attacks:
• IP non-existing protocol attack such as Flood with IP packets with reserved values in protocol field;
• Attack with fragments such as sending mangled IP fragments with overlapping, over-sized payloads to the target machine;
• ICMP attacks such as: ICMP Flood, Smack, Smurf attack (OBSOLETE);
• IGMP attacks such as: IGMP flood;
• TCP attacks such as: SYN Flood, SYN-ACK Flood, ACK Flood, FIN Flood, RST Flood, TCP ECE Flood, TCP NULL Flood, TCP Erroneous Flags Flood, TCP Xmas, Fake Session, SRC IP Same as DST IP;
• UDP attacks such as: General Random UDP Floods, Fraggle, DNS query, DNS Amplification (+DNSSEC), NTP Amplification, SNMPv2, NetBIOS, SDP, CharGEN, QOTD, BitTorrent, Kad, Quake Network Protocol, Steam Protocol;
• HTTP attacks such as: Slowloris (Apache / IIS Attack), R-U-Dead-Yet (RUDY), HTTP Object Request Flood;
• Other category attacks such as: Misused Application Attack, Slow Read attack.

Website 2.0 and the FlokiNET Blog

Here it is – the new website with the first round of features and services like “Under Threat” for fast help in emergency situations, new services like LIR and SecureVoIP and a much better overview of our products.

Within this blog we will update you from now on about upcoming events and products and also talk about security and privacy focused topics.

Because transparency is also an important topic for us, we will regularly publish transparency reports to show you how we handle legal requests.

In case you find an error on our new page (there are always some…), need a feature or just want to let us know things: info@flokinet.is is 24/7 available.