Mobile LOIC Counter Measures

Transcription

1 Technical Security Note Mobile LOIC Counter Measures North America Radware Inc. 575 Corporate Dr., Lobby 1 Mahwah, NJ Tel: (888) International Radware Ltd. 22 Raoul Wallenberg St. Tel Aviv 69710, Israel Tel:

2 Table of Contents Abstract... 2 Mobile LOIC... 2 Operation... 3 Technical Details... 3 HTTP Request Format... 3 HTTP implementation... 4 Distinct Characteristics... 4 Investigation and Analysis of the Mobile LOIC Tool... 4 Code Analysis... 4 Experiment... 4 Results... 5 Drop Action... 6 Reset Action... 6 Drop and Suspend Action... 6 Conclusion... 8 Abstract LOIC (Low Orbit Ion Cannon) is an open-source denial-of-service (DoS) attack tool. The tool has been used in various attacks by the Anonymous group in Project Chanology, Operation Payback, OpSony and others. Existing network-security technologies and tools focus on identifying attack-traffic patterns and preventing the attack traffic from arriving at their designated destinations. This is a defensive approach. Radware SOC has developed a methodology to defeat the attacks at their origin, rather than at their destination. This offensive technique is referred to as a counterattack or a countermeasure. By crippling the attack sources, the impact on the designated victim is reduced, and in some cases, may render the attack ineffective. The attacker may then choose to change the target of the attack. This document presents research that Radware SOC has conducted in order to identify the weaknesses and vulnerabilities of the LOIC tool, and with this information, counter the attacks that the Mobile LOIC tool generates. Mobile LOIC Mobile LOIC is a Javascriptbased HTTP DoS tool which is delivered within an HTML page. The HTML page may be hosted on a website and accessed remotely with the use of a web browser. Since only a web browser is required, an attacker may use a smart phone to generate an attack (hence the name Mobile LOIC ). Normally attack organizers post a URL for the website hosting the page and invite users to use the tool and attack the specified target. The source HTML is located at: Page 2

3 Operation Mobile LOIC is very simple to operate, as shown in Figure 1. There are three configurable parameters: Target URL Specifies the URL of the attacked target. Must start with Requests per second Specifies the number of desired requests to be sent per second. Append message Specifies the content for the msg parameter to be sent within the URL of HTTP requests. Figure 1: Mobile LOIC GUI Technical Details HTTP Request Format Mobile LOIC sends multiple HTTP GET requests to the specified URL. Requests contain two parameters: id The value of this parameter is a number which is generated on-the-fly using the Javascript Date() function. msg The value of this parameter is the text entered in the Append Message field. Page 3

4 The HTTP headers in the requests are determined by the browser s configuration. HTTP implementation Other attack tools which implement the HTTP layer react to certain HTTP-level challenges differently from a legitimate browser. Mobile LOIC utilizes the HTTP implementation of the browser it is accessed from. This simple approach makes it very hard to distinguish legitimate users using a browser because it is actually the browser which is reacting. The following table shows the tool s reaction to certain HTTP challenges when used by popular browsers: Browser HTTP implementation 302 Redirect 302 Redirect + Cookie 200 Ok + JS Cookie IE 9* WinINet Passed Failed Failed Firfox 4* Mozilla HTTP Passed Passed Failed Chrome* Own [1] Passed Failed Failed * The results should be considered verified on a standard installation with default settings. Distinct Characteristics Each HTTP request sent by the Mobile LOIC tool contains the above id parameter described in HTTP Request Format. This parameter s value depends on time, but it is relatively constant within the timeframe which characterizes popular DoS attacks. This value may be used to distinctly detect the attacking traffic. Investigation and Analysis of the Mobile LOIC Tool Investigation was conducted with the aim of discovering the best countermeasure against the LOIC tool the central question being whether it is possible for an inline device to effectively mitigate the attack and also affect the way the tool operates. The investigation was conducted using mainly code analysis and experimentation. Code Analysis The publicly available Javascript code of the tool was analyzed. It was observed that the tool generates HTTP requests using the img.setattribute function. This causes the browser to produce an HTTP GET request according to the parameters of the function. Experiment Running the tool, the effect of different connections-handling actions was observed. Page 4

5 Figure 2: Stage 1 The Switch Forwards the Attacking Traffic For the setup illustrated in Figure 2, a network switch which is able to perform several TCP operations was required. In this case, DefensePro was used. The setup has a DefensePro device positioned between an attacker running Mobile LOIC and an Apache HTTP server. In Stage 1, the DefensePro device was configured to forward the LOIC traffic to the server. The traffic was monitored using DefensePro Real-Time Monitoring. In Stage 2, once a relatively stable attack rate was achieved, the DefensePro device was configured to drop the attack traffic, suspend the source IP, or block the traffic and send a reset packet to the attack source, as shown in Figure 3: Figure 3: Stage 2 The Switch Drops, Suspends or Resets the Connection or Source Results Figures 4, 5, and 6 show results for the Drop, Reset and Drop and Suspend actions on detection of the Mobile LOIC tool. The green line in the graphs indicates incoming traffic, the blue line indicates passed traffic, and the yellow line shows discarded traffic. In all three graphs, the low starting green level signifies background traffic which is considered legitimate. The beginning of the attack is characterized by a sharp rise in the green and blue levels. The beginning of the action is characterized by a sharp decrease in the green and blue lines. The significant difference between the three actions may be seen from what happens shortly after the action is started. Page 5

6 Drop Action Once the action is applied, the attacking traffic does drop but not completely. Spikes in the green line indicate that the tool retries the requests at set intervals. Those intervals correspond to the timeouts when the browser waits for the reply. When the timeout finishes, the connection is terminated and a new connection with a new request is generated. Reset Action Once the action is applied, the traffic drops for a short time and then quickly increases even higher than the initial no action state. This result is explained by the way the browser is limited in opening new connections. When the browser sends a new request, there is a timeout in which it waits for the reply. If the connection is reset, the timeout is artificially terminated and there is space to open a new connection quicker. Drop and Suspend Action Once the action is applied, the traffic quickly drops to the level of the background traffic. This is because the suspended action causes the TCP layer traffic of the attacking source to be cleared form the network. Figure 4: Real time monitoring of traffic Drop action Page 6

7 Figure 5: Real time monitoring of traffic Reset action Figure 6: Real time monitoring of traffic Drop and Suspend action Page 7

8 Conclusion The experiment described in this document shows the significance of the action chosen on detection of DoS attack tools. While one action may clear the network, help the protected server to keep operating, and even counter the tool causing it to send less requests, the wrong action may indirectly help the tool and cause it to send requests quicker. Drop and suspend is the most efficient action in the current version of Mobile LOIC. This action causes the tool to retry requests in a slower rate while keeping the network clear of attack traffic. Counter Attack Reset Drop Drop and Suspend Impact on traffic generated by the tool Increased Decreased to ~30% Decreased to ~10% Impact on attack traffic which reached the server Increased Decreased to ~10% Decreased to 0 Radware Security Operations Center 2012 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Page 8