Technical White Paper June 2016

Transcription

1 TLP:WHITE! Technical White Paper June 2016 GuidetoDDoSAttacks! Authored)by:) Lee)Myers,)Senior)Manager)of)Security)Operations) Christopher)Cooley,)Cyber)Intelligence)Analyst) This MultiCState Information Sharing and Analysis Center (MSCISAC) document is a guide to aid partnersintheirremediationeffortsofdistributeddenialofservice(ddos)attacks.thisguideis not inclusive of all DDoS attack types and references only the types of attacks partners of the MSCISAChavereportedasexperiencing. TABLEOFCONTENTS: Introduction StandardDDoSAttackTypes: SYNFlood... 4 UDPFlood.. 5 ICMPFlood 6 HTTPGETFlood 7 ReflectionDDoSAttackTypes: NTPReflectionAttackwithAmplification. 8 DNSReflectionAttackwithAmplification. 9 WordpressPingbackReflectionAttackwithAmplification 10 SSDPReflectionAttackwithAmplification MicrosoftSQLReflectionAttackwithAmplification GeneralRecommendationsandMitigationStrategies. 13 TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 1

2 TLP:WHITE INTRODUCTION ADenialofService(DoS)attackisanattempttomakeasystemunavailabletotheintendeduser(s), suchaspreventingaccesstoawebsite.asuccessfuldosattackconsumesallavailablenetworkor systemresources,usuallyresultinginaslowdownorservercrash.whenevermultiplesourcesare coordinatinginthedosattack,itbecomesknownasaddosattack. MSCISACregularlyobservestwomethodsofDDoSattacks:StandardandReflection. AStandardDDoSattackoccurswhenattackerssendasubstantialamountofmalformednetwork trafficdirectlytoatargetserverornetwork.oneofthewaysanattackercanaccomplishthisisby using a botnet to send the traffic. A botnet is a large number of victim computers, or zombies, connectedovertheinternet,thatcommunicatewitheachotherandcanbecontrolledfromasingle location. When an attacker uses a botnet to perform the DDoS attack, they send instructions to someorallofthezombiemachinesconnectedtothatbotnet,therebymagnifyingthesizeoftheir attack,makingitoriginatefrommultiplenetworksandpossiblyfrommultiplecountries. Figure1:ExampleStandardDDoSSYNFlood Image!Source:!Center!for!Internet!Security A Reflection DDoS attack occurs when attackers spoof their IP address to pose as the intended victimandthensendlegitimaterequeststolegitimatepubliccfacingservers.theresponsestothese requestsaresenttotheintendedvictimandoriginatefromlegitimateservers. Inadditiontothesemethods,atechniqueusedbyattackerstoincreasetheeffectivenessoftheir attack is called Amplification. Usually used in conjunction with Reflection attacks, Amplification occurswhentheresponsethatissenttothevictimislargerthantherequestthatissentfromthe attacker. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 2

3 TLP:WHITE Figure2:ExampleDNSReflectionDDoSwithAmplification Image!Source:!Center!for!Internet!Security Inadditiontotheuseofbotnets,sometoolsarefreelyavailableonlinethatcyberthreatactorscan usetoperformddosattacks.mostofthesetoolswereoriginallydesignedtobestresstestersand havesincebecomeopensourcetoolsusedtoconductddosattacksbyamateurcyberthreatactors. PopularexamplesofthesetoolsincludetheLowOrbitIonCannon(LOIC)andtheHighOrbitIon Cannon(HOIC).Thesetoolscanbedownloaded,installed,andutilizedbyanyonewhowishestobe apartofanongoingddosattack.withthegoalofconsumingallavailablebandwidthallocatedto the target, the LOIC sends significant amounts of Transmission Control Protocol (TCP) and User DatagramProtocol(UDP)traffic,whiletheHOICspecificallysendsHTTPtraffic.Otherexamplesof toolsthatcanbeusedtoperformddosactivitiesincludemetasploit,pyloris,andslowloris. Figure3:ImageoftheLOICGraphicalUser Image!Source:!en.wikipedia.org WhilethemainpurposebehindaDDoSattackisthemaliciousconsumptionofresources,different attackers may use different techniques to generate the traffic necessary for an effective DDoS. A loneactorwithabotnetattheirdisposalmayusethatbotnettoorchestratetheattacks.however, botnetsarealsoavailableforhire,withoperatorschargingminimalfeesforshortdurationattacks. Agroupofactorsworkingtogethermaychoosetousethesametypeoffreetool,ratherthantrying togainaccesstoabotnet.attacksliketheseareusuallylesssuccessful,asitisdifficulttocoordinate enoughattackersfortheeffecttobenoticeable. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 3

4 TLP:WHITE STANDARDDDoSATTACKTYPES SYNFlood ASYNFloodisoneofthemostcommonformsofDDoSattacksobservedbytheMSCISAC.Itoccurs whenanattackersendsasuccessionoftcpsynchronize(syn)requeststothetargetinanattempt to consume enough resources to make the server unavailable for legitimate users. This works becauseasynrequestopensnetworkcommunicationbetweenaprospectiveclientandthetarget server.whentheserverreceivesasynrequest,itrespondsacknowledgingtherequestandholds the communication open while it waits for the client to acknowledge the open connection. However, in a successful SYN Flood, the client acknowledgment never arrives, thus tying up the server sresourcesuntiltheconnectiontimesout.alargenumberofincomingsynrequeststothe targetserverexhaustsallavailableserverresourcesandresultsinasuccessfulddosattack. To identify a SYN Flood, investigate network logs and locate the TCP SYN flag. Tcpdump or Wiresharkmayworkforthispurpose. o TCPSYNpacketsarenormalandarenotnecessarilyindicativeofmaliciousactivity.Look foralargenumberofsynpacketscomingfrommultiplesourcesoverashortperiod. Ifyouidentifyanattack,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. TohelpminimizetheimpactofsuccessfulSYNFloodattacks,definestrict TCPkeepalive and maximumconnection rulesonallperimeterdevices,suchasfirewallsandproxyservers. Onsomefirewallappliances,youcanenable SYNcookies tohelpmitigatetheeffectsofasyn Flood.EnablingSYNcookiesforcesthefirewalltovalidatetheTCPconnectionbetweenclient and server before traffic is passed to the server. When attackers never send a final acknowledgmentoftheopenconnection,thefirewalldropstheconnection. SlowlorisAttacks:WhileSlowlorisisaDoStoolthatcanbeeasilyaccessedbythreatactors,the termslowlorisisalsousedtodescribeatypeofdosattack.slowlorisattacksattempttoestablish multipletcpconnectionsonatargetwebserver,andholdthemopenforaslongaspossibleby sendingpartialrequests,verysimilartoasynflood. VariationofSYNFlood:ESSYN/XSYNFlood An ESSYN Flood, also known as an XSYN Flood, is an attack designed to target entities using stateful firewalls. The attack works when a large number of unique source IP addresses all attempttoopenconnectionswiththetargetdestinationip.eachnewconnectionfromaunique sourceipcreatesanewentryinthefirewallstatetable.thepurposeofthisattackistocreate moreuniqueconnectionsthenthereisspaceforinthefirewall sstatetable.oncethetableisfull, the firewall will not accept any additional inbound connections, denying service to legitimate usersattemptingtoaccessthedestinationip. VariationofSYNFlood:PSHFlood APush(PSH)FloodinvolvessendingalargenumberofTCPpacketswiththePSHbitenabled.The purpose of a PSH packet is to bypass packet buffering, which allows for the efficient transfer of databyensuringpacketsarefilledtothemaximumsegmentsizewhenmultiplepacketsaresent overatcp connection.if thepshbitisenabled, it indicates the packetshould immediately be senttotheapplication.innormalcircumstances,thisdoesnotpresentanissue,howeverwhena significantnumberofpshpacketsaresenttoatargetserver,thereisapotentialtooverloadits resources,creatingadossituation. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 4

5 TLP:WHITE UDPFlood AUDPFloodisverysimilartoaSYNFloodinthatanattackerusesabotnettosendasignificant amountoftraffictothetargetserver.thedifferenceisthatthisattackismuchfaster,andrather thanattemptingtoexhaustserverresources,itseekstoconsumealloftheavailablebandwidthon theserver snetworklink,therebydenyingaccesstolegitimateusers.theattackworksbecausea serverthatreceivesaudppacketonanetworkport,suchas50555/udp,checksforanapplication thatislisteningonthatport.ifnothingislisteningonthatport,itrepliestothesenderoftheudp packetwithaninternetcontrolmessageprotocol(icmp)destinationunreachablepacket.during anattack,alargenumberofudppacketsarrive,eachwithvariousdestinationports.thisforcesthe servertoprocesseachone,andinmostcases,respondtoeachone.thistypeofattackcanquickly leadtotheconsumptionofallavailablebandwidth. ToidentifyaUDPFlood,investigatenetworklogsandlookforalargenumberofinboundUDP packetsoverirregularnetworkportscomingfromalargenumberofsourceipaddresses. o Many legitimate services use UDP for their network traffic. Common UDP ports are 53 (DNS), 88 (Kerberos), 137/138/445 (Windows), and 161 (SNMP). When investigating a DDoSattack,lookforUDPtrafficwithhighnumberednetworkports(1024+). Ifyouidentifyanattack,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. To minimize the effect of UDP Flood attacks, define strict rules on your perimeter network devices,likefirewalls,toallowonlyinboundtrafficonportsthatarerequired. UDPFloodVariantUsingReflection:FraggleDDoSAttack A Fraggle attack is an alternate method of carrying out a UDP Flood attack. In a Fraggle attack,theattackerusesthetarget sipaddressastheirown,whichiscalledspoofing,and then sends UDP echo (port 7) requests to the character generation port (port 19) of the broadcast IP address for a public network on the Internet. The broadcast IP address of a networkwill sendanytrafficthatitreceivestoall otheripaddresseswithinitsnetwork. Therefore,whentheUDPechorequestisreceivedbythebroadcastIPaddress,therequestis thenforwardedontoalllivecomputersonthenetwork.eachofthosecomputersthinkthat these echo requests are coming from the target IP address, and therefore send their responsestothetargetratherthanbacktotheattacker.theresultofthisisalargenumber ofunsolicitedudpcharactergenerationtrafficbeingsenttothetargetoftheddos,resulting intheconsumptionofavailablebandwidth. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 5

6 TLP:WHITE ICMPFlood AnICMPFloodoccurswhenanattackerusesabotnettosendalargenumberofICMPpacketstoa targetserverinanattempttoconsumeallavailablebandwidthanddenylegitimateusersaccess. This attack works when a large number of sources can send enough ICMP traffic to consume all availablebandwidthofthetarget snetwork. Anexampleofthiscouldbethe ping command.thiscommandisprimarilyusedtotestnetwork connectivitybetweentwopointsonanetwork.however,itispossibletosupplythiscommandwith differentvariablestomakethepinglargerinsizeandoccurmoreoften.byusingthesevariables correctly,andwithenoughsourcemachinesinitiatingthetraffic,itispossibletoconsumeallofthe availablebandwidth. To identify an ICMP Flood, investigate network logs and look for a significant amount of inboundicmptrafficfromalargenumberofsources. o Depending on what tool you are using to investigate your logs, you can identify ICMP packets either by the protocol displayed in the graphical user interface, such as with WireShark. When analyzing ICMP traffic you will notice that no port information is available,asicmpdoesnotusenetworkportsliketcporudp. o If you are using a tool that displays the network protocols as numbered values, ICMP is protocol1. o There are also ICMP type and code fields that identify what ICMP traffic is being sent or received.foracompletelistofthesetypesandcodes,pleasesee Ifyouidentifyanattack,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. TomitigatesomeofthedamageofICMPFloodattacks,blockICMPtrafficatperimeternetwork devicessuchasrouters.additionally,setapacketcpercsecondthresholdforicmprequestson perimeter routers. If the amount of inbound ICMP traffic exceeds this threshold, the excess traffic is ignored until the next second. PacketCperCsecond thresholds effectively keep your networkfrombeingoverrunwithicmptraffic. o Note:TheabovestepdoesnotstopadeterminedICMPFlood.Ifthereisenoughinbound traffictoexhaustthebandwidthbetweentheupstreamnetworkproviderandtheperimeter devicefilteringicmp,legitimatetrafficmaybedropped,ordelayedtothepointofados.if this is the case, it isnecessary to contact the upstream network service provider to have ICMPactivitydroppedattheirlevelbeforeitreachesyournetworklink. ICMPFloodVariantUsingReflection:SmurfAttack ASmurfattackisanalternatemethodofcarryingoutanICMPFloodattack.InaSmurfattack, theattackerusesthetarget sipaddressastheirown,whichiscalledspoofing,andthensends ICMP ping requests to the broadcast IP address of a public network on the Internet. The broadcastipaddressofanetworkwillsendanytrafficthatitreceivestoallotheripaddresses within its network. Therefore, when the ICMP ping request is received by the broadcast IP address,itisthenforwardedontoalllivecomputersonitsnetwork.eachofthosecomputers thinkthatthesepingrequestsarecomingfromthetargetipaddressandthereforesendtheir responsestothetargetratherthanbacktotheattacker.theresultofthisisalargenumberof unsolicitedicmppingrepliesbeingsenttothetargetoftheddos,resultingintheconsumption ofavailablebandwidth. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 6

7 TLP:WHITE HTTPGETFlood An HTTP GET Flood occurs when an attacker, or attackers, generate a significant number of continuoushttpgetrequestsforatargetwebsiteinanattempttoconsumeenoughresourcesto maketheserverunavailableforlegitimateusers.inthiscase,theattackingipaddressesneverwait for a response from the target server, despite the server attempting to respond to all incoming requests.thisresultsinconnectionsbeingleftopenonthewebserver.alargeenoughnumberof incoming HTTP GET requests to the target web server eventually exhausts all available server resourcesandresultsinasuccessfulddosattack. To identify an HTTP GET Flood, investigate network logs and look for a large number of inboundtrafficfromasignificantnumberofsourceipaddresseswithadestinationportof80 and a protocol of TCP. The packet data should also begin with GET. We recommend using eithertcpdumporwireshark. o HTTP GET requests are normal and are not on their own indicative of malicious activity. LookforalargenumberofidenticalGETrequestscomingfromalargenumberofsources overashortperiod.thesamesourceipaddressesshouldrecsendthesamegetrequests rapidly. If you identify an attack, leverage a DDoS mitigation service provider for the best results in mitigatingthisactivity. It is difficult to set up proactive security measures to block against this attack, as legitimate trafficisusedtocarryitout.often,ratebasedprotectionsarenotsufficienttoblockthisattack, andthesourceipaddressesoftheattackarepartofalargebotnet,soblockingeverysourceip isnotefficientandmayincludelegitimateusers. o OnesolutionthatmayhelpmitigatethistypeofattackistouseaWebApplicationFirewall (WAF).HTTPFloodsoftenexhibittrendsthatacorrectlyconfiguredWAFfiltersandblocks withoutblockinglegitimateaccesstothewebserver. HTTPGETFloodVariation:HTTPPOSTFlood AnotherHTTPFloodincorporatestheuseoftheHTTPPOSTrequestinsteadofGET.This attackworksbecauseitforcesthewebservertoallocatemoreresourcesinresponsetoeach inboundrequest.alargenumberoftheserequestscouldtieupenoughserverresourcesas todenylegitimateusersaccesstothewebserver. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 7

8 TLP:WHITE REFLECTIONDDoSATTACKTYPES NTPReflectionAttackwithAmplification A Network Time Protocol (NTP) reflection attack occurs when the attacker uses traffic from a legitimatentpservertooverwhelmtheresourcesofthetarget.ntpisusedtosynchronizeclocks on networked machines and runs over port 123/UDP. An obscure command, monlist, allows a requestingcomputertoreceiveinformationregardingthelast600connectionstothentpserver. Anattackercanspoofthetarget sipaddressandsendamonlistcommandtorequestthatthentp server send a large amount of information to the target. These responses typically have a fixed packetsizethatcanbeidentifiedacrossalargenumberofreplies.sincetheresponsefromthentp serverislargerthantherequestsentfromtheattacker,theeffectoftheattackisamplified.when anattackerspoofsthetarget sipaddressandthensendsthemonlistcommandtoalargenumberof InternetCfacing NTP servers, the amplified responses are sent back to the target. This eventually resultsintheconsumptionofallavailablebandwidth. ToidentifyaNTPReflectionAttackwithAmplification,investigateyournetworklogsandlook forinboundtrafficwithasourceportof123/udpandaspecificpacketsize. Onceidentified,trytoleverageyourupstreamnetworkserviceproviderandprovidethemwith theattackingipaddressesandthepacketsizesusedintheattack.upstreamprovidershavethe abilitytoplaceafilterattheirlevelthatforcesinboundntptraffic,usingthespecificpacket sizethatyouareexperiencing,todrop. Along with remediating inbound attacks, take the following preventative measures to ensure thatyourntpserversarenotusedtoattackothers. o If you are unsure whether or not your NTP server is vulnerable to being utilized in an attack,followtheinstructionsavailableatopenntp:hxxp://openntpproject.org/. o Upgrade NTP servers to version or later, which removes the monlist command entirely,orimplementaversionofntpthatdoesnotutilizethemonlistcommand,suchas OpenNTPD. o If you are unable to upgrade your server, disable the monlist query feature by adding disablemonitor toyourntp.conffileandrestartingthentpprocess. o ImplementfirewallrulesthatrestrictunauthorizedtraffictotheNTPserver. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 8

9 TLP:WHITE DNSReflectionAttackwithAmplification A Domain Name System (DNS) Reflection attack occurs when the attacker manipulates the DNS systemtosendanoverwhelmingamountoftraffictothetarget.dnsserversresolveipaddresses todomainnamesallowingtheaverageinternetusertotypeaneasilyremembereddomainname into their Internet browser, rather than remembering the IP addresses of websites. A DNS Reflection attack occurs when an attacker spoofs the victim s IP address and sends DNS name lookuprequeststopublicdnsservers.thednsserverthensendstheresponsetothetargetserver, andthesizeoftheresponsedependsontheoptionsspecifiedbytheattackerintheirnamelookup request.togetthemaximumamplification,theattackercanusetheword ANY intheirrequest, whichreturnsallknowninformationaboutadnszonetoasinglerequest.whenanattackerspoofs atarget sipaddressandsendsdnslookuprequeststoalargenumberofpublicdnsservers,the amplifiedresponsesaresentbacktothetargetandwilleventuallyresultintheconsumptionofall availablebandwidth.! ToidentifyifaDNSReflectionAttackwithAmplificationisoccurring,investigatenetworklogs andlookforinbounddnsqueryresponseswithnomatchingdnsqueryrequests. o DNSqueriesarenormalandarethemselvesnotindicativeofanattack. Ifyouidentifyanattack,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. Along with remediating inbound attacks, disable DNS recursion, if possible, by following the guidelinesprovidedbyyourdnsservervendor(bind,microsoft,etc.).indoingso,thisensures thatyourdnsserversarenotusedtoattackothers. o InstructionsfordisablingrecursioncanalsobefoundatTeamCymru: cymru.org/services/resolvers/instructions.html. o TodiscoverifanyofyourpublicDNSserversmaybeusedtoattackothers,usethefreetest atopenresolverproject.org. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 9

10 TLP:WHITE WordpressPingbackReflectionAttackwithAmplification WordPressisapopularContentManagementSystem(CMS)thatisusedtodevelopandmaintain websitesandblogs.afunctionofwordpresssitesiscalledthepingbackfeature,whichisusedto notifyotherwordpresswebsitesthatyouhaveputalinktotheirwebsiteonyoursite.sitesusing WordPressautomatethisprocess,andmaintainautomatedlistslinkingbacktositesthatlinkto them. These pingbacks are sent as Hypertext Transfer Protocol (HTTP) POST requests to the /xmlrpc.phppage,whichisusedbywordpresstocarryoutthepingbackprocess.bydefault,this featuredownloadstheentirewebpagethatcontainsthelinkthattriggeredthepingbackprocess. AnattackercanlocateanynumberofWordPresswebsitesandthensendpingbackrequeststoeach ofthemwiththeurlofthetargetwebsite,resultingineachofthosewordpresswebsitessending requeststothetargetserverrequestingthedownloadofthewebpage.alargenumberofrequests todownloadthewebpagecaneventuallyoverloadthetargetwebserver.! To identify a WordPress Pingback Reflection attack with Amplification, investigate your network logs and look for a large number of inbound TCP traffic over port 80 from a large number of sources. The traffic appears as HTTP GET requests for random values such as? = thisrequestbypassesthecacheandforcesafullcpagereloadforevery packet.! Ifyouidentifyanattack,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. Atthetimeofthiswriting,thereisnowaytopreventthisinboundtrafficasonitsownitis normalwebtraffic.however,thereisawaytoensurethatyourwordpresswebsitesarenot usedto attack others. To do this, WordPress offers a tool that is available for downloadthat disables the pingback feature of XMLRPC. Download the tool at the following link: hxxp://wordpress.org/plugins/disablecxmlcrpccpingback/. o Alternatively, you can create a plugin for the website that adds a filter that manually disables the pingback function of XMLRPC. An example of this plugin can be found at hxxps://blog.cisecurity.org/wordpresscpingbackcfeaturecbeingcusedcincddoscattacks/ TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 10

11 TLP:WHITE SSDPReflectionAttackwithAmplification TheSimpleServiceDiscoveryProtocol(SSDP)iscommonlyusedforthediscoveryofUniversalPlug andplay(upnp)devices.upnpisaseriesofnetworkingprotocolsthatallowsnetworkingdevices to discover and connect with one another, without user intervention. Using SSDP, Simple Object Access Protocol (SOAP) is used to deliver control messages to UPnP devices. A SSDP reflection attackoccurswhenanattackerspoofsthevictim sipaddressandsendscraftedsoaprequeststo open UPnP devices on the Internet. These devices then send their responses to that victim IP address.dependingonhowtheattackercraftedtherequest,theresponsecouldbeamplifiedbya factorof30fromasinglerequest. According to OpenSSDPProject.org, there are over 80 million devices on the Internet that are vulnerabletoupnpandssdprelatedexploits.whenanattackerspoofsavictim sipaddressand sends crafted SOAP requests over SSDP to a large number of public UPnP devices, the amplified responses are sent back to the victim, eventually resulting in the consumption of all available bandwidth. To identify if an SSDP Reflection Attack with Amplification is occurring, investigate network logsandlookforinboundsourceport1900/udp(ssdp)trafficfromalargenumberofsource IPaddresses. Onceanattackisidentified,trytoleverageyourupstreamnetworkserviceproviderinorderfor themtomitigatetheactivitybeforeitreachesyournetwork. Along with remediating inbound attacks, take the following preventative measures to ensure thatyourupnpdevicesarenotusedtoattackothers. o Ifyouareunsureifanydevicesonyournetworkcouldbeemployedinanattack,followthe o instructionsavailableatopenssdptocheck:hxxp://openssdpproject.org/ It is also recommended to block outbound port 1900/UDP traffic at your border routers, andrestrictupnptotheinternalnetworkifrequired. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 11

12 TLP:WHITE MicrosoftSQLReflectionAttackwithAmplification Microsoft(MS)StructuredQueryLanguage(SQL)isapopularapplicationusedtomanagerelational databases.databaseserversusingmssqlaresometimesleftonexternalipaddressessothatthey can be accessed remotely over the Internet. A MS SQL reflection attack occurs when an attacker spoofsthetarget sipaddressandthensendscraftedrequeststopubliccfacingmssqlserversusing themssqlserverresolutionprotocol(mccsqlr),whichlistensonport1434/udp.theresponse fromthedatabaseservercontainsinformationaboutthedatabaseinstancesrunningontheserver aswellashowtoconnecttoeachone.dependingontheconfigurationofthedatabaseserver,and the number of database instances on the server, the response to the client request could be amplifiedbyafactorof25forasinglerequest. AttackerscansendscriptedMCCSQLRrequests,spoofingthetarget sipaddress,toalargenumber of publiccfacing MS SQL servers. The amplified responses are sent back to the target, possibly resultingintheconsumptionofallofthetarget savailablebandwidth. ToidentifyifaMSSQLReflectionAttackwithAmplificationisoccurring,investigatenetwork logs and look for inbound source port 1434/UDP (MCCSQLR) traffic from a large number of source IP addresses. In some instances, it may be possible to identify a particular payload signature. Ifyouidentifyanattack,trytoleverageyourupstreamproviderinorderforthemtomitigate theactivitybeforeitreachesyournetwork. If possible, block inbound connections to port 1434/UDP or filter connections to allow only trustedipaddresses. Alongwithmitigatinginboundattacks,takethefollowingstepstopreventyourMSSQLserver frombeingusedasareflectorinattacksagainstothers: o UseingressandegressfiltersonfirewallstoblockSQLserverports.Port1434/UDPshould be open only if there is an identified need for the service. If the port is open, it is recommendedthattrafficbefilteredtoallowonlytrustedipaddresses. o SQLserversthathaveonlyonedatabaseinstancerunningdonotneedtorunMSCSQLR.If youarerunningonlyonedatabaseinstance,disablemscsqlr. o As of Microsoft SQL Server 2008 the feature is disabled by default. However, earlier versionsrequireadministratorstodisablethisservicemanually.ifyouarerunninganolder versionofthesoftwareandthereisnotaneedformscsqlr,disableit.ifitisdetermined thatmscsqlrisneeded,consideraddinganadditionallayerofsecurity,suchasrequiring authenticationviasshorvpn,infrontoftheservice. TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 12

13 TLP:WHITE GENERALRECOMMENDATIONSANDMITIGATIONSTRATEGIES The recommendations for DDoS attacks vary depending on what type of attack you are experiencing.however,thefollowinggenericrecommendationsareguidelinesforddosmitigation, whichreducetheimpactofattemptedddosattacks,andenableyoutorespondtosuccessfulddos attacksmorequicklywhentheydooccur. Establish and maintain effective partnerships with your upstream network service provider andknowwhatassistancetheymaybeabletoprovideyouintheeventofaddosattack.inthe case of a DDoS attack, the faster a provider can implement traffic blocks and mitigation strategiesattheirlevel,thesooneryourserviceswillbecomeavailableforlegitimateusers. ConsideralsoestablishingrelationshipswithcompanieswhoofferDDoSmitigationservices. If you are experiencing a DDoS attack, provide the attacking IP addresses to your upstream networkserviceprovidersotheycanimplementrestrictionsattheirlevel.keepinmindthat Reflection DDoS attacks typically originate from legitimate public servers. It is important to ascertaintowhomanipbelongstowhenexaminingnetworklogsduringanattack.usetools suchastheamericanregistryforinternetnumbers(arin)( thesourceipsinvolvedintheattack.otherwise,youmayblocktrafficfromlegitimatenetworks orservers. Enable firewall logging of accepted and denied traffic to determine where the DDoS may be originating. Define strict TCP keepalive and maximum connection on all perimeter devices, such as firewallsandproxyservers.thisrecommendationassistswithkeepingsynfloodattacksfrom beingsuccessful. Considerportandpacketsizefilteringbytheupstreamnetworkserviceprovider. Establish and regularly validate baseline traffic patterns (volume and type) for publiccfacing websites. Applyallvendorpatchesafterappropriatetesting. Configurefirewallstoblock,asaminimum,inboundtrafficsourcedfromIPaddressesthatare reserved(0/8),loopback(127/8),private(rfc1918blocks10/8,172.16/12,and /16), unassigneddhcpclients( /16),multicast( /4)andotherwiselistedinrfc 5735.ThisconfigurationshouldberequestedattheISPlevelaswell. TunepublicCfacingserverprocessestoallowtheminimumamountofprocessesorconnections necessarytoeffectivelyconductbusiness. Configurefirewallsandintrusiondetection/preventiondevicestoalarmontrafficanomalies. Configure firewalls only to accept traffic detailed in your organization s security policy as requiredforbusinesspurposes. Consider setting up OutCofCBand access, Internet and telephony, to an incident management roomtoensureconnectionintheeventofaddosattackthatdisruptsnormalconnectivity.! AbouttheMultiSStateInformationSharingandAnalysisCenter(MSSISAC): TheMSCISACisthefocalpointforcyberthreatprevention,protection,responseandrecoveryfor the nation's state, local, tribal, and territorial (SLTT) governments. The MSCISAC 24x7 cyber security operations center provides realctime network monitoring, early cyber threat warnings andadvisories,vulnerabilityidentificationandmitigationandincidentresponse. Formoreinformationpleasevisithttp://msisac.cisecurity.org/ TLP:WHITE TLP:WHITEinformationmaybedistributedwithoutrestriction,subjecttocopyrightcontrols. 13