DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action

Similar documents
DoS Cyber Attack on a Government Agency in Europe- April 2012 Constantly Changing Attack Vectors

Radware Attack Mitigation Solution (AMS) Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Securing Online Businesses Against SSL-based DDoS Attacks. Whitepaper

Radware s Attack Mitigation Solution Protect Online Businesses and Data Centers Against Emerging Application & Network Threats - Whitepaper

Protecting DNS Critical Infrastructure Solution Overview. Radware Attack Mitigation System (AMS) - Whitepaper

ERT Threat Alert New Risks Revealed by Mirai Botnet November 2, 2016

Cisco Firepower with Radware DDoS Mitigation

Arbor Solution Brief Arbor Cloud for Enterprises

Mobile LOIC Counter Measures

Enterprise D/DoS Mitigation Solution offering

DDoS Detection&Mitigation: Radware Solution

Radware DefensePro DDoS Mitigation Release Notes Software Version Last Updated: December, 2017

haltdos - Web Application Firewall

the Breakdown of Perimeter Defenses

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

DDoS Protector. Simon Yu Senior Security Consultant. Block Denial of Service attacks within seconds CISSP-ISSAP, MBCS, CEH

Prolexic Attack Report Q4 2011

A custom excerpt from Frost & Sullivan s Global DDoS Mitigation Market Research Report (NDD2-72) July, 2014 NDD2-74

Comprehensive datacenter protection

this security is provided by the administrative authority (AA) of a network, on behalf of itself, its customers, and its legal authorities

Check Point DDoS Protector Introduction

Chapter 10: Denial-of-Services

Check Point DDoS Protector Simple and Easy Mitigation

Corrigendum 3. Tender Number: 10/ dated

Lecture 12. Application Layer. Application Layer 1

Denial of Service, Traceback and Anonymity

Anti-DDoS. FAQs. Issue 11 Date HUAWEI TECHNOLOGIES CO., LTD.

TOP TEN DNS ATTACKS PROTECTING YOUR ORGANIZATION AGAINST TODAY S FAST-GROWING THREATS

Network Security. Thierry Sans

Imperva Incapsula Product Overview

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

DefensePro. Release Notes

Protecting Against Application DDoS A acks with BIG-IP ASM: A Three- Step Solution

Why IPS Devices and Firewalls Fail to Stop DDoS Threats

WEB DDOS PROTECTION APPLICATION PROTECTION VIA DNS FORWARDING

SHARE THIS WHITEPAPER. Attack Mitigation Service Fully Managed Hybrid (Premise & Cloud) Cyber-Attack Mitigation Solution - Whitepaper

IBM Next Generation Intrusion Prevention System

RSA INCIDENT RESPONSE SERVICES

Basic Concepts in Intrusion Detection

Detect Cyber Threats with Securonix Proxy Traffic Analyzer

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT

WHITE PAPER. DDoS of Things SURVIVAL GUIDE. Proven DDoS Defense in the New Era of 1 Tbps Attacks

SOLUTION BRIEF RSA NETWITNESS SUITE 3X THE IMPACT WITH YOUR EXISTING SECURITY TEAM

CISCO NETWORKS BORDERLESS Cisco Systems, Inc. All rights reserved. 1

Fregata. DDoS Mitigation Solution. Technical Specifications & Datasheet 1G-5G

The Barracuda Web Application Firewall Versus Anonymous. Best Practices for Planning and Defending Against Attacks by Anonymous.

snoc Snoc DDoS Protection Fast Secure Cost effective Introduction Snoc 3.0 Global Scrubbing Centers Web Application DNS Protection

RSA INCIDENT RESPONSE SERVICES

Configuring BIG-IP ASM v12.1 Application Security Manager

Configuring Access Rules

DDOS RESILIENCY SCORE (DRS) "An open standard for quantifying an Organization's resiliency to withstand DDoS attacks" Version July

Cyber War Chronicles Stories from the Virtual Trenches

The Barracuda Web Application Firewall Versus Anonymous. Best Practices for Planning and Defending Against Attacks by Anonymous.

akamai s [state of the internet] / security

Chapter 7. Denial of Service Attacks

Panelists. Moderator: Dr. John H. Saunders, MITRE Corporation

Cyber Security Guidelines Distributed Denial of Service (DDoS) Attacks

Sourcefire Solutions Overview Security for the Real World. SEE everything in your environment. LEARN by applying security intelligence to data

RSA NetWitness Suite Respond in Minutes, Not Months

Sam Pickles, F5 Networks A DAY IN THE LIFE OF A WAF

Information Security Adaption: Survival In An Evolving Threat Landscape. Carl Herberger VP, Security Solutions, Radware

Office 365 Buyers Guide: Best Practices for Securing Office 365

NIP6000 Next-Generation Intrusion Prevention System

Integrated Web Application Firewall & Distributed Denial of Service (DDoS) Mitigation Solution

Vendor: Cisco. Exam Code: Exam Name: Implementing Cisco Threat Control Solutions. Version: Demo

Future-ready security for small and mid-size enterprises

Corero & GTT DDoS Trends Report Q2 Q3 2017

Gujarat Forensic Sciences University

DDoS Mitigation & Case Study Ministry of Finance

Symantec Ransomware Protection

Fireware-Essentials. Number: Fireware Essentials Passing Score: 800 Time Limit: 120 min File Version: 7.

CyberArk Privileged Threat Analytics

Intrusion Attempt Who's Knocking Your Door

Fighting the Shadows: How to Stop Real-world Cybersecurity Application Threats That You Can t See

DDoS: Coordinated Attacks Analysis

Think You re Safe from DDoS Attacks? As an AWS customer, you probably need more protection. Discover the vulnerabilities and how Neustar can help.

ADVANCED THREAT PREVENTION FOR ENDPOINT DEVICES 5 th GENERATION OF CYBER SECURITY

All-in one security for large and medium-sized businesses.

EMERGING THREATS & STRATEGIES FOR DEFENSE. Paul Fletcher Cyber Security

INCIDENTRESPONSE.COM. Automate Response. Did you know? Your playbook overview - Virus Outbreak

The Telephony Denial of Service (TDoS) Threat

PROTECTING INFORMATION ASSETS NETWORK SECURITY

Distributed Denial of Service (DDoS)

IBM Cloud Internet Services: Optimizing security to protect your web applications

Technical White Paper June 2016

Rethinking Perimeter Security: New Threats Require Real-Time Protection A DefensePro Technology Paper By Avi Chesla - VP, Security & Management

Anti-DDoS. User Guide (Paris) Issue 01 Date HUAWEI TECHNOLOGIES CO., LTD.

Intrusion Detection System For Denial Of Service Flooding Attacks In Sip Communication Networks

Multi-vector DDOS Attacks

Drive Greater Value from Your Cisco Deployment with Radware Solutions

AKAMAI THREAT ADVISORY. Satori Mirai Variant Alert

Network Security Issues and New Challenges

A10 DDOS PROTECTION CLOUD

A GUIDE TO DDoS PROTECTION

An Introduction to DDoS attacks trends and protection Alessandro Bulletti Consulting Engineer, Arbor Networks

National Cyber Security Operations Center (N-CSOC) Stakeholders' Conference

Distributed Systems. 27. Firewalls and Virtual Private Networks Paul Krzyzanowski. Rutgers University. Fall 2013

F5 DDoS Attack Quick Reference Sheets

Chair for Network Architectures and Services Department of Informatics TU München Prof. Carle. Network Security. Chapter 8

Cybersecurity Overview

Transcription:

DoS Cyber Attack on a Government Agency in South America- February 2012 Anonymous Mobile LOIC in Action 1

Table of Content Preamble...3 About Radware s DefensePro... 3 About Radware s Emergency Response Team... 3 Attack summary...4 Executive Summary... 4 Attack Vector Details...5 Attack Vector I: HTTP Flood: Mobile-LOIC... 5 Attack Vector II: TCP Data Flood: LOIC... 6 Attack Vector III: UDP Floods... 7 Attack Vector IV: HTTP Flood: other tools... 8 Geographical Blocking...8 2

Preamble This attack case summary describes one of the real life attacks which was experienced by a Radware customer and successfully mitigated thanks to Radware s DefensePro product and Radware s Emergency Response Team (ERT) expertise. The customer s name is undisclosed for privacy purposes and is referenced by customer in this report. About Radware s DefensePro Radware's award-winning DefensePro is a real-time network attack prevention device that protects the application infrastructure against network & application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other emerging network attacks. It combines a set of security modules which altogether provide a complete attack mitigation solution: Intrusion Prevention System (IPS), Network Behavioral Analysis (NBA), Denial-of-Service (DoS) Protection and Reputation Engine. The vast majority of the attacks are successfully mitigated and stopped by DefensePro alone. About Radware s Emergency Response Team Radware's Emergency Response Team (ERT) is a service, complementary to Radware s DefensePro, designed to provide 24x7 security services for customers facing a denial-of-service (DoS) attack or a malware outbreak. Often, these attacks require immediate assistance. The ERT provides instantaneous, expert security assistance in order to restore network and service operational status. IT is staffed by experts that have vast knowledge and experience with network threats, their detection and mitigation, and in-depth experience of the DefensePro family of products. In addition, the ERT takes information from each customer engagement and simulates the same scenario internally for further analysis and proactive implementation of defense techniques for other customers that may be facing a similar security threat. 3

Attack summary Executive Summary The customer, a high-profile Government entity, was targeted by a DDoS attack in the context of a wider campaign against Government sites in this country. In the days preceding the attack, Anonymous published warnings and threats of attacks through their usual means of communication (Youtube, Twitter, Facebook). The site was protected by a DefensePro device, just installed and configured few days ago. ERT, which was invoked, logged in on the day of the attack to tune the device which successfully mitigated the attack and the website was available to users. This document describes different attack vectors and their mitigation and discusses the effectiveness of Geo-Blocking, used by the customer during the attack. Attack Vectors There were four confirmed attack vectors in this attack campaign: Attack Vector I: HTTP Flood: Mobile-LOIC Attack Vector II: TCP Data Flood: LOIC Attack Vector III: UDP Floods Attack Vector IV: HTTP Flood: other tools 4

Attack Vector Details Attack Vector I: HTTP Flood: Mobile-LOIC Summary Using the Mobile-LOIC attack tool, each attacker sent multiple HTTP GET requests to the customer s webserver home page. Mobile-LOIC delivers semi-random parameter values in its requests in order to evade proxies and caching services and reach the backend server. DefensePro blocked this attack vector using an Application Security signature. Mobile-LOIC Control Panel Attack Description Verified attackers: about 100 TPS: ~400 Bandwidth: 1.5 Mbps HTTP GET requests for the homepage ("/"), two parameters were delivered in the URL: id= Semi-random 13 digits number Attack packets snapshot One of the problems of HTTP flood attacks (from attacker s perspective) is that HTTP request may be answered by the local ISP proxy or by CDN, and not reach the actual targeted web server. Mobile-LOIC uses the Random Parameters technique in order to create un-cacheable requests, ensuring each will reach the backend server. 5

Attack Vector II: TCP Data Flood: LOIC Summary Using the LOIC attack tools, attackers sent multiple TCP data packets with constant payload toward TPC/80 at the attacked Webserver. This attack vector was not substantial and only few attackers used it. DefensePro blocked this attack vector using two Application Security signatures. LOIC Control Panel 6

Attack Vector III: UDP Floods Summary The third attack vector was: UDP Floods. The device blocked several of them during the length of the campaign using the Behavioral DoS Protection and the Black List; this includes floods on UDP/80 and UDP/443 and Fragmented UDP flood on random destination ports. Some of the floods were probably generated using LOIC. Attack Description The following UDP floods were detected and blocked by DefensePro device: - 33K PPS UDP/80 flood, probably generated using LOIC - dd4k PPS 45 Mbps Fragmented UDP flood, random destination port - Low rate UDP/443 flood Attacking sources were almost certainly spoofed by the attackers. Attack Mitigation Attacks were mitigated using a combination of Behavioral DoS, DoS-Shield signature for Fragmented Flood and Black List on UDP/80 and UDP/443. Attack mitigation 7

Attack Vector IV: HTTP Flood: other tools Summary Additional HTTP GET Request floods generated by other attack tools (HOIC for example) were blocked using the Web Cookies challenge mechanism. No additional information is currently available. Geographical Blocking During some stages of the attack, the customer blocked requests originating outside the customer s country at the ISP level. This technique achieved only limited outcome since some attacker sources were originating at the customer s country itself. The following map shows countries where attack traffic originated: 2012 Radware, Ltd. All Rights Reserved. Radware and all other Radware product and service names are registered trademarks of Radware in the U.S. and other countries. All other trademarks and names are the property of their respective owners. Printed in the U.S.A. 8

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback