DoS Cyber Attack on a Government Agency in Europe - April 2012: Constantly Changing Attack Vectors


Table of Contents

Preamble
  About Radware's DefensePro
  About Radware's Emergency Response Team (ERT)
Summary
  Executive Summary
  Timeline of Events
Chronological Description
  Day 2
  Day 3
  Day 4
Attack Vector Details
  Attack Vector I: Empty Connection Flood on TCP/80
  Attack Vector II: FIN-ACK Flood on TCP/80
  Attack Vector III: HTTP Flood
Attack Motivation

Preamble

This attack case summary describes one of the real-life attacks experienced by a Radware customer and successfully mitigated thanks to Radware's DefensePro product and the expertise of Radware's Emergency Response Team (ERT). The customer's name is undisclosed for privacy reasons and is referred to as "the customer" in this report.

About Radware's DefensePro

Radware's award-winning DefensePro is a real-time network attack prevention device that protects the application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other emerging network attacks. It combines a set of security modules which together provide a complete attack mitigation solution: Intrusion Prevention System (IPS), Network Behavioral Analysis (NBA), Denial-of-Service (DoS) Protection and Reputation Engine. The vast majority of attacks are successfully mitigated and stopped by DefensePro alone.

About Radware's Emergency Response Team (ERT)

Radware's Emergency Response Team (ERT) is a service complementary to DefensePro, designed to provide 24x7 security services for customers facing a denial-of-service (DoS) attack or a malware outbreak. Such attacks often require immediate assistance. The ERT provides immediate, expert security assistance in order to restore network and service operational status. The ERT is staffed by experts with vast knowledge and experience of network threats, their detection and mitigation, and in-depth experience with the DefensePro family of products. In addition, the ERT takes information from each customer engagement and simulates the same scenario internally for further analysis and proactive implementation of defense techniques for other customers facing a similar security threat.

Summary

Executive Summary

The customer was targeted with a DDoS campaign that lasted five consecutive days.

In the days preceding the attack, Anonymous published threats of attacks against European ISPs and government websites, and ERT assisted one of the largest European ISPs in preparing for them. Nevertheless, no direct threat to the customer's website was made, and this attack was not credited to Anonymous (in fact it was not reported in the media at all). This attack had several unique characteristics, all of which suggest a different motivation (see Attack Motivation below).

Attack Vectors

There were three confirmed attack vectors in this attack campaign:

Attack Vector I: Empty Connection Flood on TCP/80

Attack Vector II: FIN-ACK Flood on TCP/80
Attack Vector III: HTTP Flood

Day-by-Day Summary

Day 1
The customer comes under attack. Initially, the ISP partially restores service by blocking international access to the web server using ACLs on its router.

Day 2
A DefensePro unit is installed at the customer's ISP premises by Radware's integrator as a "PoC under attack"; the ACL rule on the ISP router is removed. By the time ERT is engaged, two attack vectors are running simultaneously: an Empty Connection Flood on TCP/80 (Attack Vector I) and a FIN-ACK Flood on TCP/80 (Attack Vector II). ERT is engaged around noon, the DefensePro configuration is tuned, and the Empty Connection and FIN-ACK floods are mitigated. Service is restored for the next 24 hours.

Day 3
By changing the FIN-ACK attack vector, the attackers are able to evade the applied protection and affect service. ERT is engaged and introduces aggressive protections which completely block the attack and restore service.

Day 4
The attack vector changes: a slow-rate HTTP flood begins. This flood is able to evade the applied 302 Redirect Web Cookies challenge; therefore, ERT activates the JavaScript Web Cookies challenge. Two hours later, the attack intensifies, evades the JavaScript Web Cookies challenge and immediately affects service. Over the next couple of hours, ERT uses a combination of mitigation techniques to block this sophisticated attack vector.

Day 5
Over the next 24 hours the attack continues, but it is successfully blocked by DefensePro and no service interruption is reported.

Timeline of Events

Day    Events
Day 1  The customer website is targeted with a DDoS attack and service is affected. The ISP blocks international access to the web server using an ACL on the router; service is restored.
Day 2  A DefensePro unit is installed on-site. ERT is engaged, the initial configuration is refined and tuned, the attack is mitigated and service is restored.
Day 3  The web server is under attack; the attack evades existing protections. ERT is engaged, aggressive protections are configured, and service is restored.
Day 4  The attack starts; the vector changes and evades current protections. New protections are set (JavaScript challenge) and service is restored. The attack evades the challenge and service is affected. ERT is engaged again. Service is restored using a combination of mitigation techniques.
Day 5  The attack continues and is mitigated by DefensePro without ERT involvement.

Chronological Description

Day 2

At the time ERT is first engaged there are two attack vectors running simultaneously:

Attack Vector I: Empty Connection Flood on TCP/80
Attack Vector II: FIN-ACK Flood on TCP/80

The attack amounts to a combined rate of 11.9 Mbps / 19K PPS; up to 20K concurrent connections are opened on the server, making the service unavailable for most clients. Figure 1 shows the distribution between the different attack vectors at this stage of the attack (number of packets sent over the course of one second).

Figure 1 - Distribution between different attack vectors (packets per second: FIN-ACK, SYN, ACK, HTTP data)

Some attackers used only one of the attack vectors, while others combined both into an "Empty Connection FIN-ACK Flood", shown in Figure 2 below.

Figure 2 - Empty Connection FIN-ACK Flood

The motivation for this combination is unclear, since the attacker immediately frees the server resources it has just allocated (the connection is opened with a full handshake and then torn down with a FIN-ACK). This was mitigated using the applied Web Cookies 302 Redirect Challenge.

Day 3

Late in the evening, some attack packets are able to evade the BDoS mechanism and affect service. On this day the attack consisted mainly of one attack vector, amounting to up to 4 Mbps:

Attack Vector II: FIN-ACK Flood on TCP/80

Half an hour later, ERT is engaged and restores service by applying aggressive protections (out-of-state protection and custom signatures with a suspend action).

Day 4

A new attack vector begins in the morning:

Attack Vector III: HTTP Flood

This relatively slow-rate attack (a few requests per second) is quickly mitigated using the JavaScript Web Cookies challenge. Later on, the attack intensifies, evades the Web Cookies challenge and instantly affects service (reaching 6,000 concurrent connections and 30 Mbps). Note the increase in inbound traffic in the figure below:

Figure 3 - Increased inbound traffic

Over the next couple of hours, ERT applies several attack mitigation techniques (including custom signatures and black listing). Complete service availability is achieved only a few hours later.

Attack Vector Details

Attack Vector I: Empty Connection Flood on TCP/80

Summary

An Empty Connection flood was observed on the first day of the attack campaign. Roughly 400 attacking hosts were identified and the attack was completely mitigated using SYN protection.

Attack Measurements

2.5 Mbps
5K PPS

Attack Description

In empty connection floods, attackers use real (non-spoofed) hosts to send multiple TCP SYN requests to the target machine. Once the target responds and accepts the connections (SYN-ACK packets), the attackers complete the TCP handshake (ACK) and establish the connections. The target machine now waits for data packets, but these never arrive, hence "empty connection" flood. By repeating this technique, attackers are able to exhaust the target's resources (connection table entries, worker processes or threads, and the memory and timers each idle connection holds).

It is plausible that the empty connection flood was only a side effect of an HTTP attack in an advanced phase: once the web server's application resources were saturated it could not accept new application requests, so the attackers were never able to progress past the handshake to the next stage of the attack.

Figure 4 shows a packet snapshot; note how each attacker's SYN request is followed by an ACK packet.

Figure 4 - Packet snapshot

Attack Impact

Exhausting resources of the web server.

Attack Detection and Mitigation

SYN Protection T-Proxy

DefensePro SYN Protection was able to mitigate this attack using the transparent proxy (T-Proxy) module. This module monitors the difference between the number of SYN packets and the number of data packets sent to the protected server. Since this value breached 2,500 packets (the default threshold), the mechanism triggered.

Figure 5 shows a graph of the number of SYN, ACK and data packets over the course of one second. Notice that the number of SYN packets is almost identical to the number of ACK packets, while the number of data packets is extremely low.

Figure 5 - Number of SYN, ACK and data packets over the course of one second

Once the SYN protection mechanism was triggered, the attack was quickly mitigated. The figure below shows 2.5 Mbps of attack traffic dropped by DefensePro.

Figure 6 - 2.5 Mbps of attack traffic dropped by DefensePro
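The SYN-versus-data comparison described above, as an added example that is not DefensePro code: it counts SYNs, bare ACKs and data-bearing segments in one window of inbound packets (the three series of Figure 5) and triggers when the SYN-minus-data gap exceeds the 2,500-packet default quoted in the text. The packet model, the sample window of 400 attackers and the per-attacker SYN count are constructed for illustration.

```python
"""Empty-connection flood heuristic over one window of inbound packets.

Added example; not DefensePro code. It reproduces the comparison the text
describes for the T-Proxy (SYNs versus data packets reaching the server) with
the default 2,500-packet threshold. The packet model and the sample window are
constructed for illustration.
"""
from collections import Counter, namedtuple

# Inbound packet as seen by the protection device: source IP, TCP flag letters, payload bytes.
Packet = namedtuple("Packet", "src flags payload_len")

SYN_DATA_GAP_THRESHOLD = 2500  # default from the text: SYNs minus data packets per window


def summarize_window(packets):
    """Count SYNs, bare ACKs and data-bearing segments in one window (Figure 5's three series)."""
    syn = sum(1 for p in packets if "S" in p.flags and "A" not in p.flags)
    ack = sum(1 for p in packets if p.flags == "A" and p.payload_len == 0)
    data = sum(1 for p in packets if p.payload_len > 0)
    return {"syn": syn, "ack": ack, "data": data}


def is_empty_connection_flood(packets, threshold=SYN_DATA_GAP_THRESHOLD):
    """Trigger when far more connections are opened than ever carry data."""
    s = summarize_window(packets)
    return s["syn"] - s["data"] > threshold


def top_talkers(packets, n=5):
    """Sources ranked by SYNs sent; the raw material for a suspend list."""
    return Counter(p.src for p in packets if "S" in p.flags and "A" not in p.flags).most_common(n)


def synthetic_window(attackers=400, syn_per_attacker=10, legit_clients=50):
    """Constructed one-second sample: attackers complete handshakes and go silent,
    legitimate clients complete the handshake and then send an HTTP request."""
    pkts = []
    for i in range(attackers):
        src = f"10.0.{i // 256}.{i % 256}"
        for _ in range(syn_per_attacker):
            pkts.append(Packet(src, "S", 0))
            pkts.append(Packet(src, "A", 0))  # third handshake packet, then nothing
    for j in range(legit_clients):
        src = f"192.0.2.{j}"
        pkts.extend([Packet(src, "S", 0), Packet(src, "A", 0), Packet(src, "PA", 300)])
    return pkts


if __name__ == "__main__":
    window = synthetic_window()
    print(summarize_window(window), "flood:", is_empty_connection_flood(window))
    print("top talkers:", top_talkers(window, 3))
```

The heuristic is rate-agnostic on purpose: 400 hosts at a modest per-host rate never trip a per-source limit, but the aggregate gap between opened and used connections is unmistakable, which is why the T-Proxy counts SYNs against data rather than SYNs alone.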

Attack Vector II: FIN-ACK Flood on TCP/80

Summary

Attackers used this vector on the first, second and third day of the attack campaign. Initially the attack was blocked using BDoS; ERT later applied out-of-state protection and a custom signature in order to mitigate slower floods that evaded BDoS.

Attack Measurements

Day 2: 6.85 Mbps, 14K PPS
Day 3: 3.33 Mbps, 7K PPS

Attack Description

In this attack vector, attackers sent multiple TCP FIN-ACK packets to the targeted server, aimed at exhausting the resources of stateful devices. Attack traffic was generated using multiple real hosts (not spoofed, as in most FIN-ACK floods). This attack vector should not be confused with the FIN-ACK packets sent to terminate the malicious HTTP transactions of the HTTP Flood attack vector (see the next chapter). The packet snapshot below shows one of these attackers.

Figure 7 - Packet snapshot

Attack Impact

Exhausting stateful resources (firewall, IPS, etc.). If the firewall is brought down, exhausting web server resources.

Attack Mitigation

Day 2 - BDoS

Once configured, BDoS quickly detected this attack and created a suitable real-time signature. The following figure shows BDoS mitigating this attack vector on Day 2, the first day DefensePro was in place (notice the 7 Mbps of dropped traffic):

Figure 8 - BDoS mitigating the attack vector

Day 3 - Out-of-State Protection and Custom Signature

On Day 3, attackers also targeted the web server with a slow-rate FIN-ACK flood that stayed below the level needed to trigger BDoS. ERT activated the out-of-state protection (which drops TCP segments that belong to no connection whose handshake was seen) in order to make sure future slow-rate out-of-state floods are instantly detected and mitigated, regardless of their rate. During the next 24 hours several low-rate out-of-state floods (apparently FIN-ACK as well) were successfully detected and mitigated by this mechanism. In addition, ERT applied a custom signature that suspends sources sending more than 20 FIN-ACK packets per second.
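The two protections just described, as an added example that is not DefensePro's implementation: a small connection table marks 4-tuples that completed a handshake, any FIN-ACK (or other non-SYN segment) for a flow that never did is dropped as out-of-state regardless of rate, and on top of that a source exceeding 20 FIN-ACKs in one second is suspended, matching the custom signature in the text. The packet records, the 60-second suspension period and the three sample sources are constructed for illustration.

```python
"""Out-of-state detection for FIN-ACK floods, with per-source suspension.

Added example; not DefensePro's implementation. A connection table records
which 4-tuples completed a handshake; a FIN-ACK for a flow that never did is
out-of-state and is dropped regardless of rate, which is what catches the slow
floods that stayed under BDoS's radar. A source sending more than 20 FIN-ACKs
in one second (the custom signature from the text) is suspended. Packets and
the 60 s suspension period are constructed/assumed.
"""
from collections import Counter, defaultdict, namedtuple

Packet = namedtuple("Packet", "ts src sport dst dport flags")


class OutOfStateMonitor:
    def __init__(self, finack_rate_limit=20, suspend_seconds=60):
        self.state = {}                              # 4-tuple -> "syn-seen" | "established"
        self.finack_per_sec = defaultdict(Counter)   # src -> {second: FIN-ACK count}
        self.suspended_until = {}                    # src -> timestamp
        self.rate_limit = finack_rate_limit
        self.suspend_seconds = suspend_seconds

    def is_suspended(self, src, ts):
        return self.suspended_until.get(src, 0) > ts

    def process(self, p):
        """Return the action taken for one inbound packet."""
        if self.is_suspended(p.src, p.ts):
            return "drop-suspended"
        key = (p.src, p.sport, p.dst, p.dport)
        if p.flags == "S":                           # new handshake attempt
            self.state[key] = "syn-seen"
            return "forward"
        if p.flags == "A" and self.state.get(key) == "syn-seen":
            self.state[key] = "established"          # third packet of the handshake
            return "forward"
        if "F" in p.flags:
            counts = self.finack_per_sec[p.src]
            counts[int(p.ts)] += 1
            if counts[int(p.ts)] > self.rate_limit:  # custom signature: suspend the source
                self.suspended_until[p.src] = p.ts + self.suspend_seconds
                return "drop-suspended"
            if self.state.get(key) != "established":
                return "drop-out-of-state"
            self.state.pop(key, None)                # legitimate teardown
            return "forward"
        return "forward" if self.state.get(key) == "established" else "drop-out-of-state"


def run_sample():
    """Replay a constructed mix: one real client, one slow attacker, one fast attacker."""
    mon = OutOfStateMonitor()
    actions = Counter()
    srv = "203.0.113.5"
    # Legitimate client: handshake, one request, FIN-ACK teardown.
    legit = [Packet(0.00, "192.0.2.10", 40001, srv, 80, "S"),
             Packet(0.01, "192.0.2.10", 40001, srv, 80, "A"),
             Packet(0.02, "192.0.2.10", 40001, srv, 80, "PA"),
             Packet(0.50, "192.0.2.10", 40001, srv, 80, "FA")]
    # Slow attacker: 5 FIN-ACKs per second with no handshake; under the rate limit, caught by state.
    slow = [Packet(i * 0.2, "198.51.100.7", 50000 + i, srv, 80, "FA") for i in range(10)]
    # Fast attacker: 40 FIN-ACKs inside one second; trips the 20/s signature and is suspended.
    fast = [Packet(1.0 + i * 0.02, "198.51.100.8", 60000 + i, srv, 80, "FA") for i in range(40)]
    for p in sorted(legit + slow + fast, key=lambda p: p.ts):
        actions[mon.process(p)] += 1
    return dict(actions), sorted(mon.suspended_until)


if __name__ == "__main__":
    print(run_sample())
```

The order of the two checks matters: the rate signature is evaluated first so a suspended source stops consuming table lookups, while the out-of-state check is what stops the slow attacker, whose 5 packets per second would never reach the 20/s threshold.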

Attack Vector III: HTTP Flood

Summary

Attackers used this attack vector on the fourth day of the attack campaign. The attack pattern perfectly mimicked legitimate requests while evading the Web Cookies protection. This vector was blocked using a combination of mitigation techniques (see details below).

Attack Peak Measurements

35 Mbps
Up to 30K concurrent connections
1,000 attackers
Up to 400 new connections per second

Figure 9

Attack Description

The attack started as a slow-rate HTTP GET flood, completely blocked using the DefensePro Web Cookies JavaScript challenge. Early in the afternoon, the attacker changed the pattern and increased the rate significantly. The new attack pattern evaded the Web Cookies mechanism and affected service almost immediately. Capture analysis reveals that the attacker used a highly sophisticated botnet, distributed among many countries (including Russia, Saudi Arabia, China, Brazil and Turkey).

Figure 10 - Capture analysis
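The 302 Redirect Web Cookies challenge referred to throughout this report, as an added example that is neither DefensePro's code nor its cookie format: the first request is answered with a redirect to the same URL plus a cookie whose value is an HMAC over the client IP and a time bucket, and only a client that stores the cookie and re-requests is served. The secret, cookie name, bucket size and the two simulated clients are assumptions made for illustration. It also shows why the challenge failed on Day 4: a bot driving a real browser keeps cookies exactly as a user's browser does.

```python
"""302-redirect cookie challenge, as an added example (not DefensePro's code).

A first request is bounced with a 302 to the same URL and a Set-Cookie whose
value is an HMAC over client IP and a time bucket; only a client that stores
the cookie and re-requests gets the resource. Secret, cookie name and bucket
size are assumptions for illustration.
"""
import hashlib
import hmac
import time

SECRET = b"rotate-me-per-deployment"   # assumption: a per-deployment secret
COOKIE = "chal"
BUCKET_SECONDS = 300


def challenge_token(client_ip, bucket):
    """Cookie value bound to the client IP and a coarse time bucket."""
    msg = f"{client_ip}|{bucket}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()[:32]


def challenge_handler(request, now=None):
    """request = {'ip': ..., 'path': ..., 'cookies': {...}}; returns (status, headers, body)."""
    now = time.time() if now is None else now
    bucket = int(now // BUCKET_SECONDS)
    presented = request.get("cookies", {}).get(COOKIE, "")
    # Accept the current or previous bucket so a client is not bounced at a boundary.
    for b in (bucket, bucket - 1):
        if presented and hmac.compare_digest(presented, challenge_token(request["ip"], b)):
            return 200, {}, f"<html>content of {request['path']}</html>"
    set_cookie = f"{COOKIE}={challenge_token(request['ip'], bucket)}; Path=/; HttpOnly"
    return 302, {"Location": request["path"], "Set-Cookie": set_cookie}, ""


def fetch(client_ip, path, follows_redirects_with_cookies, now=0.0):
    """Simulate one client. A raw flooding tool without a cookie jar never gets past
    the 302; a browser-driven bot stores the cookie and is served like a real user."""
    jar = {}
    status, headers, body = challenge_handler({"ip": client_ip, "path": path, "cookies": jar}, now)
    hops = 1
    while status == 302 and follows_redirects_with_cookies and hops < 3:
        name, _, rest = headers["Set-Cookie"].partition("=")
        jar[name] = rest.split(";", 1)[0]
        status, headers, body = challenge_handler(
            {"ip": client_ip, "path": headers["Location"], "cookies": jar}, now)
        hops += 1
    return status, hops


if __name__ == "__main__":
    print("raw tool:", fetch("198.51.100.9", "/", follows_redirects_with_cookies=False))
    print("browser bot:", fetch("192.0.2.4", "/", follows_redirects_with_cookies=True))
```

The JavaScript variant differs only in how the cookie is obtained (the client must execute a script that sets it), so it filters out tools that do not run JavaScript, but a bot that drives the infected host's own browser passes both, which is why ERT had to fall back to traffic characteristics and source reputation.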

Malicious traffic successfully mimicked legitimate user requests: attackers requested legitimate resources (the homepage, for example) and all of its referenced objects (images, scripts, etc.) in loops. Request loops repeated every 60 seconds, blending into the general legitimate traffic flow. For example, the following attacker requests the homepage and its references:

All HTTP header values varied between sources, suggesting that the requests were generated by the infected hosts' own web browsers rather than by a scripted client with a fixed header set.

Attack Impact

Exhausting web server resources.

Attack Mitigation

ERT used a combination of techniques to mitigate this attack vector once it was determined that the attackers were able to evade the JavaScript Web Cookies challenge.

Custom Signature

A number of custom signatures were applied to suspend sources based on characteristics of the malicious traffic, namely suspicious Accept-Language values (Chinese, Turkish, Arabic, etc.), suspicious User-Agents (curl, wget) and high-rate repetitive requests for the web server's static content library (/fileadmin).

Black List

Since large volumes of attack traffic originated in Saudi Arabia, ERT applied a black list rule which completely blocked that country from accessing the web server.

SYN Protection T-Proxy

Although malicious connections were suspended using custom signatures, the first few packets of every connection (the TCP handshake) were initially allowed through, forcing the environment to allocate resources for them. By activating the T-Proxy in "always-on" mode, ERT guaranteed that malicious connections were not forwarded to the customer environment at all: the proxy completes the handshake on the server's behalf, and a connection is opened to the real server only once the client has proven it is not a handshake-only source.
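The Custom Signature and Black List rules above, replayed over access-log lines as an added example (not Radware signatures): each source is flagged for a suspicious Accept-Language, a raw-tool User-Agent, more than a threshold of requests to /fileadmin, or a blocked source country. The log format (combined log with an appended Accept-Language field), the sample lines, the GeoIP stub and the 30-request threshold are all constructed for illustration.

```python
"""Source-suspension rules for the Day-4 HTTP flood, as an added example.

Not Radware signatures. It replays the three characteristics the text lists
(suspicious Accept-Language, raw-tool User-Agents, high-rate repetitive
requests for /fileadmin) plus a country block list over constructed
access-log lines. The GeoIP lookup is a stub dict; thresholds are assumptions.
"""
import re
from collections import defaultdict

# Combined log format with an extra quoted Accept-Language field appended (constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<lang>[^"]*)"$')

SUSPICIOUS_LANGS = ("zh", "tr", "ar")   # primary language tags named in the text
TOOL_UAS = ("curl", "wget")
STATIC_PREFIX = "/fileadmin"
STATIC_RATE_LIMIT = 30                  # assumed: requests per window per source
BLOCKED_COUNTRIES = {"SA"}
GEOIP = {"198.51.100.": "SA", "203.0.113.": "DE", "192.0.2.": "FR"}  # constructed stub


def geoip(ip):
    """Stub country lookup by prefix; a real deployment uses a GeoIP database."""
    for prefix, cc in GEOIP.items():
        if ip.startswith(prefix):
            return cc
    return "??"


def parse(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(lines):
    """Return {ip: [reasons]} for sources that should be suspended or blocked."""
    reasons = defaultdict(set)
    static_hits = defaultdict(int)
    for line in lines:
        r = parse(line)
        if not r:
            continue
        ip = r["ip"]
        if geoip(ip) in BLOCKED_COUNTRIES:
            reasons[ip].add("blacklisted-country")
        primary_lang = r["lang"].split(",")[0].split("-")[0].lower()
        if primary_lang in SUSPICIOUS_LANGS:
            reasons[ip].add("suspicious-accept-language")
        if any(t in r["ua"].lower() for t in TOOL_UAS):
            reasons[ip].add("tool-user-agent")
        if r["path"].startswith(STATIC_PREFIX):
            static_hits[ip] += 1
            if static_hits[ip] > STATIC_RATE_LIMIT:
                reasons[ip].add("static-content-rate")
    return {ip: sorted(v) for ip, v in reasons.items()}


def sample_log():
    """Constructed log window: one legitimate user, one raw tool, one blocked-country
    source and one browser-driven bot looping over the static content library."""
    ts = "12/Apr/2012:14:03:21 +0200"
    browser = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19"

    def line(ip, path, ua, lang):
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}" "{lang}"'

    lines = [line("192.0.2.20", "/", browser, "fr-FR,fr;q=0.8")]
    lines += [line("203.0.113.40", "/", "curl/7.21.0", "de")]
    lines += [line("198.51.100.15", "/", browser, "ar-SA,ar;q=0.9")]
    lines += [line("203.0.113.77", f"/fileadmin/img/{i}.png", browser, "tr-TR") for i in range(40)]
    return lines


if __name__ == "__main__":
    for ip, why in classify(sample_log()).items():
        print(ip, why)
```

Language and country rules carry obvious collateral damage (every genuine visitor with an Arabic browser locale or a Saudi address is dropped), which is why the report presents them as an emergency combination applied only after the challenge had been evaded; the static-content rate rule is the one that keys on the attack's actual behaviour.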

Attack Motivation

ERT increased its level of awareness in this country in the week preceding the attack, following a threat released by Anonymous as part of an announced operation. This operation included rallies and marches, in addition to threats of attacking ISP and government websites, all in protest at laws aimed at increasing government supervision of internet traffic. In spite of the above, no direct link was found between this operation and the attack campaign against the customer, aside from the date. Several characteristics of this campaign distinguish it from other Anonymous attacks on government agencies around the world:

- To the best of our knowledge, the existence of the attack was not mentioned in the national or international media. Anonymous did not take credit for it in any of its public relations channels (Facebook, Twitter and the like).
- Websites attacked by Anonymous usually have a direct relation to the published motivation for the attack. The relation between this customer and the privacy laws is tenuous at best.
- No usage of "Anonymous attack tools" (LOIC, RefRef, Slowloris and the like) was identified throughout the attack. All other large Anonymous attack campaigns on record included at least minimal usage of these tools.
- The third attack vector was highly sophisticated: the attacker was able to harness a large botnet distributed among many countries, and to react to the mitigation techniques applied by the ERT. This demonstrates skills usually attributed to professional attackers, not hacktivists.

The combination of the above characteristics leads ERT to believe that the motivation for this attack campaign was not hacktivism, but some other, undetermined one.