DoS Cyber Attack on a Government Agency in Europe - April 2012
Constantly Changing Attack Vectors
Table of Contents

Preamble
  About Radware's DefensePro
  About Radware's Emergency Response Team (ERT)
Summary
  Executive Summary
  Timeline of Events
Chronological Description
  Day 2
  Day 3
  Day 4
Attack Vector Details
  Attack Vector I: Empty Connection Flood on TCP/80
  Attack Vector II: FIN-ACK Flood on TCP/80
  Attack Vector III: HTTP Flood
Attack Motivation
Preamble

This attack case summary describes one of the real-life attacks experienced by a Radware customer and successfully mitigated thanks to Radware's DefensePro product and the expertise of Radware's Emergency Response Team (ERT). The customer's name is undisclosed for privacy purposes; it is referred to as "the customer" throughout this report.

About Radware's DefensePro

Radware's award-winning DefensePro is a real-time network attack prevention device that protects the application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other emerging network attacks. It combines a set of security modules which together provide a complete attack mitigation solution: Intrusion Prevention System (IPS), Network Behavioral Analysis (NBA), Denial-of-Service (DoS) Protection and Reputation Engine. The vast majority of attacks are successfully mitigated and stopped by DefensePro alone.

About Radware's Emergency Response Team (ERT)

Radware's Emergency Response Team (ERT) is a service, complementary to Radware's DefensePro, designed to provide 24x7 security services for customers facing a denial-of-service (DoS) attack or a malware outbreak. Often, these attacks require immediate assistance. The ERT provides instantaneous, expert security assistance in order to restore network and service operational status. The ERT is staffed by experts with vast knowledge and experience of network threats, their detection and mitigation, and in-depth experience with the DefensePro family of products. In addition, the ERT takes information from each customer engagement and simulates the same scenario internally for further analysis and proactive implementation of defense techniques for other customers facing a similar security threat.

Summary

Executive Summary

The customer was targeted with a DDoS campaign that lasted five consecutive days.
In the days preceding the attack, Anonymous published threats of attacks against European ISPs and government websites. ERT assisted one of the largest European ISPs in preparing for this attack. Nevertheless, no direct threat to the customer's website was made, and this attack was not credited to Anonymous (in fact, it was not published in the media at all). This attack had several unique characteristics, all of which may point to a different motivation (see Attack Motivation below).

Attack Vectors

There were three confirmed attack vectors in this attack campaign:
Attack Vector I: Empty Connection Flood on TCP/80
Attack Vector II: FIN-ACK Flood on TCP/80
Attack Vector III: HTTP Flood

Day-by-Day Summary

Day 1
The customer comes under attack. Initially, the ISP partially revives service by blocking international access to the web server using ACLs on the router.

Day 2
A DefensePro unit is installed at the customer's ISP premises by Radware's integrator as a "PoC under attack"; the ACL rule on the ISP router is removed. By the time ERT is initiated, two attack vectors are running simultaneously: Empty Connection Flood on TCP/80 (Attack Vector I) and FIN-ACK Flood on TCP/80 (Attack Vector II). ERT is initiated around noon, the DefensePro configuration is tuned, and the Empty Connection and FIN-ACK floods are mitigated. Service is revived for the next 24 hours.

Day 3
By changing the FIN-ACK attack vector, the attackers are able to evade the applied protection and affect service. ERT is initiated and introduces aggressive protections which completely block the attack and revive service.

Day 4
The attack vector changes: a slow-rate HTTP Flood begins. This flood is able to evade the applied 302 Redirect Web Cookies; therefore, ERT activates JavaScript Web Cookies. Two hours later, the attack intensifies, evades the JavaScript Web Cookies challenge and immediately affects service. Over the next couple of hours, ERT uses a combination of mitigation techniques to block this sophisticated attack vector.

Day 5
Over the next 24 hours the attack continues, but it is successfully blocked by DefensePro and no service interruption is reported.
Timeline of Events

Day 1 - The customer website is targeted with a DDoS attack and service is affected. The ISP blocks international access to the web server using an ACL on the router; service is revived.
Day 2 - A DefensePro unit is installed on-site. ERT is initiated, the initial configuration is refined and tuned, the attack is mitigated and service is revived.
Day 3 - The web server is under attack; the attack evades existing protections. ERT is initiated, aggressive protections are configured, and service is revived.
Day 4 - The attack starts; the vector changes and evades current protections. New protections are set (JavaScript Challenge) and service is revived. The attack evades the challenge and service is affected. ERT is initiated again. Service is revived using a combination of mitigation techniques.
Day 5 - The attack continues and is mitigated by DefensePro without ERT involvement.
Chronological Description

Day 2

At the time ERT is first initiated, two attack vectors are running simultaneously:
Attack Vector I: Empty Connection Flood on TCP/80
Attack Vector II: FIN-ACK Flood on TCP/80

The attack amounts to a combined rate of 11.9 Mbps / 19K PPS; up to 20K concurrent connections are opened on the server, making the service unavailable for most clients. Figure 1 shows the distribution between the different attack vectors in this attack stage (number of packets sent over the course of one second).

Figure 1 - Distribution between different attack vectors (legend: FIN-ACK, SYN, ACK, HTTP Data)

Some attackers used only one of the attack vectors, while others combined both into an "Empty Connection FIN-ACK Flood", shown in Figure 2 below.

Figure 2 - Empty Connection FIN-ACK Flood

The motivation for this combination is unclear, since the attacker immediately clears the allocated server resources. This was mitigated using the applied Web Cookies 302 Redirect Challenge.
Day 3

Late in the evening, some attack packets are able to evade the BDoS mechanism and affect service. On this day the attack consisted mainly of one attack vector, amounting to up to 4 Mbps:
Attack Vector II: FIN-ACK Flood on TCP/80

Half an hour later, ERT is initiated and revives service by applying aggressive protections (out-of-state protection and custom signatures with a suspend action).

Day 4

A new attack vector begins in the morning:
Attack Vector III: HTTP Flood

This relatively slow-rate attack (a few requests per second) is quickly mitigated using the JavaScript Web Cookies Challenge. Later on, the attack intensifies, evades the Web Cookies and instantly affects service (reaching 6000 concurrent connections, 30 Mbps). Note the increase in inbound traffic in the figure below:

Figure 3 - Increased inbound traffic

Over the next couple of hours, ERT applied several attack mitigation techniques (including custom signatures and black listing). Complete service availability is achieved only a few hours later.
Attack Vector Details

Attack Vector I: Empty Connection Flood on TCP/80

Summary
An Empty Connection flood was observed on the first day of the attack campaign. Roughly 400 attacking hosts were identified, and the attack was completely mitigated using SYN protection.

Attack Measurements
2.5 Mbps, 5K PPS

Attack Description
In empty connection floods, attackers use real hosts to send multiple TCP SYN requests to the target machine. Once the target responds and accepts the connections (SYN-ACK packets), the attackers complete the TCP handshake (ACK) and establish the connections. The target machine now waits for data packets, but these never arrive, hence the name "empty connection flood". By repeating this technique, attackers are able to exhaust the target's resources.

It is plausible that empty connection floods existed only in advanced phases of the HTTP attacks, when the web server's application resources were saturated. Since the web server could not accept new application requests, the attackers were not able to progress to the next stage of the attack.

Figure 4 shows an example packet snapshot; note how each attacker SYN request is followed by an ACK packet.

Figure 4 - Packet snapshot

Attack Impact
Exhausting the resources of the web server.

Attack Detection and Mitigation

SYN Protection T-Proxy
DefensePro SYN Protection was able to mitigate this attack using the transparent proxy module. This module monitors the increment between the number of SYN packets and the number of data packets sent to the protected server. Since this value breached 2500 packets (the default), the mechanism triggered.

Figure 5 shows a graph of the number of SYN, ACK and data packets over the course of one second. Notice that the number of SYN packets is almost identical to the number of ACK packets, while the number of data packets is extremely low.

Figure 5 - Number of SYN, ACK and data packets over the course of one second (legend: SYN, ACK, Data)

Once the SYN protection mechanism was triggered, the attack was quickly mitigated. The figure below shows 2.5 Mbps of attack traffic dropped by DefensePro.

Figure 6 - 2.5 Mbps of attack traffic dropped by DefensePro
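The SYN-versus-data check described above, re-created offline as an added example (this is not Radware's or DefensePro's code). It assumes packets have already been reduced to (timestamp, source IP, TCP flags, payload length) tuples and reuses the 2500-packet default threshold quoted above; the addresses in the sample are constructed.

```python
from collections import Counter, defaultdict

SYN, ACK = 0x02, 0x10
TRIGGER_THRESHOLD = 2500  # default SYN-minus-data increment quoted above

def window_counts(packets, window=1.0):
    """Per window of `window` seconds, count SYN, bare ACK and data packets sent to the server."""
    counts = defaultdict(Counter)
    for ts, _src, flags, payload_len in packets:
        slot = int(ts // window)
        if flags & SYN and not flags & ACK:
            counts[slot]["syn"] += 1
        elif payload_len > 0:
            counts[slot]["data"] += 1
        elif flags & ACK:
            counts[slot]["ack"] += 1
    return counts

def triggered_windows(packets, threshold=TRIGGER_THRESHOLD):
    """Windows in which SYNs exceed data packets by more than `threshold` (where protection would trigger)."""
    return sorted(slot for slot, c in window_counts(packets).items()
                  if c["syn"] - c["data"] > threshold)

def empty_connection_sources(packets):
    """Sources that completed the handshake (sent a bare ACK) but never sent a data packet."""
    acked, sent_data = set(), set()
    for _ts, src, flags, payload_len in packets:
        if payload_len > 0:
            sent_data.add(src)
        elif flags & ACK and not flags & SYN:
            acked.add(src)
    return acked - sent_data

def constructed_capture():
    """Constructed one-second sample: 400 bots each open 7 empty connections,
    50 normal clients each open one connection and send a request."""
    pkts, t = [], 0.0
    def emit(src, flags, length):
        nonlocal t
        t += 0.0001  # all packets fall inside the first one-second window
        pkts.append((t, src, flags, length))
    for i in range(400):
        bot = f"10.{i // 256}.{i % 256}.1"  # hypothetical bot address
        for _ in range(7):
            emit(bot, SYN, 0)
            emit(bot, ACK, 0)
    for j in range(50):
        client = f"192.0.2.{j}"  # hypothetical normal client
        emit(client, SYN, 0)
        emit(client, ACK, 0)
        emit(client, ACK | 0x08, 300)  # PSH/ACK carrying 300 bytes of request
    return pkts
```

On the constructed sample the SYN count (2850) exceeds the data count (50) by 2800, so the first window triggers and all 400 bot addresses are reported.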
Attack Vector II: FIN-ACK Flood on TCP/80

Summary
Attackers used this vector on the first, second and third days of the attack campaign. Initially the attack was blocked using BDoS; ERT later applied out-of-state protection and a custom signature in order to mitigate slower floods that evaded BDoS.

Attack Measurements
Day 2: 6.85 Mbps, 14K PPS
Day 3: 3.33 Mbps, 7K PPS

Attack Description
In this attack vector, attackers sent multiple TCP FIN-ACK packets to the targeted server, aiming to exhaust the resources of stateful devices. The attack traffic was generated using multiple real hosts (not spoofed, as in most FIN-ACK floods). This attack vector should not be confused with the FIN-ACK packets sent as terminators of malicious HTTP transactions in the HTTP Flood attack vector (see the next chapter). The packet snapshot below shows one of these attackers.

Figure 7 - Packet snapshot

Attack Impact
Exhausting the resources of stateful devices such as firewalls, IPS, etc. If the firewall fails, exhausting the web server's resources.

Attack Mitigation

Day 2 - BDoS
Once configured, BDoS quickly detected this attack and created a suitable real-time signature. The following figure shows BDoS mitigating this attack vector on the first day of the attack (notice the 7 Mbps of dropped traffic):

Figure 8 - BDoS mitigating the attack vector
Day 3 - Out-of-State and Custom Signature
On the second day of the attack campaign, the attackers also targeted the web server with a slow-rate FIN-ACK flood triggering BDoS. ERT activated the out-of-state protection in order to make sure that future slow-rate out-of-state floods are instantly detected and mitigated. During the next 24 hours, several low-rate out-of-state floods (apparently FIN-ACK as well) were successfully detected and mitigated by this mechanism. In addition, ERT applied a custom signature that suspends sources sending more than 20 FIN-ACK packets per second.
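The two protections just described, out-of-state detection and the 20 FIN-ACKs-per-second suspend signature, as an added offline example (not DefensePro's implementation). It assumes packets are (timestamp, source IP, source port, TCP flags) tuples and tracks connections by (source, port) only; the sample traffic and addresses are constructed.

```python
FIN, SYN, ACK = 0x01, 0x02, 0x10
SUSPEND_LIMIT = 20  # FIN-ACK packets per source per second, the threshold quoted above

def is_fin_ack(flags):
    """True for a FIN-ACK (FIN and ACK set, SYN clear)."""
    return bool(flags & FIN and flags & ACK and not flags & SYN)

def out_of_state_fin_acks(packets):
    """FIN-ACKs arriving for (source, port) pairs that never opened a connection with a SYN."""
    opened, stray = set(), []
    for ts, src, sport, flags in packets:
        if flags & SYN and not flags & ACK:
            opened.add((src, sport))
        elif is_fin_ack(flags) and (src, sport) not in opened:
            stray.append((ts, src, sport))
    return stray

def sources_to_suspend(packets, limit=SUSPEND_LIMIT):
    """Sources sending more than `limit` FIN-ACKs within any one-second window (the custom signature)."""
    per_second = {}
    for ts, src, _sport, flags in packets:
        if is_fin_ack(flags):
            key = (src, int(ts))
            per_second[key] = per_second.get(key, 0) + 1
    return {src for (src, _sec), n in per_second.items() if n > limit}

def constructed_capture():
    """Constructed sample: one normal client opens and closes 5 connections properly;
    two hypothetical bots spray FIN-ACKs with no prior handshake at 30/s and 15/s."""
    pkts = []
    for port in range(40000, 40005):
        pkts.append((0.1, "192.0.2.10", port, SYN))
        pkts.append((0.2, "192.0.2.10", port, ACK))
        pkts.append((0.9, "192.0.2.10", port, FIN | ACK))
    for k in range(30):
        pkts.append((0.5 + k / 100, "198.51.100.20", 50000 + k, FIN | ACK))
    for k in range(15):
        pkts.append((0.5 + k / 100, "198.51.100.21", 51000 + k, FIN | ACK))
    return pkts
```

The slower bot (15/s) stays under the rate signature but is still caught by the out-of-state check, which is why the page applies both.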
Attack Vector III: HTTP Flood

Summary
Attackers used this attack vector on the fourth day of the attack campaign. The attack pattern perfectly mimicked legitimate requests while evading the Web Cookies protection. This vector was blocked using a combination of mitigation techniques (see details below).

Attack Peak Measurements
35 Mbps
Up to 30K concurrent connections
1000 attackers
Up to 400 new connections per second

Figure 9

Attack Description
The attack started as a slow-rate HTTP GET flood, completely blocked using the DefensePro Web Cookies JavaScript challenge. Early in the afternoon, the attacker changed the pattern and increased the rate significantly. The new attack pattern evaded the Web Cookies mechanism and affected service almost immediately. Capture analysis reveals that the attacker used a highly sophisticated bot network, distributed among many countries (including Russia, Saudi Arabia, China, Brazil and Turkey).

Figure 10 - Capture analysis
Malicious traffic successfully mimicked legitimate user requests: attackers requested legitimate resources (the homepage, for example) and all of its necessary references (images, scripts, etc.) in loops. The request loops repeated themselves every 60 seconds, blending into the general legitimate traffic flow. For example, the following attacker requests the homepage and its references:

All HTTP header values changed between sources, suggesting that the requests were generated using the infected hosts' web browsers.

Attack Impact
Exhausting the web server's resources.

Attack Mitigation
ERT used a combination of techniques to mitigate this attack vector once it was determined that the attackers were able to evade the JavaScript Web Cookies challenge.

Custom Signature
A number of custom signatures were applied to suspend sources based on malicious traffic characteristics, namely suspicious Accept-Language values (Chinese, Turkish, Arabic, etc.), suspicious User-Agents (curl, wget) and high-rate repetitive requests for the web server's static content library (/fileadmin).

Black List
Since large volumes of attack traffic originated in Saudi Arabia, ERT applied a black list rule which completely blocked this country from accessing the web server.

SYN Protection T-Proxy
Although malicious connections were suspended using custom signatures, the first couple of packets of every connection (the TCP handshake) were initially allowed through, forcing the environment to allocate resources for them. By activating the T-Proxy in "always-on" mode, ERT guaranteed that malicious connections were not forwarded to the customer environment at all.
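Detection logic for the traffic characteristics described in this chapter (60-second request loops, tool User-Agents, high-rate /fileadmin requests), added here as an example and not taken from the ERT's signatures. It assumes a hypothetical access-log format that appends the Accept-Language header after the User-Agent; the log lines and addresses are constructed.

```python
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\w+) (\S+) [^"]*" \d+ \d+ "([^"]*)" "([^"]*)"$')

def parse_line(line):
    """Return (timestamp, source, path, user_agent, accept_language), or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, _method, path, ua, lang = m.groups()
    return (datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), src, path, ua, lang)

def periodic_sources(records, path="/", period=60, tolerance=2, min_repeats=3):
    """Sources re-requesting `path` at a near-constant interval (the 60-second loops seen in the attack)."""
    times = {}
    for ts, src, p, _ua, _lang in records:
        if p == path:
            times.setdefault(src, []).append(ts)
    hits = set()
    for src, stamps in times.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(gaps) >= min_repeats and all(abs(g - period) <= tolerance for g in gaps):
            hits.add(src)
    return hits

def signature_hits(records, bad_agents=("curl", "wget"), static_prefix="/fileadmin", static_limit=20):
    """Sources matching the custom-signature criteria: tool User-Agents or >static_limit static requests per minute."""
    per_minute, hits = {}, set()
    for ts, src, path, ua, _lang in records:
        if any(agent in ua.lower() for agent in bad_agents):
            hits.add(src)
        if path.startswith(static_prefix):
            key = (src, ts.replace(second=0))
            per_minute[key] = per_minute.get(key, 0) + 1
    hits.update(src for (src, _minute), n in per_minute.items() if n > static_limit)
    return hits

def constructed_log():
    """Constructed sample: one bot loops the homepage plus 25 /fileadmin references every 60 s,
    a second bot uses curl, and 192.0.2.5 is a normal visitor."""
    base = datetime.strptime("18/Apr/2012:10:00:00 +0000", "%d/%b/%Y:%H:%M:%S %z")
    def line(src, offset, path, ua="Mozilla/5.0", lang="en-US"):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{src} - - [{ts}] "GET {path} HTTP/1.1" 200 512 "{ua}" "{lang}"'
    lines = []
    for loop in range(4):
        lines.append(line("198.51.100.7", 60 * loop, "/", lang="tr-TR"))
        lines += [line("198.51.100.7", 60 * loop + 1, f"/fileadmin/img/{i}.png", lang="tr-TR") for i in range(25)]
    lines.append(line("198.51.100.9", 5, "/", ua="curl/7.21.0"))
    lines += [line("192.0.2.5", t, "/") for t in (3, 47, 130)]
    return lines
```

Matching on a fixed period alone would also flag auto-refreshing dashboards, which is why the page combines this with header-based signatures and the T-Proxy rather than relying on a single criterion.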
Attack Motivation

ERT increased its level of awareness in this country in the week preceding the attack, following a threat released by Anonymous as part of an announced operation. This operation included rallies and marches, in addition to threats of attacking ISP and government websites, all in protest of laws aimed at increasing government supervision of internet traffic. In spite of the above, no direct link was found between this operation and the attack campaign against the customer, aside from the date.

Several characteristics of this campaign distinguish it from other Anonymous attacks on government agencies around the world:

To the best of our knowledge, the attack's existence was not mentioned in the national or international media. Anonymous did not take credit for it in any of its public relations channels (Facebook, Twitter and such).

Websites attacked by Anonymous usually have a direct relation to the attack's published motivation. The relation between this customer and the privacy laws is tenuous at best.

No usage of "Anonymous attack tools" was identified throughout the attack (LOIC, RefRef, Slowloris and such). All other large Anonymous attack campaigns on record included at least minimal usage of these tools.

The third attack vector was highly sophisticated: the attacker was able to harness a large bot network, distributed among many countries, and react to the mitigation techniques applied by the ERT. This demonstrates skills usually attributed to professional hackers, not hacktivists.

The combination of the above characteristics leads ERT to believe that the motivation for this attack campaign was not hacktivism, but rather some other, unclear one.