
Page 1: DoS Cyber Attack on an European organization March 2012 An ... · fragmented flood, HTTP fingerprinting and UDP flood. Day 3: More attacks are launched. The attacks start with a massive


DoS Cyber Attack on a European organization – March 2012

An exotic attack: HTTP fingerprinting


Table of Contents

Preamble (p. 3)
  About Radware's DefensePro (p. 3)
  About Radware's Emergency Response Team (ERT) (p. 3)
Summary (p. 3)
  Executive Summary (p. 3)
  Timeline (p. 5)
Attack Details (p. 6)
  Attack Vector I: PSH+ACK Garbage Flood port 80 (p. 6)
  Attack Vector II: SYN Flood to port 80 (p. 7)
  Attack Vector III: IP fragment flood to port 80 (p. 9)
  Attack Vector IV: HTTP fingerprinting (p. 11)
  Attack Vector V: UDP Flood to Random Ports (p. 12)
Chronological Description (p. 14)
  Day 1 (p. 14)
  Day 2 (p. 14)
  Day 3 (p. 14)
  Next few days (p. 14)


Preamble

This attack case summary describes one of the real-life attacks experienced by a Radware customer and successfully mitigated thanks to Radware's DefensePro product and Radware's ERT expertise. The customer's name is undisclosed for privacy purposes; the customer is referred to as "customer" in this report.

About Radware's DefensePro

Radware's award-winning DefensePro is a real-time network attack prevention device that protects the application infrastructure against network and application downtime, application vulnerability exploitation, malware spread, network anomalies, information theft and other emerging network attacks. It combines a set of security modules which together provide a complete attack mitigation solution: Intrusion Prevention System (IPS), Network Behavioral Analysis (NBA), Denial-of-Service (DoS) Protection and Reputation Engine. The vast majority of attacks are successfully mitigated and stopped by DefensePro alone.

About Radware's Emergency Response Team (ERT)

Radware's Emergency Response Team (ERT) is a service, complementary to Radware's DefensePro, designed to provide 24x7 security services for customers facing a denial-of-service (DoS) attack or a malware outbreak. These attacks often require immediate assistance. The ERT provides immediate, expert security assistance in order to restore network and service operational status. The ERT is staffed by experts with vast knowledge and experience of network threats, their detection and mitigation, and in-depth experience with the DefensePro family of products. In addition, the ERT takes information from each customer engagement and simulates the same scenario internally for further analysis and proactive implementation of defense techniques for other customers facing a similar security threat.

Summary

Executive Summary

Background

The customer is a religious entity which was targeted by a hacktivist group for its "doctrine" and "concepts". According to some sources, the attack also appears to have been triggered by a security firm's report describing its ability to protect the customer from DDoS attacks.

The attack campaign lasted three days and comprised five attack vectors; one of them was particularly exotic, using an HTTP fingerprinting attack vector.

Day 1:

The victim comes under attack in the late afternoon hours and suffers an outage of several hours. During the attack, the Radware local team is invoked and places the DefensePro product inline, then contacts Radware's Emergency Response Team (ERT), which starts configuring the device.

Day 2:

ERT continues to configure the device before the next attack strike. When the attack starts again, the ERT monitors the attacks and conducts some fine tuning. This attack comprises five different attack vectors, which is above average: PSH+ACK garbage flood, SYN flood, IP fragment flood, HTTP fingerprinting and UDP flood.

Day 3:

More attacks are launched. The attacks start with a massive IP fragment flood together with a PSH+ACK flood. The attacks peak at 700Mbps.

ERT is invoked again due to an impact on the Juniper router resulting in an outage. To resolve this issue, ERT provides Juniper with a blacklist that is used in the router's ACLs. In addition, the customer improves the router configuration, which keeps the site up and running for the rest of the day. The customer is now protected both by the DefensePro, which is successfully mitigating the attacks, and by a correctly configured router.

Attacks continue throughout the next few days but are successfully and automatically blocked by DefensePro without requiring further assistance from the ERT.


Timeline

Day 1: Customer website is taken down by Anonymous. Later, Radware is invoked and ERT receives a heads-up. DefensePro is deployed and ERT starts building the configuration.

Day 2: ERT continues refining the configuration, moving the device to an aggressive configuration. Attacks begin and are mitigated by DefensePro. ERT monitors and conducts minor fine tuning. Attacks end.

Day 3: Attacks start again. ERT is initiated due to an outage. ERT concludes that the Juniper router (not protected by DefensePro) is the cause and provides a blacklist to be used in the router's ACL. The customer employs the blacklist and Juniper improves the router's configuration. This resolves the issue and the site is up. Attacks continue but are mitigated, and there is no need for further ERT support.


Attack Details

Attack Vector I: PSH+ACK Garbage Flood port 80

Summary

This attack vector was used throughout the attack.

Attack Description

The flood was composed of TCP PSH+ACK packets containing garbage data (as seen below). They were not initiated with a proper TCP handshake. The garbage data was exactly the same in all packets.

Figure 1 shows the attacking packet (PSH+ACK garbage flood).

Figure 1 - Attacking packets

Attack Vector Motivation

Bandwidth saturation of the pipe which could also cause IPS devices to crash.

Attack Mitigation

SYN protection with Out of State (OOS) protection

The attack was mitigated by SYN Protection, which also enforces OOS protection: a PSH+ACK segment that belongs to no flow with a completed handshake is out of state and is dropped.


Attack Vector II: SYN Flood to port 80.

Summary

SYN floods occurred on day 1 and day 2 of the campaign. The SYN flood did not use spoofed SRC IPs. This attack vector was easily identifiable and immediately mitigated; there were roughly 460 attackers.

Attack Description

Here is a snapshot of the attacking packets; notice the SRC IPs and the time on the left (SYN flood).

Figure 2 – Attacking packets

Motivation for SYN Flood

Exhausting resources of Firewall/IPS/etc

Exhausting resources of the web server

Attack Mitigation

BDOS:

BDOS mitigated this attack with the footprint you see below.

Below is a snapshot from the BDOS ongoing attack on Day 2 of the attack (SYN flood).

Figure 3 - BDOS ongoing attack
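The two conditions described for Attack Vectors I and II, PSH+ACK segments that were never preceded by a handshake (out of state) and SYNs from sources that never complete the handshake, can both be recognized by a small stateful tracker. The Python below is an added example and is not DefensePro or BDOS logic from the report: it follows each client-to-server 4-tuple through the three-way handshake, flags PSH+ACK segments on flows that never reached the established state, and counts half-open SYNs per source. The addresses, ports, sample traffic and the thresholds in `suspicious_sources` are constructed assumptions.

```python
from collections import defaultdict
from dataclasses import dataclass

SYN, PSH, ACK = 0x02, 0x08, 0x10   # TCP flag bits


@dataclass(frozen=True)
class Packet:
    """Minimal TCP segment view: 4-tuple plus flag bits (constructed for this example)."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: int


class FlowTracker:
    """Tracks three-way-handshake state per client->server 4-tuple."""

    def __init__(self):
        self.state = {}                      # 4-tuple -> handshake state
        self.oos_psh_ack = defaultdict(int)  # PSH+ACK with no completed handshake, per source
        self.half_open = defaultdict(int)    # SYNs still awaiting the completing ACK, per source

    def observe(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)   # flow key as a client would send it
        rev = (p.dst, p.dport, p.src, p.sport)   # flow key a server reply belongs to
        if p.flags & SYN and not p.flags & ACK:
            self.state[fwd] = "syn_sent"
            self.half_open[p.src] += 1
            return "syn"
        if p.flags & SYN and p.flags & ACK:
            if self.state.get(rev) == "syn_sent":
                self.state[rev] = "syn_received"
                return "syn_ack"
            return "oos_syn_ack"
        if p.flags & PSH:
            if self.state.get(fwd) == "established":
                return "data"
            self.oos_psh_ack[p.src] += 1     # data on a flow that never completed a handshake
            return "oos_psh_ack"
        if p.flags & ACK:
            if self.state.get(fwd) == "syn_received":
                self.state[fwd] = "established"
                self.half_open[p.src] -= 1
                return "established"
            return "ack" if self.state.get(fwd) == "established" else "oos_ack"
        return "other"


def run(packets):
    """Feed packets through a fresh tracker; returns the tracker and one verdict per packet."""
    tracker = FlowTracker()
    return tracker, [tracker.observe(p) for p in packets]


def suspicious_sources(tracker, oos_limit=2, half_open_limit=3):
    """Sources exceeding the (assumed) out-of-state PSH+ACK or half-open SYN limits."""
    bad = {src for src, n in tracker.oos_psh_ack.items() if n > oos_limit}
    bad |= {src for src, n in tracker.half_open.items() if n > half_open_limit}
    return bad


# Constructed traffic (not from the report): one legitimate connection, one source
# sending PSH+ACK without any handshake, one source sending bare SYNs only.
WEB = "192.0.2.10"
SAMPLE = [
    Packet("10.0.0.5", 40001, WEB, 80, SYN),
    Packet(WEB, 80, "10.0.0.5", 40001, SYN | ACK),
    Packet("10.0.0.5", 40001, WEB, 80, ACK),
    Packet("10.0.0.5", 40001, WEB, 80, PSH | ACK),
]
SAMPLE += [Packet("203.0.113.7", 1000 + i, WEB, 80, PSH | ACK) for i in range(3)]
SAMPLE += [Packet("198.51.100.9", 2000 + i, WEB, 80, SYN) for i in range(4)]

if __name__ == "__main__":
    tracker, verdicts = run(SAMPLE)
    print(verdicts)
    print("suspicious:", sorted(suspicious_sources(tracker)))
```

The tracker is deliberately one-directional (client to server) so that it stays readable; a production implementation would also age out entries, since otherwise the half-open table itself becomes the resource a SYN flood exhausts.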


Attack Vector III: IP fragment flood to port 80.

Attack Description

This flood was used on all days of the attack campaign. The fragmented packets all had the following in common:

TCP protocol
Fragment offset = 512
TTL = 244
Same SRC IP (unusual for this attack)

Figure 4 shows the attacking packets (IP fragment flood).

Figure 4 – Attacking packets

Motivation for this attack:

Saturate bandwidth.

Attempt to bypass other protection mechanisms by fragmenting TCP packets.

Possibly impact other server resources such as CPU and memory.


Attack Mitigation

BDOS:

The “TCP fragmentation” module (part of BDOS) mitigated this attack.

Figure 5 - discards on day 3 (IP fragment flood + PSH ACK flood).

Figure 6 shows the discards on day 3; notice that the attack continues until late in the afternoon (IP fragment flood + PSH ACK flood).

Figure 6 – Discards on day 3
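The fragment footprint listed above (TCP, fragment offset 512, TTL 244, a single source) is visible directly in the IPv4 header. The Python below is an added example, not the BDOS "TCP fragmentation" module: it parses raw IPv4 headers, extracts the 13-bit fragment offset (in 8-byte units, so an offset of 512 points 4096 bytes into the datagram) and the TTL, groups non-initial fragments by a (source, protocol, offset, TTL) footprint, and reports orphan fragments whose datagram never had an offset-0 fragment. The sample headers are constructed here with a zero checksum; the addresses and IP IDs are assumptions.

```python
import struct
from collections import defaultdict

IPV4 = struct.Struct("!BBHHHBBH4s4s")   # fixed 20-byte IPv4 header without options
PROTO_TCP = 6
MF, DF = 0x2000, 0x4000                 # flag bits in the flags/fragment-offset field


def parse_ipv4(raw: bytes) -> dict:
    """Extract the fields relevant to a fragment footprint from a raw IPv4 header."""
    if len(raw) < IPV4.size:
        raise ValueError("short packet")
    vihl, _tos, total_len, ident, ff, ttl, proto, _csum, src, dst = IPV4.unpack_from(raw)
    if vihl >> 4 != 4:
        raise ValueError("not IPv4")
    return {
        "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
        "id": ident, "ttl": ttl, "proto": proto, "total_len": total_len,
        "frag_offset": ff & 0x1FFF,   # 8-byte units: 512 means byte 4096 of the datagram
        "mf": bool(ff & MF), "df": bool(ff & DF),
    }


def build_ipv4(src, dst, ident, ttl, proto, frag_offset=0, mf=False, payload=b""):
    """Constructed header for the sample traffic below (checksum left as 0)."""
    ff = (MF if mf else 0) | (frag_offset & 0x1FFF)
    return IPV4.pack(0x45, 0, IPV4.size + len(payload), ident, ff, ttl, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split(".")))) + payload


class FragmentMonitor:
    """Counts non-initial fragments per (source, footprint) and tracks orphans:
    fragments with offset > 0 whose datagram never showed an offset-0 fragment."""

    def __init__(self):
        self.by_footprint = defaultdict(int)
        self.initial_seen = set()          # (src, dst, id, proto) with an offset-0 fragment
        self.orphans = defaultdict(int)    # per source

    def observe(self, pkt: dict) -> None:
        key = (pkt["src"], pkt["dst"], pkt["id"], pkt["proto"])
        if pkt["frag_offset"] == 0 and pkt["mf"]:
            self.initial_seen.add(key)
        elif pkt["frag_offset"] > 0:
            footprint = (pkt["proto"], pkt["frag_offset"], pkt["ttl"])
            self.by_footprint[(pkt["src"], footprint)] += 1
            if key not in self.initial_seen:
                self.orphans[pkt["src"]] += 1

    def top_footprint(self):
        """The (source, footprint) pair with the most fragments, and its count."""
        if not self.by_footprint:
            return None
        return max(self.by_footprint.items(), key=lambda kv: kv[1])


def analyse(raw_packets):
    monitor = FragmentMonitor()
    for raw in raw_packets:
        monitor.observe(parse_ipv4(raw))
    return monitor


# Constructed sample (not captures from the report): six flood fragments sharing the
# footprint TCP / offset 512 / TTL 244 from one source and never preceded by a first
# fragment, plus one legitimate two-fragment datagram from another host.
ATTACKER, WEB = "203.0.113.7", "192.0.2.10"
SAMPLE = [build_ipv4(ATTACKER, WEB, 0x1000 + i, 244, PROTO_TCP, frag_offset=512,
                     payload=b"\0" * 40) for i in range(6)]
SAMPLE += [
    build_ipv4("10.0.0.5", WEB, 7, 64, PROTO_TCP, frag_offset=0, mf=True, payload=b"A" * 1480),
    build_ipv4("10.0.0.5", WEB, 7, 64, PROTO_TCP, frag_offset=185, payload=b"B" * 20),
]

if __name__ == "__main__":
    m = analyse(SAMPLE)
    print("top footprint:", m.top_footprint())
    print("orphans per source:", dict(m.orphans))
```

Orphan counting is what makes this footprint cheap to act on: a real fragmented datagram always produces an offset-0 fragment, so a source emitting only offset-512 fragments for fresh IP IDs is not something a reassembling host can ever use.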


Attack Vector IV: HTTP fingerprinting.

Attack Description

ERT found the following exotic attack: a certain IP was fingerprinting the site with "HEAD" requests, possibly in preparation for a distributed GET flood or some targeted download/resource saturation type of attack. You can see this below:

Figure 7 - Attacking packets (HTTP fingerprinting)

Motivation for a HEAD fingerprint scan

Verify URLs to use for a subsequent GET flood.

Evade IPS/IDS by randomizing URLs.

Attack Mitigation

Custom Signature: ERT composed a signature that rate-limited the number of HEAD requests per IP. An IP that made more than 5 such requests would be temporarily blacklisted (suspended). One of the considerations was to completely block any HEAD request, but that is not always practical, as some customers require the HEAD command for certain caching solutions.
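The custom signature described above, a per-IP limit on HEAD requests with temporary suspension of any IP that exceeds 5, can be approximated from ordinary web-server access logs. The Python below is an added example and is not the ERT signature or DefensePro syntax: it parses constructed Common Log Format lines, keeps a sliding window of HEAD requests per source, suspends a source on the sixth HEAD within the window, lets the suspension expire, and leaves other methods uncounted (so a cache that issues the occasional HEAD is unaffected). The one-minute window, the ten-minute suspension, the timestamps, paths and addresses are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


class HeadRateLimiter:
    """Per-IP sliding-window limit on HEAD requests with temporary suspension.
    Only 'more than 5 HEAD requests' comes from the report; window and suspension
    length are assumptions."""

    def __init__(self, max_head=5, window=timedelta(seconds=60),
                 suspend_for=timedelta(minutes=10)):
        self.max_head = max_head
        self.window = window
        self.suspend_for = suspend_for
        self.recent = defaultdict(deque)   # ip -> timestamps of HEADs inside the window
        self.suspended = {}                # ip -> time the suspension ends

    def check(self, ip: str, method: str, ts: datetime) -> str:
        """Return 'suspended', 'suspend' (limit just crossed) or 'allow'."""
        end = self.suspended.get(ip)
        if end is not None:
            if ts < end:
                return "suspended"         # all traffic from a suspended IP is dropped
            del self.suspended[ip]         # suspension expired
        if method != "HEAD":
            return "allow"                 # other methods are not counted by this signature
        window = self.recent[ip]
        window.append(ts)
        while window and ts - window[0] > self.window:
            window.popleft()               # drop HEADs older than the window
        if len(window) > self.max_head:
            self.suspended[ip] = ts + self.suspend_for
            window.clear()
            return "suspend"
        return "allow"


def parse_line(line: str):
    m = LOG_RE.match(line)
    if m is None:
        return None
    return m["ip"], m["method"], datetime.strptime(m["ts"], TS_FMT)


def process(lines, limiter=None):
    """Run the limiter over log lines; returns the limiter and (ip, verdict) per parsed line."""
    limiter = limiter or HeadRateLimiter()
    verdicts = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            verdicts.append((rec[0], limiter.check(*rec)))
    return limiter, verdicts


def _line(ip, method, path, hms, day="10/Mar/2012"):
    return f'{ip} - - [{day}:{hms} +0000] "{method} {path} HTTP/1.1" 200 0'


# Constructed access log (not from the report): a caching proxy issuing a couple of
# HEADs, and one source probing randomized paths with HEAD before switching to GET.
SCANNER, CACHE = "203.0.113.7", "10.0.0.8"
SAMPLE_LOG = [_line(CACHE, "HEAD", "/index.html", "17:00:00")]
SAMPLE_LOG += [_line(SCANNER, "HEAD", f"/r{i}x9q", f"17:00:0{i}") for i in range(1, 8)]
SAMPLE_LOG += [
    _line(CACHE, "HEAD", "/style.css", "17:00:08"),
    _line(SCANNER, "GET", "/r3x9q", "17:00:09"),
    _line(SCANNER, "GET", "/", "17:11:00"),
]

if __name__ == "__main__":
    _, verdicts = process(SAMPLE_LOG)
    for ip, verdict in verdicts:
        print(ip, verdict)
```

Because the counter only sees HEAD, a legitimate cache that sends a few HEADs per minute stays under the limit, which is the trade-off the report describes in preferring a rate limit to blocking the method outright.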


Attack Vector V: UDP Flood to Random Ports

Summary

The UDP packets had garbage in them, and this time there was once again a mix of spoofed IPs and real IPs.

Attack description

The flood was composed of UDP packets in which the SRC and DST ports were constantly changing. Each packet contained garbage data (the same data in each packet). The attack came from a limited number of IPs, most of which were probably not spoofed.

The attack rate peaked at 700Mbps. The upstream router limited it to only 80Mbps, which was then blocked by the DefensePro. The attack lasted only 5 minutes.

Figure 8 - Attack (UDP flood)

Figure 9 shows the attack in the APSolute Vision management and monitoring tool from day 2 of the attack; notice the rate (80Mbit) (UDP flood).

Figure 9 – Snapshot from APSolute Vision


Motivation for using a UDP flood

Saturate bandwidth upstream

Possibly tie up the web server's processing resources with replying ICMP Destination Unreachable packets.

This type of flood can also cause other stateful devices to crash.

Attack Mitigation

BDOS:

BDOS mitigated this attack successfully with its UDP module.


Chronological Description

Day 1

Attack starts. There are 3 attacks that run simultaneously:

Attack Vector I: PSH+ACK Garbage Flood port 80
Attack Vector II: SYN Flood to port 80
Attack Vector III: IP fragment flood to port 80

The attacks come simultaneously for a combined rate of 200Mbps and a packet rate greater than 350K PPS. They all target port 80 in the hope of crashing the HTTP service. These attacks are not blocked initially because the DefensePro device is not deployed yet; ERT gets DefensePro deployed and correctly configured to mitigate these attacks later that day.

Day 2

ERT continues to configure the DefensePro device with an aggressive configuration. Later, the attacks start again. The attack vectors comprise the following attacks:

Attack Vector I: PSH+ACK Garbage Flood port 80
Attack Vector II: SYN Flood to port 80
Attack Vector III: IP fragment flood to port 80
Attack Vector IV: HTTP fingerprinting
Attack Vector V: UDP Flood to Random Ports

ERT monitors the attacks and does minor fine tuning during that time. There is no impact on the web site.

Day 3

Two attacks on this day:

Attack Vector II: SYN Flood to port 80
Attack Vector III: IP fragment flood to port 80

The rate on this day is 700Mbps.

The customer invokes ERT during the day due to an outage. ERT finds the reason to be that the Juniper router is unable to sustain the attack: the DefensePro is installed after (downstream of) the router and is therefore not configured to protect it.

To resolve this issue, ERT provides Juniper with a blacklist that is used in the router's ACLs. In addition, the customer improves the router configuration and the site remains up for the rest of the day. The router is healthy and DP continues to successfully mitigate attacks. The attack continues for more than 5 hours at a rate of 300Mbit without affecting the site at all.

Next few days

There are attacks during the next few days (and probably also during the weekend). They are blocked automatically by the DefensePro and do not require ERT invocation.