DoS Cyber Attack on a European Organization – March 2012
An exotic attack: HTTP fingerprinting
Table of Contents
Preamble ...............................................................................................................................3
About Radware’s DefensePro...................................................................................................... 3
About Radware’s Emergency Response Team (ERT) ................................................................... 3
Summary ...............................................................................................................................3
Executive Summary ..................................................................................................................... 3
Timeline ....................................................................................................................................... 5
Attack Details ........................................................................................................................6
Attack Vector I: PSH+ACK Garbage Flood port 80 ....................................................................... 6
Attack Vector II: SYN Flood to port 80. ........................................................................................ 7
Attack Vector III: IP fragment flood to port 80. ........................................................................... 9
Attack Vector IV: HTTP fingerprinting. ...................................................................................... 11
Attack Vector V: UDP Flood to Random Ports ........................................................................... 12
Chronological Description .................................................................................................... 14
Day 1 .......................................................................................................................................... 14
Day 2 .......................................................................................................................................... 14
Day 3 .......................................................................................................................................... 14
Next few days ............................................................................................................................ 14
Preamble
This attack case summary describes one of the real life attacks which was experienced by a
Radware customer and successfully mitigated thanks to Radware’s DefensePro product and
Radware’s ERT expertise. The customer’s name is undisclosed for privacy purposes and is
referenced by “customer” in this report.
About Radware’s DefensePro
Radware's award-winning DefensePro is a real-time network attack prevention device that
protects the application infrastructure against network & application downtime, application
vulnerability exploitation, malware spread, network anomalies, information theft and other
emerging network attacks. It combines a set of security modules which altogether provide a
complete attack mitigation solution: Intrusion Prevention System (IPS), Network Behavioral
Analysis (NBA), Denial-of-Service (DoS) Protection and Reputation Engine. The vast majority of
the attacks are successfully mitigated and stopped by DefensePro alone.
About Radware’s Emergency Response Team (ERT)
Radware's Emergency Response Team (ERT) is a service, complementary to Radware’s
DefensePro, designed to provide 24x7 security services for customers facing a denial-of-service
(DoS) attack or a malware outbreak. Often, these attacks require immediate assistance. The ERT
provides instantaneous, expert security assistance in order to restore network and service
operational status. The ERT is staffed by experts that have vast knowledge and experience with
network threats, their detection and mitigation, and in-depth experience of the DefensePro
family of products. In addition, the ERT takes information from each customer engagement and
simulates the same scenario internally for further analysis and proactive implementation of
defense techniques for other customers facing a similar security threat.
Summary
Executive Summary
Background
The customer is a religious entity which was targeted by a hacktivist group for its “doctrine”
and “concepts”. According to some sources, the attack also appears to have been triggered by a
security firm report explaining its ability to protect the customer from DDoS attacks.
The attack campaign lasted for three days and comprised five attack vectors; one of the
attack vectors was particularly exotic, using an HTTP fingerprinting attack vector.
Day 1:
The victim comes under attack in late afternoon hours and suffers an outage for several hours.
During the attack, the Radware local team is invoked and places the DefensePro product inline,
then contacts Radware’s Emergency Response Team (ERT), which starts configuring the
device.
Day 2:
ERT continues to configure the device prior to the next attack strike. When the attack starts
again, the ERT monitors the attacks and conducts some fine tuning. This attack comprises
five different attack vectors, which is above the average: PSH+ACK garbage flood, SYN flood, IP
fragment flood, HTTP fingerprinting and UDP flood.
Day 3:
More attacks are launched. The attacks start with a massive IP fragmented flood together with a
PSH+ACK flood. The attacks peak at 700Mbps.
ERT is invoked again due to an impact on the Juniper router resulting in an outage. To resolve
this issue, ERT provides Juniper with a blacklist that is applied in the router’s ACLs. In addition, the
customer improves the router configuration which keeps the site up and running for the rest of
the day. The customer is now protected by both the DefensePro which is successfully mitigating
the attacks, and a router which is correctly configured.
Attacks continue throughout the next few days but are successfully and automatically blocked
by DefensePro without requiring further assistance from the ERT.
Timeline
Date    Event
Day 1   Customer website is taken down by Anonymous.
        Later, Radware is invoked; ERT receives a heads-up.
        DefensePro is deployed; ERT starts building the configuration.
Day 2   ERT continues refining the configuration, moving the device to an aggressive
        configuration.
        Attacks begin and are mitigated by DefensePro. ERT monitors and conducts minor
        fine tuning.
        Attacks end.
Day 3   Attacks start again. ERT is initiated due to an outage.
        ERT concludes the Juniper router (not protected by DefensePro) is the cause.
        ERT provides a blacklist to be used by the router’s ACL.
        The customer employs the blacklist and Juniper improves the router’s
        configuration. This resolves the issue, and the site is up.
        Attacks continue but are mitigated, and there is no need for further ERT
        support.
Attack Details
Attack Vector I: PSH+ACK Garbage Flood port 80
Summary
This attack vector was used throughout the attack.
Attack Description
The flood was composed of TCP PSH+ACK packets that contain garbage data (as seen below).
They were not initiated with a proper TCP handshake. The garbage data was exactly the same in
all packets.
Figure 1 shows the attacking packet (PSH+ACK garbage flood).
Figure 1 - Attacking packets
Attack Vector Motivation
Bandwidth saturation of the pipe which could also cause IPS devices to crash.
Attack Mitigation
SYN protection with Out of State (OOS) protection
The attack was mitigated by SYN Protection, which also enforces the OOS protection.
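As an added illustration of the out-of-state check that stops this vector (example code written for this summary, not Radware's DefensePro implementation; the addresses, ports and packet trace are constructed), the tracker below forwards TCP data only on connections whose three-way handshake it has seen and discards PSH+ACK packets that arrive with no handshake:

```python
from collections import namedtuple

# Constructed packet trace; addresses and ports are hypothetical, not taken from the report.
Pkt = namedtuple("Pkt", "src sport dst dport flags payload_len")
SERVER = ("192.0.2.10", 80)   # the protected web server (assumed address)

def flow_key(p):
    """Map either direction of a connection onto its client-side (ip, port)."""
    return (p.src, p.sport) if (p.dst, p.dport) == SERVER else (p.dst, p.dport)

class OutOfStateFilter:
    """Tracks the three-way handshake; data is forwarded only on completed connections.
    FIN/RST teardown and SYN rate limiting are out of scope here."""
    def __init__(self):
        self.state = {}   # client (ip, port) -> "SYN_SENT" | "SYN_RECV" | "ESTABLISHED"

    def check(self, p):
        key = flow_key(p)
        st = self.state.get(key)
        to_server = (p.dst, p.dport) == SERVER
        if to_server and p.flags == {"SYN"}:
            self.state[key] = "SYN_SENT"
        elif not to_server and p.flags == {"SYN", "ACK"} and st == "SYN_SENT":
            self.state[key] = "SYN_RECV"
        elif to_server and p.flags == {"ACK"} and st == "SYN_RECV":
            self.state[key] = "ESTABLISHED"
        elif st != "ESTABLISHED":
            return "discard"  # e.g. PSH+ACK with payload but no handshake: out of state
        return "forward"

TRACE = [
    Pkt("198.51.100.5", 40000, "192.0.2.10", 80, {"SYN"}, 0),
    Pkt("192.0.2.10", 80, "198.51.100.5", 40000, {"SYN", "ACK"}, 0),
    Pkt("198.51.100.5", 40000, "192.0.2.10", 80, {"ACK"}, 0),
    Pkt("198.51.100.5", 40000, "192.0.2.10", 80, {"PSH", "ACK"}, 120),  # legitimate request
    Pkt("203.0.113.44", 1025, "192.0.2.10", 80, {"PSH", "ACK"}, 900),   # garbage flood packet
    Pkt("203.0.113.45", 1026, "192.0.2.10", 80, {"PSH", "ACK"}, 900),   # same payload, no handshake
]

def filter_trace(trace):
    """Run the whole trace through one filter; returns one verdict per packet."""
    f = OutOfStateFilter()
    return [f.check(p) for p in trace]
```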
Attack Vector II: SYN Flood to port 80.
Summary
SYN floods occurred on day 1 and day 2 of the campaign. The SYN flood did not come from spoofed
SRC IPs. This attack vector was easily identifiable and immediately mitigated; there were roughly
460 attackers.
Attack Description
Here is a snapshot of the attacking packets; notice the SRC IPs and the time on the left (SYN flood).
Figure 2 – Attacking packets
Motivation for SYN Flood
Exhausting resources of Firewall/IPS/etc
Exhausting resources of the web server
Attack Mitigation
BDOS:
BDOS mitigated this attack with the footprint you see below.
Below is a snapshot from the BDOS ongoing attack on Day 2 of the attack (SYN flood).
Figure 3 - BDOS ongoing attack
Attack Vector III: IP fragment flood to port 80.
Attack Description
This flood was used on all days of the attack campaign. The fragmented packets all had the
following in common.
TCP Protocol
Frag offset = 512
TTL = 244
Same SRC IP (unusual for this attack)
Figure 4 shows the attacking packets (IP fragment flood).
Figure 4 – Attacking packets
Motivation for this attack:
Saturate bandwidth.
Attempt to bypass other protection mechanisms by fragmenting TCP packets.
Possibly impact other server resources such as CPU and memory.
Attack Mitigation
BDOS:
The “TCP fragmentation” module (part of BDOS) mitigated this attack.
Figure 5 – Discards on day 3 (IP fragment flood + PSH+ACK flood)
Figure 6 shows the discards on day 3; notice the attack continues until late in the afternoon (IP
fragment flood + PSH+ACK flood).
Figure 6 – Discards on day 3
Attack Vector IV: HTTP fingerprinting.
Attack Description
ERT found the following exotic attack: a certain IP was fingerprinting the site with “HEAD”
requests, possibly in preparation for a distributed GET flood or a targeted download/resource
saturation attack. You can see this below:
Figure 7 - Attacking packets (HTTP fingerprinting)
Motivation for a HEAD fingerprint scan
Verify URLs to use for a subsequent GET flood.
Evade IPS/IDS by randomizing URLs.
Attack Mitigation
Custom Signature: ERT composed a signature that rate-limited the number of HEAD requests
per IP. An IP that made more than 5 such requests would be temporarily blacklisted
(suspended). One consideration was to block HEAD requests entirely, but this is not
always practical, as some customers require the HEAD method for certain caching solutions.
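An added example of the rate-limiting logic described above, written for this summary rather than taken from the ERT signature: the threshold of more than 5 HEAD requests per IP is the one stated in the report, while the log format, addresses, 60-second window, 10-minute suspension and the allowlisted caching proxy are constructed assumptions.

```python
from collections import defaultdict, deque

# Constructed log excerpt, one request per line: "src_ip unix_time method path status".
SAMPLE_LOG = """\
203.0.113.7 1331830921 HEAD / 200
203.0.113.7 1331830922 HEAD /index.html 200
203.0.113.7 1331830922 HEAD /images/ 404
203.0.113.7 1331830923 HEAD /docs/ 200
203.0.113.7 1331830923 HEAD /news/ 200
203.0.113.7 1331830924 HEAD /downloads/ 200
203.0.113.7 1331830925 HEAD /about/ 200
198.51.100.9 1331830927 HEAD /a 200
198.51.100.9 1331830927 HEAD /b 200
198.51.100.9 1331830928 HEAD /c 200
198.51.100.9 1331830928 HEAD /d 200
198.51.100.9 1331830929 HEAD /e 200
198.51.100.9 1331830929 HEAD /f 200
"""

HEAD_LIMIT = 5                      # HEAD requests per source IP within WINDOW (value from the report)
WINDOW = 60                         # seconds (assumed; the report does not state the window)
SUSPEND_FOR = 600                   # seconds an offending IP stays suspended (assumed)
CACHE_ALLOWLIST = {"198.51.100.9"}  # hypothetical caching proxy that legitimately issues HEAD

class HeadRateLimiter:
    def __init__(self):
        self.recent = defaultdict(deque)  # ip -> timestamps of its recent HEAD requests
        self.suspended = {}               # ip -> time at which its suspension expires

    def observe(self, ip, ts, method):
        """Return 'allow', 'suspend' (limit just exceeded) or 'drop' (already suspended)."""
        if ts < self.suspended.get(ip, 0):
            return "drop"
        if method != "HEAD" or ip in CACHE_ALLOWLIST:
            return "allow"                # only HEAD is counted; trusted caches are exempt
        window = self.recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:    # drop timestamps that fell out of the window
            window.popleft()
        if len(window) > HEAD_LIMIT:
            self.suspended[ip] = ts + SUSPEND_FOR
            window.clear()                # start counting afresh once the suspension lifts
            return "suspend"
        return "allow"

def rate_limit_log(log_text):
    limiter = HeadRateLimiter()
    rows = (line.split() for line in log_text.strip().splitlines())
    return [(ip, m, limiter.observe(ip, int(ts), m)) for ip, ts, m, _path, _status in rows]
```

The sixth HEAD from the scanning IP triggers the suspension and the seventh is dropped, while the allowlisted proxy is never counted.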
Attack Vector V: UDP Flood to Random Ports
Summary
The UDP packets contained garbage data, and once again there was a mix of spoofed and real
source IPs.
Attack description
The flood was composed of UDP packets in which the SRC and DST ports were constantly
changing. Each packet contained garbage data (same data in each packet). The attack came
from a limited number of IPs most of which were probably not spoofed.
The attack rate peaked at 700Mbps. The router limited the upstream to only 80Mbps, which was
then blocked by the DefensePro. The attack lasted only 5 minutes.
Figure 8 - Attack (UDP flood)
Figure 9 shows the attack in the APSolute Vision management and monitoring tool on day 2
of the attack; notice the rate (80Mbit) (UDP flood).
Figure 9 – Snapshot from APSolute Vision
Motivation for using a UDP flood
Saturate bandwidth upstream
Possibly tie up web server processing resources with replies of ICMP Destination
Unreachable packets.
This type of flood can also cause other stateful devices to crash.
Attack Mitigation
BDOS:
BDOS mitigated this attack successfully with its UDP module.
Chronological Description
Day 1
Attack starts. There are 3 attacks that run simultaneously:
Attack Vector I: PSH+ACK Garbage Flood port 80
Attack Vector II: SYN Flood to port 80.
Attack Vector III: IP fragment flood to port 80.
The attacks arrive simultaneously at a combined rate of 200Mbps and more than
350K PPS. They all target port 80 in the hope of crashing the HTTP service. These
attacks are not blocked initially because the DefensePro device is not yet deployed; ERT gets
DefensePro deployed and correctly configured to mitigate these attacks later that day.
Day 2
ERT continues to configure the DefensePro device with an aggressive configuration. Later, the
attacks start again. The attack vectors are the following:
Attack Vector I: PSH+ACK Garbage Flood port 80
Attack Vector II: SYN Flood to port 80.
Attack Vector III: IP fragment flood to port 80.
Attack Vector IV: HTTP fingerprinting.
Attack Vector V: UDP Flood to Random Ports
ERT monitors the attacks and does minor fine tuning during that time. There is no impact on the
web site.
Day 3
Two attacks on this day:
Attack Vector II: SYN Flood to port 80.
Attack Vector III: IP fragment flood to port 80.
The rate on this day is 700Mbps.
The customer invokes ERT during the day due to an outage. ERT finds the cause to be
the Juniper router, which is unable to sustain the attack. The DefensePro is installed behind
the router and therefore is not positioned to protect it.
To resolve this issue, ERT provides Juniper with a blacklist that is applied in the router’s ACLs. In
addition, the customer improves the router configuration and the site remains up for the rest of
the day. The router is healthy and DefensePro continues to successfully mitigate attacks. The attack
continues for more than 5 hours at a rate of 300Mbit without affecting the site at all.
Next few days
There are attacks during the next few days (and probably also during the weekend). They are
blocked automatically by the DefensePro and do not require ERT invocation.