Wednesday, August 20, 2008
Priority: LOW
Impact: Distributed Denial of Service (DDoS) attacks may prevent legitimate visitors from accessing the website or may crash the server.
Resolution: Verify network DDoS mitigation capabilities and configure the prevention action for excessive access rate detection within WebDefend to block the offending IP address at a network firewall.
Who: On August 7, 2008, many Republic of Georgia government websites were targeted in a coordinated DDoS attack. Although this particular attack was focused on Georgian sites, U.S. and international cyber-security experts are warning of possible future attacks against other countries.
What: Network-level DDoS attacks target the underlying TCP network stack on the sites and HTTP-level DDoS attacks target the web server or application software.
How: The network-level DDoS attacks utilize both TCP SYN and RST floods, which bombard a destination host with requests to initiate a connection, exhausting the number of simultaneous connections that the host’s network stack can support.
The HTTP-level DDoS attack works at OSI Layer 7, flooding the target web servers with repeated GET requests.
Both attacks utilize large botnets—collections of computers, or bots, under the control of the attackers—to flood the targeted websites. The bots are mainly home computers compromised by the “Nihaorr1 mass SQL injection.”
Breach Security Labs has also captured data in the wild identifying bot herding attacks where criminals attempt to compromise websites to recruit them into their bot army. In the examples captured, attackers were executing malicious PHP file inclusion attacks which try to trick vulnerable web applications into downloading PHP code from a remote site. If successful, the website will be used as a Command and Control Host for the botnets or participate in the flooding attacks.
Impact: The Georgian government was not able to adequately disseminate data to its citizens during its crisis with the Russian Republic. Should similar attacks expand to other countries, affected websites would be knocked offline to legitimate visitors.
Organizations that have not adequately addressed both network-level and web application-layer DDoS countermeasures may be classified as out of compliance with the Payment Card Industry (PCI) Data Security Standard (DSS).
Requirement 6.5.9 of the PCI DSS states that web applications should protect against:
Denial of service: Hackers can consume web application resources to the point that other users can no longer use the application. Hackers can also lock users out of their accounts or cause the application to fail.
Risk: Because these attacks were politically motivated, Breach Security Labs is categorizing these as LOW severity issues for U.S.-based websites.
Resolution:
Network-Level DDoS Mitigation
Organizations should review their current technical strategies for identifying and responding to network-level DDoS attacks. For more information, visit www.sans.org/dosstep/roadmap.php.
HTTP-Level DDoS Mitigation
WebDefend Customers
WebDefend v3.4 customers may utilize the new excessive access rate detection capabilities to identify and respond to automated clients. An excessive access rate is a condition where a single source issues a large number of requests in a short period of time. WebDefend detects such events by monitoring each source, which may be a single source IP, a user or a session, and determining whether the number of requests generated within a pre-set timeframe exceeds the pre-set threshold.
To protect against automated sources, configure WebDefend to block them using one of the available blocking options. Since automated source detection is based on a source IP, blocking the source IP on a firewall is the best option.
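The per-source counting that the two preceding paragraphs describe, and the SYN/RST flood pattern from the "How" section, can both be expressed as one sliding-window rate detector. The following is an added illustration written for this alert, not WebDefend or ModSecurity code; the log lines and TCP segment summaries are constructed, the threshold and window values are arbitrary, and the function and class names are this example's own. It parses Common Log Format lines for the HTTP-level case, counts only SYN and RST segments for the network-level case, and returns the source IPs that a firewall block rule would be built from.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


class ExcessiveRateDetector:
    """Flag a source once it exceeds `threshold` counted events inside any
    sliding window of `window_seconds`. The source key may be an IP, a user
    or a session id; events for a given source must arrive in time order."""

    def __init__(self, threshold, window_seconds):
        self.threshold = threshold
        self.window = timedelta(seconds=window_seconds)
        self._events = defaultdict(deque)   # source -> timestamps inside the window
        self.flagged = {}                   # source -> time it first crossed the threshold

    def observe(self, source, ts):
        q = self._events[source]
        q.append(ts)
        while q and ts - q[0] > self.window:  # expire events older than the window
            q.popleft()
        if len(q) > self.threshold and source not in self.flagged:
            self.flagged[source] = ts
        return source in self.flagged


# Common Log Format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def parse_clf(line):
    """Return (ip, timestamp, method, path, status) or None for an unparseable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)


def detect_http_flood(lines, threshold=20, window_seconds=10):
    """HTTP-level case: every request from a source counts toward its rate."""
    det = ExcessiveRateDetector(threshold, window_seconds)
    for line in lines:
        rec = parse_clf(line)
        if rec is not None:
            det.observe(rec[0], rec[1])
    return set(det.flagged)


def detect_syn_rst_flood(segments, threshold=100, window_seconds=5):
    """Network-level case: only connection-initiating (SYN) and tear-down (RST)
    segments count; an established flow's ordinary ACK traffic is ignored."""
    det = ExcessiveRateDetector(threshold, window_seconds)
    for ts, src, flags in sorted(segments):
        if "S" in flags or "R" in flags:
            det.observe(src, ts)
    return set(det.flagged)


def firewall_block_list(http_lines, tcp_segments):
    """Sources to block at the network firewall, as the alert recommends."""
    return detect_http_flood(http_lines) | detect_syn_rst_flood(tcp_segments)


# --- constructed sample data (not captured traffic) ---------------------------
T0 = datetime(2008, 8, 7, 10, 0, 0, tzinfo=timezone.utc)


def _clf(ip, ts, path="/"):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512'


SAMPLE_HTTP_LOG = (
    # a legitimate visitor: six requests spread over a minute
    [_clf("192.0.2.10", T0 + timedelta(seconds=10 * i), f"/page{i}") for i in range(6)]
    # a bot: sixty GETs for the same page within six seconds
    + [_clf("198.51.100.77", T0 + timedelta(milliseconds=100 * i)) for i in range(60)]
)

SAMPLE_TCP = (
    # (timestamp, source ip, tcp flags); a normal client completes three handshakes
    [(T0 + timedelta(seconds=i), "192.0.2.10", "S") for i in range(3)]
    + [(T0 + timedelta(seconds=i, milliseconds=50), "192.0.2.10", "A") for i in range(3)]
    # a flooding host alternating SYN and RST at 50 segments per second
    + [(T0 + timedelta(milliseconds=20 * i), "203.0.113.9", "S" if i % 2 == 0 else "R")
       for i in range(400)]
)

if __name__ == "__main__":
    for ip in sorted(firewall_block_list(SAMPLE_HTTP_LOG, SAMPLE_TCP)):
        print(f"block {ip}")
```

Keying the detector on the source IP is what makes a firewall block the natural response, as the alert notes; keying it on a user or session instead would catch a distributed attacker reusing one account, but then the action has to be taken at the application tier rather than the network edge.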
ModSecurity Pro M1100 Customers
M1100 customers may contact the Breach Security Services Team for assistance in configuring customized rules to help identify and react to automated clients based on the number of requests sent within a specified threshold.
Regardless of the product customers are using, they should verify their security settings to ensure the appropriate prevention mechanisms are active, specifically, that the appliances are configured in a “blocking” mode for these attacks.
Contact: For more information on this alert, please email support@breach.com.