
Technical white paper

HP TippingPoint hacktivist survival guide Simplifying the complex

Table of contents

Executive summary 2

Introduction to hacktivism (Anonymous at a glance) 3

Attack methods 8

Defending against Anonymous 20

DDoS mitigation 21

Protection against doxing 36

Web application attack mitigation 37

Geolocation-based blocking 38

Other system attack mitigation 39

Summary 46


Executive summary

The last decade has seen the rise of crowd-sourced, activist-driven hacker groups.1 The term hacktivist has been coined to describe this group and refers to the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends.2

Early examples of this activity were seen in a constant stream of attacks between rival Middle Eastern groups spreading messages in support of Israel and Palestine through website defacements during the late 1990s.

More recently, there have been more attacks on corporations and governments in response to perceived wrongdoings by various groups. Most notable of these hacktivist groups is Anonymous,3 a loose collective of individuals borne out of a cybersubculture that has gone mainstream. Its mantra is “We are Anonymous, we are legion, we do not forgive, we do not forget, Expect us.”

Anonymous’ underlying beliefs have become visible with the mainstream media since its nefarious activities have touched some of the largest private and public entities worldwide. Take the following example of Jeremy Hammond of Chicago, IL (aka Anarchaos among others), who had a long history of radical social protesting long before he joined LulzSec, an Anonymous offshoot. Hammond’s hacktivist crime spree didn’t begin in earnest until 2011, but his activist activity, rising to a level that warranted his arrest, dates back to 2004, when he was detained during the Republican National Convention in New York City. He was later convicted in 2005 of computer intrusion and stealing credit card numbers with the intent to make donations to liberal organizations, according to the FBI.4

Hammond was again arrested in 2009 protesting a Holocaust denier, and again in 2010 protesting a proposal for the 2016 Summer Olympics to be held in Chicago. He has maintained ties with militant leftist and anarchist groups and is a self-described “anarchist communist.” Hammond was eventually arrested March 6, 2012, for attacks carried out by LulzSec as part of Anonymous Operations.

Though the case of Jeremy Hammond is extreme, groups like Anonymous have given activists like him a digital outlet. The Anonymous platform has gone mainstream and has opened the door to more casual protesters who are aligned with their cause. Anonymous has facilitated their participation in ways that allow the average person to contribute to attacks without being skilled hackers.

The goal of this paper is to provide a glimpse into the world of hacktivism and, more importantly, the group known as Anonymous. Various sections of this paper will explore the tools and tactics used by Anonymous, as well as techniques for defending against the primary attack vectors that are popular among various hacktivist groups. The primary keys to defending against hacktivist attacks are preparation, awareness, and education. This paper will demonstrate that anyone at any time can find themselves in the sights of a hacktivist group and that the cost of a successful attack, even without data loss, can be immense. The direct financial cost to organizations attacked by a hacktivist group has been in the tens of millions of dollars.

1 www.huffingtonpost.com/2012/01/30/infographic-anonymous-timeline_n_1241829.html
2 “Hacktivism and the Future of Political Participation,” www.alexandrasamuel.com/dissertation/pdfs/Samuel-Hacktivism-entire.pdf
3 http://en.wikipedia.org/wiki/Anonymous_(group)
4 “USA vs. Jeremy Hammond, Sealed Complaint, Violation of 18 U.S.C. §§ 1029, 1030, and 2”


Introduction to hacktivism (Anonymous at a glance)

With its roots in the IRC channel #4Chan, Anonymous has grown up and is now a force to be reckoned with. Anonymous has come into its own in the past two years, garnering global support from individuals seeking a platform to speak out against corporate greed and government corruption.

The Anonymous mantra

This sentiment is the underlying motivator for these groups.

With its close ties with the Occupy movement,5 Anonymous stands against the perceived 1 percent, standing up for the little guy and promoting freedom and justice. However, both groups are driven by social consciousness and revenge, a Yin and Yang of good versus evil.

Several Anonymous attacks have been in direct response to clashes between police and Occupiers. Both have a common ideal of fairness that materializes in a disdain for corporate greed and corruption. Both groups have also adopted a symbolic mask that depicts a stylized image of Guy Fawkes6 that has also been adopted by other protest groups. On November 5, 1605, Guy Fawkes planned to blow up the House of Lords in London to restore Catholic leadership to the throne of England after religious persecution under King James I. Authorities received an anonymous letter tipping them off about his plans, and he was captured. Eventually, with his execution structure set up, he jumped from the gallows and broke his neck. The mask originates from the 2005 movie “V for Vendetta” and is an allegory of oppression by government.7

Anonymous has executed attacks of various kinds against organizations and individuals for nearly a decade, going mainstream within the past two years. For example, in the most recent large attack, Anonymous (January 2012 in response to the shutdown of Megaupload.com) targeted many corporations and organizations associated with the recording and movie industries as well as government agencies.8 These attacks focused primarily on voluntary group-based distributed denial-of-service (DDoS), rather than botnet-driven DDoS. Anonnews reported that this was the largest attack to date by Anonymous, with 5,635 participants.9

Anonymous targets have ranged from individuals to governments across the world. Known victims of recent Anonymous attacks include those shown in table 1.

5 www.fastcompany.com/1788397/the-real-role-of-anonymous-at-occupy-wall-street
6 http://en.wikipedia.org/wiki/Guy_Fawkes_mask
7 http://en.wikipedia.org/wiki/V_for_Vendetta_(film)
8 www.us-cert.gov/cas/techalerts/TA12-024A.html
9 https://twitter.com/#!/YourAnonNews/status/160135858895335424


Table 1. Some targets of successful Anonymous attacks

| Victim | Attack method | Reason |
|---|---|---|
| FBI | FBI.gov DDoS10; FBI-Scotland Yard conference call intercepted, recorded, and placed on YouTube11, 12 | #OpMegaUpload13 |
| U.S. Department of Justice | Justice.gov DDoS | #OpMegaUpload |
| RIAA | RIAA.org DDoS | #OpMegaUpload |
| MPAA | MPAA.org DDoS | #OpMegaUpload |
| Former U.S. Senator Chris Dodd | Chrisdod.com DDoS | #OpMegaUpload |
| Universal Music | Universalmusic.com DDoS | #OpMegaUpload |
| Universal Music France | Universalmusic.fr DDoS | #OpMegaUpload |
| Universal Music Portugal | Site database dumped, exposing usernames and passwords14 | #OpMegaUpload |
| HADOPI Law Site | Hadopi.fr DDoS | #OpMegaUpload |
| Vivendi France | Vivendi.fr DDoS | #OpMegaUpload |
| Belgian Anti-Piracy Federation | Anti-piracy.be/nl DDoS | #OpMegaUpload |
| U.S. Copyright Office | Copyright.gov DDoS | #OpMegaUpload |
| The White House | Whitehouse.gov DDoS | #OpMegaUpload |
| BMI | Bmi.com | #OpMegaUpload |
| Warner Music Group | Wmg.com DDoS | #OpMegaUpload |
| Greece Justice Ministry | | Protest EU & IMF Greece bailout15, 16 |
| American Nazi Party | Website defacement | #OpBlitzkrieg17, 18 |
| CBS | Cbs.com site deleted19 | #OpMegaUpload |
| Fox Network | X-factor site compromise | |
| Twitter | Twitter.com DDoS20 | #OpMegaUpload |
| Brazil Federal District | df.gov.br defaced21 | #OpMegaUpload |
| Tangara de Serra | www.camaratga.mt.gov.br defaced | #OpMegaUpload |
| Sony | Multiple sites down22, 23 | #OpPayback24, #OpSony |
| Citigroup | Brazilian site outages25 | #OpWeeksPayment |
| PayPal | Paypal.com DDoS26; Thepaypalblog.com DDoS; api.paypal.com:443 DDoS | #OpPayback |
| Visa | Visa.com DDoS | #OpPayback |
| MasterCard | Mastercard.com DDoS | #OpPayback |
| HBGary | Published internal emails | #OpPayback |
| Scientology | | #OpClambake, #OpChanology27 |
| Stratfor | Customer credit card data stolen | LulzSec28, 29, 30 |
| New York State Association of Chiefs of Police | Website compromise | LulzSec |
| California Statewide Law Enforcement Association | Website compromise | LulzSec |
| specialforces.com | Website compromise | LulzSec |
| Lolita City (The Hidden Wiki) | Removal of child porn from Tor networks and DDoS, PHP and SQL injection attacks at Freedom Hosting31 | #OpDarkNet32 |
| Judge William Adams | Dox after video of him beating his disabled daughter surfaced | #OpDoxTheJudge33 |
| PostFinance | Postfinance.ch34 | #OpPayback |
| Swedish Prosecution Authority | Aklagare.se35 | #OpPayback |
| EveryDNS | Everydns.com36 | #OpPayback |
| U.S. Senator Joseph Lieberman | Lieberman.senate.gov37 | #OpPayback |
| Former Alaska Governor Sarah Palin | Sarahpac.com38; Conservatives4palin.com39 | #OpPayback |
| Moneybrookers | Moneybrookers.com40 | #OpPayback |
| Oakland Police Department | Website hack, email compromise, Dox officers41 | Occupy Oakland |
| West Virginia Chiefs of Police Association | Dox members42 | CabinCr3w |
| Puckett and Faraj | Email leak43 | Haditha massacre |
| German Military | Server compromise, data leakage44 | |
| Swedish Government | Website DDoS45 | |
| CIA | Website DDoS46 | #FFF |
| NASDAQ | Website DDoS47 | |
| CBOE | Website DDoS48 | |
| Panama Government | Website DDoS49 | |
| Tunisia Government | Website DDoS50 | |
| Egypt Government | Website DDoS51 | |
| German parliament | Server hack52 | |
| Yemeni Government | System compromise | #OpYemen |
| Prime Minister of Tunisia | Website defacement | |
| Algeria Government | Website DDoS | #OpAlgeria |
| Zimbabwe Government | System compromise | #OpZimbabwe |
| Los Angeles County Police Canine Association | User database compromise, users’ email compromised53 | |
| Houston Police Department | Dox | CabinCr3w |
| Former U.S. Treasury Secretary Larry Summers | Dox | CabinCr3w |
| Koch Brothers | Dox | CabinCr3w |
| New York City Mayor Michael Bloomberg | Dox | CabinCr3w |
| Oakland Mayor Jean Quan | Dox | CabinCr3w |
| Monsanto CEO Hugh Grant | Dox | CabinCr3w |
| Newark Police Foundation | Dox | CabinCr3w |
| Infragard (Atlanta and Ohio Chapters) | Website defacement54 | #FFF |
| Unveillance | Email compromise, dox55 | |

10 www.forbes.com/sites/andygreenberg/2012/01/19/anonymous-hackers-claims-attack-on-doj-universal-music-and-riaa-after-megaupload-takedown/
11 www.telegraph.co.uk/technology/news/9059580/Anonymous-hackers-intercept-conversation-between-FBI-and-Scotland-Yard-on-how-to-deal-with-hackers.html
12 www.youtube.com/watch?v=pl3spwzUZfQ
13 http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html
14 http://thehackernews.com/2012/01/universal-music-portugal-database.html
15 www.huffingtonpost.com/2012/02/03/anonymous-greece-justice-ministry_n_1251880.html
16 http://anonops.blogspot.com/2012/02/anonymous-hack-greek-justice-ministrys.html
17 http://anonops.blogspot.com/2012/02/opblitzkrieg-anonymous-strikes-neo.html
18 www.youtube.com/watch?v=YBkiFnuwZUw
19 http://presstv.com/usdetail/222664.html
20 http://sociable.co/social-media/twitter-goes-down-within-hours-of-anonymous-threat-against-it/
21 http://thehackernews.com/2012/01/brazil-under-anonymous-attack-tangara.html
22 www.youtube.com/watch?v=2Tm7UKo4IBc
23 http://news.cnet.com/8301-27080_3-20051482-245.html
24 http://en.wikipedia.org/wiki/Operation_Payback
25 http://thehackernews.com/search?updated-max=2012-02-07T08%3A44%3A00%2B14%3A00&max-results=6
26 http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/
27 http://en.wikipedia.org/wiki/Project_Chanology
28 http://pastebin.com/8yrwyNkt
29 http://mashable.com/2012/02/27/wikileaks-anonymous/
30 www.tgdaily.com/security-features/60413-anonymous-denies-stratfor-hack
31 http://arstechnica.com/business/news/2011/10/anonymous-takes-down-darknet-child-porn-site-on-tor-network.ars
32 www.youtube.com/watch?v=rah535JmEI8
33 www.youtube.com/watch?v=0Ktzcjnm4aI
34 www.rawstory.com/rs/2010/12/hackers-website-bank-froze-wikileaks-funds/
35 www.guardian.co.uk/technology/2010/dec/15/wikileaks-met-police-investigate-anonymous
36 http://pandalabs.pandasecurity.com/operationpayback-broadens-to-operation-avenge-assange
37 http://pandalabs.pandasecurity.com/tis-the-season-of-ddos-wikileaks-editio/
38 http://blogs.abcnews.com/politicalpunch/2010/12/exclusive-palin-under-cyber-attack-from-wikileaks-supporters-in-operation-payback.html
39 http://conservatives4palin.com/2010/12/were-temporarily-moving-back-to-blogger-as-were-under-attack.html
40 www.reuters.com/article/idUSL3E6N80HH20101210
41 www.reuters.com/article/2012/02/08/us-anonymous-oakland-idUSTRE8170B320120208
42 http://abcnews.go.com/Technology/wireStory/hackers-post-wva-police-officers-personal-info-15538106
43 www.theatlanticwire.com/business/2012/02/how-anonymous-could-destroy-law-firm/48421/
44 www.panarmenian.net/eng/news/92443/
45 www.usatoday.com/news/world/story/2012-02-04/hacker-anonymous-swedish-government/52962142/1
46 http://rt.com/usa/news/anonymous-hacked-cia-hackers-049/
47 http://threatpost.com/en_us/blogs/anonymous-linked-attacks-hit-us-stock-exchanges-021512
48 http://threatpost.com/en_us/blogs/anonymous-linked-attacks-hit-us-stock-exchanges-021512
49 http://english.ruvr.ru/2012/02/12/65891854.html
50 www.bbc.co.uk/news/technology-12110892
51 www.msnbc.msn.com/id/41280813/ns/technology_and_science-security/t/anonymous-hacktivists-attack-egyptian-websites/
52 www.panarmenian.net/eng/news/92443/
53 http://pastebin.com/X88wx1aq

Not all attempted Anonymous operations are successful, however. Recently, there have been some Anonymous operations that could not garner support from the community, such as those shown in table 2.

Table 2. Some targets of failed Anonymous attacks

| Victim | Attack method | Reason |
|---|---|---|
| Facebook | Facebook.com | #OpFacebook |
| Amazon | Amazon.com DDoS56 | #OpPayback |
| Discovery/TLC | ToddlersandTiaras site | #OpInnocence57 |

The Facebook and Discovery/TLC operations faltered because the groundswell of support that so often occurs with Anonymous operations did not materialize. These exposed attacks were not of the level that outraged the public or which directly harmed the Anonymous Legion. The larger outpourings of support for Anonymous attacks tend to occur when members of the Legion are directly impacted, such as happened with the shutdown of MegaUpload.com.

While monitoring the chat rooms for #OpInnocence at the scheduled time of attack, the collapse of support was observed firsthand.

Figure 1. IRC chat log from #OpInnocence

#OpInnocence IRC Log
[15:27] <ElieteGh0st> sup
[15:27] <ElieteGh0st> guess this op is a dud
[15:27] <ElieteGh0st> oh well
[15:27] <m0bster> yeah I think it's safe to say it's not gonna happen
[15:28] <m0bster> there was some talk about what DJ Tam did to opsony so that's not really surprising
[15:30] <ElieteGh0st> ?
[15:30] <ElieteGh0st> i must have missed that
[15:30] <ElieteGh0st> what happened?
[15:30] <m0bster> something about opsony and how djtam apparently trolled everyone
[15:31] <m0bster> so this was a few days before he setup this op
[15:31] <ElieteGh0st> wow
[15:31] <ElieteGh0st> so who is taking leadershitp
[15:34] <ElieteGh0st> bsd?
[15:34] <ElieteGh0st> deathtoll
[15:34] <m0bster> bsd is the one who spoke out against dj tam
[15:34] <m0bster> don't think anybody is standing up for this op though

When Anonymous sought to bring down Amazon, with its huge EC2 Web presence, it discovered that its weapons were no match for such a giant. Amazon is estimated to have nearly half a million servers. In this case, David could not topple Goliath. In figure 2, from the AnonOpsNet Twitter feed, we see where the Anonymous leadership redirected the target of attacks from Amazon to PayPal. This was due to the fact that the “hive” wasn’t big enough to topple the Internet giant. The referenced hive is the collective of participants in the DDoS attack being controlled through IRC.

54 http://thehackernews.com/2012/02/another-fuckfbifriday-anonymous-hack.html
55 http://pastebin.com/MQG0a130
56 http://news.netcraft.com/archives/2010/12/09/operation-payback-aborts-attack-against-amazon-com.html
57 www.youtube.com/watch?v=493FfuoLI7A


Figure 2. Twitter post from Amazon attack

Other attack victims, however, aren’t so fortunate. On February 10, 2012, CIA.gov was taken offline by Anonymous for the second time in a year. Again, the news spread fast on Twitter, as seen in figure 3.

Figure 3. Twitter post from CIA attack

Figure 4. CIA website unavailable message

It has been reported that the attack on the CIA website ended only after the FBI directed Sabu (head of LulzSec), who was cooperating with the organization as a confidential witness, to have Anonymous cease the DDoS.


Again, it is important to stress that Anonymous can choose anyone at any time for the focus of its attacks, and its directed attack at the CIA captures the true essence of this group’s reach. Though Anonymous has been fairly consistent in its attack patterns, the group will use any attack type at its disposal. These attacks can be difficult to defend against without proper preparation and without having the proper tools in place. Everyone with a Web presence, especially those with controversial positions, should take measures to prepare for these types of attacks beforehand. The cost of data loss, website compromise or outage, and damage to reputation can be devastating.

Attack methods

With all that is known about Anonymous, there is even more that is not. This is a dynamic group shrouded in anonymity. There is conflicting evidence of centralized leadership,58 but one thing is clear: once ideas are agreed upon, they go viral, spreading through social media, IRC chat rooms, Twitter, and YouTube. Anonymous has been as successful as any marketing firm at leveraging guerilla marketing and social media to spread its message.

Typical attacks by Anonymous begin with a defined operation against an organization or individual in response to some perceived evil the target has perpetrated. The activities associated with these operations fall into two categories. There are attacks carried out by more skilled hackers that are more precise and advanced, as well as public attacks that focus on larger groups carrying out DDoS attacks. In many cases, these activities will occur in conjunction with each other.

Once an operation is defined and opened up to the broader Anonymous community, there is a lag before the attack occurs. This lag can be as little as a week but can be as long as several weeks. Time is required for the idea to go viral and the flash mob to gather. This momentum restricts the flexibility of changing the tools used by the larger group quickly. In the heat of the battle, once these tools are identified, organizations can mount effective defenses, as the adversary is less nimble.

Oftentimes, there will be concurrent attacks against a target leveraging multiple tools, as was the case in #OpSony, where Low Orbit Ion Cannon (LOIC) was used for DDoS and more rudimentary tools were used for the exploitation of SQL injection vulnerabilities. This still allows for a dynamic opponent during an attack. Proper identification of a wide range of attacks is required to defend against the entire threat.

There are generally three methods used in these operations:

• Distributed denial of service (DDoS): purposeful network traffic is directed to a website, overwhelming the site so that it becomes unavailable

• Dox: slang for the act of unauthorized publication of documents or docs with personally identifiable information such as Social Security Numbers

• System hack: a specific site is targeted for defacement or data theft

DDoS In this attack, a call is put out to the Anonymous followers (Anons) under the operation. At a designated time, these followers will use common tools pointed at a specified target to generate traffic with such volume that the site is overwhelmed and becomes unavailable to normal users. The most common of these tools is LOIC. DDoS attacks are not new, but the techniques have evolved and the attack targets have moved up the stack. This means TCP-based attacks are no longer the primary focus, and attackers are opting to target the Web server and the Web application running on top of it.

Dox

A second type of attack method used by Anonymous specifically targets individuals associated with the purported misdeeds. The individual will be identified and the order given to “dox”59 them. Dox is a slang term, whose origins come from documents or docs, and means to find personally identifiable information on the individuals and publish it. This information is then used to harass and intimidate the individuals. This information may be collected through public Internet searches and social engineering, or by compromising a system containing personal information.

58 http://gawker.com/5783173/inside-anonymous-secret-war-room
59 http://en.wikipedia.org/wiki/Dox


System hack A third common attack vector is through a direct attack on a website that represents the target organization. More skilled—though still mostly script kiddies—followers will target the site with the purpose of defacing it, stealing credit card or account information, or deleting the site. This is often accomplished through Web application vulnerabilities, such as SQL injection, that are exploited.

Operation Leakspin was a unique operation. After WikiLeaks posted the obtained diplomatic cables and other information allegedly obtained from U.S. Army Pfc. Bradley Manning,60 Leakspin directed followers to search the wiki content for the most interesting damaging information and begin a campaign of disseminating it. This tactic is similar to, but should be considered separately from, doxing.

Figure 5. Operation Leakspin propaganda

The above attack methods are the most common seen so far and should not be considered as the only methods used. The very nature of this activity means that there are not hard and fast rules to define them. The purpose of this paper is to summarize the methods of attack used by Anonymous to date and to provide visibility into the theater of operation. Organizations should be vigilant and remain aware of emerging trends so that plans can be made and/or adjusted to prepare for new threats.

Defenses against these threats can be leveraged for security issues beyond Anonymous and should be integrated into your overall security policies and processes. This paper goes into more detail on these three attack methods to help you better understand the goals and challenges in thwarting them.

DDoS attacks

DDoS is an attack against a common target from multiple sources with the intent to cause service interruption. Often these sources are part of a botnet61 with common direct control. In the case of Anonymous, the common control is accomplished by pointing the LOIC client to a command and control IRC server. The person in control of the chat room will define the destination and other parameters for LOIC to use.

60 http://en.wikipedia.org/wiki/Bradley_Manning
61 http://en.wikipedia.org/wiki/Botnet


Figure 6. SYN flood

These DDoS attacks can be SYN floods, HTTP floods, or UDP floods (among other types) with various payloads. There are many available tools that can be used to generate this traffic. The most popular one is LOIC.62

LOIC has been the tool of choice for some time by Anonymous. There are two primary versions, a binary local version and a JavaScript version that can be used within a Web browser. Today there is even an Android-based mobile version.63 This has been used in developing nations where mobile devices are more prevalent than landline Internet connections.

DoS attack traffic observed from Anonymous attacks falls into three categories:

• SYN floods

• Connection floods

• UDP floods

SYN floods This attack targets a system’s TCP stack to exhaust the connections that are able to be allocated or a system’s (such as a firewall) connection table that is used to track the state of these connections. In either case, a finite resource is fully used to deny service to legitimate connections.

Connection floods (TCP/HTTP GET flood) This attack overwhelms the Web server infrastructure, whether it be the server itself, the load balancer, or the firewall at the front end. This type of attack does not require a large volume to be effective. The payload can be customized by the user in control of the LOIC host.

UDP floods (UDP port flood) In this type of attack, attacks on ports 80, 25, and 53 have been seen, in addition to random ports.

UDP floods are typically more of a volume attack, measured in megabits per second or packets per second. They are normally used to target open ports. Traffic that is not blocked at the perimeter must be processed by more devices penetrating further into the target environment. Border routers, firewalls, intrusion prevention systems, load balancers, and end servers may all have to process this traffic.
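The three categories above leave different fingerprints in traffic: a SYN flood is bare SYNs that never progress, a connection flood is a few completed connections issuing far more HTTP GETs than a browser would, and a UDP flood is raw packets per second at a handful of ports. The following Python script is an added example, not code from this paper or from HP TippingPoint, that applies those three tests to packet records per destination and 10-second window. The Pkt record layout, the thresholds (SYN_MIN, SYN_RATIO, GET_PER_SRC, UDP_MIN_PPS) and the sample capture in sample_traffic() are all constructed assumptions; the thresholds would be tuned against a site's own baseline before use.

```python
"""Classify observed traffic into SYN flood, HTTP GET flood, or UDP flood.

Added example, not from the HP TippingPoint paper. Packet records and
thresholds are constructed/assumed; thresholds must be tuned per site.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass


@dataclass
class Pkt:
    """One client-to-server packet as a tap or flow sensor would record it."""
    ts: float            # seconds since capture start
    proto: str           # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    flags: str = ""      # TCP flag letters, e.g. "S" (bare SYN), "A", "PA"
    payload: bytes = b""


# Assumed thresholds for the constructed sample (tune to baseline traffic).
WINDOW = 10.0        # seconds per detection window
SYN_MIN = 200        # bare SYNs in a window before the ratio is considered
SYN_RATIO = 0.8      # bare SYN / all TCP packets; normal traffic is mostly ACK/data
GET_PER_SRC = 50     # HTTP GETs from one source per window
UDP_MIN_PPS = 1000   # UDP packets per second toward one destination


def classify(packets, window=WINDOW):
    """Return {dst: [finding, ...]} for every (destination, window) that
    matches a SYN flood, an HTTP GET connection flood, or a UDP port flood."""
    buckets = defaultdict(list)
    for p in packets:
        buckets[(p.dst, int(p.ts // window))].append(p)

    findings = defaultdict(list)
    for (dst, w), pkts in sorted(buckets.items()):
        tcp = [p for p in pkts if p.proto == "tcp"]
        udp = [p for p in pkts if p.proto == "udp"]

        # SYN flood: bare SYNs dominate and never progress to ACK/data, usually
        # from many (spoofed) sources; this is what exhausts a state table.
        syns = [p for p in tcp if p.flags == "S"]
        if len(syns) >= SYN_MIN and len(syns) / len(tcp) >= SYN_RATIO:
            findings[dst].append({
                "type": "syn_flood", "window": w,
                "syns": len(syns), "distinct_sources": len({p.src for p in syns}),
            })

        # Connection (HTTP GET) flood: volume is low, but a handful of completed
        # connections issue far more requests than a browser would.
        gets = Counter(p.src for p in tcp if p.payload.startswith(b"GET "))
        noisy = {s: n for s, n in gets.items() if n >= GET_PER_SRC}
        if noisy:
            findings[dst].append({"type": "http_get_flood", "window": w, "sources": noisy})

        # UDP port flood: pure volume; report the ports absorbing it so a
        # perimeter filter can be scoped to them.
        pps = len(udp) / window
        if pps >= UDP_MIN_PPS:
            findings[dst].append({
                "type": "udp_flood", "window": w, "pps": pps,
                "ports": Counter(p.dport for p in udp).most_common(3),
            })
    return dict(findings)


def sample_traffic():
    """Constructed capture: 30 legitimate web clients plus one of each flood."""
    web, app, dns = "192.0.2.10", "192.0.2.20", "192.0.2.53"
    pkts = []
    for i in range(30):                       # legit: SYN, ACK, then one GET
        c, t = f"198.51.100.{i + 1}", 0.1 * i
        pkts += [Pkt(t, "tcp", c, web, 80, "S"),
                 Pkt(t + 0.01, "tcp", c, web, 80, "A"),
                 Pkt(t + 0.02, "tcp", c, web, 80, "PA", b"GET / HTTP/1.1\r\n")]
    for i in range(600):                      # SYN flood: 600 bare SYNs, 256 spoofed sources
        pkts.append(Pkt(0.01 * i, "tcp", f"203.0.113.{i % 256}", web, 80, "S"))
    for s in range(4):                        # GET flood: 4 sources x 120 requests
        for i in range(120):
            pkts.append(Pkt(0.05 * i, "tcp", f"198.51.100.{200 + s}", app, 80, "PA",
                            b"GET /search?q=x HTTP/1.1\r\n"))
    for i in range(15000):                    # UDP flood: 1500 pps at port 53
        pkts.append(Pkt(i / 1500, "udp", f"203.0.113.{i % 256}", dns, 53))
    return pkts


if __name__ == "__main__":
    for dst, hits in classify(sample_traffic()).items():
        for h in hits:
            print(dst, h)
```

The SYN test deliberately looks at the ratio of bare SYNs to all TCP packets rather than the SYN count alone, so a busy but healthy server (many SYNs, each followed by ACKs and data) is not flagged, while the GET test triggers on a few sources at modest volume, matching the paper's note that connection floods do not need a large volume to be effective.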

62 http://sourceforge.net/projects/loic/
63 http://thehackernews.com/2012/02/anonymous-hackers-develop-webloic-ddos.html


In this kind of attack, the Anonymous follower installs LOIC and, based on orders for the operation, points it to an IRC channel for centralized control. LOIC can be downloaded from SourceForge, an open source development site. In figure 7 there is a spike in the downloads of LOIC64 immediately following #OpMegaUpload being established.

Figure 7. LOIC download graph

Until recently, Anons wishing to participate had to download and run personal copies of LOIC. Now there is a JavaScript tool that allows users to simply visit a website to be able to participate in an attack.

64 http://sourceforge.net/projects/loic/files/loic/stats/timeline?dates=2012-01-16+to+2012-01-22


Figure 8. LOIC JavaScript version

Other DDoS tools have been used, but LOIC is the most prevalent today. Expect to see other tools used in attacks, and for new tools to be developed in response to the attacker’s needs. Preparation must evolve with the changing threats, and an organization’s ability to detect attack traffic and identify attack tools must remain current.

Nearly all DDoS attacks initiated by Anonymous to date have been directed at an organization or a group of organizations. In February 2012, Anonymous outlined a plan to bring the Internet down. It planned to do this by DDoSing the root DNS servers in #OpGlobalBlackout. This is a new direction for Anonymous, with the goal of raising the level of awareness to its cause, but it is not a new attack strategy.

Figure 9. Operation Global Blackout’s dossier

-----------------------------------------------------------------------
01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111 01101110
01000111 01101100 01101111 01100010 01100001 01101100
01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100
-----------------------------------------------------------------------
[ASCII-art banner: Operation Global Blackout]
-----------------------------------------------------------------------
01001111 01110000 01100101 01110010 01100001 01110100 01101001 01101111 01101110
01000111 01101100 01101111 01100010 01100001 01101100
01000010 01101100 01100001 01100011 01101011 01101111 01110101 01110100
-----------------------------------------------------------------------

"The greatest enemy of freedom is a happy slave."

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down.
-----------------------------------------------------------------------
In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet. Those servers are as follow:

A 198.41.0.4
B 192.228.79.201
C 192.33.4.12
D 128.8.10.90
E 192.203.230.10
F 192.5.5.241
G 192.112.36.4
H 128.63.2.53
I 192.36.148.17
J 192.58.128.30
K 193.0.14.129
L 199.7.83.42
M 202.12.27.33

By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus, disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering "http://www.google.com" or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough. Remember, this is a protest, we are not trying to 'kill' the Internet, we are only temporarily shutting it down where it hurts the most.

While some ISPs uses DNS caching, most are configured to use a low expire time for the cache, thus not being a valid failover solution in the case the root servers are down. It is mostly used for speed, not redundancy.

We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec's DHN, contains a few bugfix, a different dns list/target support and is a bit stripped down for speed.

The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query. The DNS server will then respond to that query by sending the answer to the spoofed IP. Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.

DDoS request ---> [Vulnerable DNS Server ] <---> Normal client requests
                           \
                            |   ( Spoofed UDP requests
                            |     will redirect the answers
                            |     to the root name server )
                            |
                     [ 13 root servers ]
                            * BAM

Since the attack will be using static IP addresses, it will not rely on name server resolution, thus enabling us to keep the attack up even while the Internet is down. The very fact that nobody will be able to make new requests to use the Internet will slow down those who will try to stop the attack. It may only lasts one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known.
-----------------------------------------------------------------------
download link in #opGlobalBlackout
-----------------------------------------------------------------------
The tool is named "ramp" and stands for Reflective Amplification. It is located in the \ramp\ folder.

----------> Windows users
In order to run "ramp", you will need to download and install these two applications;
WINPCAP DRIVER - http://www.winpcap.org/install/default.htm
TOR - http://www.torproject.org/dist/vidalia-bundles/
The Winpcap driver is a standard library and the TOR client is used as a proxy client for using the TOR network. It is also recommended to use a VPN, feel free to choose your own flavor of this.
To launch the tool, just execute "\ramp\launch.bat" and wait. The attack will start by itself.

----------> Linux users
The "ramp" linux client is located under the \ramp\linux\ folder and needs a working installation of python and scapy.
-----------------------------------------------------------------------
"He who sacrifices freedom for security deserves neither." Benjamin Franklin

We know you wont' listen. We know you won't change. We know it's because you don't want to. We know it's because you like it how it is. You bullied us into your delusion. We have seen you brutalize harmless old womans who were protesting for peace. We do not forget because we know you will only use that to start again. We know your true face. We know you will never stop. Neither are we.

We know.

We are Anonymous.
We are Legion.
We do not Forgive.
We do not Forget.
You know who you are, Expect us.

This type of attack is implausible for an organization such as Anonymous, aside from the technical challenges, because its method of operation relies on the Internet for communication and to spread its ideas. It is likely that any attempt at this attack would have limited success, as the ramp rate of impact would be slow, and typical operations against an individual target are short lived. Without the Internet to continue the support across the organization, support for the attack would dissipate. Expect to see any impact of this attack to be small and short lived.

The escalation of attacks and targeting of U.S. Government agencies and national infrastructure has led Gen. Keith B. Alexander,65 commander of the U.S. Cyber Command and National Security Agency Director, to warn in White House briefings that Anonymous could have the ability to attack the nation’s power grids and cause limited power outages within two years. The assessment of Anonymous as a threat to national security is increasing, though the U.S. Government has stopped short of referring to the group as a terrorist organization. Anonymous has responded by denying these claims as political rhetoric and fear mongering.

DDoS attacks are not only menacing but can also have real impacts. Service interruptions in the modern connected society in which we live can have tangible consequences. Business and consumer transactions can be interrupted, medical information cannot be reviewed, and the government can be cut off from the public in its information-sharing efforts. Consider the case of a remote radiologist doing X-ray reviews for a network of hospital emergency rooms. Without network access, this function could not be done, and this could lead to delayed or diminished healthcare. Even in cases where the measurable direct financial or business impact is reduced, the impact to the organization’s reputation still exists. Proper preplanning for these attacks can limit the impact of an attack in all areas.

65 www.nsa.gov/about/leadership/bio_alexander.shtml

Doxing

As previously explained, doxing is widely used by Anonymous to identify targets for direct retribution. As defined by UrbanDictionary,66

“Doxing is a technique of tracing someone or gathering information about an individual using sources on the Internet. Its name is derived from ‘Documents’ or ‘Docx’. Doxing method is based purely on the ability of the hacker to recognize valuable information about a target and use this information for benefit. It is also based around the idea that, ‘The more you know about your target, the easier it will be to find his or her flaws.’ ”

Doxing will be used in conjunction with other attack methods to accomplish the goal of identifying wrongdoers and paying them back.

When #OpMegaUpload was launched, the names, addresses, and other personal information for Senator Chris Dodd (current President of MPAA) and his family were posted on pastebin.67, 68 This site and others like it are common places where information is dumped due to open use policies. Figure 10 shows a redacted version of the dox on Senator Chris Dodd.

Figure 10. Dox of U.S. Senator Chris Dodd

The amount of personal information for most individuals that can be easily obtained is disconcerting. Using Google and other online search tools, including social media, one can quickly build a profile of a target. There are entire books dedicated to Google hacking, showing ways to leverage search engines to find this type of information.

66 www.urbandictionary.com/define.php?term=doxing
67 http://pastebin.com/WEydcBVV#
68 http://pastebin.com/mvLYNdWB

A common practice in doxing operations is leveraging cross-site password compromises to gain unauthorized access to systems full of personal information. A tenet of information security is to restrict the reuse of passwords across applications, especially those with varying trust levels. Passwords to critical systems or data stores (such as internal corporate email) that are reused on external systems open up a huge risk window: if the external site is compromised, an attacker may now have access to internal systems by leveraging the user names and passwords gained from the initial compromise. In this way, the end user is extending the organization’s attack surface to an external organization for which there is no business relationship or contract in place to govern minimum security requirements. There are many public examples of this.

Case study: Los Angeles County Police Canine Association

In February 2012, CabinCr3w (a hacker group closely associated with Anonymous), in support of a continual string of law enforcement attacks carried out by Anonymous, hacked into the website of the Los Angeles County Police Canine Association (LACPCA) and was able to dump the site member database, including lots of personally identifiable information such as:

• Names
• Addresses
• Phone numbers
• Email addresses used to register
• Passwords
• Employers

The group was then able to leverage the fact that many users had reused passwords across their personal and work emails as well as this site to break into users’ email and other sites. In this case, the hacktivist group found child pornography in the personal email of one of the police officers. After the fact, they labeled this operation #OpPedoCop.

Figure 11. Dox of Police—LACPCA

Many of these users registered with government or law enforcement agency email addresses and reused passwords from work systems. Some users even had three-letter passwords and simple passwords such as “password1.” It is somewhat frightening to think that these were shared with the users’ work systems.
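The cross-site reuse described above and in the LACPCA case study can be checked from the defender's side without the corporate directory ever holding cleartext. The following is an added example (not the paper's or any vendor's code) with a constructed breach dump, a constructed salted PBKDF2 directory, and an assumed mapping from email local part to username:

```python
"""Check an external breach dump against the corporate password store."""
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000
CORPORATE_DOMAIN = "agency.example"    # constructed

# Constructed breach dump in the shape of the LACPCA leak: the email used to
# register on the external site and the password recovered from it.
LEAKED_RECORDS = [
    ("j.doe@agency.example", "password1"),
    ("r.roe@agency.example", "abc"),
    ("m.moe@agency.example", "correct horse battery staple"),
    ("outsider@mail.example", "Tr0ub4dor&3"),
]


def hash_password(password, salt):
    """Salted PBKDF2-HMAC-SHA256, standing in for the directory's own scheme."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


def build_directory(accounts):
    """Constructed corporate directory: username -> (salt, hash). Cleartext
    passwords are handled here only to build the fixture."""
    directory = {}
    for user, password in accounts:
        salt = os.urandom(16)
        directory[user] = (salt, hash_password(password, salt))
    return directory


# Two of the three corporate users reused their work password on the external site.
CORPORATE_DIRECTORY = build_directory([
    ("j.doe", "password1"),
    ("r.roe", "abc"),
    ("m.moe", "9z!Qm#2vL7p$wR"),
])


def account_for(email):
    """Assumption: the local part of a corporate-domain address is the username."""
    local, _, domain = email.partition("@")
    return local if domain == CORPORATE_DOMAIN else None


def find_reused_credentials(leak, directory):
    """Corporate usernames whose stored hash verifies against the password
    that leaked for the same person on the external site."""
    reused = []
    for email, leaked_password in leak:
        user = account_for(email)
        if user is None or user not in directory:
            continue
        salt, stored = directory[user]
        if hmac.compare_digest(hash_password(leaked_password, salt), stored):
            reused.append(user)
    return reused


def weak_password_findings(leak, min_length=8):
    """Flag the patterns the LACPCA dump exposed: very short passwords and a
    dictionary word with a digit or two appended."""
    findings = []
    for email, password in leak:
        if len(password) < min_length:
            findings.append((email, f"shorter than {min_length} characters"))
        elif re.fullmatch(r"[a-z]+\d{1,2}", password):
            findings.append((email, "dictionary word plus digits"))
    return findings


if __name__ == "__main__":
    for user in find_reused_credentials(LEAKED_RECORDS, CORPORATE_DIRECTORY):
        print("force a reset, password reused externally:", user)
    for email, reason in weak_password_findings(LEAKED_RECORDS):
        print("weak external password:", email, reason)
```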

Case study: Infragard Atlanta

Infragard is an organization promoting cooperation between the FBI and corporations involved with critical infrastructure. Karim Hijazi, CEO of Unveillance—a company that monitors and attempts to take over botnets—was a member of the Atlanta, GA, chapter of Infragard. On May 25, 2011, Hijazi began detecting an increased level of attacks against Unveillance’s systems. The attacks were unsuccessful, but as a member of Infragard, he had reused the same password for his corporate account and the Infragard site. Following a successful compromise of the Infragard site, LulzSec was able to dump the email addresses and passwords of its users. Using this information, the group was able to gain access to Hijazi’s email. The next day he received an email with his password as the subject line. The attackers attempted to extort money and control of the botnets that Unveillance had taken over. He didn’t give in to the group’s demands, and his personal and work emails were published online.69 He reported watching the intrusion firsthand as his emails went from unread to read. One week later, the group released a recording of a conference call he was on.70

Case study: HB Gary Federal

In yet another very public case, Aaron Barr, CEO of HB Gary Federal, a government contractor, was targeted by Anonymous after claiming he had infiltrated its ranks and indicated that he was going to out its leadership. Beginning in February 2011, Anonymous launched an all-out attack that combined social engineering, doxing, publishing of confidential information, and website and Twitter defacement.71 The episode finally concluded with Barr’s public humiliation and resignation of his position. In addition to HB Gary Federal, its sister company HB Gary and another site, rootkit.com72, 73 (owned by Greg Hoglund), were caught up in the fallout.

This incident falls under the category of doxing, as personal information was gained through system compromise and used for harassment and exploitation of the target.

As the attacks quickly unfolded, the back-end database at rootkit.com was stolen and dumped for the public to see. The user information was extracted from the database and the passwords decrypted.

Figure 12. Twitter announcement of rootkit.com database74

69 www.it-networks.org/2011/06/21/official-statement-karim-hijazi-ceo-unveillance/
70 www.csoonline.com/article/684093/when-lulzsec-attacks-a-survivor-s-story
71 www.forbes.com/sites/andygreenberg/2011/02/28/hbgary-federals-aaron-barr-resigns-after-anonymous-hack-scandal/
72 http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
73 http://thehackernews.com/2011/02/rootkitcom-database-leaked-by-anonymous.html
74 https://twitter.com/BarrettBrownLOL/statuses/34408118184054784

Figure 13. Redacted user accounts for rootkit.com 75

Figure 13 shows a snippet of the data dump that we have redacted. The HB Gary account is clearly shown as shared across rootkit.com and HB Gary’s systems. This information provided access to HB Gary’s systems.

In the case of HB Gary, technical attacks such as SQL injection were used in conjunction with social engineering attacks that ultimately yielded root-level access to critical systems. That access provided a treasure trove of information for attackers to dox their victim.

Dox summary

As we have shown, doxing can be frightening, as it targets individuals and their personal lives. The reasons these individuals are targeted can stem from actions in either their personal or professional lives, and the results can be quite devastating: career, reputation, and personal safety can be on the line. In a later section, this paper will discuss ways to prevent doxing and limit its impact.

Website compromise

An organization’s Internet presence is akin to its public face. It is also oftentimes used to provide tools and information through Web applications. Web application security can be challenging to maintain in dynamic environments, but it must be undertaken to prevent the types of compromises discussed here.

Common methods of compromising a Web application are SQL injection (SQLi) and cross-site scripting (XSS). SQL injection is a class of attack that leverages a security vulnerability in a website to attack a back-end database. In this attack, user input is improperly validated, allowing attacker-supplied SQL statements to be passed through the Web application to the database.

75 www.wired.com/threatlevel/2011/02/anonymous/all/1

Figure 14. SQL injection examples from a Web server log

> 1149454610.276 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''sa''','xx' exec sp_executesql N'drop view dbo.test';-- (200 "OK" [3033])

> 1149454616.160 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';exec master..sp_addsrvrolemember 'ptclickadmin',sysadmin;-- (200 "OK" [2810])

> 1149454622.365 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';create table zjbvlvcub7g(fkey int identity,fvalue varchar(1000));-- (200 "OK" [2818])

> 1149454623.577 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';insert into zjbvlvcub7g exec master..xp_cmdshell 'dir /o-d/a "C:\"';-- (200 "OK" [2821])

> 1149454624.203 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638' and (1=(select top 1 fvalue from zjbvlvcub7g where (fkey>0)));-- (200 "OK" [1290])

Web applications are constantly evolving to keep up with business needs and consumer demand. Many factors contribute to a growing number of vulnerabilities in the applications. These vulnerabilities can be difficult to prevent during development without proper tools, and even more difficult to protect against once in production.

SQL is a very robust language, and many possible evasion techniques exist for bypassing detection. For example, it is possible to insert C-style comments in SQL injection attacks such as:

> SELECT/* */column/* */FROM/* */database/* */where/* */column/* */=/* */'value'

This will be interpreted by the database as:

> SELECT column FROM database where column = 'value'

It is also possible to break SQL statements into multiple variables, then reassemble them such as follows:

> @SQL1 = "Select * from"

> @SQL2 = "database where column = 'a'"

> Execute @SQL1 + @SQL2

Fortunately, most evasion techniques make SQL injection more suspicious for the IPS inspecting this traffic.
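A detector run over log lines in the format of Figure 14, as an added example that is not the paper's or HP's code, showing why the inspection point must undo URL encoding and C-style comments and look for dynamic execution of variables before matching. The field layout of the log line and the last three sample lines are assumptions constructed here.

```python
"""Flag SQL injection attempts in Web server log lines, after undoing the
URL encoding, C-style comment and split-variable evasions described above."""
import re
from urllib.parse import unquote_plus

# Request lines in the format of Figure 14. The first three are copied from
# the figure; the last three are constructed here to exercise the evasions
# and to provide a benign request.
LOG_LINES = [
    "1149454616.160 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=638';exec master..sp_addsrvrolemember 'ptclickadmin',sysadmin;-- "
    "(200 \"OK\" [2810])",
    "1149454623.577 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=638';insert into zjbvlvcub7g exec master..xp_cmdshell "
    "'dir /o-d/a \"C:\\\"';-- (200 \"OK\" [2821])",
    "1149454624.203 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=638' and (1=(select top 1 fvalue from zjbvlvcub7g where (fkey>0)));-- "
    "(200 \"OK\" [1290])",
    # constructed: C-style comments in place of whitespace, URL-encoded
    "1149454700.000 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=638%27%3Bcreate/**/table/**/zz(fkey/**/int)%3B-- (200 \"OK\" [900])",
    # constructed: statement split across variables and reassembled at execution
    "1149454701.000 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=638%27%3Bdeclare+@s1+varchar(50),@s2+varchar(50)%3B"
    "set+@s1=%27select+*+from%27%3Bset+@s2=%27sysusers%27%3Bexec(@s1%2B@s2)%3B-- "
    "(200 \"OK\" [700])",
    # constructed: a normal search
    "1149454702.000 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET "
    "/default.asp?search=hp+tippingpoint+ips (200 \"OK\" [4100])",
]

# Field layout assumed from Figure 14: timestamp, client/tcp, server/port/tcp,
# the request, then the response status in parentheses.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ \S+ -> (?P<client>[\d.]+)/tcp (?P<server>[\d.]+)/(?P<port>\d+)/tcp "
    r"\S+ GET (?P<url>.+?) \((?P<status>\d{3}) ")

SIGNATURES = [
    ("stacked query after quote", re.compile(r"'\s*;")),
    ("comment terminator", re.compile(r"--")),
    ("system stored procedure",
     re.compile(r"\b(sp_executesql|sp_addsrvrolemember|sp_msdropretry|xp_cmdshell)\b")),
    ("DDL or staging table", re.compile(r"\b(create|drop)\s+(table|view)\b")),
    ("boolean inference probe", re.compile(r"\band\s*\(?\s*1\s*=\s*\(?\s*select\b")),
    ("dynamic exec of variable", re.compile(r"\bexec(ute)?\s*\(?\s*@")),
]


def normalize(url):
    """Canonical form of the query string an IPS or WAF would inspect."""
    query = url.partition("?")[2]
    query = unquote_plus(query)                           # one decoding pass: %27 -> ', + -> space
    query = re.sub(r"/\*.*?\*/", " ", query, flags=re.S)  # C-style comments act as whitespace
    return re.sub(r"\s+", " ", query).lower()


def classify(line):
    """Names of the signatures that match the request in one log line."""
    m = LINE_RE.match(line)
    if not m:
        return set()
    text = normalize(m.group("url"))
    return {name for name, pat in SIGNATURES if pat.search(text)}


def scan_log(lines):
    """(timestamp, client, status, signatures) for every flagged line."""
    report = []
    for line in lines:
        hits = classify(line)
        if hits:
            m = LINE_RE.match(line)
            report.append((m.group("ts"), m.group("client"), m.group("status"), sorted(hits)))
    return report


if __name__ == "__main__":
    for ts, client, status, hits in scan_log(LOG_LINES):
        print(ts, client, status, ", ".join(hits))
```

Note that every flagged request in Figure 14 returned 200, so the status code alone tells the analyst nothing; the request string does.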

Despite the various methods of attack used by Anonymous, proper planning and preparation can help organizations deploy the appropriate defenses to protect their valuable information, Web presence, and reputation. The internal information gleaned from these Web application attacks can be used for financial fraud, identity theft, and doxing, among other cybercrimes.

The vulnerabilities present in Web applications pose a critical risk to the enterprise beyond the threat of Anonymous. The impact from loss of data, exposure of confidential data, or site defacement can be severe. Businesses have been forced to pay fines, post public notice, and have even been shuttered as a result of this class of attack. These vulnerabilities exist in commercial off-the-shelf products as well as custom-designed software. The resolution to the problem requires a multipronged approach that combines offensive and defensive security strategies.

Attack methods summary

The attack types described here comprise the majority of Anonymous activity that has been observed. Most of this activity has occurred over the previous two years, and it is increasing at a rapid pace. Each operation is unique, and the techniques are constantly evolving. Security best practices should always be used, but a focused strategy thoughtfully planned out before an incident occurs will yield the most effective defense. In the next section, this paper will walk through the best way to detect and defend against these attacks.

Defending against Anonymous

The attack methods and tools used by Anonymous are not new. The group’s motivation is fairly unique in the realm of cyber threats and has been adopted by many the world over. Its ability to amass support and collectively unite globally on operations and attract supporters who are not “hackers” has made for a powerful and effective force. A common approach should be defined to defend against this class of attacks and requires proper preparation.

When dealing with Anonymous, there are a variety of attacks against multiple attack vectors. No single approach or tool will secure the entire attack surface or defend against all attacks. An information security incident response team should have a plan in place to manage the various attacks discussed here. This plan should be reviewed regularly and modified as tactics change.

The United States Computer Emergency Readiness Team (US-CERT) has defined standard mitigation strategies for DDoS attacks such as those from Anonymous. The organization also suggests developing a plan prior to an attack and identifying resources helpful in defending against the attacks. HP TippingPoint should be a key component of this arsenal, providing the ability to protect critical assets while they are under fire.

Figure 15. US-CERT DDoS attack mitigation strategies

There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.

• Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
• The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
• Maintain contact information for firewall teams, IDS teams, and network teams and ensure that it is current and readily available.
• Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
• Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
• Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
• Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
• Implement a bogon block list at the network boundary.
• Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
• Separate or compartmentalize critical services:
  o Separate public and private services
  o Separate intranet, extranet, and internet services
  o Create single purpose servers for each service such as HTTP, FTP, and DNS
• Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.

Source: http://www.us-cert.gov/cas/techalerts/TA12-024A.html

Identifying the attack methods used will help in mounting the most appropriate defense. As shown earlier, the most often observed attacks are:

• DDoS attacks
• Doxing
• Web application attacks

Identification of the tools and techniques used in attacks is often more valuable than identifying the source. The sources are dynamic and can be many. They can also be anonymized by various means. The tools used by Anonymous in the voluntary DDoS attacks, however, cannot be changed quickly due to the preparation required for the flash mob-style attacks. Often there is a week or more of lead time before an attack occurs as the message is propagated through social media. Knowing the attacker and its methods can help to rapidly mount the most effective defense. Rarely does a situation arise where more information is less helpful when performing this type of analysis. The next section outlines the tools necessary to identify these attacks and understand the various defenses.

The HP TippingPoint IPS provides multiple tools to deal with the attacks executed by Anonymous:

• Vulnerability filters that protect against directed attacks
• More generic filters to identify other patterns in attack traffic
• Custom Web application protection via HP TippingPoint Web Application Digital Vaccine (WebAppDV) Service
• Custom filters via HP TippingPoint Digital Vaccine (DV) Toolkit
• Reputation Digital Vaccine Service (RepDV), which provides IPv4, IPv6, and Domain Name System (DNS) security intelligence feeds from a global reputation database
• ACLs—traditional firewall-like functionalities within the IPS provide good solutions to combat this imminent threat
• SYN Proxy

The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) acts as an enforcement point, inspecting traffic in real time, identifying “known bad” traffic, and enforcing RepDV security policies. RepDV is a feature of IPS and SMS that enforces actions on traffic to or from hosts based on their reputation score. The reputation can be user provided or delivered through a RepDV service subscription. The RepDV service tracks millions of IPv4 and IPv6 IP addresses and DNS names. When used in conjunction with the other IPS features, they provide a powerful layer of defense.

DDoS mitigation

There are many different types of DDoS attacks. By definition, the sources are distributed, so identification of a source is often of less value than effectively managing the traffic received. The number of sources can range from a handful to tens of thousands. Identification of the payloads or the behavioral characteristics of the traffic patterns can aid in determining the type of DDoS attack and the tool used to generate the traffic.

DDoS attacks seek to overwhelm a constrained resource. This can range from a service constraint such as TCP sockets or Web server process allocation to the perimeter connection bandwidth. Depending on the target of the attack, the volume of traffic may not necessarily be large. Only a relatively small amount of traffic is required to deplete the open HTTP connections supported by a Web server. The primary goal in mitigating these attacks is to separate the legitimate users from the attackers.

As part of their preplanning, organizations should identify emergency contacts at their ISPs. An ISP can often offer mitigation services for large-scale DDoS attacks. This is critical because if the volume of the attack overwhelms the Internet connection, access to resources will be interrupted and there is little that can be done to mitigate the attack from the receiving end. Organizations must work with the upstream provider to scrub traffic before it reaches the site. Identification of the type of attack and the tools used will help tailor the response and more surgically remove the offending traffic.

SYN flood

One of the oldest DDoS attacks is the SYN flood,76 where TCP connections are opened partially, but the three-way handshake is never completed. This is an old type of attack, but one that is still used due to its effectiveness. It is targeted at any systems that maintain state, overwhelming the state engine so that new connections cannot be opened.

SYN Proxy

The HP TippingPoint NGIPS provides a built-in SYN Proxy system leveraging SYN cookies to validate hosts. The feature set offered across different HP TippingPoint IPS products and TOS versions differs. Refer to the respective data sheet and release notes for specific details.

The SYN Proxy serves to absorb SYN flood traffic, allowing service to continue for normal users. Figure 16 shows how the SYN Proxy functions when this feature is enabled. When a TCP SYN packet is received, an initial lookup is performed on the destination IP address. If it matches one of the 16 CIDR blocks defined by preconfigured rules, the packet proceeds to the next stage. Next, the source IP address is checked against a whitelist and a list of known valid hosts. If the IP is on the whitelist, the flow bypasses the proxy and proceeds to the Threat Suppression Engine (TSE) for additional security inspection. If this IP has not been observed recently, the proxy responds with a SYN-ACK containing a SYN cookie. At this stage, the IPS does not maintain state for the session.

In the case of a SYN flood, the packet progression will be stopped here and does not proceed to the end system. There is no state kept at this point on the IPS, so it is not vulnerable to connection exhaustion. If the original SYN was from a legitimate user, their machine will respond in kind with an ACK containing the SYN cookie. The SYN Proxy is able to validate the authenticity of the cookie and, after determining whether the session is legitimate, it will build another TCP connection on the other side to the end server, connecting the two proxied sessions together. This will continue for the life of the session. After several proxied sessions have been completed by a source IP, that IP will be placed on a list of validated hosts. After this point, sessions originating from the IP address will bypass the proxy. This allows the overhead of proxying connections to be focused on malicious traffic with minimal impact on legitimate users. The number of sessions required for a source IP to be validated is configurable.

Figure 16. HP TippingPoint IPS DDoS protection flow chart

76 www.cert.org/advisories/CA-1996-21.html


Figure 17. HP TippingPoint IPS DDoS protection chart

Advanced DDoS features require the IPS to be in symmetric mode. Because both sides of the session must be seen by the IPS, asymmetric mode is not supported by this feature. This can be configured in the SMS under Device Configuration -> TSE settings. Make sure the Asymmetric Network Enabled box is unchecked; this option is enabled by default.

Figure 18. HP TippingPoint IPS asymmetric network configuration

Configuration of SYN Proxy settings in SMS

To configure SYN Proxy settings in SMS, select Infrastructure Protection -> Advanced DDoS under the profile for that IPS segment. Then follow these steps:

1. Click New to create a new entry

2. Name the DDoS filter

3. Select action, Block or Block + Notify

4. Define the destination IPs to be protected

5. Select direction of traffic to be protected

Note: The IPS applies inspection bidirectionally, so normally A and B ports do not matter. However, in this case, you must know whether port A or port B is internal or external. The best practice is to consistently allocate A and B in the same way.

6. Define any exceptions

7. Enable SYN Proxy and configuration options for the appropriate TOS your device is running

8. Save and distribute the profile


Figure 19. HP TippingPoint IPS DDoS filter configuration in SMS

The default settings for the SYN Proxy will whitelist a source after three established connections, treating it as a known valid host. LOIC has an evasion capability whereby it makes 10 complete connections prior to sending its DoS traffic, which is why the CLI example that follows raises the threshold to 11. The HP TippingPoint settings are configurable as shown in figure 19.

Figure 20. HP TippingPoint IPS SYN Proxy CLI configuration options

keyName                     Value
--------------------------  -----
ddosTaskPriority            231
ddosMsgQEntries             2500
ddosQueueMaxLoops           25
ddosQueueDelay              5
synProxyMasterEnable        1
synProxySecretLen           4
synProxySecretTimeout       300
synProxyWhitelistEnable     1
synProxyWhitelistThreshold  3
synProxyGenPacketTTL        64
synProxyGenPacketWin        5840
synProxyEarlyAckDelay       1
synProxyNumBitsMSS          6
synProxyMSSTimeout          180
synProxyAlertSmoothing      2
synProxyTrace               0
synProxyPerfTrace           0
synProxyBufferEarlyPackets  1
synProxyMaxBufferedPackets  5000
synProxyBufferedPcbTimeout  30

To configure this setting, enter the following commands on the IPS CLI:

debug modify ini-cfg netpal.ini.handle ddos synProxyWhitelistThreshold 11

reboot
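A simplified model of the SYN cookie proxy and validated-host whitelist described above, as an added example that is not HP's implementation; the cookie construction, the 60-second time slices, and the addresses are assumptions. It reproduces why the LOIC ten-connection evasion defeats the default threshold of 3 and not a threshold of 11:

```python
"""Toy SYN-cookie proxy with a validated-host whitelist, modelling the flow
in figure 16 and the synProxyWhitelistThreshold knob."""
import hashlib
import hmac
import os

COOKIE_SLICE_SECONDS = 60        # a cookie is accepted during its own and the next slice


class SynProxy:
    def __init__(self, whitelist_threshold=3, secret=None):
        self.secret = secret or os.urandom(16)   # a real proxy rotates this (cf. synProxySecretTimeout)
        self.threshold = whitelist_threshold     # stands in for synProxyWhitelistThreshold
        self.completed = {}                      # source IP -> proxied sessions completed
        self.whitelist = set()                   # validated hosts that bypass the proxy
        self.server_connections = 0              # connections actually opened to the server
        # There is deliberately no table of half-open connections: a SYN that
        # is never ACKed costs nothing, so a SYN flood cannot exhaust state here.

    def _cookie(self, src, sport, dst, dport, tslice):
        msg = f"{src}:{sport}>{dst}:{dport}@{tslice}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")     # 32-bit value sent as the SYN-ACK sequence number

    def on_syn(self, src, sport, dst, dport, now):
        """Client SYN arrives. Returns ("bypass", None) or ("synack", cookie)."""
        if src in self.whitelist:
            self.server_connections += 1          # pass through to the server (and the TSE)
            return "bypass", None
        return "synack", self._cookie(src, sport, dst, dport, now // COOKIE_SLICE_SECONDS)

    def on_ack(self, src, sport, dst, dport, cookie, now):
        """Client ACK arrives. Only a cookie we issued proves the source is real."""
        tslice = now // COOKIE_SLICE_SECONDS
        candidates = [self._cookie(src, sport, dst, dport, t) for t in (tslice, tslice - 1)]
        if not any(hmac.compare_digest(cookie.to_bytes(4, "big"), c.to_bytes(4, "big"))
                   for c in candidates):
            return False                          # forged or stale: nothing reaches the server
        self.server_connections += 1              # open the second leg to the real server
        self.completed[src] = self.completed.get(src, 0) + 1
        if self.completed[src] >= self.threshold:
            self.whitelist.add(src)               # validated host: later SYNs skip the proxy
        return True


def absorbed_spoofed_flood(n_syns):
    """Spoofed SYNs from n different sources, never ACKed: connections reaching the server."""
    proxy = SynProxy()
    for i in range(n_syns):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # constructed spoofed sources
        proxy.on_syn(src, 1024 + i % 60000, "198.51.100.10", 80, now=0)
    return proxy.server_connections


def simulate_loic(whitelist_threshold, priming_handshakes=10, flood_syns=1000):
    """A LOIC-style source completes `priming_handshakes` real connections to
    get itself whitelisted, then floods. Returns how many flood SYNs reach the
    server: 0 means the proxy still absorbed them."""
    proxy = SynProxy(whitelist_threshold)
    src, dst, now = "192.0.2.77", "198.51.100.10", 1_000_000   # constructed addresses
    for port in range(40000, 40000 + priming_handshakes):
        kind, cookie = proxy.on_syn(src, port, dst, 80, now)
        if kind == "synack":
            proxy.on_ack(src, port, dst, 80, cookie, now + 1)
    before = proxy.server_connections
    for port in range(50000, 50000 + flood_syns):
        proxy.on_syn(src, port, dst, 80, now + 2)     # flood SYNs are never ACKed
    return proxy.server_connections - before


if __name__ == "__main__":
    print("spoofed flood, connections reaching server:", absorbed_spoofed_flood(50000))
    print("LOIC after 10 handshakes, threshold 3 :", simulate_loic(3))    # whitelisted, flood passes
    print("LOIC after 10 handshakes, threshold 11:", simulate_loic(11))   # still proxied, absorbed
```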

The HP TippingPoint IPS can also be used to limit TCP connections per source. In these attacks, the TCP handshake is completed, as this serves to bypass SYN flood protections. You can use the IPS to limit the total connections one source can open or limit the rate at which they can be opened. Some models provide for connection limiting and connection-per-second flood protection as part of the Advanced DDoS feature set.

Figure 21. HP TippingPoint IPS DDoS Filter configuration options

The IPS Reputation feature can also be used in conjunction with Quarantine to limit the number of open connections per source to a system using the following steps:

1. Determine which IP addresses you want to protect
2. Create a Quarantine action:
   • Example: permit 100 hits per 1 minute, block HTTP and other traffic
3. Create a new Reputation group
   • Add all IP(s) of protected servers as reputation entries
4. Create Reputation filter
   • Choose the group you created in step 3
   • Choose the action you created in step 2

Quarantined addresses will show all source IP(s) that are issuing a DDoS attack against the protected servers.

Note: This is a system-heavy approach, as all connections will be logged. This method can be better refined by using a custom IPS filter that will only monitor an affected portion of a website, for example.

IPS filters

HP TippingPoint offers IPS filters that provide visibility and protection against many different attack vectors related to DDoS. These filters detect identifiable sequences within attack traffic and can be used to block that traffic.

Source IP address filters

Many SYN flood tools will spoof the source address from sufficiently random IP address space. A pseudorandom generator will often spread the spoofed addresses across reserved net blocks. Source IP filtering77 can help to block this traffic at the source, but it is not implemented widely enough to prevent these attacks completely.

Where the source IP address used falls into certain reserved net blocks, these filters can be used to identify and block that traffic:

0051: IP: Source IP Address Spoofed (Impossible Packet)
0052: IP: Source IP Address Spoofed (Loopback)
0053: IP: Source IP Address Spoofed (IANA Reserved)
0054: IP: Source IP Address Spoofed (Multicast)
0055: IP: Source IP Address Spoofed (Reserved for Testing)

Invalid packet filters

Other filters can detect invalid traffic based on Layer 3 or 4 information. Oftentimes, when a tool generates raw traffic outside of a typical IP stack or replays traffic directly to the wire, the packets will have anomalies that can be detected. Even tools that generate traffic leveraging the OS IP stack can specify parameters that result in packet formations that would not normally occur in live applications.

These filters can detect these occurrences:

0058: Invalid IP Traffic: Unknown IP Protocol
0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN)
0291: Invalid TCP Traffic: Possible nmap Scan (FIN no ACK)
0292: Invalid TCP Traffic: Possible nmap Scan (No Flags)
0293: Invalid TCP Traffic: Possible nmap Scan (XMAS (FIN PSH URG))
0324: Invalid TCP Traffic: Impossible Flags (SFRPAU)
0334: Invalid TCP Traffic: Destination Port 0
0558: IP: Invalid IP Traffic (Destination IP Address set to Loopback)
0559: Invalid TCP Traffic: Source Port 0
7102: IP: Fragment Invalid, e.g., Boink, Fawx 2, Newtear, or Teardrop DoS
7105: IP: Length Invalid, e.g., Whisker
7107: IPv6: Fragment Invalid, e.g., Boink, Fawx 2, Newtear, or Teardrop DoS
7115: IPv6: Length Invalid, e.g., Whisker
7121: TCP: Header Length Invalid, e.g., Fragroute
7125: TCP: Length Invalid
7126: TCP: Checksum Invalid
7152: UDP: Length Invalid
7170: ARP: Address Invalid
7172: ARP: Length Invalid
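A packet-level check that applies the spoofed-source and invalid-header conditions from the two filter lists above, as an added example rather than HP TippingPoint code. The reserved prefixes are the RFC-assigned blocks (the exact ranges the DV filters use are not stated here), and the protocol allowlist and sample packets are constructed assumptions.

```python
"""Apply the spoofed-source and invalid-packet conditions from the filter
lists above to individual packets (added example, not HP TippingPoint code)."""
import ipaddress
from dataclasses import dataclass

# Reserved blocks per filter category. These are the RFC-assigned prefixes;
# the exact ranges the DV filters match are not given on the page.
SPOOFED_SOURCE_RANGES = [
    (label, [ipaddress.ip_network(p) for p in prefixes]) for label, prefixes in [
        ("0051: IP: Source IP Address Spoofed (Impossible Packet)", ["0.0.0.0/8"]),
        ("0052: IP: Source IP Address Spoofed (Loopback)", ["127.0.0.0/8"]),
        ("0053: IP: Source IP Address Spoofed (IANA Reserved)", ["240.0.0.0/4"]),
        ("0054: IP: Source IP Address Spoofed (Multicast)", ["224.0.0.0/4"]),
        ("0055: IP: Source IP Address Spoofed (Reserved for Testing)",
         ["192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24", "198.18.0.0/15"]),
    ]
]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
# Assumed allowlist of protocol numbers this network expects to carry.
KNOWN_PROTOCOLS = {1, 2, 6, 17, 41, 47, 50, 51, 58, 89, 132}
TCP = 6


@dataclass
class Packet:
    src: str
    dst: str
    proto: int = TCP
    sport: int = 40000
    dport: int = 80
    flags: str = ""      # TCP flags as letters from "SFRPAU", e.g. "S" or "SA"


def tcp_flag_finding(flags):
    """The invalid-flag condition, if any, that a flag combination triggers."""
    s = set(flags)
    if s == set("SFRPAU"):
        return "0324: Invalid TCP Traffic: Impossible Flags (SFRPAU)"
    if not s:
        return "0292: Invalid TCP Traffic: Possible nmap Scan (No Flags)"
    if {"S", "F"} <= s:
        return "0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN)"
    if s == {"F", "P", "U"}:
        return "0293: Invalid TCP Traffic: Possible nmap Scan (XMAS (FIN PSH URG))"
    if "F" in s and "A" not in s:
        return "0291: Invalid TCP Traffic: Possible nmap Scan (FIN no ACK)"
    return None


def check_packet(pkt):
    """Return the filter names (from the lists above) this packet would trigger."""
    findings = []
    src = ipaddress.ip_address(pkt.src)
    for label, nets in SPOOFED_SOURCE_RANGES:
        if any(src in net for net in nets):
            findings.append(label)
            break
    if ipaddress.ip_address(pkt.dst) in LOOPBACK:
        findings.append("0558: IP: Invalid IP Traffic (Destination IP Address set to Loopback)")
    if pkt.proto not in KNOWN_PROTOCOLS:
        findings.append("0058: Invalid IP Traffic: Unknown IP Protocol")
    if pkt.proto == TCP:
        flag_finding = tcp_flag_finding(pkt.flags)
        if flag_finding:
            findings.append(flag_finding)
        if pkt.sport == 0:
            findings.append("0559: Invalid TCP Traffic: Source Port 0")
        if pkt.dport == 0:
            findings.append("0334: Invalid TCP Traffic: Destination Port 0")
    return findings


def tally(packets):
    """Count of packets per triggered filter, the view an analyst wants during a flood."""
    counts = {}
    for pkt in packets:
        for label in check_packet(pkt):
            counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample. 172.24.48.96 is the client address seen in Figure 14.
SAMPLE = [
    Packet("127.0.0.1", "10.0.0.5", flags="S"),
    Packet("224.0.0.9", "10.0.0.5", flags="S"),
    Packet("203.0.113.9", "10.0.0.5", flags="S"),
    Packet("172.24.48.96", "10.0.0.5", flags="SF"),
    Packet("172.24.48.96", "10.0.0.5", flags="FPU"),
    Packet("172.24.48.96", "10.0.0.5", flags="S", dport=0),
    Packet("172.24.48.96", "127.0.0.1", flags="S"),
    Packet("172.24.48.96", "10.0.0.5", proto=253),
    Packet("172.24.48.96", "10.0.0.5", flags="SA"),      # a normal handshake reply
]

if __name__ == "__main__":
    for label, n in sorted(tally(SAMPLE).items()):
        print(n, label)
```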

DDoS tool-specific filters

There are filters that have been written to detect traffic from specific DoS tools. These filters can be used to help identify the weapon being used in an attack as well as to protect against the attack. More knowledge of the attacker will put you in a position to defend yourself more effectively against the attacks.

4259: UDP: Saihyousen Denial of Service
4365: UDP: UDP Flood Denial of Service
4374: UDP: UDP Flood Denial of Service
5208: UDP: UDPFlood Attack Tool
10725: TCP: LOIC DDoS Tool
10727: UDP: LOIC DDoS Tool
10736: HTTP: LOIC DDoS Web Access
10846: TCP: Denial of Service Attack
10847: UDP: UDP Flood Denial of Service
11872: UDP: UDP Flood Attack Tool (Net Tools 5)
11349: HTTP: Default Page Request (Only enable when under DoS attack)
12026: HTTP: LOIC DDoS Tool (ONLY enable when under DoS attack)
12027: HTTP: PenTBox DDoS Tool (ONLY enable when under DoS attack)

77 www.ietf.org/rfc/rfc2827.txt

Note: This category of filters grows as new tools are developed. Organizations should monitor HP TippingPoint DV notifications from the Threat Management Center (TMC) for new filters covering DDoS tools.

UDP flood

Another method of DDoS very popular with Anonymous is UDP flooding, which is typically directed at open ports such as 25, 53, and 80. This attack is easily accomplished with readily available tools such as LOIC. Figure 22 shows the various configuration options allowed by LOIC.

Figure 22. LOIC user interface

When defending against a tool such as this, there are several filters that can be used to detect and block the traffic the tool generates:

10724: IRC: LOIC DDoS IRC Communication
10725: TCP: LOIC DDoS Tool
10727: UDP: LOIC DDoS Tool
12026: HTTP: LOIC DDoS Tool (ONLY enable when under DoS attack)

For UDP floods against ports typically used for TCP applications, such as those documented against ports 25 and 80, ACLs can be applied at the border or upstream to block this traffic. The HP TippingPoint NGIPS allows for this capability using Traffic Management Filters (TMFs). These filters are implemented in the hardware and have very little impact on the system because very little traffic inspection must be done to match. TMFs are directional. You must know the direction (A->B or B->A) of traffic you wish to block. Figure 23 shows the configuration options for TMF filters in SMS. They are configured under the appropriate profile for the affected IPS segment.

Note: The IPS applies inspection bidirectionally, so normally A and B ports do not matter. However, in this case, you must know whether port A or port B is internal or external. The best practice is to consistently allocate ports A and B in the same way.


Figure 23. HP TippingPoint IPS Traffic Management Filter configuration options

HP TippingPoint Digital Vaccine Toolkit

For traffic patterns that do not currently have shipping filters to detect them, organizations can write custom filters using the HP TippingPoint Digital Vaccine Toolkit (DVToolkit). DVToolkit is a desktop application used to create custom filters for the HP TippingPoint NGIPS using strings and regular expressions. The latest version of DVToolkit allows Snort rules to be imported. The imported Snort rules are converted for use by the Threat Suppression Engine (TSE).

Using DVToolkit, filters can quickly be created to block unique application-layer DoS attacks and to detect lower-layer attack patterns. When LOIC strings are changed or attacks occur against Web applications, custom filters can be written to identify and block this traffic. Custom filters can also be used to quarantine hosts, rate limit traffic, or assign reputation. This feature greatly increases the flexibility of the system.

DVToolkit can be downloaded from the TMC, and documentation is available within the application once it is installed. Multiple filter examples can be found in the manual.

Figure 24 shows an example of bleeding-edge Snort rules being imported to create a .csw package.


Figure 24. HP TippingPoint DVToolkit

Figure 25 shows some of the many options DVToolkit offers when writing filters. String matches and regular expressions are supported.

Figure 25. TippingPoint DVToolkit filter details

Note: Use care when creating filters for the IPS, as a poorly written filter can have a significant impact on network traffic.

Application-level DDoS

Moving up the stack, beyond Layer 4 connection exhaustion attacks, HP TippingPoint is able to detect and block HTTP-GET flooding. A two-pronged approach is taken here. The first is to detect packets crafted by known attack tools by their identifiable characteristics. The second is to detect the behavior of these tools by distinguishing between attackers and legitimate clients, then blocking the attacker or limiting the number of connections that can be made per source.


Pyloris is a Python implementation of Slowloris, which was originally written in Perl. Both tools work by creating a connection flood on Web servers: many connections are opened and kept open for an extended period. Pyloris is an evolution of Slowloris and offers more features. The following section covers these tools in more depth.

The DVToolkit can be used to:

• Detect packets crafted by specific tools

• Detect behavior of specific tools

Slowloris

Slowloris sends a recognizable initial HTTP request and follow-up headers, which is what the filter identifies. The IPS filter does not detect the growing number of open HTTP connections. Connection limiting on the IPS or elsewhere should be used to detect and control that aspect of the attack. Figure 26 shows a snippet of the Slowloris source code. The areas highlighted show the payload data that is recurrent and detectable. The HP TippingPoint IPS filters detect these patterns in network traffic and can be used to block attacks from this tool.

Figure 26. Code snippet from the Slowloris attack tool

~~~~~~ slowloris.pl snippet ~~~~~~
my $primarypayload =
    "GET /$rand HTTP/1.1\r\n"
  . "Host: $sendhost\r\n"
  . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
  . "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
    print "Connection successful, now comes the waiting game...\n";
}
else {
    print "That's odd - I connected but couldn't send the data to $host:$port.\n";
    print "Is something wrong?\nDying.\n";
    exit;
}
}
else {
    print "Uhm... I can't connect to $host:$port.\n";
    print "Is something wrong?\nDying.\n";
    exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
    print "Trying a $times[$i] second delay: \n";
    sleep( $times[$i] );
    if ( print $sock "X-a: b\r\n" ) {
        print "\tWorked.\n";
        $delay = $times[$i];

IPS filter 8262: HTTP Slowloris DoS tool

This filter detects a DoS attack via the slowloris.pl tool. The tool performs a Denial of Service attack by exhausting available connections. The tool opens a connection to an HTTP server, which waits for the complete header to be received. The tool then continues sending bogus header lines, which keep the connection allocated.


Bojan Zdrnja describes the tool as "the HTTP equivalent of a SYN flood" (http://isc.sans.org/diary.html?storyid=6601).

Pyloris

Pyloris operates similarly. Figure 27 shows the default options in the source code.

Figure 27. Code snippet from the Pyloris attack tool

~~~~~~ pyloris.py snippet ~~~~~~
self.options['request'] = Text(df, foreground="white", background="black",
                               highlightcolor="white", highlightbackground="purple",
                               wrap=NONE, height = 28, width = 80)
self.options['request'].grid(row = 0, column = 1)
self.options['request'].insert(END, 'GET / HTTP/1.1\r\nHost: www.example.com\r\nKeep-Alive: 300\r\nConnection: Keep-Alive\r\nReferer: http://www.demonstration.com/\r\n')
self.options['request'].insert(END, 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5\r\n')
self.options['request'].insert(END, 'Cookie: data1=' + ('A' * 100) + '&data2=' + ('A' * 100) + '&data3=' + ('A' * 100) + '\r\n')

Pyloris also provides a graphical user interface, shown in Figure 28. The left pane is for configuration of the tool. The right pane shows the body of the request sent.

Figure 28. Pyloris user interface

Pyloris can also be run from the command line. It requires Python to be installed on the system. Figure 29 shows the command-line options.


Figure 29. Pyloris command-line options

Usage: pyloris.py [options] www.host.com

Options:
  -h, --help            show this help message and exit
  -c COUNT, --count=COUNT
                        Number of requests to perform (default = 50)
  -f, --finish          Complete each session rather than leave them unfinished
                        (lessens the effectiveness)
  -g GET, --get=GET     Page to request from the server (default = /)
  -l, --loop            Loop indefinitely (overrides -c)
  -p PORT, --port=PORT  Port to initiate attack on (default = 80)
  -s SIZE, --size=SIZE  Size of data segment to attach in cookie (default = 0)
  -t THROTTLE, --throttle=THROTTLE
                        Throttle each request, bytes per second (default = 1)
  -u USERAGENT, --useragent=USERAGENT
                        The User-Agent string for connections (defaut = pyloris)
  -w WAIT, --wait=WAIT  Seconds between starting sessions (default = 1)

Figure 30 shows the defaults for the configurable options.

Figure 30. Pyloris default options

self.options['host'].set('localhost')
self.options['port'].set(80)
self.options['ssl'].set(False)
self.options['attacklimit'].set(500)
self.options['connectionlimit'].set(500)
self.options['threadlimit'].set(50)
self.options['connectionspeed'].set(0.3)
self.options['timebetweenthreads'].set(0.3)
self.options['timebetweenconnections'].set(1)
self.options['quitimmediately'].set(False)
self.options['socksversion'].set('NONE')
self.options['sockshost'].set('localhost')
self.options['socksport'].set(9050)
self.options['socksuser'].set('')
self.options['sockspass'].set('')

Shipping filter 11349 will catch Pyloris (as long as the default GET request string is used). This filter looks for a default GET request matching “GET / HTTP/1.1” or “GET /index.html HTTP/1.1”.

Note: This filter can match on legitimate traffic, which can cause performance issues. The filter should only be enabled while under a DoS attack.


11349: HTTP: Default Page Request (ONLY enable when under DoS attack)

This filter looks for an HTTP default page request like 'GET / HTTP/1.1' or 'GET /index.html HTTP/1.1' which, due to its small size, was generated by an attack tool instead of a typical Web browser. These are the typical requests used in HTTP DoS attacks, since a request for the default page will work regardless of the Web server content. NOTE: You should only enable this filter if you are under a DoS attack and need to protect your network infrastructure. Setting this filter to block or rate limit can help alleviate the traffic issues. Do NOT enable it with alert or alert+trace. NOTE 2: This filter can also match on valid requests to your Web server, including those from Web crawlers. Setting the filter to block can block valid requests as well as the DoS requests.

Other defense techniques

There are several other things that can be done to defend against an attack like this beyond the existing IPS filters that detect the packets these tools generate. These revolve around managing connections to the Web server and limiting connections per source. This should be used in conjunction with payload content identification where possible, because proxies (such as Tor) can mask the sources. Identifying payload markers is sometimes of limited use, as the source code is available and the identifiable characteristics can be easily modified.

To identify abuse of connections during an attack and limit its impact, there are several steps that should be taken.

1. Apache offers connection limiting through the module mod_limitipconn. This limits the connections per source IP.

2. HP TippingPoint E-series IPS units support connection flood protection as part of their Advanced DDoS implementation. This also limits the connections per source IP.

3. The HP TippingPoint N platform does not implement connection limiting directly in the TSE as of TOS 3.2.

   a. The alternative solution for connection limiting is to use Rep + Q (Reputation + Quarantine):

      i. Determine the IP addresses to protect.

      ii. Create a Quarantine action: permit 100 hits per 1 minute, then block HTTP and other traffic; this can be tuned as needed.

      iii. Create a new Reputation group.

      iv. Add the IP addresses of the protected servers as reputation entries.

      v. Configure a Reputation filter in the appropriate profile:

         1. Choose the group you created in step iii.

         2. Choose the action you created in step ii.

      vi. The Quarantine address list will show all source IP(s) that are issuing DDoS attacks against the protected IP addresses.

   b. ArcSight can also be used to detect this activity, and HP TippingPoint can be used to block the source:

      i. ArcSight can monitor the connections from firewall or load balancer logs, or from the Web server logs (/var/log/access).

      ii. When it detects this condition [open conn (src IP) > limit], it can connect to the HP TippingPoint SMS to implement a quarantine action that is enforced on the IPS.

4. Firewalls and load balancers that are managing session state provide an ideal place to implement this type of protection.

   a. iptables supports this, for example: iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP


HP TippingPoint integrates with ArcSight to detect and block attacks against a Web application using an HTTP-GET flood. Here are the steps of this integration using an example of an attack identified in Web server logs as shown in figure 31.

Step 1: Attacker sends HTTP-GET flooding to the target system.

Step 2: ArcSight monitors Apache Web server access log (/var/log/access) and determines the attacker IP is 16.151.66.199.

(Threshold: if a single source issues more than 30 HTTP-GET requests within 20 seconds, ArcSight considers it an attacker.)

Step 3: ArcSight instructs the TippingPoint IPS (through SMS) to block the attacker IP 16.151.66.199 using IPS quarantine.

Figure 31. Web server logs used to identify attacker

16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.geocities.com/TelevisionCity/Stage/2950/az/P.html HTTP/1.0" 404 261
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/SignificantOthers/index.htm HTTP/1.0" 404 248
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/TargetTheCorruptors/index.htm HTTP/1.0" 404 254
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/Legend/index.htm HTTP/1.0" 404 237
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/EllenShow/index.htm HTTP/1.0" 404 244
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.movieprop.com/Production/specialeffects.htm HTTP/1.0" 404 255
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Closer/index.htm HTTP/1.0" 404 241
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/Three/index.htm HTTP/1.0" 404 236
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Woops/index.htm HTTP/1.0" 404 240
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/FinderofLostLoves/index.htm HTTP/1.0" 404 248
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/members.aol.com/RWACEMAR/XFiles.html HTTP/1.0" 404 244
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/HollywoodSafari/index.htm HTTP/1.0" 404 250
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Visitor/index.htm HTTP/1.0" 404 242
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/LifeandStuff/index.htm HTTP/1.0" 404 247
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/BigfootandWildboy/index.htm HTTP/1.0" 404 252

The HP TippingPoint Security Management System (SMS) API connection to block the attacker IP would be formatted like this:

https://<TippingPoint_SMS_IP>/quarantine/quarantine?ip=16.151.66.199&policy=dd&timeout=10&smsuser=SuperUser&smspass=password

Note: Full documentation for the SMS API can be found on ThreatLinQ and on SMS.
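The threshold rule of Step 2 and the quarantine call of Step 3, as an added example in Python that is not code from this paper, from ArcSight or from HP TippingPoint. It parses Apache access log lines in the layout of Figure 31, flags any source that issues more than 30 GET requests inside a sliding 20-second window, and formats the SMS quarantine URL in the form shown above. The log lines are constructed (the 16.151.66.199 address is the one the figure uses), the SMS host sms.example.invalid and the credentials are placeholders, and the policy name dd is copied from the example URL.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlencode

# Apache common/combined log line: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample log: one source repeating GETs within a few seconds (as in Figure 31)
# plus one ordinary client that fetches a page every second.
SAMPLE_LOG = [
    f'16.151.66.199 - - [31/May/2011:06:05:{13 + i // 10:02d} -0500] '
    f'"GET /epguides2/page{i}.htm HTTP/1.0" 404 240'
    for i in range(35)
] + [
    f'198.51.100.7 - - [31/May/2011:06:05:{14 + i:02d} -0500] "GET /index.html HTTP/1.1" 200 5120'
    for i in range(5)
]


def parse_line(line):
    """Parse one access-log line into a dict; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def find_get_flooders(lines, threshold=30, window_seconds=20):
    """Return {source_ip: peak_count} for every source whose GET count inside any sliding
    window of `window_seconds` exceeds `threshold` (the ArcSight rule: more than 30 in 20 s)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    offenders = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "GET":
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        # Drop timestamps that have slid out of the window (log lines arrive in time order).
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) > threshold:
            offenders[rec["ip"]] = max(offenders.get(rec["ip"], 0), len(q))
    return offenders


def quarantine_url(sms_host, ip, policy="dd", timeout=10, user="SuperUser", password="password"):
    """Format the SMS quarantine request in the layout the paper shows. The host and the
    credentials are placeholders; the real SMS values belong in a secrets store, not in code."""
    params = {"ip": ip, "policy": policy, "timeout": timeout, "smsuser": user, "smspass": password}
    return f"https://{sms_host}/quarantine/quarantine?{urlencode(params)}"


if __name__ == "__main__":
    for ip, peak in find_get_flooders(SAMPLE_LOG).items():
        print(f"{ip}: {peak} GETs inside the window -> {quarantine_url('sms.example.invalid', ip)}")
```

The window is evaluated per source as each line arrives, so the check costs one deque append and a few pops per request; shrinking the window (for example one second) is what separates a burst from a steady client, which is why the thresholds are parameters rather than constants.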

Reputation as an action

Using SMS and the Reputation feature, filters can add entries to RepDV as an action. An earlier section described how Reputation can be used on the IPS to block attacks against a server. IPS filters can be used in conjunction with Reputation to block even more types of attacks. The integration between these features makes the IPS very flexible.


Example: HTTP attack using an abnormal “Firefox 2.1” user agent

• DVT custom filter created and distributed

• “Active responder” rule created to fire the filter after 20 requests in 10 seconds

• Further packets from these entries will be blocked in hardware (up to 5 million total entries)

Figure 32 shows how a Reputation configuration that leverages IPS filters looks in SMS.

Figure 32. HP TippingPoint IPS RepDV Configuration in SMS

A primary goal of Anonymous attacks is to send a message. This notion remains true regardless of the tactics used. In the tool LOIC, messages can be defined that are delivered as part of the payload. A recent US-CERT Technical Cyber Security Alert78 shows how the message “We are Legion!”, referring to the Anonymous slogan, is observed in the Web server logs of a victim:

"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

When these patterns are discovered, DVToolkit can be used to quickly write filters to block the traffic.

Today DDoS attacks come in many forms. Organizations must have the ability to detect the attacks, identify the tools used in the attack, and isolate the attack traffic. No one solution can provide complete coverage across all areas and meet every need. HP TippingPoint, however, does offer a robust toolset to identify and mitigate these attacks.

78 www.us-cert.gov/cas/techalerts/TA12-024A.html


Protection against doxing

Protecting against doxing is a difficult challenge. In the modern age, users have personal and private information of every nature on systems across the Internet. Consider what information could be obtained from doctors, retailers where you have made purchases using your credit card, or the DMV. Law enforcement agencies and state agencies are routinely being targeted for compromise to harvest personal information. There is little that can be done to protect such personal information that is in private systems. Some level of trust in the provider and the regulations meant to mandate certain protection levels must be assumed.

Personal information that is made public can be curtailed, though. Even information that is believed to be restricted can often be accessed. Once personal details are captured in digital form and listed in the ether, it must be assumed that they are no longer private and will never go away. Facebook had a recent authorization bypass vulnerability79 that allowed anyone to view the private profile of another user they were not friends with. Users should limit the information on these sites, limiting their online footprint and shrinking the risk window.

Defending against doxing and the accompanying harassment requires legal support that is beyond the scope of this paper. Every effort to protect personal information should be made before this becomes an issue, especially for those in high-profile positions.

There are steps that should be taken to limit the exposure of an organization. Users must be educated about the dangers of reusing passwords. A recent study at Cambridge University, a comparative analysis of the password compromises at rootkit.com and gawker.com, found that even in a tech-savvy group, up to half of the passwords were reused.80

Minimum password requirements must also be enforced. Two-factor authentication can be used to limit access to systems, even when passwords are compromised.

When Sabu, the leader of LulzSec and arguably of Anonymous, was outed on March 6, 2012, by the FBI as an informant who had betrayed the group by working for them for nine months, he became the target of a dox campaign.81

Figure 33. Dox of Sabu

79 http://online.wsj.com/article/SB10001424052748703730804576315682856383872.html
80 www.theregister.co.uk/2011/02/10/password_re_use_study/
81 http://pastebin.com/CmntFktF


Doxing is a complex issue to defend against and is not always a cyber threat. There are measures that can be taken to prepare for this type of personal attack and limit the scope of its damage. Preplanning and being vigilant about privacy are critical.

Web application attack mitigation

Web applications can be developed, hosted, and administered by third parties or at other sites, or they can be run internally. Either way, these sites often do not receive the same scrutiny as back-end systems that have been deemed more valuable due to the data they contain. The risk to an organization’s public reputation, however, is grave. A defaced website brings bad press and lowered expectations.

Today’s IT environments are rapidly evolving to keep up with the changing times. Security cannot be overlooked in this evolution. Building the proper security controls into the development and operation of these Web applications can significantly reduce the chances of falling victim to these attacks.

HP TippingPoint provides significant coverage of OWASP Top 10 through hundreds of DV filters. Several other techniques can be used to go beyond these filters. These are highlighted below.

Dynamic and static application testing

If an attack occurs and the organization is not quite prepared, there are things that can help. HP WebInspect82 is an industry-leading Web application security assessment solution designed to thoroughly analyze today’s complex Web applications. It delivers broad technology coverage, fast scanning capabilities, extensive vulnerability knowledge, and accurate Web application-scanning results. HP WebInspect is an integral part of the HP integrated security testing technologies that uncover real and relevant security vulnerabilities in a way that siloed security testing cannot. HP WebInspect easily tackles today’s most complex Web application technologies, including JavaScript, Adobe® Flash, Ajax, and SOAP, utilizing HP’s break-through testing innovations for fast and accurate application security tests. The HP WebInspect solution’s intuitive interface and interactive test results enable areas of an organization that are new to application security to leverage security testing automation to cover more applications. When vulnerabilities are found, the results feed the HP TippingPoint WebAppDV service to provide immediate solutions.

WebAppDV

When faced with targeted attacks against a custom Web application, standard defenses may not be comprehensive. The HP WebAppDV Service will provide custom protection in these cases. This service enables the NGIPS to serve as a dynamic Web application firewall through the following steps:

• Scan of your Web application

• Identification of vulnerabilities

• Creation by DVLabs of custom filters to protect against attempts to exploit the Web applications

• Filters are delivered, and once they are deployed a follow-up scan helps ensure complete coverage

SQL injection

HP TippingPoint also provides many filters out of the box to detect common SQL injection commands and evasion techniques.

Details of some SQL injection evasion filters:

• 3807: inline comment evasion

  – This filter detects inline comments between SQL statements in an HTTP request. It is very important to enable this filter because of the popularity of this evasion technique.

• 3808: variable declaration evasion

  – This filter detects when attackers split SQL statements apart and concatenate them together later. This is a less common evasion tactic.

• 3809: comment terminator evasion

  – This is the single most effective generic SQL injection filter.

  – This tactic relies on SQL statements that are terminated with -- or /*.
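Detection of the three evasion categories just described, as an added example in Python; it is an illustration written for this page, not the logic of DV filters 3807, 3808 or 3809. It URL-decodes request parameters and runs constructed, deliberately simplified signatures for inline comments, variable declarations, comment terminators, boolean identities and bare SQL keywords over a handful of constructed sample requests. The last sample is an ordinary search phrase that trips the keyword signature, which is the false-positive case behind the paper's advice to start such filters in Permit + Notify.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed signatures illustrating the evasion categories above (assumed shapes, not DV filter logic).
SIGNATURES = {
    # 3807-style: a C-style comment embedded between SQL tokens, e.g. UNION/**/SELECT
    "inline_comment": re.compile(r"/\*.*?\*/", re.S),
    # 3808-style: statement assembled from declared variables that are concatenated later
    "variable_declaration": re.compile(r"\bdeclare\s+@\w+|\bset\s+@\w+\s*=", re.I),
    # 3809-style: the value ends in a comment terminator that discards the rest of the real query
    "comment_terminator": re.compile(r"(--|#|/\*)\s*$"),
    # Boolean identity: a tautology such as OR 1=1 appended to a WHERE clause
    "boolean_identity": re.compile(r"\b(or|and)\s+(\d+)\s*=\s*\2\b", re.I),
    # Bare SQL keywords that have no business in a typical form field
    "sql_keyword": re.compile(
        r"\b(union\b.*\bselect\b|select\b.*\bfrom\b|insert\s+into\b|drop\s+table\b|waitfor\s+delay\b)",
        re.I | re.S,
    ),
}

# Constructed sample requests: a benign one, one per evasion category, and a benign false positive.
SAMPLE_REQUESTS = [
    "/products?id=42&sort=price",
    "/products?id=1%27%20OR%201%3D1%20--",
    "/products?id=1%27%2F**%2FUNION%2F**%2FSELECT%2F**%2F1%2C2",
    "/search?q=%27%3B%20DECLARE%20%40s%20VARCHAR(99)%3B%20SET%20%40s%3D%27x%27",
    "/search?q=select%20a%20good%20book%20from%20the%20shelf",
]


def decoded_params(url):
    """Return (name, value) pairs with URL encoding removed. parse_qsl decodes once; the
    second unquote catches a single extra layer of encoding without turning '+' into spaces."""
    query = urlsplit(url).query
    return [(name, unquote(value)) for name, value in parse_qsl(query, keep_blank_values=True)]


def inspect_request(url):
    """Return a list of (parameter, signature_name) hits for one request URL."""
    hits = []
    for name, value in decoded_params(url):
        # Remove inline comments before the other checks so /**/ cannot split a keyword apart.
        stripped = SIGNATURES["inline_comment"].sub(" ", value)
        for sig_name, rx in SIGNATURES.items():
            target = value if sig_name == "inline_comment" else stripped
            if rx.search(target):
                hits.append((name, sig_name))
    return hits


def scan(urls):
    """Map every request to its hits; an empty list means nothing matched."""
    return {url: inspect_request(url) for url in urls}


if __name__ == "__main__":
    for url, hits in scan(SAMPLE_REQUESTS).items():
        print(f"{url}\n    -> {hits or 'clean'}")
```

Stripping inline comments before the keyword check is the same normalisation step a filter needs so that a comment-split keyword is still seen as a keyword; the inline-comment signature itself runs on the raw value so the evasion attempt is reported on its own.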

82 www.fortify.com/products/web_inspect.html


Figure 34. HP TippingPoint IPS General SQL injection filters

Current list of SQLi filters

3593: HTTP: SQL Injection (UNION)
3624: HTTP: SQL Injection (SELECT)
3625: HTTP: SQL Injection (OPENROWSET)
3626: HTTP: SQL Injection (WAITFOR)
3630: HTTP: SQL Injection (Boolean Identity)
3798: HTTP: SQL Injection (Boolean Identity)
3799: HTTP: SQL Injection (Boolean Identity)
3800: HTTP: SQL Injection (Boolean Identity)
3801: HTTP: SQL Injection (EXECUTE)
3802: HTTP: SQL Injection (DROP/CREATE)
3803: HTTP: SQL Injection (INSERT)
3804: HTTP: SQL Injection (UPDATE)
3805: HTTP: SQL Injection (ALTER)
3806: HTTP: SQL Injection (DELETE)
3807: HTTP: SQL Injection Evasion Inline SQL Comment
3808: HTTP: SQL Injection Variable Declaration Evasion
3809: HTTP: SQL Injection Evasion SQL Comment Terminator
3810: HTTP: SQL Injection Evasion (System Variables)
3936: HTTP: SQL Injection Evasion (Oracle PL/SQL Block)
3986: HTTP: SQL Injection (Oracle GRANT TO)
4001: HTTP: SQL Injection MySQL Show Function
5669: HTTP: SQL Injection (UNION)
5670: HTTP: SQL Injection (SELECT)
5671: HTTP: SQL Injection (OPENROWSET)
5672: HTTP: SQL Injection (WAITFOR)
5673: HTTP: SQL Injection (Boolean Identity)
5674: HTTP: SQL Injection (Boolean Identity)
5675: HTTP: SQL Injection (Boolean Identity)
5719: HTTP: SQL Injection (CAST)
5772: HTTP: SQL Injection (Boolean Identity)
5773: HTTP: SQL Injection (EXECUTE)
5774: HTTP: SQL Injection (DROP/CREATE)
5775: HTTP: SQL Injection (INSERT)
5776: HTTP: SQL Injection (UPDATE)
5777: HTTP: SQL Injection (ALTER)
5778: HTTP: SQL Injection (DELETE)
6103: HTTP: SQL Injection (RESTORE)
6115: HTTP: SQL Injection (CONVERT)
6116: HTTP: SQL Injection (CAST)
6236: HTTP: SQL Injection (RESTORE)
6321: HTTP: SQL Injection (CONVERT)
6388: HTTP: SQL Injection (Benchmark)
6392: HTTP: SQL Injection (Benchmark)
6568: HTTP: SQL Injection (CAST)
11171: HTTP: SQL Injection (UNION)
11897: Oracle: SQL Function SQL Injection
11902: Oracle: SQL Function SQL Injection
11938: HTTP: SQL Injection (Boolean Identity)

HP TippingPoint has delivered filters that look for SQL syntax in HTTP parameters. This is unusual behavior and can safely be blocked for most users. Some Web applications do pass SQL syntax in parameters as part of normal operation, so these filters are disabled by default. The best practice is to initially enable these filters with Permit + Notify to verify that normal Web application traffic is not blocked.

This is not a complete list of IPS filters that can address these issues. There are hundreds of filters that detect other attack vectors and which can protect against vulnerabilities in common Web applications.

Geolocation-based blocking

For organizations with a generally local presence and limited need for access from outside that region, geolocation data can be leveraged to block foreign sources during periods of heightened threat or attack. This is an aggressive posture and not likely one that would be appropriate all of the time. For example, a municipal police department in the United States that is being targeted may choose to block traffic from the B.R.I.C. nations, or from everywhere outside the U.S., for a limited time.


This approach limits the aperture of the risk window. However, though Anonymous is global, often the attacks originate locally. We have observed this with attacks in Oakland, CA, in retaliation to the Occupy clashes there; in Greece; and in Panama. If you have attackers in Greece attacking the Greek government, geolocation-based blocking will be of little value.

HP TippingPoint provides a simple tool to leverage open source geographic IP data to help classify the reputation of systems. MaxMind provides an open source database of IP addresses and DNS names, along with their physical location. The free open source version of the database is called the GeoLite Country database. HP TippingPoint leverages this database to enhance its ReputationDV service by allowing data to be converted into a format that can be imported to the HP TippingPoint SMS.

Note: MaxMind also offers a more accurate, for-fee database called the GeoIP Country database.

Although the following instructions assume use of the open source GeoLite Country database, the GeoIP Country database is also supported. Refer to the MaxMind website to research the differences between the two versions and note that the differences will also manifest themselves in SMS.

To update the SMS ReputationDV database with GeoIP-originated entries, security administrators will:

• Need access to the MaxMind website, the HP TippingPoint ThreatLinQ website, and the SMS into which the converted database will be imported

• Obtain the GeoLite Country database from MaxMind and convert it into a format acceptable to an HP TippingPoint SMS

• Import the converted GeoLite Country database into an HP TippingPoint SMS

To convert the MaxMind database and import it into an SMS, the following is needed:

• Internet access to the open source MaxMind website (www.maxmind.com/app/geolitecountry)

• A login account to a beta version of the HP TippingPoint ThreatLinQ GeoReputation tool

• An SMS login account that has sufficient rights to import ReputationDV entries

Geolocation-based filter policies can be configured by selecting a country from the drop-down menu. It is also recommended that administrators assign a reputation score to make the filter policy more effective. Use caution when using geolocation blocking, and always place filters with a “Permit + Notify” action set below filters with a “Block + Notify” action set.

Note: For complete instructions on how to implement geolocation-based blocking, please refer to the HP TippingPoint GeoReputation Usage Note.
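The range-to-block conversion behind the procedure above, as an added example in Python that is neither the ThreatLinQ GeoReputation tool nor anything from MaxMind. It reads constructed rows in what I take to be the legacy GeoLite Country CSV layout (start IP, end IP, start number, end number, country code, country name; the layout is an assumption), keeps the selected countries, summarises each start-end range into the minimal set of CIDR blocks, tags every block with its country, and offers a lookup so the result can be spot-checked before it is imported. The column layout an SMS import expects is not given in this paper, so the output shape is also an assumption.

```python
import csv
import io
import ipaddress

# Constructed rows in the assumed legacy GeoLite Country CSV layout:
# "start_ip","end_ip","start_num","end_num","country_code","country_name"
SAMPLE_GEOLITE_CSV = """\
"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"1.0.4.0","1.0.7.255","16778240","16779263","AU","Australia"
"1.0.8.0","1.0.15.255","16779264","16781311","CN","China"
"1.0.16.0","1.0.31.255","16781312","16785407","JP","Japan"
"""


def cidrs_for_countries(csv_text, country_codes):
    """Yield (network, country_code) for rows whose code is selected. A GeoLite range is
    start-end inclusive, which is not always a single CIDR block, so each range is
    summarised into the minimal set of blocks."""
    wanted = {c.upper() for c in country_codes}
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 6:
            continue                      # blank or malformed line
        start, end, _, _, code, _ = row[:6]
        if code.upper() not in wanted:
            continue
        first, last = ipaddress.ip_address(start), ipaddress.ip_address(end)
        for net in ipaddress.summarize_address_range(first, last):
            yield net, code.upper()


def build_entries(csv_text, country_codes, tag_name="Country"):
    """Import-ready entries as (cidr, tag) tuples. The tag name/value layout is an assumption;
    the real SMS column layout comes from the GeoReputation Usage Note the paper refers to."""
    return [(str(net), f"{tag_name}={code}") for net, code in cidrs_for_countries(csv_text, country_codes)]


def entries_to_csv(entries):
    """Serialise the entries as two-column CSV text."""
    buf = io.StringIO()
    csv.writer(buf, lineterminator="\n").writerows(entries)
    return buf.getvalue()


def country_of(ip, entries):
    """Spot-check an address against the generated blocks; returns the tag or None."""
    addr = ipaddress.ip_address(ip)
    for cidr, tag in entries:
        if addr in ipaddress.ip_network(cidr):
            return tag
    return None


if __name__ == "__main__":
    entries = build_entries(SAMPLE_GEOLITE_CSV, ["CN", "JP"])
    print(entries_to_csv(entries), end="")
    print("1.0.2.77 ->", country_of("1.0.2.77", entries))
```

The spot-check matters in practice: a conversion that silently merges or drops a range produces a block list that either misses the intended country or catches a neighbour's address space, and the first symptom is a Permit + Notify event from a source that should never have matched.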

Other system attack mitigation

Detecting a compromised system

HP TippingPoint provides filters that can detect enumeration and scanning. If a host has been compromised, it is possible to see this activity from an internal host to another internal host.

Brute force login

1224: SNMP: Community Name Brute Force Attempt
2796: SMB: Windows Repeated Logon Failure (Possible Brute Force)
3525: MySQL: MySQL Brute Force Attack
10957: RDP: Windows Remote Desktop Brute Force Attempt by NCrack
1400: SMB: Windows Logon Failure

Network system scanning

7000: TCP: Port Scan
7001: UDP: Port Scan
0292: Invalid TCP Traffic: Possible nmap Scan (No Flags)
0293: Invalid TCP Traffic: Possible nmap Scan (XMAS (FIN PSH URG))
0302: IPeye Scanner: TCP FIN Probe


0303: IPeye Scanner: TCP NULL Probe
0304: IPeye Scanner: TCP XMAS Probe
0317: Nmap scanner: NULL OS Fingerprinting Probe
0321: Nmap scanner: FUP OS Fingerprinting Probe
0325: SynScan: TCP SYN-FIN Probe
0526: HTTP: pfdisplay.cgi Access (Scanner Probe)
1205: HTTP: sadmind IIS Scan
1225: SNMP: PROTOS Scan (Version Too Long)
1227: SNMP: PROTOS Scan (Malformed Request)
1232: SNMP: PROTOS Scan (Baseline Packet)
1233: SNMP: PROTOS Scan (Bad Error Status or Generic Trap Length)
1234: SNMP: PROTOS Scan (Bad Error Index or Specific Trap Length)
1235: SNMP: PROTOS Scan (Bad Error Status or Generic Trap Value)
1236: SNMP: PROTOS Scan (Bad Error Index or Specific Trap Value)
1237: SNMP: PROTOS Scan (NULL Community String)
1238: SNMP: PROTOS Scan (Overlong Community String)
1239: SNMP: PROTOS Scan (Community String Contains %)
1240: SNMP: PROTOS Scan (Community String Contains NULL)
1242: SNMP: PROTOS Scan (Bad Object ID)
1243: SNMP: PROTOS Scan (Object ID Too Short)
1244: SNMP: PROTOS Scan (Object ID Too Long)
1271: SNMP: PROTOS Scan (Bad Version Number)
3770: HTTP: IIS ISAPI Anomaly Scan
4081: Oracle: PL/SQL Random Connection Scanning
5149: SIP: SiVuS Vulnerability Scanner (TCP)
10711: HTTP: ZmEu Vulnerability Scanner
10714: HTTP: Netsparker Security Scanner
10767: HTTP: Acunetix Security Scanner
10993: HTTP: Morfeus Scanner Scanning Attempt
11949: HTTP: Gootkit Auto-Rooter Scanner

Enumeration

1388: SMB: Windows SAM Access
1390: SMB: Windows Registry Access
1391: SMB: Windows Local Security Authority Access
1393: SMB: Windows Service Control Access
1259: SMB: nbtstat Query
2176: SMB: Null Session SetUp
2177: SMB: Null Session SetUp
2178: SMB: ADMIN$ Hidden Share Access
2179: SMB: User Enumeration
2180: SMB: User Session Enumeration
2181: SMB: Share Enumeration
2182: SMB: Transport Parameter Enumeration
2183: SMB: Network Service Enumeration
2806: SMB: Disk Enumeration
4720: SMB: Null Session SetUp

HTTP shell

RepDV can be used to detect outbound communication to known malicious sites. There are additional IPS filters that can be used to detect command shell traffic occurring over HTTP.

0340: HTTP: Shell Command Execution (ls -l)
0341: HTTP: Shell Command Execution (cd ..)
0343: HTTP: Shell Command Execution (/bin/ps)
0345: HTTP: Shell Command Execution (uname -a)
0346: HTTP: Shell Command Execution (id command)


0347: HTTP: Shell Command Execution (;id command)
0348: HTTP: Shell Command Execution (echo command)
0349: HTTP: Shell Command Execution (kill command)
0350: HTTP: Shell Command Execution (chmod command)
0351: HTTP: Shell Command Execution (chgrp command)
0352: HTTP: Shell Command Execution (chown command)
0353: HTTP: Shell Command Execution (chsh command)
0356: HTTP: Shell Command Execution (mail)
0358: HTTP: Shell Command Execution (ls|)
0359: HTTP: Shell Command Execution (ls)
0367: HTTP: Shell Command Execution (gcc)
0369: HTTP: Shell Command Execution (cc)
0371: HTTP: Shell Command Execution (cpp)
0373: HTTP: Shell Command Execution (g++)
0375: HTTP: Shell Command Execution (nasm)
0377: HTTP: Shell Command Execution (python)
0379: HTTP: Shell Command Execution (tclsh)
0384: HTTP: Shell Command Execution (ping)
0387: HTTP: Shell Command Execution (xterm command)
0495: HTTP: Shell Command Execution (cmd.exe)
0496: HTTP: Shell Command Execution (ftp.exe)
0499: HTTP: Shell Command Execution (wsh.exe)
0500: HTTP: Shell Command Execution (rcmd.exe)
0501: HTTP: Shell Command Execution (telnet.exe)
0502: HTTP: Shell Command Execution (net.exe)
0503: HTTP: Shell Command Execution (tftp.exe)
0504: HTTP: Shell Command Execution (net localgroup)
0928: HTTP: Shell Command Execution (csh)
0929: HTTP: Shell Command Execution (zsh)
0930: HTTP: Shell Command Execution (rsh)
0931: HTTP: Shell Command Execution (ash)
0932: HTTP: Shell Command Execution (bash)
0933: HTTP: Shell Command Execution (ksh)
0934: HTTP: Shell Command Execution (rksh)
0935: HTTP: Shell Command Execution (tcsh)
1279: HTTP: Shell Command Execution (winnt/system32/cmd.exe)
1383: HTTP: Shell Command Execution (root.exe)

Data leakage detection

To detect whether information was leaked after a breach has occurred, various tactics can be employed. The primary tactics are to detect the content of the sensitive data as it traverses the network, or to detect connections to known bad destinations.

RepDV

RepDV can be implemented to detect data transmissions to questionable destinations. This is often the first indication of potential data leakage, since an attacker may not choose to send the data directly to systems they control and may instead use more anonymous shared systems.

DLP filters

HP TippingPoint offers DLP filters delivered through a CSW package. These can detect personally identifiable and proprietary data.


Figure 35. HP TippingPoint DLP CSW

Leak Sensor

Leak Sensor83, 84 is an interesting concept. Using this program, it is possible to monitor pastebin for sensitive data or personal information that may have been leaked. This provides early notification of doxing and data leakage in the event of a compromise.

Salting of data

Another method that has been effective for detecting data exfiltration is the salting of sensitive data stores. Within a given database, tables or rows can be added containing salted data that would never be returned by normal queries in daily activity. If the database is dumped by an attacker, the NGIPS system can be configured to detect this data being transferred and send a notification about the intrusion.
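The two content-based tactics in this section, DLP pattern matching and salted records, are combined in the following added example (written for this guide, not taken from the HP TippingPoint DLP package or any HP code). It salts an in-memory SQLite table with canary rows whose email domain is reserved for that purpose, renders query results as the text that would cross the wire, and runs a small content inspector over that text. The card and SSN patterns, the Luhn check, the `canary.example` domain and the sample rows are all assumptions constructed for the illustration.

```python
import re
import secrets
import sqlite3
import string

# Content signatures for the DLP side. Constructed for this example; a product
# DLP package carries many more, but the mechanics are the same.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")   # 13-16 digits, optional separators
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")        # US SSN layout


def luhn_ok(number: str) -> bool:
    """Luhn check, so a random run of digits is not reported as a card number."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    return [m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))]


def seed_canary_rows(conn: sqlite3.Connection, count: int = 3) -> set:
    """Salt the table with records no legitimate query returns. The email domain
    exists only for this purpose, so seeing it on the wire means a bulk read."""
    canaries = set()
    for n in range(1, count + 1):
        local = "".join(secrets.choice(string.ascii_lowercase) for _ in range(12))
        email = f"{local}@canary.example"   # hypothetical reserved domain
        conn.execute("INSERT INTO customers(name, email, card) VALUES (?, ?, ?)",
                     (f"Canary {n}", email, ""))
        canaries.add(email)
    conn.commit()
    return canaries


def build_demo_db():
    """In-memory customer table with constructed rows plus the salted canaries."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers(name TEXT, email TEXT, card TEXT)")
    conn.executemany("INSERT INTO customers VALUES (?, ?, ?)", [
        ("Alice Example", "alice@example.com", "4111111111111111"),  # constructed, Luhn-valid test PAN
        ("Bob Example", "bob@example.com", "5500000000000004"),      # constructed, Luhn-valid test PAN
    ])
    return conn, seed_canary_rows(conn)


def export_rows(conn, sql: str, params=()) -> str:
    """Render query results as CSV text, standing in for the bytes crossing the wire."""
    return "\n".join(",".join(str(c) for c in row) for row in conn.execute(sql, params))


def inspect_payload(payload: str, canaries: set) -> dict:
    """What a content-inspecting sensor would report for one outbound payload."""
    return {
        "cards": find_card_numbers(payload),
        "ssns": SSN_RE.findall(payload),
        "canaries": sorted(c for c in canaries if c in payload),
    }


if __name__ == "__main__":
    conn, canaries = build_demo_db()
    lookup = export_rows(conn, "SELECT name, email FROM customers WHERE name = ?", ("Alice Example",))
    print("single lookup:", inspect_payload(lookup, canaries))
    dump = export_rows(conn, "SELECT * FROM customers")
    print("full dump:    ", inspect_payload(dump, canaries))
```

A normal lookup of one customer produces an empty report; a full table export trips both the card pattern and every canary. In a deployment the canary values are what you would load into a custom filter, while the card and SSN patterns stand in for the DLP package described above.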

Detecting participation in your network

For organizations that have many users or relatively open environments, such as universities, it may be necessary to monitor for related activity that would indicate whether a user is participating in these attacks.

83 http://chaptersinwebsecurity.blogspot.com/2012/01/leak-sensor-pastebin-data-leakage.html
84 www.hybridsec.com/resource.html


Attack tool filters

There are IPS filters that can detect the download and communication of tools used in these attacks and others. These filters can be used in conjunction with RepDV to detect Anonymous activity as well as botnet participation.

8262: HTTP: Slowloris DoS Tool
10728: HTTP: LOIC DDoS Program Download
10736: HTTP: LOIC DDoS Web Access
11349: HTTP: Default Page Request (ONLY enable when under DoS attack)
6387: HTTP: Satellite-RAT Trojan Download
10138: Backdoor: Zeus Botnet Command and Control Cyber Flash
10483: Backdoor: Zeus Botnet 2.0 Client Registration
10487: Backdoor: Zeus Botnet 2.0 Phone Home Request
10631: Backdoor: Rustock.E Variant Phone Home Attempt
10632: Backdoor: Rustock.B Variant Phone Home Attempt
10834: Backdoor: NightDragon Trojan Communication Attempt
10861: Backdoor: Alureon.DG Trojan Communication Attempt
10862: Backdoor: Zlob.P/Alureon.DV Trojan Communication Attempt
11734: Backdoor: Aldi Bot Communication Attempt via HTTP
11879: Backdoor: Poison Ivy Server/Client Communication
11882: Backdoor: Zero Access Trojan Communication Attempt
11884: Backdoor: Zero Access Trojan Communication Attempt
11889: Backdoor: Poison Ivy Remote Administration Tool
11904: Backdoor: Poison Ivy Remote Administration Tool

Tor detection

Attacks that require a completed TCP handshake will often be at least partly anonymized using proxies or onion-routed networks such as Tor. More advanced, directed attacks have a higher likelihood of originating from anonymized sources.

Traffic to and from Tor networks is not in and of itself malicious, but the reasons for protecting a given IP should be understood. Traffic bound for a Tor network is at a minimum suspicious and should be monitored. Depending on security policy, it may be advisable to block this traffic.

Using these methods, it is possible to detect internal users who use Tor in an effort to hide their identities, as well as attackers hiding theirs. Events from both detection methods are consolidated in the SMS Event view, as shown in figure 36.

Figure 36. HP TippingPoint IPS Events for Tor network traffic


Tor filters

DVLabs has created several filters to detect Tor traffic. Filters 4373 and 8039 detect the certificate exchange that occurs as a client connects to the Tor network. These identify the source and destination IPs of a Tor circuit, and actions beyond permit or block, such as rate limiting, can be applied to them.

4373: TOR: Certificate Exchange
8039: TOR: Certificate Exchange
12144: TOR: Certificate Exchange

Filters 4812 and 4813 detect lookups to the Tor directory servers. Hidden services are provided within the Tor network through a special top-level domain (TLD) of .onion. This TLD is not recognized by the official root DNS servers and requires special configuration by the client for use. As DNS cannot resolve this domain, Tor provides the directory servers for lookup.

4812: TOR: The Onion Router (Directory Server)
4813: TOR: The Onion Router (Directory Server)

Using ReputationDV to detect Tor

HP TippingPoint DVLabs tracks Tor exit nodes through RepDV. These can be found in the DVLabs feed under the Miscellaneous category. Currently, all entries in that category are Tor exit nodes. These entries default to a score of 1 but may be scored higher due to other metrics for that IP address. There are currently more than 5,000 nodes being tracked.

Figure 37. HP TippingPoint SMS Configuration of RepDV used to identify Tor traffic


To configure the IPS to use this feature, you need to follow these steps:

1. Create a Reputation filter under your profile

2. Name it “Tor”

3. Under Entry Selection Criteria

• Select Tag Criteria -> Reputation DV Exploit Type -> Miscellaneous

• Select Tag Criteria -> Reputation DV Source -> DVLabs

Figure 38. HP TippingPoint SMS Configuration of RepDV used to identify Tor traffic and create filter
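The following added example (not HP code and not the RepDV feed) models what the reputation filter configured in the steps above does: feed entries carry tags and a score, a filter selects entries by tag criteria, and every flow whose source or destination matches a selected entry produces an event. The feed entries use documentation-range addresses constructed for the example; the notify/block split at a score threshold is an assumption chosen to show how the raised scores mentioned above can drive a stronger action, and the tag names follow the selection criteria listed in the steps.

```python
from dataclasses import dataclass

# Tag names follow the SMS selection criteria in the steps above.
EXPLOIT_TYPE = "Reputation DV Exploit Type"
SOURCE = "Reputation DV Source"


@dataclass(frozen=True)
class RepEntry:
    ip: str
    score: int      # 1 = listed as a Tor exit node only; higher when other metrics apply
    tags: tuple     # ((tag name, value), ...), kept as a tuple so the record is hashable


# Constructed feed for this example (documentation-range addresses, not DVLabs data).
FEED = [
    RepEntry("198.51.100.10", 1, ((EXPLOIT_TYPE, "Miscellaneous"), (SOURCE, "DVLabs"))),
    RepEntry("198.51.100.11", 6, ((EXPLOIT_TYPE, "Miscellaneous"), (SOURCE, "DVLabs"))),   # exit node with a raised score
    RepEntry("203.0.113.50", 9, ((EXPLOIT_TYPE, "Botnet"), (SOURCE, "DVLabs"))),           # not a Tor entry
    RepEntry("198.51.100.12", 1, ((EXPLOIT_TYPE, "Miscellaneous"), (SOURCE, "UserDefined"))),  # wrong source tag
]


@dataclass(frozen=True)
class ReputationFilter:
    name: str
    criteria: tuple     # every (tag, value) pair must be present on the entry
    block_at: int       # assumed policy: score at or above this escalates notify to block

    def selects(self, entry: RepEntry) -> bool:
        tags = dict(entry.tags)
        return all(tags.get(k) == v for k, v in self.criteria)

    def action(self, entry: RepEntry) -> str:
        return "block" if entry.score >= self.block_at else "notify"


# The "Tor" filter from the steps above: Miscellaneous entries sourced from DVLabs.
TOR_FILTER = ReputationFilter(
    name="Tor",
    criteria=((EXPLOIT_TYPE, "Miscellaneous"), (SOURCE, "DVLabs")),
    block_at=5,
)


def build_index(feed, filt: ReputationFilter) -> dict:
    """Pre-select the feed entries the filter applies to, keyed by IP."""
    return {e.ip: e for e in feed if filt.selects(e)}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str


def evaluate(flows, feed, filt: ReputationFilter) -> list:
    """Check both ends of each flow: inbound from an exit node and outbound to one
    are both of interest, as the text above notes."""
    index = build_index(feed, filt)
    events = []
    for f in flows:
        for side, ip in (("src", f.src), ("dst", f.dst)):
            entry = index.get(ip)
            if entry:
                events.append({"filter": filt.name, "flow": (f.src, f.dst), "matched": side,
                               "score": entry.score, "action": filt.action(entry)})
    return events


# Constructed connection records for the stand-alone run.
SAMPLE_FLOWS = [
    Flow("198.51.100.10", "192.0.2.80"),   # inbound from a Tor exit node, default score
    Flow("10.0.0.23", "198.51.100.11"),    # internal host connecting out to a higher-scored exit node
    Flow("10.0.0.24", "203.0.113.50"),     # botnet-tagged entry; another filter's concern
    Flow("198.51.100.12", "192.0.2.80"),   # user-defined entry, does not meet the source criterion
    Flow("10.0.0.25", "192.0.2.81"),       # unlisted
]

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_FLOWS, FEED, TOR_FILTER):
        print(ev)
```

Only the two DVLabs Miscellaneous entries are selected; the botnet-tagged and user-defined entries fall outside the criteria even though they sit in the same feed, which is why the selection criteria in the steps above matter.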

IRC filter

There are several filters that can detect IRC activity. Use of IRC is not malicious in and of itself, but as we have shown here, these tools use IRC to control clients, and Anonymous specifically uses IRC to coordinate its activities.

10728: HTTP: LOIC DDoS Program Download
2810: IRC: USER Registration Response
2811: IRC: DCC File Transfer Request
3291: IRC: DCC Chat Request
3293: IRC: NICK/USER Registration Request
3294: IRC: PRIVMSG Request
5333: IRC: JOIN Request
6626: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
6628: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
6629: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
6631: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
6817: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
6818: IRC: Suspicious IRC Traffic (Possible Bot Net Command and Control Channel)
10724: IRC: LOIC DDoS IRC Communication
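As an added example (not HP filter logic), the following code shows the kind of analysis behind a "possible botnet command and control channel" verdict: it parses the NICK, USER, JOIN and PRIVMSG messages the filters above key on and builds per-channel statistics. The capture format, the templated-nick pattern and the thresholds are assumptions constructed for the illustration; what separates an ordinary channel from a suspicious one here is several internal hosts registering machine-generated nicks and joining the same channel in which messages look like commands.

```python
import re
from collections import defaultdict

# Constructed capture: "<internal host> <direction> <raw IRC line>", where ">" is
# client-to-server and "<" is server-to-client. Not taken from any real bot.
SAMPLE_CAPTURE = """\
10.0.0.5 > NICK alice
10.0.0.5 > USER alice 0 * :Alice Example
10.0.0.5 > JOIN #projects
10.0.0.5 > PRIVMSG #projects :anyone reviewed the build?
10.0.0.31 > NICK [DE|XP|48213]
10.0.0.31 > USER xp48213 0 * :xp48213
10.0.0.31 > JOIN #cmd
10.0.0.32 > NICK [US|W7|19377]
10.0.0.32 > USER w719377 0 * :w719377
10.0.0.32 > JOIN #cmd
10.0.0.33 > NICK [FR|XP|00421]
10.0.0.33 > USER xp00421 0 * :xp00421
10.0.0.33 > JOIN #cmd
10.0.0.31 < :ctl!c@h PRIVMSG #cmd :!sync 300
"""

# Heuristic (assumption): nicks built from a fixed template such as country|OS|number.
TEMPLATED_NICK = re.compile(r"^\[?[A-Z]{2,3}[|_-][A-Z0-9]{1,4}[|_-]\d{4,}\]?$")
# Heuristic (assumption): channel text that reads as a command rather than conversation.
COMMAND_TEXT = re.compile(r"^[!.]\w+")


def parse_irc(raw: str):
    """Split an IRC line into (prefix, COMMAND, params); trailing text is the last param."""
    prefix = None
    if raw.startswith(":"):
        prefix, _, raw = raw[1:].partition(" ")
    head, sep, trailing = raw.partition(" :")
    parts = head.split()
    command, params = parts[0].upper(), parts[1:]
    if sep:
        params.append(trailing)
    return prefix, command, params


def analyse(capture: str, min_hosts: int = 3) -> dict:
    """Per-channel member counts, templated-nick counts and command-like messages."""
    nick_of = {}
    channels = defaultdict(lambda: {"hosts": set(), "templated": set(), "command_msgs": 0})
    for line in capture.splitlines():
        if not line.strip():
            continue
        host, direction, raw = line.split(" ", 2)
        _, command, params = parse_irc(raw)
        if direction == ">" and command == "NICK" and params:
            nick_of[host] = params[0]
        elif direction == ">" and command == "JOIN" and params:
            chan = channels[params[0]]
            chan["hosts"].add(host)
            if TEMPLATED_NICK.match(nick_of.get(host, "")):
                chan["templated"].add(host)
        elif command in ("PRIVMSG", "TOPIC", "NOTICE") and params and params[0].startswith("#"):
            if COMMAND_TEXT.match(params[-1]):
                channels[params[0]]["command_msgs"] += 1
    report = {}
    for name, c in channels.items():
        hosts, templated = len(c["hosts"]), len(c["templated"])
        report[name] = {
            "hosts": hosts,
            "templated_nicks": templated,
            "command_msgs": c["command_msgs"],
            # assumed rule: enough members, and either mostly templated nicks or command traffic
            "suspicious": hosts >= min_hosts and (templated * 2 >= hosts or c["command_msgs"] > 0),
        }
    return report


if __name__ == "__main__":
    for channel, stats in analyse(SAMPLE_CAPTURE).items():
        print(channel, stats)
```

On the sample capture `#projects` reports one host and no flags, while `#cmd` reports three hosts, three templated nicks and one command-style message, and is marked suspicious. Tuning `min_hosts` and the nick pattern to the environment is what keeps a rule like this from flagging a legitimate developer channel.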

This final section has shown how organizations can detect and protect against various attack types, as well as detect post-compromise activity. This provides coverage of the entire attack surface throughout the lifecycle of an incident. It can be argued that a defensive strategy is just as important as an offensive one. No functional system can be completely secured. All organizations should begin preplanning from the perspective that they will be attacked and compromised. The preplan addresses the “what now?” considerations: consider what mitigations you can leverage before, during, and after an attack.

Summary

The attacks from Anonymous are varied and ever changing. Expect them to mature over time and to continue for some time. The group is just hitting its stride despite recent arrests, and its tactics constitute an ongoing threat for many organizations. To adequately defend against these attacks, organizations must be diligent in securing their Internet presence and have a plan in place to move into action quickly when the time arises.

Preplan requirements

• Plan ahead

– Develop a response plan with your information security incident response team

– If there is not one currently in place, CERT provides great resources for starting one. Check out the following website: www.cert.org/csirts/csirt_faq.html

– Make contacts within the upstream ISP; these organizations may offer DDoS mitigation services

– Know the network topology and the location of critical or exposed systems

– Have firewall and IPS deployed between zones of different trust levels

• Identify the type of attack

– Identifying the attack method will help in mounting the most appropriate defense

– Identifying the tool used in an attack may prove more valuable than identifying the source of the attack itself

• Deploy customized defenses

– Multiple methods of defense can offer a gauntlet to an attacker and increase the ability to stop their actions

– Monitor for data exfiltration

A defensive strategy must be part of an organization’s overall plan.

Following these steps in preplanning will help your organization prepare for the various attacks that hacktivists are using. Consider HP TippingPoint and the other HP Enterprise Security solutions to help quickly fortify your security defenses. Together they provide a highly intelligent dynamic defense that, used in conjunction with other capabilities within and outside the organization, can help maintain a secure enterprise.


About HP Enterprise Security

HP is a leading provider of security and compliance solutions for the modern enterprise that wants to mitigate risk in their hybrid environment and defend against advanced threats. Based on market-leading products from ArcSight, Fortify, and HP TippingPoint, the HP Security Intelligence and Risk Management (SIRM) platform uniquely delivers the advanced correlation, application protection, and network defenses to protect today’s hybrid IT infrastructure from sophisticated cyber threats. Learn more at www.hpenterprisesecurity.com.

To read more about HP TippingPoint products, go to hpenterprisesecurity.com/networksecurity.

Get connected hp.com/go/getconnected

Current HP driver, support, and security alerts delivered directly to your desktop

© Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.

Adobe is a trademark of Adobe Systems Incorporated.

4AA4-xxxxENW, Created June 2012