DDOS

What we learned from Anonymous/AntiSec

May 1, 2012

In late 2010, the hacktivist group Anonymous made headlines around the world with high-profile, politically motivated distributed denial-of-service (DDoS) attacks. IT vendors learned valuable lessons during the attacks and today many data centers have been hardened against DDoS attacks. But Anonymous learned lessons as well. In 2011, they changed their attack profile from a grassroots DDoS campaign to a series of targeted smash-and-grab operations designed to discredit their targets (including HBGary, Sony and STRATFOR). An examination of the evolution from the 2010 campaign to the 2011 operations provides some hints about what IT vendors might expect from Anonymous and AntiSec in 2012.

What we learned from Anonymous attacks of 2010

In November of 2010, during the WikiLeaks crisis, Anonymous launched a series of diverse network attacks against the perceived enemies of WikiLeaks, including VISA, PayPal and Amazon. They had deployed a voluntary botnet among their members (rumored to number at least 15,000). What was new about this particular campaign was the diversity of the attack types and their effect over time. In the attack against one of their targets, Anonymous initially targeted one of the lightly provisioned applications, a social media portal, with an HTTP flood. The portal went offline and Anonymous quickly issued a press release claiming that they had taken the company offline, even though all other services were still functioning.

The next day, Anonymous launched a clever two-step attack starting with a connection flood that overwhelmed the firewall modules (for PCI compliance) in front of the target's applications. When the connection flood passed the 2,000,000 concurrent-connection limit of the firewall modules, the firewalls began a reboot loop. With the firewall modules out of action, the site became unavailable, so the staff routed traffic around the looping firewalls. When the services came back online, the attackers (who may have been waiting for just this signal) launched a vicious ICMP fragmentation attack directly at the now-unprotected services behind them. This attack almost succeeded in tying up the CPUs of all the internal routers, which would have effectively disabled all applications in the data center.

The combination of HTTP-flood, connection-flood and ICMP attacks (in that order) was something new in the threat spectrum. Using a connection-flood to get the firewall out of the way opens up back-end services to attacks that firewalls would normally mitigate, in this case the ICMP fragmentation attack. The lesson learned is that the new security posture is not just firewalls (which, in this case, became their own denial-of-service vector), but security integrated throughout the core services as well. 

What Anonymous learned in 2011

Several of the companies assaulted in the WikiLeaks attacks recorded the incoming IP addresses of the HTTP floods and turned this information over to law enforcement agencies. Because the first Anonymous botnet did not mask the source IP addresses of the botnet clients, the attacks were traced back to several of the hackers and multiple arrests were made, including the well-publicized brief incarceration of 20-year-old student Mercedes Haefer.
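A per-source record like the one the targeted companies kept can be rebuilt from ordinary web-server access logs. The Python sketch below is an added example, not code from the article or from any vendor; it assumes combined-format log lines in chronological order, and the sample lines, addresses (RFC 5737 documentation ranges), window and threshold are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (source_ip, timestamp, path), or None for a malformed line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group(2), TS_FMT)
    except ValueError:
        return None
    return m.group(1), ts, m.group(4)

def flood_sources(lines, window_s=10, threshold=20):
    """Map each source IP that reached `threshold` requests inside a sliding
    window of `window_s` seconds to (peak count, time threshold was first hit)."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    flagged = {}
    for rec in filter(None, map(parse, lines)):
        ip, ts, _ = rec
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()           # drop requests that fell out of the window
        if len(q) >= threshold:
            peak, first = flagged.get(ip, (0, ts))
            flagged[ip] = (max(peak, len(q)), first)
    return flagged

def sample_log():
    """Constructed log: one source at 5 req/s for 8 s, one ordinary client."""
    fmt = '{ip} - - [01/May/2012:12:00:{s:02d} +0000] "GET {p} HTTP/1.1" 200 512 "-" "-"'
    lines = []
    for s in range(41):
        if s < 8:
            lines += [fmt.format(ip="203.0.113.7", s=s, p="/")] * 5
        if s % 10 == 0:
            lines.append(fmt.format(ip="198.51.100.23", s=s, p="/index.html"))
    lines.append("truncated line without a timestamp")  # must be skipped, not crash
    return lines

if __name__ == "__main__":
    for ip, (peak, first) in flood_sources(sample_log()).items():
        print(ip, peak, first.isoformat())
```

The first-hit timestamp matters as much as the count: it is what lets the log evidence be lined up with upstream provider records for the same source address.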

Though Anonymous continued its DDoS attacks through 2011, a splinter group, calling itself LulzSec, launched 50 days of targeted penetration attacks. Its activities involved hacking into systems and retrieving account information and passwords (often through simple SQL injections). LulzSec would then post the information publicly, usually with a screed of snide comments about their victims' security posture. The personal information disclosures caused worse public relations than the WikiLeaks DDoS attacks. The damage that LulzSec caused in its 50 days of mayhem was a wake-up call for IT that SQL injections are still embarrassingly prevalent.
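The class of flaw behind those disclosures is easiest to see with the weak query next to its corrected form. This is an added example, not code from the article or from any of the affected sites; the `accounts` table, its rows and the function names are constructed for illustration, using Python's built-in `sqlite3` module.

```python
import sqlite3

def make_db():
    """In-memory database holding constructed sample accounts."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (username TEXT PRIMARY KEY, email TEXT, pw_hash TEXT)")
    db.executemany("INSERT INTO accounts VALUES (?, ?, ?)", [
        ("alice", "alice@example.com", "hash-a"),
        ("bob", "bob@example.com", "hash-b"),
        ("carol", "carol@example.com", "hash-c"),
    ])
    return db

def lookup_vulnerable(db, username):
    # Weak form: the input is pasted into the SQL text, so a quote character
    # in it ends the string literal and the remainder is parsed as SQL.
    sql = "SELECT username, email FROM accounts WHERE username = '" + username + "'"
    return db.execute(sql).fetchall()

def lookup_hardened(db, username):
    # Corrected form: the statement text is fixed and the input is bound as a
    # value, so it can only ever be compared against the column.
    sql = "SELECT username, email FROM accounts WHERE username = ?"
    return db.execute(sql, (username,)).fetchall()

# Constructed input of the kind a "simple SQL injection" relies on.
CRAFTED = "x' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, CRAFTED))  # every account row
    print("hardened:  ", lookup_hardened(db, CRAFTED))    # no rows
```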

LulzSec dissolved when several of its core members were apprehended on serious charges. Sabu is still at large and the various #Occupy movements around the world still consider him a rallying point and a Robin Hood. He moved back into the unofficial spokesman role for Anonymous when an SSL attack against Facebook was scheduled in the summer of 2011. Sabu informed everyone that this was a hoax and was not associated with Anonymous. For a supposedly “leaderless” movement, Sabu is the closest thing they have to a marketing director.

What's the next step for defense

Now that Arab Spring, Occupy Wall Street and other Occupy (insert your municipality) movements have begun to wind down, the conjecture is that the Stop Online Piracy Act (SOPA) bill will become the next Anonymous and AntiSec flashpoint if it is somehow resurrected or if the Senate's PIPA bill passes. If that happens, expect to see both DDoS attacks and more smash-and-grab SQL penetrations against the perceived perpetrators: members of Congress, senators and pro-SOPA industry backers.

An Android application named BoycottSOPA lists more than 800 supposed SOPA-backers. This would be a good place to check first for IT security staff who may be wondering if they need to start hardening, provisioning and defending.

The original Anonymous botnet is old news now and has been replaced by two new tools: RefRef and the High Orbit Ion Cannon (HOIC). RefRef uses an interesting surgical technique to insert a malicious script on the server and then activates the script from a mobile device. The script uses a common Java flaw that causes the server to DoS itself. The author of RefRef states:

"I send two packets from my iPhone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, it's all a local connection."

In addition to more network DDoS attacks, expect to see more surgical penetrations using cross-site scripting (XSS) and remote file include (RFI) – the top two techniques used by LulzSec.

If and when the attacks do come, expect to see Anonymous and AntiSec retargeting rapidly as they discover which targets have replaced old firewalls with better, faster, high-capacity data center firewall technology.

Conclusion

While the story for 2010 was broad-spectrum DDoS, in 2011 the attack profile has changed to include targeted SQL injection penetrations. Both attack types are likely to continue in 2012, and there is no lack of political or ideological movements which the group can rally behind. To stay ahead of the Anonymous and AntiSec threat spectrum, companies need to monitor their vulnerability to these social issues, re-provision their data centers and keep increasing their security posture from layer 4 all the way to the databases and applications on the back end.


David Holmes is a technical marketing manager at F5 Networks.
