[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

US-CERT Technical Cyber Security Alert TA12-024A -- "Anonymous" DDoS Activity



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


                    National Cyber Alert System

              Technical Cyber Security Alert TA12-024A


"Anonymous" DDoS Activity

   Original release date: January 24, 2012
   Last revised: --
   Source: US-CERT


Overview

   US-CERT has received information from multiple sources about
   coordinated distributed denial-of-service (DDoS) attacks with
   targets that included U.S. government agency and entertainment
   industry websites. The loosely affiliated collective "Anonymous"
   allegedly promoted the attacks in response to the shutdown of the
   file hosting site MegaUpload and in protest of proposed U.S.
   legislation concerning online trafficking in copyrighted
   intellectual property and counterfeit goods (Stop Online Piracy
   Act, or SOPA, and Preventing Real Online Threats to Economic
   Creativity and Theft of Intellectual Property Act, or PIPA).


I. Description

   US-CERT has evidence of two types of DDoS attacks: One using HTTP
   GET requests and another using a simple UDP flood.

   The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
   associated with previous Anonymous activity. US-CERT has reviewed
   at least two implementations of LOIC. One variant is written in
   JavaScript and is designed to be used from a web browser. An
   attacker can access this variant of LOIC on a website and select
   targets, specify an optional message, throttle attack traffic, and
   monitor attack progress. A binary variant of LOIC includes the
   ability to join a botnet to allow nodes to be controlled via IRC or
   RSS command channels (the "HiveMind" feature).

   The following is a sample of LOIC traffic recorded in a web server
   log:

     "GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200
     99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0
     (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

   The following sites have been identified in HTTP referrer headers
   of suspected LOIC traffic. This list may not be complete. Please do
   not visit any of the links as they may still host functioning LOIC
   or other malicious code.

     "hxxp://3g.bamatea.com/loic.html"
     "hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
     "hxxp://chatimpacto.org/Loic/"
     "hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
     "hxxp://event.seeho.co.kr/loic.html"
     "hxxp://pastehtml.com/view/bl3weewxq.html"
     "hxxp://pastehtml.com/view/bl7qhhp5c.html"
     "hxxp://pastehtml.com/view/blafp1ly1.html"
     "hxxp://pastehtml.com/view/blakyjwbi.html"
     "hxxp://pastehtml.com/view/blal5t64j.html"
     "hxxp://pastehtml.com/view/blaoyp0qs.html"
     "hxxp://www.lcnongjipeijian.com/loic.html"
     "hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
     vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
     fnorefer"
     "hxxp://www.tandycollection.co.kr/loic.html"
     "hxxp://www.zgon.cn/loic.html"
     "hxxp://zgon.cn/loic.html"
     "hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"

   The following are the A records for the referrer sites as of
   January, 20, 2012:

     3g[.]bamatea[.]com                A    218[.]5[.]113[.]218
     cybercrime[.]hostzi[.]com         A    31[.]170[.]161[.]36
     event[.]seeho[.]co[.]kr           A    210[.]207[.]87[.]195
     chatimpacto[.]org                 A    66[.]96[.]160[.]151
     anonymouse[.]org                  A    193[.]200[.]150[.]125
     pastehtml[.]com                   A    88[.]90[.]29[.]58
     lcnongjipeijian[.]com             A    49[.]247[.]252[.]105
     www[.]rotterproxy[.]info          A    208[.]94[.]245[.]131
     www[.]tandycollection[.]co[.]kr   A    121[.]254[.]168[.]87
     www[.]zgon[.]cn                   A    59[.]54[.]54[.]204
     www[.]turbytoy[.]com[.]ar         A    190[.]228[.]29[.]84

   The HTTP requests contained an "id" value based on UNIX time and
   user-defined "msg" value, for example:

     GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

   Other "msg" examples:

     msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
     msg=:)
     msg=:D
     msg=Somos%20Legion!!!
     msg=Somos%20legi%C3%B3n!
     msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406
     "http://pastehtml.com/view/bl7qhhp5c.html";
     msg=We%20Are%20Legion!
     msg=gh
     msg=open%20megaupload
     msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer
     %20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
     msg=stop%20SOPA!!
     msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20
     forgive.%20We%20do%20not%20forget.%20Expect%20us!

   The "msg" field can be arbitrarily set by the attacker.

   As of January 20, 20012, US-CERT has observed another attack that
   consists of UDP packets on ports 25 and 80. The packets contained a
   message followed by variable amounts of padding, for example:

     66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........

   Target selection, timing, and other attack activity is often
   coordinated through social media sites or online forums.

   US-CERT is continuing research efforts and will provide additional
   data as it becomes available.


II. Solution

   There are a number of mitigation strategies available for dealing
   with DDoS attacks, depending on the type of attack as well as the
   target network infrastructure. In general, the best practice
   defense for mitigating DDoS attacks involves advanced preparation.

   * Develop a checklist or Standard Operating Procedure (SOP) to
     follow in the event of a DDoS attack. One critical point in a
     checklist or SOP is to have contact information for your ISP and
     hosting providers. Identify who should be contacted during a
     DDoS, what processes should be followed, what information is
     needed, and what actions will be taken during the attack with
     each entity.
   
   * The ISP or hosting provider may provide DDoS mitigation services.
     Ensure your staff is aware of the provisions of your service
     level agreement (SLA).
   
   * Maintain contact information for firewall teams, IDS teams,
     network teams and ensure that it is current and readily available.
   
   * Identify critical services that must be maintained during an
     attack as well as their priority. Services should be prioritized
     beforehand to identify what resources can be turned off or
     blocked as needed to limit the effects of the attack. Also,
     ensure that critical systems have sufficient capacity to
     withstand a DDoS attack.
   
   * Have current network diagrams, IT infrastructure details, and
     asset inventories. This will assist in determining actions and
     priorities as the attack progresses.
   
   * Understand your current environment and have a baseline of daily
     network traffic volume, type, and performance. This will allow
     staff to better identify the type of attack, the point of attack,
     and the attack vector used. Also, identify any existing
     bottlenecks and remediation actions if required.
   
   * Harden the configuration settings of your network, operating
     systems, and applications by disabling services and applications
     not required for a system to perform its intended function.
   
   * Implement a bogon block list at the network boundary.
   
   * Employ service screening on edge routers wherever possible in
     order to decrease the load on stateful security devices such as
     firewalls.
   
   * Separate or compartmentalize critical services:

      * Separate public and private services
      * Separate intranet, extranet, and internet services
      * Create single purpose servers for each service such as HTTP,
        FTP, and DNS
      * Review the US-CERT Cyber Security Tip Understanding
        Denial-of-Service Attacks.


III. References

 * Cyber Security Tip ST04-015 -
   <http://www.us-cert.gov/cas/tips/ST04-015.html>

 * Anonymous&apos;s response to the seizure of MegaUpload according to
   CNN -
   <http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>

 * The Internet Strikes Back #OpMegaupload -
   <http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>

 * Twitter Post from the author of the JavaScript based LOIC code -
   <http://www.twitter.com/#!/mendes_rs>

 * Anonymous Operations tweets on Twitter -
   <http://twitter.com/#!/anonops>

 * @Megaupload Tweets on Twitter -
   <http://twitter.com/#!/search?q=%2523Megaupload>

 * LOIC DDoS Analysis and Detection -
   <http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>

 * Impact of Operation Payback according to CNN -
   <http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>

 * OperationPayback messages on YouTube -
   <http://www.youtube.com/results?search_query=operationpayback>

 * The Bogon Reference - Team Cymru -
   <http://www.team-cymru.org/Services/Bogons/>

 ____________________________________________________________________

   The most recent version of this document can be found at:

     <http://www.us-cert.gov/cas/techalerts/TA12-024A.html>
 ____________________________________________________________________

   Feedback can be directed to US-CERT Technical Staff. Please send
   email to <cert@xxxxxxxx> with "TA12-024A Feedback INFO#919868" in
   the subject.
 ____________________________________________________________________

   For instructions on subscribing to or unsubscribing from this
   mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
 ____________________________________________________________________

   Produced 2012 by US-CERT, a government organization.

   Terms of use:

     <http://www.us-cert.gov/legal.html>
 ____________________________________________________________________

Revision History

  January 24, 2012: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTx9v3z/GkGVXE7GMAQJvTQf+J3rSHG60QPyNunnw9E7ifrGoY0ib+GvV
Z1y2NvfwdxStka5xaq7KVmGXd7yExwdhDhWJrfmfXTjA+9Ac18xHdDn+FwdzqueY
qF1+P+LevwJM1gNI/g2RdJDna/ij5M7+eCpk03olRcieMtANZgolh07yCiuJDodm
utleV2m/PYXVNbNsZw74x3dZcxxpYlCdBojV4jpeYSvVG5Qf7uYgQ6/Q9WHY6j4D
Z7UTIQlkA/YULjTNFcDqjdSv4DHMSJsXcmkP0BLM1n11mfRpbToSZVkKZuCZUlqI
wag8ZkuGVwiXt93hIfMpWhgfPzjAbYGeeRpt3sVivBfNyzmME1FIvw==
=A0+U
-----END PGP SIGNATURE-----


[Fedora Announce]     [Linux Crypto]     [Kernel]     [Netfilter]     [Video for Linux]     [Bugtraq]     [USB]     [Fedora Security]

Add to Google Powered by Linux