Avatar

Prologue

On April 10, 2013, a collective of politically motivated hacktivists announced a round of planned attacks called #OPUSA. These attacks, slated to begin May 7, 2013, are to be launched against U.S.-based targets. #OPUSA is a follow-up to #OPISRAEL, which were a series of attacks carried out on April 7 against Israeli-based targets. Our goal here is to summarize and inform readers of resources, recommendations, network mitigations, and best practices that are available to prevent, mitigate, respond to, or dilute the effectiveness of these attacks. This blog was a collaborative effort between myself, Kevin TimmJoseph KarpenkoPanos Kampanakis, and the Cisco TRAC team.

Analysis

If the attackers follow the same patterns as previously witnessed during the #OPISRAEL attacks, then targets can expect a mixture of attacks. Major components of previous attacks consisted of denial of service attacks and web application exploits, ranging from advanced ad-hoc attempts to simple website defacements. In the past, attackers used such tools as LOICHOIC, and Slowloris.

Publicly announced attacks of this nature can have highly volatile credibility. In some cases, the announcements exist only for the purpose of gaining notoriety. In other cases, they are enhanced by increased publicity. Given the lack of specific details about participation or capabilities, the exact severity of the attack can’t be known until it (possibly) happens.

Likely Avenues of Attack

Using previous attacks as indicators, there are three major categories in which likely attacks can be placed.

Vulnerable Software Exploitation
Some of the lowest-hanging fruit for attackers are systems that aren’t patched against current, well-known, or even old vulnerabilities. Always make sure your software and firmware are upgraded to the most recent vendor-recommended releases, and make doubly sure your edge devices are patched. For Cisco software and hardware, you can always check our PSIRT page for the latest information on Cisco security advisories and our Applied Mitigation Bulletin page for up-to-date information on techniques that use Cisco product abilities to detect and mitigate exploits.

Bandwidth Saturation
Against such common distributed denial of service (DDoS) attack tools as LOIC and HOIC, there are a few suitable mitigations, including the following:

These mitigations will be discussed in more detail below.

Moreover, the reader should note that some mitigations might only be able to drop attack traffic after it has saturated the victim’s link to the Internet. For example, we can block traffic at the Internet edge of the network of the web resource under attack. Even when that is achieved, the mitigation has not succeeded in protecting the infrastructure or resource under attack, since the Internet edge link is already saturated. In these situations, traffic must be blocked with the upstream Internet service provider (ISP). With this in mind, the mitigations below will prevent any internally compromised devices from triggering an attack, and the mitigations should be deployed close to the edge of these devices.

  • Unicast Reverse Path Forwarding (uRPF)
  • Reputation-based blocking (of compromised servers)
  • Access control list (ACL) filtering from the upstream provider

The mitigations themselves will be discussed in more detail below.

DNS amplification attacks, also known as DNS reflection attacks, leverage DNS ANY queries and Internet-based open DNS resolvers to amplify denial of service (DoS) traffic and overwhelm targets. Additionally, you make sure your DNS infrastructure adheres to industry best practice and your DNS servers should not function as open resolvers.

DNS amplification attacks should be expected in the event the operation takes place. Cisco has the following additional recommendations:

Resource Starvation
In contrast to the bandwidth consumption denial of service attacks, attackers can also starve off resources using so-called “low and slow” techniques. Tools in the Slowloris family, in addition to tools like R.U.D.Y., work by exhausting web server resources. The tools typically open a large number of connections to the target and slowly trickle small amounts of traffic using never-ending streams of data. Note that these attacks have been shown to use HTTPS as well as HTTP and in some cases odd port and protocol combinations such as UDP port 80.

Mitigating these attacks against affected web servers can prove challenging, but some of the methods to use include:

  • Increasing the maximum number of clients the web server will allow (you would want to ensure the web server can handle this increased load)
  • Reducing the number of concurrent connections a single IP address can have (this can cause problems for customers behind Network Address Translation [NAT] or proxied connections)
  • Imposing restrictions on the minimum transfer speed a connection is allowed to have (this can cause problems for customers on unreliable or very remote networks)
  • Reducing the amount of a time a client can stay connected (this too can cause problems for customers transferring large files or working in long interactive sessions)

Some of these mitigations can be enforced using network devices (firewalls) and will be discussed in more detail below.  The best defense will probably be to use a blended approach and utilize a combination of the above methods.  Finally, we even recommended moving affected web servers to software that is unaffected by this form of attack. It is worth noting that while the above mitigations can help, volumetric attacks can overwhelm any of these stateful devices used for mitigation.

Other network devices that can help in mitigating these types of attacks are:

  • Intrusion prevention systems
  • Web Application Firewalls ensuring web application conformance

Network Identification and Mitigation Technologies

The following technologies are extremely helpful in many different forms of attack detection and mitigation.

NetFlow
NetFlow is a protocol for collecting IP-based telemetry information about traffic flowing through a network. NetFlow offers a treasure trove of security-related information about who is doing what on the network and can be one of the early warning indicators of network misuse.
A few resources are below:

Source-Based Remotely Triggered Black Hole Routing
Remotely triggered black hole (RTBH) routing is a BGP-based DDoS mitigation technique for service providers and large enterprises. It works by injecting a NULL BGP route into the network, forcing all BGP routers to drop malicious traffic based on destination. This technique is effective at filtering attack traffic to Internet hosts, but it is also considered quite heavy handed. It some cases it is better to block only certain source IP ranges (blocking based on source address) rather than blocking all traffic intended for a single target (blocking based on destination address). Combining uRPF with RTBH routing, (known as Source-Based RTBH routing or S/RTBH routing) allows the network to null route based on source address, which will only block attacking source addresses. For more information, you can read our white paper and some additional resources can be found here:

Global Resources
For organizations that can leverage global data centers, geographical resource distribution can be an important DDoS protection. This can be achieved using global server load balancing (GSLB) or anycast. Anycast is a network addressing and routing methodology that provides an increase of speed and resilience. Using anycast, a single server is replicated in several physically disparate locations, all with the same IP address. Using GSLB or anycast, when a client wants to connect to the server, it is routed to the topologically closest node out of the group. Thus, by leveraging an HTTP/HTTPS termination point in each location, users throughout the globe will always reach the resource closest to them as shown in the figure below.

DNS_MS

While complicated to set up, anycast presents a larger attack surface against would-be DDoS attacks. If one server is taken offline, users in other parts of the world will not be affected and mitigation can be deployed on the location that is attacked. Additionally, it would require many more resources for the attackers to take down all the locations. Of course, the requirement for this scheme to work is for a global infrastructure that can distribute the load.

In March 2013, anti-spam juggernaut Spamhaus came under a massive 75Gb/s DDoS attack. To mitigate the attack, they turned to Cloudflare and its massive anycast network.

Unicast Reverse Path Forwarding
Unicast Reverse Path Forwarding (uRPF) is a security feature enabled on the router that helps to limit the propagation of spoofed IP addresses. Please refer to a comprehensive white paper on what uRPF is and how configure it on a Cisco router and a paper on using uRPF to deter DoS attacks.

Tightening Connection Limits and Timeouts
For those of you with Cisco Adaptive Security Appliance (ASA) deployments, you can tighten connection limits and timeouts, which will reduce your susceptibility to some of the attacks mentioned above. For example, if the normal traffic to a web server is a quick connection of a few seconds, we may want to drop connections that are open for more than 5 minutes. Cisco provides a document explaining Cisco ASA connection limits and timeouts, such as how to set maximum TCP and UDP connections, maximum embryonic connections, maximum per-client connections, connection timeouts, and dead connection detection. When enabling embryonic connection limits, the Cisco ASA leverages its TCP intercept feature in order to enforce TCP SYN cookies that are used to mitigate the threat of TCP SYN flood attacks. TCP SYN cookies practically complete the TCP handshake before allowing the connection to the server, which ensures that spoofed traffic cannot waste TCP connections to the server. Resources are available for learning about SYN flood attacks and several mitigations. Readers should note that before changing connection limits, you must have a good understanding of the normal traffic profiles and baselines to ensure you do not inadvertently cause issues.

Reputation-Based Blocking
All Internet traffic must originate from an IP address. A plethora of organizations use various criteria and methods to rank, rate, and score IP addresses with respect to how “notorious” they are. More specifically, if a given IP address is known to be that of a spammer, distributing malware or a part of a botnet army, it can be flagged in one of the ill repute databases, often with a numeric score contextual to the rating system. For example, Cisco Email and Web Security and ASA Botnet Traffic Filter use an integral system from -10 for the worst offenders to +10 for the most angelic. Integrating with one of many IP reputation products or services available can help to reduce the malicious traffic generated by compromised servers.

Web Application Firewalls
A Web Application Firewall (WAF) is a device that provides firewall-like functionality to web-based applications. For organizations with substantial web-based applications, WAFs are recommended as a front-line defense against attackers. There is a thorough best practices document on WAF deployment.

Intrusion Prevention Systems
Intrusion prevention systems (IPS) are appliances that monitor the network for malicious activity. When malicious activity is detected, the IPS can alert or block the traffic and prevent it from entering your network.

Access Control Lists
Access control lists (ACLs) are used by network devices to restrict network traffic flows. Most of the time, ACLs are focused on filtering ingress traffic at network edge devices, specifically traffic that is considered provocative or malicious. A common but effective ACL methodology is to adopt a doctrine of least privilege where only what is absolutely necessary is allowed in. Cisco offers a detailed paper on how to configure ACLs on Cisco IOS Software. Note that using ACLs to block DDoS traffic can be challenging due to the dynamic nature of the attack and the management overhead it would introduce. Additionally, you can read up on transit ACLs and infrastructure ACLs.

Conclusion

Distributed denial of service attacks are a moving target. We may be familiar with many of the tools and how they look on a network, but until the actual attack we don’t know all of its characteristics. Now is a good time to re-evaluate your defenses and determine where they can be improved. When preparing for possible attacks it is best to cover as many possible attack vectors as possible. Yes, this means simple things like patching, monitoring NetFlow, working with Internet service providers, and having a strong incident response and contingency plan.