[oagitm] FW: UPDATE: MS-ISAC CYBER ALERT: Recent DDoS Attacks on State/Local Government Websites

  • From: "MASSE Theresa A * EISPD ESO" <theresa.a.masse@xxxxxxxxxxx>
  • To: <oagitm@xxxxxxxxxxxxx>
  • Date: Mon, 23 Apr 2012 08:11:51 -0700

Please review the message below and consider the recommendations.

Regards,

Theresa A. Masse
State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office
503-378-4896
Data Classification 2 - Limited

Confidentiality Notice: This message, including any attachments or
links, may contain privileged, confidential and/or legally protected
information. Any distribution or use of this communication by anyone
other than the intended recipient(s) is strictly prohibited. If you have
received this communication in error, please notify the sender
immediately by replying to this message and then delete all copies of
the original communication, including any attachments and/or links.

From: MS-ISAC Advisory [mailto:MS-ISAC.Advisory@xxxxxxxxxx] 
Sent: Saturday, April 21, 2012 4:32 AM
To: William Pelgrin
Subject: UPDATE: MS-ISAC CYBER ALERT: Recent DDoS Attacks on State/Local
Government Websites
Importance: High

MS-ISAC CYBER ALERT

DATE ISSUED: April 19, 2012
April 21, 2012 - UPDATED

SUBJECT: Recent DDoS Attacks on State/Local Government Websites

The MS-ISAC received two reports over the past 24 hours of targeted
Distributed Denial of Service (DDoS) attacks against local government
related websites.

April 21 UPDATE:

The MS-ISAC has received an additional report of a targeted DDoS attack
against a state government website and it has been reported that more
attacks will be launched.

A DDoS attack is an attempt to make any system unavailable to the
intended users, such as preventing access to a website. This can be done
by multiple systems sending numerous random communication request
packets to a targeted IP address. DDoS attack methods include bandwidth
consumption and resource exhaustion. DDoS attacks can be mounted by
using a BOTNET to send hundreds of thousands of packets to a destination
address with the goal of using all available bandwidth, leaving none for
legitimate users. Examples of these types of attack could be Land attack,
SYN Flood, UDP Flood, ICMP Flood, Teardrop attack, Smurf attack, or the
Ping of Death.

The reported DDoS attacks against the local governments appear to be
originating from a Botnet identified as "the Impact Bot" which has the
following capabilities:

1. A UDP packet flood that uses randomly sized packets. This attack
   does not use sophisticated techniques, instead relying only on a
   volume of packets.
2. A TCP flood using unspecified types of TCP traffic. This attack
   creates a small number of connections to a remote port and then
   increases the number greatly if the initial connections are
   successful.
3. An HTTP flood using GET requests. In this attack, the bot sends
   requests to a specified script with a delay, generating user agent
   and referrer data from a set of 124 patterns contained in the bot
   (based on Firefox, Opera and Safari).
4. An HTTP flood using POST requests, which works similarly to the
   GET flood, generating random, meaningless data packets.
5. A slow HTTP POST attack that keeps multiple connections open as
   long as possible to overload the server's resources.

Effective use of DDoS mitigation strategies can mitigate any harmful
effects, and allow your website to work through a DDoS attack, or resume
normal operations in a short amount of time after an attack is detected.

RECOMMENDATIONS:

Some key mitigation techniques are:

  * Define strict "TCP keepalive" and "maximum connection" on all
    perimeter devices, such as firewalls and proxy servers.
  * Consider establishing relationships with companies who offer DDoS
    mitigation services.
  * Establish and maintain effective partnerships with your Internet
    Service Provider (ISP) or upstream provider.
  * Implement SYN Flood prevention mechanisms at the border routers and
    other perimeter devices.
  * Provide attacking IP addresses to your ISP in order to implement
    restrictions at that level.
  * Enable firewall logging of accepted and denied traffic in order to
    determine where the DDoS may be originating.

Additionally, we recommend that the following actions be considered:

  * Establish and regularly validate baseline traffic patterns (volume
    and type) for public facing websites.
  * Configure firewalls and intrusion detection/prevention devices to
    alarm on traffic anomalies.
  * Configure firewalls to accept only that traffic detailed in your
    organization's security policy as required for business purposes.
  * Configure firewalls to block, as a minimum, inbound traffic sourced
    from IP addresses that are reserved (0/8), loopback (127/8), private
    (RFC 1918 blocks 10/8, 172.16/12, and 192.168/16), and otherwise
    listed in RFC 5735. This should be requested at the ISP level as
    well.
  * Tune public-facing server processes to allow the minimum amount of
    processes or connections necessary to effectively conduct business.
  * Apply all vendor patches after appropriate testing.

If you believe you are experiencing a Distributed Denial of Service
attack, please notify MS-ISAC by sending an email to soc@xxxxxxxxxx and
provide sample webserver logs where possible.

REFERENCES:

United States Computer Emergency Readiness Team (US-CERT)
http://www.us-cert.gov/reading_room/UnderstandingDDoSAttacks.pdf

Carnegie Mellon University/Software Engineering Institute
http://www.cert.org/archive/pdf/10tr010.pdf

Damballa
http://www.damballa.com/downloads/r_pubs/WP_Understanding_the_Modern_DDoS_attack.pdf

Network World
http://www.networkworld.com/news/2011/030611-ddos-hall-shame-wordpress.html

DOS-ATTACKS.COM
http://dos-attacks.com

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3488
1-866-787-4722
soc@xxxxxxxxxx

This message and attachments may contain confidential information. If it
appears that this message was sent to you by mistake, any retention,
dissemination, distribution or copying of this message and attachments
is strictly prohibited. Please notify the sender immediately and
permanently delete the message and any attachments.
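As an added example (not part of the advisory and not MS-ISAC's own tooling), the Python script below applies two of the recommendations above to webserver access logs: it counts each source's requests on its single busiest script, which is the shape of the Impact Bot's HTTP GET/POST floods, and it flags sources that fall inside the RFC 5735 special-use ranges the advisory says should never reach a public-facing interface. The log lines, addresses and threshold are constructed, and the function and variable names are my own.

```python
import ipaddress
import re
from collections import Counter, defaultdict

# RFC 5735 special-use blocks (these include the RFC 1918 ranges); none of
# them should be the source of inbound traffic on a public-facing interface.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16", "198.18.0.0/15",
    "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Apache/nginx "combined" format: client ident user [time] "METHOD path proto"
# status bytes "referrer" "user-agent".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'\d{3} \S+ "[^"]*" "(?P<ua>[^"]*)"$')

def analyze(lines, per_source_limit):
    """Return (floods, bogons): floods maps a source IP to (method, path, count)
    when its busiest single path exceeds per_source_limit (an HTTP GET/POST flood
    hits one script while rotating user agents); bogons lists RFC 5735 sources."""
    per_source = defaultdict(Counter)   # ip -> Counter of (method, path)
    bogons = set()
    for line in lines:
        m = LOG_RE.match(line)
        if not m:                       # malformed line: skip it
            continue
        try:
            ip = ipaddress.ip_address(m.group("ip"))
        except ValueError:              # client field is a hostname, not an IP
            continue
        if any(ip in net for net in BOGON_NETS):
            bogons.add(str(ip))
        per_source[str(ip)][(m.group("method"), m.group("path"))] += 1
    floods = {}
    for ip, paths in per_source.items():
        (method, path), n = paths.most_common(1)[0]
        if n > per_source_limit:
            floods[ip] = (method, path, n)
    return floods, sorted(bogons)

# Constructed sample: a flood source, an ordinary visitor, an RFC 1918 source, a bad line.
SAMPLE_LOG = [
    '100.64.1.20 - - [21/Apr/2012:04:32:10 -0400] "GET /search.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 Firefox/11.0"',
    '100.64.1.20 - - [21/Apr/2012:04:32:10 -0400] "GET /search.php HTTP/1.1" 200 512 "-" "Opera/9.80"',
    '100.64.1.20 - - [21/Apr/2012:04:32:11 -0400] "GET /search.php HTTP/1.1" 200 512 "-" "Mozilla/5.0 Safari/534"',
    '100.64.2.5 - - [21/Apr/2012:04:32:11 -0400] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [21/Apr/2012:04:32:12 -0400] "POST /search.php HTTP/1.1" 200 10 "-" "curl/7.22.0"',
    'garbage line that does not parse',
]
```

In production the threshold comes from the baseline traffic pattern the advisory asks you to establish, not from a fixed constant, and the flagged sources are what you hand to your ISP and to MS-ISAC along with the sample logs.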
