Please review the message below and consider the recommendations.

Regards,

Theresa A. Masse
State Chief Information Security Officer
Department of Administrative Services
Enterprise Security Office
503-378-4896

Data Classification 2 - Limited

Confidentiality Notice: This message, including any attachments or links, may contain privileged, confidential and/or legally protected information. Any distribution or use of this communication by anyone other than the intended recipient(s) is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this message and then delete all copies of the original communication, including any attachments and/or links.

From: MS-ISAC Advisory [mailto:MS-ISAC.Advisory@xxxxxxxxxx]
Sent: Saturday, April 21, 2012 4:32 AM
To: William Pelgrin
Subject: UPDATE: MS-ISAC CYBER ALERT: Recent DDoS Attacks on State/Local Government Websites
Importance: High

MS-ISAC CYBER ALERT

DATE ISSUED: April 19, 2012
April 21, 2012 - UPDATED

SUBJECT: Recent DDoS Attacks on State/Local Government Websites

The MS-ISAC received two reports over the past 24 hours of targeted Distributed Denial of Service (DDoS) attacks against local government related websites.

April 21 UPDATE: The MS-ISAC has received an additional report of a targeted DDoS attack against a state government website, and it has been reported that more attacks will be launched.

A DDoS attack is an attempt to make a system unavailable to its intended users, for example by preventing access to a website. This can be done by multiple systems sending large numbers of communication request packets to a targeted IP address. DDoS attack methods include bandwidth consumption and resource exhaustion. A DDoS attack can be mounted by using a botnet to send hundreds of thousands of packets to a destination address with the goal of using all available bandwidth, leaving none for legitimate users.
Examples of these types of attack include the Land attack, SYN flood, UDP flood, ICMP flood, Teardrop attack, Smurf attack, and the Ping of Death.

The reported DDoS attacks against the local governments appear to be originating from a botnet identified as "the Impact Bot", which has the following capabilities:

1. A UDP packet flood that uses randomly sized packets. This attack does not use sophisticated techniques, relying only on the volume of packets.

2. A TCP flood using unspecified types of TCP traffic. This attack creates a small number of connections to a remote port and then increases the number greatly if the initial connections are successful.

3. An HTTP flood using GET requests. In this attack, the bot sends requests to a specified script with a delay, generating User-Agent and Referer header values from a set of 124 patterns contained in the bot (based on Firefox, Opera and Safari).

4. An HTTP flood using POST requests, which works similarly to the GET flood but sends random, meaningless POST data.

5. A slow HTTP POST attack that keeps multiple connections open as long as possible to exhaust the server's resources.

Effective use of DDoS mitigation strategies can limit the harmful effects of an attack and allow your website to keep working through a DDoS attack, or to resume normal operations shortly after an attack is detected.

RECOMMENDATIONS:

Some key mitigation techniques are:

* Define strict "TCP keepalive" and "maximum connection" settings on all perimeter devices, such as firewalls and proxy servers.
* Consider establishing relationships with companies who offer DDoS mitigation services.
* Establish and maintain effective partnerships with your Internet Service Provider (ISP) or upstream provider.
* Implement SYN flood prevention mechanisms at the border routers and other perimeter devices.
* Provide attacking IP addresses to your ISP in order to implement restrictions at that level.
* Enable firewall logging of accepted and denied traffic in order to determine where the DDoS may be originating.

Additionally, we recommend that the following actions be considered:

* Establish and regularly validate baseline traffic patterns (volume and type) for public-facing websites.
* Configure firewalls and intrusion detection/prevention devices to alarm on traffic anomalies.
* Configure firewalls to accept only the traffic detailed in your organization's security policy as required for business purposes.
* Configure firewalls to block, as a minimum, inbound traffic sourced from IP addresses that are reserved (0/8), loopback (127/8), private (RFC 1918 blocks 10/8, 172.16/12, and 192.168/16), or otherwise listed in RFC 5735. This should be requested at the ISP level as well.
* Tune public-facing server processes to allow the minimum number of processes or connections necessary to effectively conduct business.
* Apply all vendor patches after appropriate testing.

If you believe you are experiencing a Distributed Denial of Service attack, please notify MS-ISAC by sending an email to soc@xxxxxxxxxx and provide sample webserver logs where possible.

REFERENCES:

United States Computer Emergency Readiness Team (US-CERT)
http://www.us-cert.gov/reading_room/UnderstandingDDoSAttacks.pdf

Carnegie Mellon University/Software Engineering Institute
http://www.cert.org/archive/pdf/10tr010.pdf

Damballa
http://www.damballa.com/downloads/r_pubs/WP_Understanding_the_Modern_DDoS_attack.pdf

Network World
http://www.networkworld.com/news/2011/030611-ddos-hall-shame-wordpress.html

DOS-ATTACKS.COM
http://dos-attacks.com

Multi-State Information Sharing and Analysis Center
31 Tech Valley Drive, Suite 2
East Greenbush, NY 12061
(518) 266-3488
1-866-787-4722
soc@xxxxxxxxxx

This message and attachments may contain confidential information. If it appears that this message was sent to you by mistake, any retention, dissemination, distribution or copying of this message and attachments is strictly prohibited. Please notify the sender immediately and permanently delete the message and any attachments.
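As an added example (not part of the MS-ISAC advisory or of any of its references), the following Python script applies two of the recommendations above to the kind of webserver log sample the alert asks affected sites to share: it compares each source address's request rate against an established baseline and alarms on the HTTP GET/POST flood pattern described for the Impact Bot (one script hit many times per second, User-Agent and Referer rotated from a small set), and it flags any request whose source address falls in the reserved, loopback, private or other RFC 5735 special-use blocks that should never arrive from the Internet. Everything in it is constructed for illustration: the Apache/nginx "combined" log format is assumed, the baseline of 0.5 requests per second per source and the 20x alarm factor are made-up tuning values, and all IP addresses and log lines are synthetic. Note that the documentation prefix 203.0.113.0/24 used for the flood source is itself a TEST-NET block listed in RFC 5735, so that source is reported by both checks; a real deployment would see ordinary public addresses in the rate check.

```python
"""
Added example, not MS-ISAC code: rate-anomaly and special-use-source detection
over Apache/nginx "combined" access-log lines.  All sample data is constructed.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime

# Blocks the advisory says to drop at the firewall and at the ISP: RFC 1918 private
# space plus the other special-use prefixes catalogued in RFC 5735.
RFC5735_BLOCKS = [ipaddress.ip_network(b) for b in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16", "172.16.0.0/12",
    "192.0.0.0/24", "192.0.2.0/24", "192.88.99.0/24", "192.168.0.0/16",
    "198.18.0.0/15", "198.51.100.0/24", "203.0.113.0/24", "224.0.0.0/4",
    "240.0.0.0/4", "255.255.255.255/32",
)]

# Assumed log format: the common "combined" format (source, ident, user, time,
# request line, status, size, Referer, User-Agent).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def is_bogon(ip):
    """True if the source address lies in a block the advisory says to block inbound."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # hostname or garbage in the source field
        return False
    return any(addr in net for net in RFC5735_BLOCKS)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def detect_floods(lines, baseline_rps, window_s=10, factor=20):
    """
    Bucket requests per source into fixed windows of window_s seconds and report any
    source whose busiest window exceeds factor x the baseline (requests/second/source).
    Sources in RFC 5735 space are reported regardless of rate.
    """
    hits = defaultdict(Counter)     # ip -> window index -> request count
    agents = defaultdict(set)       # ip -> distinct User-Agent strings seen
    bogons = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip = rec["ip"]
        if is_bogon(ip):
            bogons.add(ip)
        hits[ip][int(rec["ts"].timestamp()) // window_s] += 1
        agents[ip].add(rec["ua"])

    threshold = baseline_rps * window_s * factor
    findings = []
    for ip in sorted(hits):
        peak = max(hits[ip].values())
        if peak > threshold:
            findings.append({"ip": ip, "reason": "rate", "peak_hits": peak,
                             "distinct_user_agents": len(agents[ip])})
    for ip in sorted(bogons):
        findings.append({"ip": ip, "reason": "bogon_source"})
    return findings


def build_sample_log():
    """Constructed log lines for the example; none of this is real traffic."""
    ts = "21/Apr/2012:04:%02d:%02d +0000"
    fmt = '{ip} - - [{ts}] "{m} {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'
    lines = []
    # An ordinary visitor: one request a minute from a constructed public address.
    for minute in range(20, 25):
        lines.append(fmt.format(ip="23.45.67.89", ts=ts % (minute, 0), m="GET",
                                path="/index.html", ref="-", ua="Mozilla/5.0 (sample)"))
    # A GET flood in the style of capability 3: 30 requests/second for 10 seconds
    # against one script, rotating User-Agent and Referer from a small pattern set.
    uas = ["Mozilla/5.0 (Firefox sample)", "Opera/9.80 (sample)", "Mozilla/5.0 (Safari sample)"]
    for i in range(300):
        lines.append(fmt.format(ip="203.0.113.5", ts=ts % (30, i // 30), m="GET",
                                path="/search.php?q=x", ref="http://example.invalid/", ua=uas[i % 3]))
    # One request carrying an RFC 1918 source address, impossible from a real Internet client.
    lines.append(fmt.format(ip="10.0.0.4", ts=ts % (30, 5), m="GET", path="/", ref="-", ua="-"))
    return lines


if __name__ == "__main__":
    for finding in detect_floods(build_sample_log(), baseline_rps=0.5):
        print(finding)
```

Run against real logs, feed the file's lines to detect_floods with a baseline measured from a quiet period, as the advisory's "establish and regularly validate baseline traffic patterns" item requires; the rate findings are the addresses to pass to the ISP, and the bogon findings indicate either spoofed packets or a missing border filter rather than a host to report.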