Akamai Security Advisory
VERSION: 2013-0001-G
UPDATE: Jan 11, 2013, 1200 EST
Recent Financial Services DDoS Attacks: Ababil Phase II
TLP Green: Recipients may share TLP: GREEN information with peers and partner organizations within their sector or community, but not via publicly accessible channels.
Page 2 of 4
Akamai Technologies, Inc. (TLP GREEN)
OVERVIEW
From December 10, 2012 through the week of January 11, 2013, several financial institutions have been targeted by large DDoS attacks. This is the second phase of the Operation Ababil campaign waged by the hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters (QCF for short). Akamai has been actively defending customers against this attack campaign. The BroBot botnet is being leveraged by QCF to launch these attacks. This advisory is intended to provide a summary of what Akamai is able to share as of this writing, including techniques that have worked to mitigate the impacts of the BroBot/QCF Phase II attacks. Information regarding this attack may have changed since the writing of this summary.
ABABIL CAMPAIGN HISTORY
Motivation
The QCF claims to be launching these attacks in an effort to have the "Innocence of Muslims" video, considered to contain anti-Islamic rhetoric, removed from YouTube. The Hilf-ol-Fozoul blog (http://hilf-ol-fozoul.blogspot.com/) documents apparent snapshots of multiple U.S. banking sites made unavailable by these attacks and attributes to the QCF the statement "Attacks will be over only if film is removed." The US Office of the Comptroller of the Currency (OCC) has issued an alert related to these attacks (http://occ.gov/news-issuances/alerts/2012/alert-2012-16.html). It is interesting to note that the OCC maintains the view that there may be criminal motivations for these attacks.
Ababil Phase I (September – November 2012)
In September of 2012, U.S. banks started to experience a range of DDoS attacks impacting online application availability. The attacks used various attack techniques to cause site availability and performance disruptions. Attack vectors observed include:
• Volumetric DNS DDoS
• Volumetric Layer 3/4 DDoS
• Volumetric Layer 5-7 DDoS
• SSL resource attacks
As a recipient of some of the first attack traffic during Operation Ababil Phase I, Akamai immediately noticed that the attack patterns were heterogeneous in nature, which is very unlike the highly diversified attack traffic seen with other hacktivist attacks. At the same time, Akamai noticed the lack of English-language recruitment (flyers, Facebook, Twitter, Internet Relay Chat (IRC), and bulletin boards) that is often seen associated with hacktivist-related DDoS attacks. The QCF used the BroBot botnet extensively throughout Operation Ababil Phase I. BroBot consists of compromised Virtual Private Servers (VPS) and cloud servers running vulnerable versions of the WordPress and Joomla content management systems (CMS) and related plugins. The effective lethality of BroBot is increased in comparison to other botnets due to the high amount of bandwidth per server (100 Mbps versus 1 Mbps for home users) and a seemingly endless supply of vulnerable servers.
Ababil Phase II (late December 2012 – as of this writing)
After a pause from the beginning of November through the first 3 weeks of December, the attacks resumed on Christmas day, December 10. The QCF have continued to use BroBot and have varied the attacks to evade filtering, primarily by altering query strings, User-Agent strings, and targeted URLs. During Phase II of the campaign, BroBot nodes have been observed sending high-volume bursts of traffic (as many as 10,000 requests per minute per node), and the botnet has been observed sending as many as 18 million aggregate attack requests per second. These volumetric attacks burst for a short period of time and then go dormant, sometimes for hours or days, before resuming.
MITIGATION DETAILS
Some effective mitigation techniques for this attack have included:
• IP Blacklisting – The most recent iteration of this list is available for Akamai customers as part of their security configuration or through the FS-ISAC.
• User-Agent Blacklisting – BroBot has been observed using a handful of User-Agent strings that are unique to it.
• Query String Blacklisting – This technique uses a list of query string argument names that have been observed in use by the attackers. Deploying rules like this in a "negative security" model leads to a measure/counter-measure arms race between the attackers and the defenders.
• IP Rate Controls – Rate controls count the number of requests per IP address and block additional requests when one of a set of thresholds is exceeded.
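The following is an added illustration (not Akamai's code or configuration) of the three request-level controls above applied to constructed access-log lines, with a per-IP sliding-window rate control that also shows why a node that bursts and then goes dormant, as described for Phase II, is allowed again once its burst has aged out of the window. The User-Agent string, query argument names, thresholds, IP addresses and log format are all made-up placeholders, not observed BroBot indicators.

```python
import re
from collections import Counter, defaultdict, deque
from urllib.parse import parse_qs, urlsplit

# Constructed log format: <ip> [<epoch seconds>] "GET <path> HTTP/1.x" "<user-agent>"
LOG_RE = re.compile(r'^(\S+) \[(\d+)\] "GET (\S+) HTTP/1\.[01]" "([^"]*)"$')
BLOCKED_USER_AGENTS = {"ExampleBot/1.0"}   # placeholder, not an observed BroBot value
BLOCKED_QUERY_ARGS = {"zz", "rnd"}         # placeholder argument names, likewise made up
RATE_LIMIT, WINDOW_SECONDS = 60, 60        # requests allowed per IP per sliding window

class RateControl:
    """Per-IP sliding window; a client is blocked once it exceeds the limit."""
    def __init__(self, limit=RATE_LIMIT, window=WINDOW_SECONDS):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)   # ip -> timestamps still inside the window

    def exceeded(self, ip, ts):
        q = self.hits[ip]
        q.append(ts)
        while q and q[0] <= ts - self.window:   # forget hits that aged out
            q.popleft()
        return len(q) > self.limit

def classify(line, rc):
    """Return why a request would be blocked, or None if it is allowed."""
    m = LOG_RE.match(line)
    if not m:
        return "unparseable"
    ip, ts, path, ua = m.group(1), int(m.group(2)), m.group(3), m.group(4)
    if ua in BLOCKED_USER_AGENTS:
        return "user-agent"
    if BLOCKED_QUERY_ARGS & set(parse_qs(urlsplit(path).query, keep_blank_values=True)):
        return "query-string"
    if rc.exceeded(ip, ts):
        return "rate"
    return None

def summarize(lines):
    """Apply the three controls in order to every log line and count the outcomes."""
    rc = RateControl()
    return Counter(classify(line, rc) for line in lines)

# Constructed sample: one blacklisted query argument, three bot-UA requests, a
# 70-request burst from one node in 7 seconds, then that node returning after a lull.
SAMPLE_LOG = (
    ['203.0.113.5 [1000] "GET /login?zz=123 HTTP/1.1" "Mozilla/5.0"']
    + ['198.51.100.9 [%d] "GET /index.html HTTP/1.1" "ExampleBot/1.0"' % t for t in range(1000, 1003)]
    + ['192.0.2.7 [%d] "GET /home?id=%d HTTP/1.1" "Mozilla/5.0"' % (1000 + i // 10, i) for i in range(70)]
    + ['192.0.2.7 [2000] "GET /home HTTP/1.1" "Mozilla/5.0"']
)
```

Running `summarize(SAMPLE_LOG)` yields 1 query-string block, 3 User-Agent blocks, 10 rate blocks (the last 10 requests of the burst) and 61 allowed requests, the final one being the returning node whose earlier burst has left the window.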
REFERENCES & RELATED READING
• Qassam Cyber Fighters Pastebin – http://pastebin.com/u/QassamCyberFighters
• Hilf-ol-Fozoul (The Global Movement) – http://hilf-ol-fozoul.blogspot.com/
• OCC Alert – http://occ.gov/news-issuances/alerts/2012/alert-2012-16.html
• Gartner blog on the OCC alert – http://blogs.gartner.com/avivah-litan/2012/12/21/bank-regulator-issues-informative-alert-on-ddos-attacks/
• Interview with CSIRT Director Michael Smith on his thoughts and theories behind the DDoS attacks being the first signs of fraud – http://www.bankinfosecurity.com/interviews/ddos-attacks-first-signs-fraud-i-1705
• Traffic Light Protocol – http://www.us-cert.gov/tlp/
• Prolexic Advisory on itsoknoproblembro – http://www.prolexic.com/knowledge-center-ddos-threat-advisory-itsok/pr.html
CONTACTS
Existing customers that desire additional information can contact Akamai directly through CCare at 1-877-4-AKATEC (US and Canada) or 617-444-4699 (International), their Engagement Manager, or their account team. Non-customers can submit inquiries through Akamai's hotline at 1.877.425.2624, the contact form on our website at http://www.akamai.com/html/forms/sales_form.html, the chat function on our website at http://www.akamai.com/, or on Twitter at @akamai.
©2013 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its publication date; such information is subject to change without notice.