Technical white paper
HP TippingPoint hacktivist survival guide
Simplifying the complex

Table of contents
Executive summary 2
Introduction to hacktivism (Anonymous at a glance) 3
Attack methods 8
Defending against Anonymous 20
DDoS mitigation 21
Protection against doxing 36
Web application attack mitigation 37
Geolocation-based blocking 38
Other system attack mitigation 39
Summary 46

Executive summary
The last decade has seen the rise of crowd-sourced, activist-driven hacker groups.1 The term hacktivist has been coined to describe this group and refers to the nonviolent use of illegal or legally ambiguous digital tools in pursuit of political ends.2

More recently, there have been more attacks on corporations and governments in response to perceived wrongdoings by various groups. Most notable of these hacktivist groups is Anonymous,3 a loose collective of individuals borne out of a cybersubculture that has gone mainstream. Its mantra is “We are Anonymous, we are legion, we do not forgive, we do not forget, Expect us.”

Early examples of this activity were seen in a constant stream of attacks between rival Middle Eastern groups spreading messages in support of Israel and Palestine through website defacements during the late 1990s.

Anonymous’ underlying beliefs have become visible with the mainstream media since its nefarious activities have touched some of the largest private and public entities worldwide. Take the following example of Jeremy Hammond of Chicago, IL (aka Anarchaos among others), who had a long history of radical social protesting long before he joined LulzSec, an Anonymous offshoot. Hammond’s hacktivist crime spree didn’t begin in earnest until 2011, but his activist activity, rising to a level that warranted his arrest, dates back to 2004, when he was detained during the Republican National Convention in New York City. He was later convicted in 2005 of computer intrusion and stealing credit card numbers with the intent to make donations to liberal organizations, according to the FBI.4 Hammond was again arrested in 2009 protesting a Holocaust denier, and again in 2010 protesting a proposal for the 2016 Summer Olympics to be held in Chicago. He has maintained ties with militant leftist and anarchist groups and is a self-described “anarchist communist.” Hammond was eventually arrested March 6, 2012, for attacks carried out by LulzSec as part of Anonymous Operations.

Though the case of Jeremy Hammond is extreme, groups like Anonymous have given activists like him a digital outlet. The Anonymous platform has gone mainstream and has opened the door to more casual protesters who are aligned with its cause. Anonymous has facilitated their participation in ways that allow the average person to contribute to attacks without being a skilled hacker.

The goal of this paper is to provide a glimpse into the world of hacktivism and, more importantly, the group known as Anonymous. Various sections of this paper will explore the tools and tactics used by Anonymous, as well as techniques for defending against the primary attack vectors that are popular among various hacktivist groups. The primary keys to defending against hacktivist attacks are preparation, awareness, and education. This paper will demonstrate that anyone at any time can find themselves in the sights of a hacktivist group and that the cost of a successful attack, even without data loss, can be immense. The direct financial cost to organizations attacked by a hacktivist group has been in the tens of millions of dollars.

1 www.huffingtonpost.com/2012/01/30/infographic-anonymous-timeline_n_1241829.html
2 “Hacktivism and the Future of Political Participation,” www.alexandrasamuel.com/dissertation/pdfs/Samuel-Hacktivism-entire.pdf
3 http://en.wikipedia.org/wiki/Anonymous_(group)
4 “USA vs. Jeremy Hammond, Sealed Complaint, Violation of 18 U.S.C. §§ 1029, 1030, and 2”
Introduction to hacktivism (Anonymous at a glance)
With its roots in the IRC channel #4Chan, Anonymous has grown up and is now a force to be reckoned with. Anonymous has come into its own in the past two years, garnering global support from individuals seeking a platform to speak out against corporate greed and government corruption.

The Anonymous mantra
This sentiment is the underlying motivator for these groups.

With its close ties with the Occupy movement,5 Anonymous stands against the perceived 1 percent, standing up for the little guy and promoting freedom and justice. However, both groups are driven by social consciousness and revenge, a Yin and Yang of good versus evil.

Several Anonymous attacks have been in direct response to clashes between police and Occupiers. Both have a common ideal of fairness that materializes in a disdain for corporate greed and corruption. Both groups have also adopted a symbolic mask that depicts a stylized image of Guy Fawkes6 that has also been adopted by other protest groups. On November 5, 1605, Guy Fawkes planned to blow up the House of Lords in London to restore Catholic leadership to the throne of England after religious persecution under King James I. Authorities received an anonymous letter tipping them off about his plans, and he was captured. Eventually, with his execution structure set up, he jumped from the gallows and broke his neck. The mask originates from the 2005 movie “V for Vendetta” and is an allegory of oppression by government.7

Anonymous has executed attacks of various kinds against organizations and individuals for nearly a decade, going mainstream within the past two years. For example, in the most recent large attack, Anonymous (January 2012 in response to the shutdown of Megaupload.com) targeted many corporations and organizations associated with the recording and movie industries as well as government agencies.8 These attacks focused primarily on voluntary group-based distributed denial-of-service (DDoS), rather than botnet-driven DDoS. Anonnews reported that this was the largest attack to date by Anonymous, with 5,635 participants.9

Anonymous targets have ranged from individuals to governments across the world. Known victims of recent Anonymous attacks include those shown in table 1.

5 www.fastcompany.com/1788397/the-real-role-of-anonymous-at-occupy-wall-street
6 http://en.wikipedia.org/wiki/Guy_Fawkes_mask
7 http://en.wikipedia.org/wiki/V_for_Vendetta_(film)
8 www.us-cert.gov/cas/techalerts/TA12-024A.html
9 https://twitter.com/#!/YourAnonNews/status/160135858895335424
Table 1. Known victims of recent Anonymous attacks
Victim | Attack method | Reason
FBI-Scotland Yard | Conference call intercepted, recorded, and placed on YouTube11, 12 |
Universal Music | Universalmusic.com DDoS | #OpMegaUpload
Universal Music France | Universalmusic.fr DDoS | #OpMegaUpload
Universal Music Portugal | Site database dumped, exposing usernames and passwords14 | #OpMegaUpload
Vivendi France | Vivendi.fr DDoS | #OpMegaUpload
Belgian Anti-Piracy Federation | Anti-piracy.be/nl DDoS | #OpMegaUpload
U.S. Copyright Office | Copyright.gov DDoS | #OpMegaUpload
The White House | Whitehouse.gov DDoS | #OpMegaUpload
BMI | Bmi.com | #OpMegaUpload
Greece Justice Ministry | | Protest EU & IMF Greece bailout15, 16
American Nazi Party | |
Twitter | Twitter.com DDoS20 | #OpMegaUpload
Sony | Multiple sites down22, 23 | #OpPayback24
Citigroup | | #OpSony
Scientology | | #OpClambake #OpChanology27
 | Website compromise | LulzSec
 | Website compromise | LulzSec
specialforces.com | Website compromise | LulzSec
Lolita City (The Hidden Wiki) | Removal of child porn from Tor networks and DDoS, PHP and SQL injection attacks at Freedom Hosting31 | #OpDarkNet32
 | Dox after video of him beating his disabled daughter surfaced | #OpDoxTheJudge33
PostFinance | |
EveryDNS | Everydns.com36 | #OpPayback
Former Alaska Governor Sarah Palin | Sarahpac.com38, Conservatives4palin.com39 | #OpPayback
Oakland Police Department | Website hack, email compromise, Dox officers41 | Occupy Oakland
West Virginia Chiefs of Police Association | Dox members42 | CabinCr3w
German Military | Server compromise, data leakage44 |
Swedish Government | Website DDoS45 |
CIA | Website DDoS46 | #FFF
Prime Minister of Tunisia | Website defacement |
Algeria Government | Website DDoS | #OpAlgeria
Zimbabwe Government | System compromise | #OpZimbabwe
Los Angeles County Police Canine Association | User database compromise, users’ email compromised53 |
Houston Police Department | Dox | CabinCr3w
Former U.S. Treasury Secretary Larry Summers | Dox | CabinCr3w
 | Dox | CabinCr3w
Newark Police Foundation | Dox | CabinCr3w
Infragard (Atlanta and Ohio Chapters) | Website defacement54 | #FFF
Unveillance | Email compromise, dox55 |

10 www.forbes.com/sites/andygreenberg/2012/01/19/anonymous-hackers-claims-attack-on-doj-universal-music-and-riaa-after-megaupload-takedown/
11 www.telegraph.co.uk/technology/news/9059580/Anonymous-hackers-intercept-conversation-between-FBI-and-Scotland-Yard-on-how-to-deal-with-hackers.html
Not all attempted Anonymous operations are successful, however. Recently, there have been some Anonymous operations that could not garner support from the community, such as those shown in table 2.

Table 2. Some targets of failed Anonymous attacks
Victim | Attack method | Reason
Amazon | Amazon.com DDoS56 | #OpPayback
Discovery/TLC | ToddlersandTiaras site | #OpInnocence57
The Facebook and Discovery/TLC operations faltered because the groundswell of support that so often occurs with Anonymous operations did not materialize. These exposed attacks were not of the level that outraged the public or which directly harmed the Anonymous Legion. The larger outpourings of support for Anonymous attacks tend to occur when members of the Legion are directly impacted, such as happened with the shutdown of MegaUpload.com.
While monitoring the chat rooms for #OpInnocence at the scheduled time of attack, the collapse of support was observed firsthand.
Figure 1. IRC chat log from #OpInnocence
#OpInnocence IRC Log
[15:27] <ElieteGh0st> sup
[15:27] <ElieteGh0st> guess this op is a dud
[15:27] <ElieteGh0st> oh well
[15:27] <m0bster> yeah I think it's safe to say it's not gonna happen
[15:28] <m0bster> there was some talk about what DJ Tam did to opsony so that's not really surprising
[15:30] <ElieteGh0st> ?
[15:30] <ElieteGh0st> i must have missed that
[15:30] <ElieteGh0st> what happened?
[15:30] <m0bster> something about opsony and how djtam apparently trolled everyone
[15:31] <m0bster> so this was a few days before he setup this op
[15:31] <ElieteGh0st> wow
[15:31] <ElieteGh0st> so who is taking leadershitp
[15:34] <ElieteGh0st> bsd?
[15:34] <ElieteGh0st> deathtoll
[15:34] <m0bster> bsd is the one who spoke out against dj tam
[15:34] <m0bster> don't think anybody is standing up for this op though
When Anonymous sought to bring down Amazon, with its huge EC2 Web presence, it discovered that its weapons were no match for such a giant. Amazon is estimated to have nearly half a million servers. In this case, David could not topple Goliath. In figure 2, from the AnonOpsNet Twitter feed, we see where the Anonymous leadership redirected the target of attacks from Amazon to PayPal. This was due to the fact that the “hive” wasn’t big enough to topple the Internet giant. The referenced hive is the collective of participants in the DDoS attack being controlled through IRC.
54 http://thehackernews.com/2012/02/another-fuckfbifriday-anonymous-hack.html
55 http://pastebin.com/MQG0a130
56 http://news.netcraft.com/archives/2010/12/09/operation-payback-aborts-attack-against-amazon-com.html
57 www.youtube.com/watch?v=493FfuoLI7A
Figure 2. Twitter post from Amazon attack
Other attack victims, however, aren’t so fortunate. On February 10, 2012, CIA.gov was taken offline by Anonymous for the second time in a year. Again, the news spread fast on Twitter, as seen in figure 3.
Figure 3. Twitter post from CIA attack
Figure 4. CIA website unavailable message
It has been reported that the attack on the CIA website ended only after the FBI directed Sabu (head of LulzSec), who was cooperating with the organization as a confidential witness, to have Anonymous cease the DDoS.
Again, it is important to stress that Anonymous can choose anyone at any time for the focus of its attacks, and its directed attack at the CIA captures the true essence of this group’s reach. Though Anonymous has been fairly consistent in its attack patterns, the group will use any attack type at its disposal. These attacks can be difficult to defend against without proper preparation and without having the proper tools in place. Everyone with a Web presence, especially those with controversial positions, should take measures to prepare for these types of attacks beforehand. The cost of data loss, website compromise or outage, and damage to reputation can be devastating.
Attack methods
With all that is known about Anonymous, there is even more that is not. This is a dynamic group shrouded in anonymity. There is conflicting evidence of centralized leadership,58 but one thing is clear: once ideas are agreed upon, they go viral, spreading through social media, IRC chat rooms, Twitter, and YouTube. Anonymous has been as successful as any marketing firm at leveraging guerrilla marketing and social media to spread its message.

Typical attacks by Anonymous begin with a defined operation against an organization or individual in response to some perceived evil the target has perpetrated. The activities associated with these operations fall into two categories. There are attacks carried out by more skilled hackers that are more precise and advanced, as well as public attacks that focus on larger groups carrying out DDoS attacks. In many cases, these activities will occur in conjunction with each other.
Once an operation is defined and opened up to the broader Anonymous community, there is a lag before the attack occurs. This lag can be as little as a week but can be as long as several weeks. Time is required for the idea to go viral and the flash mob to gather. This momentum restricts the flexibility of changing the tools used by the larger group quickly. In the heat of the battle, once these tools are identified, organizations can mount effective defenses, as the adversary is less nimble.
Oftentimes, there will be concurrent attacks against a target leveraging multiple tools, as was the case in #OpSony, where Low Orbit Ion Cannon (LOIC) was used for DDoS and more rudimentary tools were used for the exploitation of SQL injection vulnerabilities. This still allows for a dynamic opponent during an attack. Proper identification of a wide range of attacks is required to defend against the entire threat.
There are generally three methods used in these operations:
• Distributed denial of service (DDoS)—purposeful network traffic is directed to a website, overwhelming the site so that it becomes unavailable
• Dox—slang for the act of unauthorized publication of documents or docs with personally identifiable information such as Social Security Numbers
• System hack—a specific site is targeted for defacement or data theft
DDoS In this attack, a call is put out to the Anonymous followers (Anons) under the operation. At a designated time, these followers will use common tools pointed at a specified target to generate traffic with such volume that the site is overwhelmed and becomes unavailable to normal users. The most common of these tools is LOIC. DDoS attacks are not new, but the techniques have evolved and the attack targets have moved up the stack. This means TCP-based attacks are no longer the primary focus, and attackers are opting to target the Web server and the Web application running on top of it.
Dox
A second type of attack method used by Anonymous specifically targets individuals associated with the purported misdeeds. The individual will be identified and the order given to “dox”59 them. Dox is a slang term, whose origins come from documents or docs, and means to find personally identifiable information on the individuals and publish it. This information is then used to harass and intimidate the individuals. This information may be collected through public Internet searches and social engineering, or by compromising a system containing personal information.

58 http://gawker.com/5783173/inside-anonymous-secret-war-room
59 http://en.wikipedia.org/wiki/Dox
System hack A third common attack vector is through a direct attack on a website that represents the target organization. More skilled—though still mostly script kiddies—followers will target the site with the purpose of defacing it, stealing credit card or account information, or deleting the site. This is often accomplished through Web application vulnerabilities, such as SQL injection, that are exploited.
Operation Leakspin was a unique operation. After WikiLeaks posted the obtained diplomatic cables and other information allegedly obtained from U.S. Army Pfc. Bradley Manning,60 Leakspin directed followers to search the wiki content for the most interesting and damaging information and begin a campaign of disseminating it. This tactic is similar to, but should be considered separately from, doxing.
Figure 5. Operation Leakspin propaganda
The above attack methods are the most common seen so far and should not be considered as the only methods used. The very nature of this activity means that there are not hard and fast rules to define them. The purpose of this paper is to summarize the methods of attack used by Anonymous to date and to provide visibility into the theater of operation. Organizations should be vigilant and remain aware of emerging trends so that plans can be made and/or adjusted to prepare for new threats.
Defenses against these threats can be leveraged for security issues beyond Anonymous and should be integrated into your overall security policies and processes. This paper goes into more detail on these three attack methods to help you better understand the goals and challenges in thwarting them.
DDoS attacks
DDoS is an attack against a common target from multiple sources with the intent to cause service interruption. Often these sources are part of a botnet61 with common direct control. In the case of Anonymous, the common control is accomplished by pointing the LOIC client to a command and control IRC server. The person in control of the chat room will define the destination and other parameters for LOIC to use.

60 http://en.wikipedia.org/wiki/Bradley_Manning
61 http://en.wikipedia.org/wiki/Botnet
Figure 6. SYN flood
These DDoS attacks can be SYN floods, HTTP floods, or UDP floods (among other types) with various payloads. There are many available tools that can be used to generate this traffic. The most popular one is LOIC.62
LOIC has been the tool of choice for some time by Anonymous. There are two primary versions, a binary local version and a JavaScript version that can be used within a Web browser. Today there is even an Android-based mobile version.63 This has been used in developing nations where mobile devices are more prevalent than landline Internet connections.

DoS attack traffic observed from Anonymous attacks falls into three categories:
• SYN floods
• Connection floods
• UDP floods
SYN floods This attack targets a system’s TCP stack to exhaust the connections that are able to be allocated or a system’s (such as a firewall) connection table that is used to track the state of these connections. In either case, a finite resource is fully used to deny service to legitimate connections.
Connection floods (TCP/HTTP GET flood) This attack overwhelms the Web server infrastructure, whether it be the server itself, the load balancer, or the firewall at the front end. This type of attack does not require a large volume to be effective. The payload can be customized by the user in control of the LOIC host.
UDP floods (UDP port flood) In this type of attack, floods of UDP packets aimed at ports 80, 25, and 53 have been seen, in addition to random ports.
UDP floods are typically more of a volume attack, measured in megabits per second or packets per second. They are normally used to target open ports. Traffic that is not blocked at the perimeter must be processed by more devices penetrating further into the target environment. Border routers, firewalls, intrusion prevention systems, load balancers, and end servers may all have to process this traffic.
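The three flood categories above differ in which resource they exhaust, so a sensor can tell them apart from packet counts alone. The following added example (not from the paper or HP TippingPoint) runs simple per-window heuristics over constructed packet summaries; the thresholds and the Packet fields are assumptions that would be tuned to a site's own baseline.

```python
"""Heuristics for the three DDoS flood categories described above, run over
constructed packet summaries (added example; not HP TippingPoint code)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class Packet:
    """One captured packet reduced to the fields the heuristics need."""
    src: str
    dst_port: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters ("S", "SA", "A", "PA"); "" for UDP
    payload: str = ""   # first bytes of payload, e.g. "GET / HTTP/1.1"


# Per-second thresholds; illustrative values that must be tuned to a site's baseline.
SYN_RATE = 50      # SYN-only segments per second, with few ACK-bearing segments
REQ_RATE = 100     # HTTP requests per second over completed connections
UDP_PPS = 500      # UDP packets per second


def classify_window(packets: Iterable[Packet], window_s: float) -> dict:
    """Return the flood categories observed in one window and the evidence for each."""
    syn = ack = requests = udp = 0
    syn_sources, req_sources, udp_ports = Counter(), Counter(), Counter()
    for p in packets:
        if p.proto == "tcp":
            if p.flags == "S":
                syn += 1
                syn_sources[p.src] += 1
            elif "A" in p.flags:
                ack += 1
            if p.payload.startswith(("GET ", "POST ", "HEAD ")):
                requests += 1
                req_sources[p.src] += 1
        elif p.proto == "udp":
            udp += 1
            udp_ports[p.dst_port] += 1

    findings = {}
    # SYN flood: half-open connections pile up, so SYNs far outnumber ACK-bearing segments.
    if syn / window_s >= SYN_RATE and syn > 3 * ack:
        findings["syn_flood"] = {"syn_per_s": syn / window_s, "sources": len(syn_sources)}
    # Connection (HTTP GET) flood: completed connections issue requests at an abnormal
    # rate; the volume is low, so the request count, not bandwidth, is the signal.
    if requests / window_s >= REQ_RATE:
        findings["connection_flood"] = {"req_per_s": requests / window_s,
                                        "top_sources": req_sources.most_common(3)}
    # UDP flood: a volume attack measured in packets per second against a few ports.
    if udp / window_s >= UDP_PPS:
        findings["udp_flood"] = {"pps": udp / window_s, "top_ports": udp_ports.most_common(3)}
    return findings


# --- Constructed traffic samples for a 10-second window ---------------------------
WINDOW_S = 10.0


def sample_benign(clients: int = 200) -> List[Packet]:
    """Normal browsing: each client completes a handshake and sends one request."""
    pkts = []
    for i in range(clients):
        src = f"192.0.2.{i % 250}"
        pkts += [Packet(src, 443, "tcp", "S"), Packet(src, 443, "tcp", "A"),
                 Packet(src, 443, "tcp", "PA", "GET /index.html HTTP/1.1")]
    return pkts


def sample_syn_flood(count: int = 600) -> List[Packet]:
    """SYN-only segments from many sources, no handshakes completed."""
    return [Packet(f"198.51.100.{i % 250}", 80, "tcp", "S") for i in range(count)]


def sample_get_flood(sources: int = 50, per_source: int = 30) -> List[Packet]:
    """Few sources, each holding a connection open and hammering GET requests."""
    pkts = []
    for s in range(sources):
        src = f"203.0.113.{s}"
        pkts.append(Packet(src, 80, "tcp", "S"))
        pkts += [Packet(src, 80, "tcp", "PA", "GET / HTTP/1.1") for _ in range(per_source)]
    return pkts


def sample_udp_flood(count: int = 8000) -> List[Packet]:
    """High packet rate at ports 80, 25 and 53, the ports the paper mentions."""
    ports = (80, 25, 53)
    return [Packet(f"198.51.100.{i % 250}", ports[i % 3], "udp") for i in range(count)]


if __name__ == "__main__":
    for name, sample in [("benign", sample_benign()), ("syn", sample_syn_flood()),
                         ("get", sample_get_flood()), ("udp", sample_udp_flood())]:
        print(name, classify_window(sample, WINDOW_S) or "no flood detected")
```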
62 http://sourceforge.net/projects/loic/
63 http://thehackernews.com/2012/02/anonymous-hackers-develop-webloic-ddos.html

In this kind of attack, the Anonymous follower installs LOIC and, based on orders for the operation, points it to an IRC channel for centralized control. LOIC can be downloaded from SourceForge, an open source development site. In figure 7 there is a spike in the downloads of LOIC64 immediately following #OpMegaUpload being established.
Figure 7. LOIC download graph
Until recently, Anons wishing to participate had to download and run personal copies of LOIC. Now there is a JavaScript tool that allows users to simply visit a website to be able to participate in an attack.
Figure 8. LOIC JavaScript version
Other DDoS tools have been used, but LOIC is the most prevalent today. Expect to see other tools used in attacks, and for new tools to be developed in response to the attacker’s needs. Preparation must evolve with the changing threats, and an organization’s ability to detect attack traffic and identify attack tools must remain current.
Nearly all DDoS attacks initiated by Anonymous to date have been directed at an organization or a group of organizations. In February 2012, Anonymous outlined a plan to bring the Internet down. It planned to do this by DDoSing the root DNS servers in #OpGlobalBlackout. This is a new direction for Anonymous, with the goal of raising the level of awareness to its cause, but it is not a new attack strategy.
Figure 9. Operation Global Blackout’s dossier
(ASCII-art banner and binary header reading “Operation Global Blackout”)

"The greatest enemy of freedom is a happy slave."

To protest SOPA, Wallstreet, our irresponsible leaders and the beloved bankers who are starving the world for their own selfish needs out of sheer sadistic fun, On March 31, anonymous will shut the Internet down.
-----------------------------------------------------------------------
In order to shut the Internet down, one thing is to be done. Down the 13 root DNS servers of the Internet. Those servers are as follow: A 198.41.0.4 B 192.228.79.201 C 192.33.4.12 D 128.8.10.90 E 192.203.230.10 F 192.5.5.241 G 192.112.36.4 H 128.63.2.53 I 192.36.148.17 J 192.58.128.30 K 193.0.14.129 L 199.7.83.42 M 202.12.27.33

By cutting these off the Internet, nobody will be able to perform a domain name lookup, thus, disabling the HTTP Internet, which is, after all, the most widely used function of the Web. Anybody entering "http://www.google.com" or ANY other url, will get an error page, thus, they will think the Internet is down, which is, close enough.

Remember, this is a protest, we are not trying to 'kill' the Internet, we are only temporarily shutting it down where it hurts the most.

While some ISPs uses DNS caching, most are configured to use a low expire time for the cache, thus not being a valid failover solution in the case the root servers are down. It is mostly used for speed, not redundancy.

We have compiled a Reflective DNS Amplification DDoS tool to be used for this attack. It is based on AntiSec's DHN, contains a few bugfix, a different dns list/target support and is a bit stripped down for speed.

The principle is simple; a flaw that uses forged UDP packets is to be used to trigger a rush of DNS queries all redirected and reflected to those 13 IPs. The flaw is as follow; since the UDP protocol allows it, we can change the source IP of the sender to our target, thus spoofing the source of the DNS query. The DNS server will then respond to that query by sending the answer to the spoofed IP.

Since the answer is always bigger than the query, the DNS answers will then flood the target ip. It is called an amplified because we can use small packets to generate large traffic. It is called reflective because we will not send the queries to the root name servers, instead, we will use a list of known vulnerable DNS servers which will attack the root servers for us.

(Diagram: spoofed UDP requests sent to vulnerable DNS servers, alongside normal client requests; the answers are redirected to the 13 root name servers)

Since the attack will be using static IP addresses, it will not rely on name server resolution, thus enabling us to keep the attack up even while the Internet is down. The very fact that nobody will be able to make new requests to use the Internet will slow down those who will try to stop the attack. It may only lasts one hour, maybe more, maybe even a few days. No matter what, it will be global. It will be known.
-----------------------------------------------------------------------
download link in #opGlobalBlackout
-----------------------------------------------------------------------
The tool is named "ramp" and stands for Reflective Amplification. It is located in the \ramp\ folder.

----------> Windows users
In order to run "ramp", you will need to download and install these two applications;
WINPCAP DRIVER - http://www.winpcap.org/install/default.htm
TOR - http://www.torproject.org/dist/vidalia-bundles/
The Winpcap driver is a standard library and the TOR client is used as a proxy client for using the TOR network. It is also recommended to use a VPN, feel free to choose your own flavor of this. To launch the tool, just execute "\ramp\launch.bat" and wait. The attack will start by itself.

----------> Linux users
The "ramp" linux client is located under the \ramp\linux\ folder and needs a working installation of python and scapy.
-----------------------------------------------------------------------
"He who sacrifices freedom for security deserves neither." Benjamin Franklin

We know you wont' listen. We know you won't change. We know it's because you don't want to. We know it's because you like it how it is. You bullied us into your delusion. We have seen you brutalize harmless old womans who were protesting for peace. We do not forget because we know you will only use that to start again. We know your true face. We know you will never stop. Neither are we. We know. We are Anonymous. We are Legion. We do not Forgive. We do not Forget. You know who you are, Expect us.
This type of attack is implausible for an organization such as Anonymous, aside from the technical challenges, because its method of operation relies on the Internet for communication and to spread its ideas. It is likely that any attempt at this attack would have limited success, as the ramp rate of impact would be slow, and typical operations against an individual target are short lived. Without the Internet to continue the support across the organization, support for the attack would dissipate. Expect to see any impact of this attack to be small and short lived.
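From the target's side, the reflection the dossier describes shows up as DNS responses that no local client ever asked for, which is why a stateful edge device can drop them. The following added example (not from the paper or HP TippingPoint) matches inbound responses to the queries the site actually sent and reports the unsolicited remainder; the DnsPacket fields, thresholds and addresses are constructed assumptions.

```python
"""Detecting reflected DNS amplification traffic at the target by matching inbound
responses to the queries the site actually sent (added example; not HP TippingPoint code)."""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, List


@dataclass(frozen=True)
class DnsPacket:
    """Constructed summary of one UDP/53 packet as an edge sensor might log it."""
    direction: str     # "out" for packets the site sent, "in" for packets it received
    peer: str          # the resolver's IP address
    txid: int          # 16-bit DNS transaction ID
    is_response: bool  # DNS header QR bit
    size: int          # UDP payload length in bytes


def unsolicited_responses(packets: Iterable[DnsPacket]) -> List[DnsPacket]:
    """Return inbound responses that no outbound query from this site accounts for.

    A legitimate resolver answers a query the site sent, so the (peer, txid) pair is
    already pending. Reflected answers arrive because someone else put our address in
    the query's source field; we never sent it, so nothing is pending for it."""
    pending = defaultdict(int)
    unmatched = []
    for p in packets:
        key = (p.peer, p.txid)
        if p.direction == "out" and not p.is_response:
            pending[key] += 1
        elif p.direction == "in" and p.is_response:
            if pending[key] > 0:
                pending[key] -= 1
            else:
                unmatched.append(p)
    return unmatched


def reflection_report(packets: List[DnsPacket], window_s: float,
                      alert_pps: float = 100.0, typical_query_bytes: int = 64) -> dict:
    """Summarise unsolicited responses: rate, volume, distinct reflectors, amplification."""
    unmatched = unsolicited_responses(packets)
    total_bytes = sum(p.size for p in unmatched)
    reflectors = Counter(p.peer for p in unmatched)
    avg_size = total_bytes / len(unmatched) if unmatched else 0.0
    return {
        "unsolicited": len(unmatched),
        "pps": len(unmatched) / window_s,
        "mbps": total_bytes * 8 / window_s / 1e6,
        "reflectors": len(reflectors),
        "top_reflectors": reflectors.most_common(3),
        # The dossier's own point: answers are larger than queries, so each spoofed
        # query of roughly 64 bytes delivers many times that volume to the victim.
        "amplification": avg_size / typical_query_bytes if unmatched else 0.0,
        "alert": len(unmatched) / window_s >= alert_pps,
    }


# --- Constructed traffic for a 10-second window -----------------------------------
WINDOW_S = 10.0


def sample_legitimate(n: int = 20) -> List[DnsPacket]:
    """The site's own lookups: a query to its resolver, then the matching answer."""
    pkts = []
    for i in range(n):
        txid = 1000 + i
        pkts.append(DnsPacket("out", "192.0.2.53", txid, False, 60))
        pkts.append(DnsPacket("in", "192.0.2.53", txid, True, 180))
    return pkts


def sample_reflected(n: int = 3000, reflectors: int = 50) -> List[DnsPacket]:
    """Large answers arriving from many open resolvers for queries the site never sent."""
    return [DnsPacket("in", f"203.0.113.{i % reflectors}", (i * 7919) % 65536, True, 3000)
            for i in range(n)]


if __name__ == "__main__":
    print("quiet:", reflection_report(sample_legitimate(), WINDOW_S))
    print("under attack:", reflection_report(sample_legitimate() + sample_reflected(), WINDOW_S))
```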
The escalation of attacks and targeting of U.S. Government agencies and national infrastructure has led Gen. Keith B. Alexander,65 commander of the U.S. Cyber Command and National Security Agency Director, to warn in White House briefings that Anonymous could have the ability to attack the nation’s power grids and cause limited power outages within two years. The assessment of Anonymous as a threat to national security is increasing, though the U.S. Government has stopped short of referring to the group as a terrorist organization. Anonymous has responded by denying these claims as political rhetoric and fear mongering.

65 www.nsa.gov/about/leadership/bio_alexander.shtml

DDoS attacks are not only menacing but can also have real impacts. Service interruptions in the modern connected society in which we live can have tangible consequences. Business and consumer transactions can be interrupted, medical information cannot be reviewed, and the government can be cut off from the public in its information-sharing efforts. Consider the case of a remote radiologist doing X-ray reviews for a network of hospital emergency rooms. Without network access, this function could not be done, and this could lead to delayed or diminished healthcare. Even in cases where the measurable direct financial or business impact is reduced, the impact to the organization’s reputation still exists. Proper preplanning for these attacks can limit the impact of an attack in all areas.
Doxing
As previously explained, doxing is widely used by Anonymous to identify targets for direct retribution. As defined by UrbanDictionary,66 “Doxing is a technique of tracing someone or gathering information about an individual using sources on the Internet. Its name is derived from ‘Documents’ or ‘Docx’. Doxing method is based purely on the ability of the hacker to recognize valuable information about a target and use this information for benefit. It is also based around the idea that, ‘The more you know about your target, the easier it will be to find his or her flaws.’ ” Doxing will be used in conjunction with other attack methods to accomplish the goal of identifying wrongdoers and paying them back.

When #OpMegaUpload was launched, the names, addresses, and other personal information for Senator Chris Dodd (current President of MPAA) and his family were posted on pastebin.67, 68 This site and others like it are common places where information is dumped due to open use policies. Figure 10 shows a redacted version of the dox on Senator Chris Dodd.
Figure 10. Dox of U.S. Senator Chris Dodd

The amount of personal information for most individuals that can be easily obtained is disconcerting. Using Google and other online search tools, including social media, one can quickly build a profile of a target. There are entire books dedicated to Google hacking, showing ways to leverage search engines to find this type of information.

66 www.urbandictionary.com/define.php?term=doxing
67 http://pastebin.com/WEydcBVV#
68 http://pastebin.com/mvLYNdWB
A common practice in doxing operations is leveraging cross-site password compromises to gain unauthorized access to systems full of personal information. A tenet of information security is to restrict the reuse of passwords across applications, especially those with varying trust levels. Passwords to critical systems or data stores (such as internal corporate email) that are reused on external systems open up a huge risk window because, if the external site is compromised, the attacker may now have access to internal systems by leveraging the user names and passwords gained from the initial compromise. In this way, the end user is extending the organization’s attack surface to an external organization for which there is no business relationship or contract in place to govern minimum security requirements. There are many public examples of this.
Case study: Los Angeles County Police Canine Association In February 2012, CabinCr3w (a hacker group closely associated with Anonymous), in support of a continual string of law enforcement attacks carried out by Anonymous, hacked into the website of the Los Angeles County Police Canine Association (LACPCA) and was able to dump the site member database, including lots of personally identifiable information such as:
• Names
• Addresses
• Passwords
• Employers
The group was then able to leverage the fact that many users had reused the same password on this site and on their personal and work email accounts to break into those email accounts and other sites. In this case, the hacktivist group found child pornography in the personal email of one of the police officers and, after the fact, labeled the operation #OpPedoCop.
Figure 11. Dox of Police—LACPCA
Many of these users registered with government or law enforcement agency email addresses and reused passwords from work systems. Some users even had three-letter passwords and simple passwords such as “password1.” It is somewhat frightening to think that these were shared with the users’ work systems.
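To make the cross-site reuse problem concrete, here is an added Python example (not from the original paper, and not built on any of the dumps above) that triages a third-party credential dump the way a security team would after a paste like figure 11 appears: it keeps only accounts in the corporate domain, flags weak passwords, and tests each leaked password against the internal credential store without ever storing plaintext. The dump, the domain example-pd.gov, and the salted-SHA-256 store are constructed for the example; a real store would use a slow KDF such as bcrypt or PBKDF2, and the comparison logic would be unchanged.

```python
import hashlib
import hmac

# Constructed sample of a third-party breach dump in the "email:password" form
# seen in doxing pastes. Every record here is made up for this example.
LEAKED_DUMP = """\
j.doe@example-pd.gov:password1
k.smith@example-pd.gov:abc
m.lee@example-mail.com:Tr0ub4dor&3
r.garcia@example-pd.gov:Summer2011!
t.nguyen@example-pd.gov:S3cure#Pass9
"""

CORPORATE_DOMAIN = "example-pd.gov"          # assumed domain of the organization doing the triage
COMMON_PASSWORDS = {"password", "password1", "123456", "letmein", "qwerty"}


def hash_password(salt: bytes, password: str) -> str:
    """Salted SHA-256 stand-in for the internal store's hash (a real store would use a slow KDF)."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


# Constructed internal credential store: email -> (salt, hash). Only hashes are held,
# so the leaked password has to be re-hashed with the user's salt to test for reuse.
INTERNAL_STORE = {
    "j.doe@example-pd.gov": (b"s1", hash_password(b"s1", "password1")),      # same password as the leak
    "k.smith@example-pd.gov": (b"s2", hash_password(b"s2", "Winter-2011")),  # different password
    "r.garcia@example-pd.gov": (b"s3", hash_password(b"s3", "Summer2011!")), # same password as the leak
}


def parse_dump(text: str):
    """Yield (email, password) pairs; only the first ':' separates them, so passwords may contain ':'."""
    for line in text.splitlines():
        if ":" not in line:
            continue
        email, password = line.split(":", 1)
        yield email.strip().lower(), password


def is_weak(password: str) -> bool:
    """Length and dictionary check, the bar the LACPCA passwords above would have failed."""
    return len(password) < 8 or password.lower() in COMMON_PASSWORDS


def triage_dump(dump_text: str, store: dict, domain: str) -> dict:
    """Return {email: [findings]} for every corporate-domain account in the dump."""
    findings = {}
    for email, password in parse_dump(dump_text):
        if not email.endswith("@" + domain):
            continue                          # someone else's user, nothing to act on
        notes = []
        if is_weak(password):
            notes.append("weak")
        if email in store:
            salt, stored_hash = store[email]
            # constant-time compare so the check itself leaks nothing about the stored hash
            if hmac.compare_digest(stored_hash, hash_password(salt, password)):
                notes.append("reused-internally")
        else:
            notes.append("unknown-account")   # corporate address registered, but no matching internal user
        findings[email] = notes
    return findings


if __name__ == "__main__":
    for account, notes in triage_dump(LEAKED_DUMP, INTERNAL_STORE, CORPORATE_DOMAIN).items():
        print(account, ",".join(notes) or "ok")
```

Accounts tagged reused-internally need an immediate forced reset; unknown-account entries are still worth a look, since a corporate address registered on an outside site with a weak password is exactly the foothold described above.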
Case study: Infragard Atlanta Infragard is an organization promoting cooperation between the FBI and corporations involved with critical infrastructure. Karim Hijazi, CEO of Unveillance—a company that monitors and attempts to take over botnets—was a member of the Atlanta, GA, chapter of Infragard. On May 25, 2011, Hijazi began detecting an increased level of attacks against his company's systems. Those attacks were unsuccessful, but as a member of Infragard he had reused his corporate account password on the Infragard site. Following a successful compromise of the Infragard site, LulzSec was able to dump the email addresses and passwords of its users, and with this information the group gained access to Hijazi's email. The next day he received an email with his password as the subject line. The attackers attempted to extort money and control of the botnets that Unveillance had taken over. He did not give in to the group's demands, and his personal and work emails were published online.69 He reported watching the ongoing activity firsthand as his emails changed from unread to read. One week later, the group released a recording of a conference call he had been on.70
Case study: HB Gary Federal
This incident falls under the category of doxing, as personal information was gained through system compromise and used for harassment and exploitation of the target.
In yet another very public case, Aaron Barr, CEO of HB Gary Federal, a government contractor, was targeted by Anonymous after claiming he had infiltrated its ranks and indicating that he was going to out its leadership. Beginning in February 2011, Anonymous launched an all-out attack that combined social engineering, doxing, publishing of confidential information, and website and Twitter defacement.71 The episode concluded with Barr's public humiliation and his resignation. In addition to HB Gary Federal, its sister company HB Gary and another site, rootkit.com72, 73 (owned by Greg Hoglund), were caught up in the fallout.
Figure 12. Twitter announcement of rootkit.com database74
As the attacks quickly unfolded, the back-end database at rootkit.com was stolen and dumped for the public to see. The user information was extracted from the database and the password hashes were cracked.
69 www.it-networks.org/2011/06/21/official-statement-karim-hijazi-ceo-unveillance/
70 www.csoonline.com/article/684093/when-lulzsec-attacks-a-survivor-s-story
71 www.forbes.com/sites/andygreenberg/2011/02/28/hbgary-federals-aaron-barr-resigns-after-anonymous-hack-scandal/
72 http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
73 http://thehackernews.com/2011/02/rootkitcom-database-leaked-by-anonymous.html
74 https://twitter.com/BarrettBrownLOL/statuses/34408118184054784
Figure 13. Redacted user accounts for rootkit.com75
Figure 13 shows a snippet of the data dump that we have redacted. The HB Gary account is clearly shown as shared across rootkit.com and HB Gary’s systems. This information provided access to HB Gary’s systems.
In the case of HB Gary, technical attacks such as SQL injection were used in conjunction with social engineering attacks that ultimately yielded root-level access to critical systems. That access provided a treasure trove of information for attackers to dox their victim.
Dox summary As we have shown, doxing can be frightening: it targets individuals and reaches into their personal lives. The reasons these individuals are targeted can stem from actions in either their personal or professional lives, and the results can be devastating. Career, reputation, and personal safety can be on the line. In a later section, this paper will discuss ways to prevent doxing and limit its impact.
Website compromise An organization’s Internet presence is akin to its public face. It is also oftentimes used to provide tools and information through Web applications. Web application security can be challenging to maintain in dynamic environments, but it must be undertaken to prevent the types of compromises discussed here.
Common methods of compromising a Web application are SQL injection (SQLi) and Cross Site Scripting (XSS). SQL injection is a class of attack that leverages a vulnerability in a website to attack its back-end database. In this attack, user input is not properly validated or parameterized and is instead concatenated into a query, so attacker-supplied SQL passes through the Web application to the database and is executed there.
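The following Python/sqlite3 example is added here (it is not from the paper) to show the mechanism in the smallest possible setting: the same search parameter handled by a concatenated query and by a parameterized one, plus an input check for a parameter that is supposed to be numeric, as search=638 is in figure 14. The products table and its rows are constructed; sqlite3 stands in for the MSSQL back end of the log, and because Python's sqlite3 refuses to run stacked statements through execute(), the payload uses the OR-and-comment form rather than the ';exec ...' form seen in the log.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed catalog: two public products and one internal row the search must never expose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, internal INTEGER)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)",
                     [(638, "Widget", 0), (639, "Gadget", 0), (700, "Unreleased", 1)])
    return conn


def search_vulnerable(conn: sqlite3.Connection, search: str) -> list:
    """What default.asp?search=... effectively does when input is concatenated into the query."""
    sql = "SELECT name FROM products WHERE id = '" + search + "' AND internal = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, search: str) -> list:
    """The value is bound separately, so the database parses only the developer's SQL."""
    sql = "SELECT name FROM products WHERE id = ? AND internal = 0 ORDER BY id"
    return [row[0] for row in conn.execute(sql, (search,))]


def search_validated(conn: sqlite3.Connection, search: str) -> list:
    """Defence in depth: the parameter is an ID, so reject anything that is not digits before it reaches SQL."""
    if not search.isdigit():
        raise ValueError("search must be a numeric product id")
    return search_parameterized(conn, search)


PAYLOAD = "638' OR 1=1 --"   # closes the quote, makes WHERE always true, comments out the rest

if __name__ == "__main__":
    db = build_db()
    print("vulnerable, normal input :", search_vulnerable(db, "638"))
    print("vulnerable, payload      :", search_vulnerable(db, PAYLOAD))      # internal row leaks
    print("parameterized, payload   :", search_parameterized(db, PAYLOAD))   # no match, nothing leaks
    try:
        search_validated(db, PAYLOAD)
    except ValueError as exc:
        print("validated, payload       : rejected ->", exc)
```

With the payload, the concatenated query becomes SELECT name FROM products WHERE id = '638' OR 1=1 --' AND internal = 0 ..., so the internal filter is commented away and every row comes back; the bound version compares the whole payload string against the integer id and matches nothing.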
75 www.wired.com/threatlevel/2011/02/anonymous/all/1
Figure 14. SQL injection examples from a Web server log
> 1149454610.276 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';exec sp_executesql N'create view dbo.test as select * from master.dbo.sysxlogins' exec sp_msdropretry 'xx update sysusers set sid=0x01 where name=''dbo''','xx' exec sp_msdropretry 'xx update dbo.test set xstatus=18 where name=''sa''','xx' exec sp_executesql N'drop view dbo.test';-- (200 "OK" [3033])
> 1149454616.160 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';exec master..sp_addsrvrolemember 'ptclickadmin',sysadmin;-- (200 "OK" [2810])
> 1149454622.365 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';create table zjbvlvcub7g(fkey int identity,fvalue varchar(1000));-- (200 "OK" [2818])
> 1149454623.577 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';insert into zjbvlvcub7g exec master..xp_cmdshell 'dir /o- d/a "C:\"';-- (200 "OK" [2821])
> 1149454624.203 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638' and (1=(select top 1 fvalue from zjbvlvcub7g where (fkey>0)));-- (200 "OK" [1290])
Web applications are constantly evolving to keep up with business needs and consumer demand. Many factors contribute to a growing number of vulnerabilities in the applications. These vulnerabilities can be difficult to prevent during development without proper tools, and even more difficult to protect against once in production.
SQL is a very robust language, and many possible evasion techniques exist for bypassing detection. For example, it is possible to insert C-style comments in SQL injection attacks such as:
> SELECT/* */column/* */FROM/* */database/* */where/* */column/* */=/* */'value'
This will be interpreted by the database as:
> SELECT column FROM database where column = 'value'
It is also possible to break a SQL statement into multiple variables and reassemble it at execution time. In T-SQL, for example (the table name users is illustrative):
> DECLARE @SQL1 varchar(100), @SQL2 varchar(100)
> SET @SQL1 = 'SELECT * FROM '
> SET @SQL2 = 'users'
> EXECUTE (@SQL1 + @SQL2)
Fortunately, most evasion techniques make a SQL injection attempt look even more suspicious to an IPS inspecting this traffic: a legitimate client has no reason to submit a search parameter containing comment sequences or stacked statements.
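As an added illustration (Python, not part of the original paper or of any HP filter), the following detector runs the kind of inspection an IPS performs over Web server log lines in the format of figure 14. It URL-decodes the query string, strips the C-style comments and extra whitespace used for evasion so that SELECT/* */column and SELECT column look the same, and then matches a handful of indicators: stacked statements, dangerous stored procedures, system tables, UNION SELECT, tautologies, and trailing comment terminators. The log lines are constructed to resemble the figure (timestamps, session id and addresses are kept; one benign request and one comment-obfuscated, URL-encoded UNION are added), and the indicator names are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed log lines modeled on figure 14: same layout; the first is a benign
# request and the fourth is a comment-obfuscated UNION that is not in the figure.
LOG_LINES = [
    '1149454610.276 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638 (200 "OK" [3033])',
    "1149454616.160 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';exec master..sp_addsrvrolemember 'ptclickadmin',sysadmin;-- (200 \"OK\" [2810])",
    "1149454623.577 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638';insert into zjbvlvcub7g exec master..xp_cmdshell 'dir /o- d/a \"C:\\\"';-- (200 \"OK\" [2821])",
    '1149454630.001 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638%27/**/UNION/**/SELECT/**/name/**/FROM/**/sysobjects-- (200 "OK" [1290])',
    "1149454624.203 %478 www -> 172.24.48.96/tcp 10.20.30.40/80/tcp L GET /default.asp?search=638' and (1=(select top 1 fvalue from zjbvlvcub7g where (fkey>0)));-- (200 \"OK\" [1290])",
]

LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+) (?P<sess>\S+) \S+ -> (?P<src>[\d.]+)/tcp (?P<dst>[\d.]+)/(?P<dport>\d+)/tcp "
    r"\S+ (?P<method>[A-Z]+) (?P<uri>.+?) \((?P<status>\d+) \""
)

# Indicator rules run against the normalized (decoded, comment-stripped, lower-cased) query string.
RULES = [
    ("stacked-query", re.compile(r"'\s*;\s*(exec|execute|insert|create|drop|update|delete|select)\b")),
    ("dangerous-procedure", re.compile(r"\b(xp_cmdshell|sp_addsrvrolemember|sp_executesql|sp_msdropretry|sp_oacreate)\b")),
    ("system-table", re.compile(r"\b(sysxlogins|sysusers|sysobjects|syscolumns)\b")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("tautology-or-subselect", re.compile(r"'\s*(or|and)\s*\(?\s*\d+\s*=\s*\(?\s*(\d+|select\b)")),
    ("comment-terminator", re.compile(r"(--|#|/\*)\s*$")),
]


def normalize(query: str) -> str:
    """Undo the evasions an attacker layers on top of the SQL before matching."""
    s = query
    for _ in range(3):                                  # undo double/triple URL encoding
        decoded = unquote_plus(s)
        if decoded == s:
            break
        s = decoded
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)        # SELECT/* */x  ->  SELECT x
    s = re.sub(r"\s+", " ", s).strip()                   # collapse whitespace padding
    return s.lower()


def inspect_line(line: str):
    """Parse one log line; return {src, uri, indicators} or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    query = m.group("uri").partition("?")[2]
    norm = normalize(query)
    return {"src": m.group("src"), "uri": m.group("uri"),
            "indicators": [name for name, rx in RULES if rx.search(norm)]}


def scan(lines):
    """Return one alert record per line that trips at least one indicator."""
    alerts = []
    for i, line in enumerate(lines):
        rec = inspect_line(line)
        if rec and rec["indicators"]:
            rec["line"] = i
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for a in scan(LOG_LINES):
        print(a["line"], a["src"], a["indicators"])
```

The normalization step is where the evasion discussion above pays off: without it, a rule looking for union select never fires on UNION/**/SELECT, and a rule keyed on a raw apostrophe never sees %27.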
Despite the various methods of attack used by Anonymous, proper planning and preparation can help organizations deploy the appropriate defenses to protect their valuable information, Web presence, and reputation. The internal information gleaned from these Web application attacks can be used for financial fraud, identity theft, and doxing, among other cybercrimes.
The vulnerabilities present in Web applications pose a critical risk to the enterprise beyond the threat of Anonymous. The impact from loss of data, exposure of confidential data, or site defacement can be severe. Businesses have been forced to pay fines, post public notice, and have even been shuttered as a result of this class of attack. These vulnerabilities exist in commercial off-the-shelf products as well as custom-designed software. The resolution to the problem requires a multipronged approach that combines offensive and defensive security strategies.
Attack methods summary The attack types described here comprise the majority of Anonymous activity that has been observed. Most of this activity has occurred over the previous two years, and it is increasing at a rapid pace. Each operation is unique, and the techniques are constantly evolving. Security best practices should always be used, but a focused strategy thoughtfully planned out before an incident occurs will yield the most effective defense. In the next section, this paper will walk through the best way to detect and defend against these attacks.
Defending against Anonymous The attack methods and tools used by Anonymous are not new. The group's motivation is fairly unique in the realm of cyber threats and has been adopted by many the world over. Its ability to amass support, unite globally on operations, and attract supporters who are not “hackers” has made it a powerful and effective force. Defending against this class of attack requires a defined, common approach and proper preparation.
When dealing with Anonymous, there are a variety of attacks against multiple attack vectors. No single approach or tool will secure the entire attack surface or defend against all attacks. An information security incident response team should have a plan in place to manage the various attacks discussed here. This plan should be reviewed regularly and modified as tactics change.
The United States Computer Emergency Readiness Team (US-CERT) has defined standard mitigation strategies for DDoS attacks such as those from Anonymous. The organization also suggests developing a plan prior to an attack and identifying resources helpful in defending against the attacks. HP TippingPoint should be a key component of this arsenal, providing the ability to protect critical assets while they are under fire.
Figure 15. US-CERT DDoS attack mitigation strategies
There are a number of mitigation strategies available for dealing with DDoS attacks, depending on the type of attack as well as the target network infrastructure. In general, the best practice defense for mitigating DDoS attacks involves advanced preparation.
• Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
• The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
• Maintain contact information for firewall teams, IDS teams, and network teams and ensure that it is current and readily available.
• Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
• Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
• Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
• Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
• Implement a bogon block list at the network boundary.
• Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
• Separate or compartmentalize critical services:
  o Separate public and private services
  o Separate intranet, extranet, and internet services
  o Create single purpose servers for each service such as HTTP, FTP, and DNS
• Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.
Source: http://www.us-cert.gov/cas/techalerts/TA12-024A.html
The defenses that follow address two categories of attack:
• DDoS attacks
• Web application attacks
Identification of the tools and techniques used in attacks is often more valuable than identifying the source. The sources are dynamic and can be many. They can also be anonymized by various means. The tools used by Anonymous in the voluntary DDoS attacks, however, cannot be changed quickly due to the preparation required for the flash mob-style attacks. Often there is a week or more of lead time before an attack occurs as the message is propagated through social media. Knowing the attacker and its methods can help to rapidly mount the most effective defense. Rarely does a situation arise where more information is less helpful when performing this type of analysis. The next section outlines the tools necessary to identify these attacks and understand the various defenses.
The HP TippingPoint IPS provides multiple tools to deal with the attacks executed by Anonymous:
• Vulnerability filters that protect against directed attacks
• More generic filters to identify other patterns in attack traffic
• Custom Web application protection via HP TippingPoint Web Application Digital Vaccine (WebAppDV) Service
• Custom filters via HP TippingPoint Digital Vaccine (DV) Toolkit
• Reputation Digital Vaccine Service (RepDV), which provides IPv4, IPv6, and Domain Name System (DNS) security intelligence feeds from a global reputation database
• ACLs—traditional firewall-like functionalities within the IPS provide good solutions to combat this imminent threat
• SYN Proxy
The HP TippingPoint Next Generation Intrusion Prevention System (NGIPS) acts as an enforcement point, inspecting traffic in real time, identifying “known bad” traffic, and enforcing RepDV security policies. RepDV is a feature of IPS and SMS that enforces actions on traffic to or from hosts based on their reputation score. The reputation can be user provided or delivered through a RepDV service subscription. The RepDV service tracks millions of IPv4 and IPv6 IP addresses and DNS names. When used in conjunction with the other IPS features, they provide a powerful layer of defense.
DDoS mitigation There are many different types of DDoS attacks. By definition, the sources are distributed, so identifying a source is often of less value than effectively managing the traffic received. The number of sources can range from a handful to tens of thousands. Identifying the payloads or the behavioral characteristics of the traffic patterns can aid in determining the type of DDoS attack and the tool used to generate the traffic.
DDoS attacks seek to overwhelm a constrained resource. This can range from a service constraint such as TCP sockets or Web server process allocation to the perimeter connection bandwidth. Depending on the target of the attack, the volume of traffic may not necessarily be large. Only a relatively small amount of traffic is required to deplete the open HTTP connections supported by a Web server. The primary goal in mitigating these attacks is to separate the legitimate users from the attackers.
As part of their preplanning, organizations should identify emergency contacts at their ISPs. An ISP can often offer mitigation services for large-scale DDoS attacks. This is critical because if the volume of the attack saturates the Internet connection, access to resources will be interrupted and there is little that can be done from the receiving end. Organizations must work with the upstream provider to scrub traffic before it reaches the site. Identifying the type of attack and the tools used will help tailor the response and more surgically remove the offending traffic.
SYN flood One of the oldest DDoS attacks is the SYN flood,76 where TCP connections are opened partially but the three-way handshake is never completed. This is an old type of attack, but one that is still used because of its effectiveness. It targets any system that maintains connection state, overwhelming the state engine so that new connections cannot be opened.
SYN Proxy
The HP TippingPoint NGIPS provides a built-in SYN Proxy system leveraging SYN cookies to validate hosts. The feature set offered across different HP TippingPoint IPS products and TOS versions differs. Refer to the respective data sheet and release notes for specific details.
The SYN Proxy serves to absorb SYN flood traffic, allowing service to continue for normal users. Figure 16 shows how the SYN Proxy functions when this feature is enabled. When a TCP SYN packet is received, an initial lookup is performed on the destination IP address. If it matches one of the 16 CIDR blocks defined by preconfigured rules, the packet proceeds to the next stage. Next, the source IP address is checked against a whitelist and a list of known valid hosts. If the IP is on the whitelist, the flow bypasses the proxy and proceeds to the Threat Suppression Engine (TSE) for additional security inspection. If the IP has not been observed recently, the proxy responds with a SYN-ACK whose initial sequence number is a SYN cookie. At this stage, the IPS maintains no state for the session.
In the case of a SYN flood, the packet progression stops here and nothing proceeds to the end system. Because no state is kept on the IPS at this point, it is not vulnerable to connection exhaustion. If the original SYN came from a legitimate user, that machine will complete the handshake with an ACK that acknowledges the SYN cookie. The SYN Proxy validates the authenticity of the cookie and, having determined that the session is legitimate, builds a second TCP connection on the other side to the end server and splices the two proxied sessions together. This continues for the life of the session. After several proxied sessions have been completed by a source IP, that IP is placed on the list of validated hosts, and from that point sessions originating from it bypass the proxy. This focuses the overhead of proxying connections on suspect traffic with minimal impact on legitimate users. The number of sessions required for a source IP to be validated is configurable.
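The flow just described, written out as an added Python example so the stateless property is visible in code. This is not the TippingPoint implementation; it assumes an HMAC-SHA256 cookie over the connection 4-tuple and a coarse time counter, two low cookie bits for a small MSS table, and a whitelist threshold in the spirit of synProxyWhitelistThreshold. The constants, the protected-host set (a stand-in for the CIDR rules) and the addresses are this example's own.

```python
import hashlib
import hmac
import time

# Assumed parameters for this example; the names echo the CLI keys shown later in this
# section but the values and the cookie construction are not TippingPoint's.
WHITELIST_THRESHOLD = 3             # validated sessions before a source bypasses the proxy
SECRET_TIMEOUT = 300                # seconds before the cookie time counter rolls over
MSS_TABLE = [536, 1220, 1440, 1460] # the client MSS is squeezed into the low 2 cookie bits


class SynProxy:
    """SYN-cookie proxy: no per-SYN state, the cookie is validated on the returning ACK."""

    def __init__(self, protected_hosts, secret=b"rotate-me", now=time.time):
        self.protected = set(protected_hosts)   # stand-in for the CIDR blocks in the DDoS filter
        self.secret = secret
        self.now = now
        self.whitelist = set()                  # sources that have proven themselves
        self.completed = {}                     # source -> validated sessions so far

    def _cookie(self, src, dst, sport, dport, counter, mss_idx):
        msg = f"{src}|{dst}|{sport}|{dport}|{counter}".encode()
        mac = hmac.new(self.secret, msg, hashlib.sha256).digest()
        return (int.from_bytes(mac[:4], "big") & 0xFFFFFFFC) | mss_idx

    def _counter(self):
        return int(self.now()) // SECRET_TIMEOUT

    def on_syn(self, src, dst, sport, dport, mss=1460):
        """Return (action, initial sequence number to send in the SYN-ACK)."""
        if dst not in self.protected or src in self.whitelist:
            return "pass", None               # hand straight to the TSE / server
        mss_idx = max((i for i, v in enumerate(MSS_TABLE) if v <= mss), default=0)
        isn = self._cookie(src, dst, sport, dport, self._counter(), mss_idx)
        return "syn-ack", isn                 # answer with the cookie; nothing is stored

    def on_ack(self, src, dst, sport, dport, ack_num):
        """Return (action, negotiated MSS): 'proxied' if the cookie checks out, else 'drop'."""
        if dst not in self.protected or src in self.whitelist:
            return "pass", None
        cookie = (ack_num - 1) & 0xFFFFFFFF     # the ACK acknowledges ISN + 1
        mss_idx = cookie & 3
        counter = self._counter()
        for c in (counter, counter - 1):        # accept the current and the previous window
            expected = self._cookie(src, dst, sport, dport, c, mss_idx)
            if hmac.compare_digest(expected.to_bytes(4, "big"), cookie.to_bytes(4, "big")):
                self.completed[src] = self.completed.get(src, 0) + 1
                if self.completed[src] >= WHITELIST_THRESHOLD:
                    self.whitelist.add(src)     # the equivalent of the whitelist threshold being reached
                return "proxied", MSS_TABLE[mss_idx]
        return "drop", None                     # bogus or stale ACK; a spoofed flood never gets here


if __name__ == "__main__":
    proxy = SynProxy({"10.20.30.40"})
    for i in range(20000):                                   # spoofed SYN flood, nothing is remembered
        proxy.on_syn(f"198.51.100.{i % 254 + 1}", "10.20.30.40", 1024 + i % 60000, 80)
    print("state after flood:", len(proxy.completed), "sources,", len(proxy.whitelist), "whitelisted")
    for sport in (40001, 40002, 40003):                      # one honest client completes three handshakes
        _, isn = proxy.on_syn("172.24.48.96", "10.20.30.40", sport, 80)
        print(proxy.on_ack("172.24.48.96", "10.20.30.40", sport, 80, (isn + 1) & 0xFFFFFFFF))
    print("next SYN from that client:", proxy.on_syn("172.24.48.96", "10.20.30.40", 40004, 80))
```

Two properties carry over directly to the appliance: the flood costs the proxy one HMAC per SYN and no memory, and a source that keeps completing handshakes eventually stops being proxied at all, which is why the threshold has to be set with tools like LOIC (discussed below) in mind.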
Figure 16. HP TippingPoint IPS DDoS protection flow chart
76 www.cert.org/advisories/CA-1996-21.html
Figure 17. HP TippingPoint IPS DDoS protection chart
Advanced DDoS features require the IPS to be in symmetric mode: because both sides of the session must be seen by the IPS, asymmetric mode is not supported by this feature. Symmetric mode is configured in the SMS under Device Configuration -> TSE settings; make sure the Asymmetric Network Enabled box is unchecked. Note that this box is checked by default.
Figure 18. HP TippingPoint IPS asymmetric network configuration
Configuration of SYN Proxy settings in SMS To configure SYN Proxy settings in SMS, select Infrastructure Protection -> Advanced DDoS under the profile for that IPS segment. Then follow these steps:
1. Click New to create a new entry
2. Name the DDoS filter
3. Select action, Block or Block + Notify
4. Define the destination IPs to be protected
5. Select direction of traffic to be protected Note: The IPS applies inspection bidirectionally, so normally A and B ports do not matter. However, in this case, you must know whether port A or port B is internal or external. The best practice is to consistently allocate A and B in the same way.
6. Define any exceptions
7. Enable SYN Proxy and configuration options for the appropriate TOS your device is running
8. Save and distribute the profile
Figure 19. HP TippingPoint IPS DDoS filter configuration in SMS
The default SYN Proxy settings whitelist a source after three established connections, treating it from then on as a known valid host. LOIC has an evasion capability whereby it makes 10 complete connections before sending its DoS traffic, so the default threshold should be raised above that. The HP TippingPoint settings are configurable as shown in figure 19.
Figure 20. HP TippingPoint IPS SYN Proxy CLI configuration options
keyName                          Value
-------------------------------- --------------
ddosTaskPriority                 231
ddosMsgQEntries                  2500
ddosQueueMaxLoops                25
ddosQueueDelay                   5
synProxyMasterEnable             1
synProxySecretLen                4
synProxySecretTimeout            300
synProxyWhitelistEnable          1
synProxyWhitelistThreshold       3
synProxyGenPacketTTL             64
synProxyGenPacketWin             5840
synProxyEarlyAckDelay            1
synProxyNumBitsMSS               6
synProxyMSSTimeout               180
synProxyAlertSmoothing           2
synProxyTrace                    0
synProxyPerfTrace                0
synProxyBufferEarlyPackets       1
synProxyMaxBufferedPackets       5000
synProxyBufferedPcbTimeout       30
To change this threshold, enter the following commands on the IPS CLI (the setting takes effect after the reboot):
debug modify ini-cfg netpal.ini.handle ddos synProxyWhitelistThreshold 11
reboot
The HP TippingPoint IPS can also be used to limit TCP connections per source. In these attacks, the TCP handshake is completed, which bypasses SYN flood protections. You can use the IPS to limit the total number of connections one source can open or the rate at which they can be opened. Some models provide connection limiting and connection-per-second flood protection as part of the Advanced DDoS feature set.
Figure 21. HP TippingPoint IPS DDoS Filter configuration options
The IPS Reputation feature can also be used in conjunction with Quarantine to limit the number of open connections per source to a system using the following steps:
1. Determine which IP addresses you want to protect
2. Create a Quarantine action:
• Example: permit 100 hits per 1 minute, block HTTP and other traffic
3. Create a new Reputation group
• Add all IP(s) of protected servers as reputation entries
4. Create Reputation filter
• Choose the group you created in step 3
• Choose the action you created in step 2
Quarantined addresses will show all source IP(s) that are issuing a DDoS attack against the protected servers.
Note: This is a system-heavy approach, as all connections will be logged. This method can be better refined by using a custom IPS filter that will only monitor an affected portion of a website, for example.
IPS filters HP TippingPoint offers IPS filters that provide visibility and protection against many different attack vectors related to DDoS. These filters detect identifiable sequences within attack traffic and can be used to block that traffic.
Source IP address filters Many SYN flood tools spoof the source address from sufficiently random IP address space, and a pseudorandom generator will often spread the spoofed addresses across reserved net blocks. Source IP filtering77 (ingress filtering at the originating network) can help to block this traffic at the source, but it is not implemented widely enough to prevent these attacks completely. Where the source IP address falls into certain reserved net blocks, these filters can be used to identify and block that traffic:
0051: IP: Source IP Address Spoofed (Impossible Packet)
0052: IP: Source IP Address Spoofed (Loopback)
0053: IP: Source IP Address Spoofed (IANA Reserved)
0054: IP: Source IP Address Spoofed (Multicast)
0055: IP: Source IP Address Spoofed (Reserved for Testing)
Invalid packet filters Other filters can detect invalid traffic based on Layer 3 or Layer 4 information. Oftentimes, when a tool generates raw traffic outside of a typical IP stack or replays traffic directly onto the wire, the packets will have anomalies that can be detected. Even tools that generate traffic through the OS IP stack can specify parameters that result in packet formations that would not normally occur in live applications.
These filters can detect these occurrences:
0058: Invalid IP Traffic: Unknown IP Protocol
0290: Invalid TCP Traffic: Possible Recon Scan (SYN FIN)
0291: Invalid TCP Traffic: Possible nmap Scan (FIN no ACK)
0292: Invalid TCP Traffic: Possible nmap Scan (No Flags)
0293: Invalid TCP Traffic: Possible nmap Scan (XMAS (FIN PSH URG))
0324: Invalid TCP Traffic: Impossible Flags (SFRPAU)
0334: Invalid TCP Traffic: Destination Port 0
0558: IP: Invalid IP Traffic (Destination IP Address set to Loopback)
0559: Invalid TCP Traffic: Source Port 0
7102: IP: Fragment Invalid, e.g., Boink, Fawx 2, Newtear, or Teardrop DoS
7105: IP: Length Invalid, e.g., Whisker
7107: IPv6: Fragment Invalid, e.g., Boink, Fawx 2, Newtear, or Teardrop DoS
7115: IPv6: Length Invalid, e.g., Whisker
7121: TCP: Header Length Invalid, e.g., Fragroute
7125: TCP: Length Invalid
7126: TCP: Checksum Invalid
7152: UDP: Length Invalid
7170: ARP: Address Invalid
7172: ARP: Length Invalid
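To show what the spoofed-source and invalid-flag checks above actually test for, here is an added Python classifier (this example's own code, not the logic of any HP filter) that labels constructed packet summaries with the same categories: impossible sources (unspecified, broadcast, source equal to destination), loopback, multicast, IANA reserved, the documentation/TEST-NET ranges, loopback destinations, the flag combinations called out by filters 0290-0293 and 0324, and port 0 on either side. Only the standard ipaddress module is used; the packet tuples and label names are constructed for the example, and 10.20.30.40 is reused from the paper's log as the protected server.

```python
import ipaddress

# Constructed packet summaries: (src, dst, sport, dport, tcp_flags). Flag letters:
# S=SYN A=ACK F=FIN R=RST P=PSH U=URG. 172.24.48.x are treated as ordinary clients.
SAMPLE_PACKETS = [
    ("172.24.48.96", "10.20.30.40", 40001, 80, "S"),        # ordinary SYN
    ("0.0.0.0", "10.20.30.40", 40002, 80, "S"),             # unspecified source
    ("10.20.30.40", "10.20.30.40", 80, 80, "S"),            # source == destination (LAND)
    ("127.0.0.1", "10.20.30.40", 40003, 80, "S"),           # loopback source
    ("224.0.0.5", "10.20.30.40", 40004, 80, "S"),           # multicast source
    ("240.1.2.3", "10.20.30.40", 40005, 80, "S"),           # IANA reserved (240/4)
    ("203.0.113.7", "10.20.30.40", 40006, 80, "S"),         # TEST-NET, reserved for documentation/testing
    ("172.24.48.97", "10.20.30.40", 40007, 80, "SF"),       # SYN+FIN
    ("172.24.48.98", "10.20.30.40", 40008, 80, ""),         # no flags (null scan)
    ("172.24.48.99", "10.20.30.40", 40009, 80, "FPU"),      # XMAS
    ("172.24.48.100", "10.20.30.40", 40010, 80, "F"),       # FIN without ACK
    ("172.24.48.101", "10.20.30.40", 40011, 80, "SFRPAU"),  # every flag set
    ("172.24.48.102", "10.20.30.40", 0, 80, "S"),           # source port 0
    ("172.24.48.103", "10.20.30.40", 40012, 0, "S"),        # destination port 0
    ("172.24.48.104", "127.0.0.1", 40013, 80, "S"),         # destination loopback
]

TEST_NETS = [ipaddress.ip_network(n) for n in ("192.0.2.0/24", "198.51.100.0/24", "203.0.113.0/24")]
BROADCAST = ipaddress.ip_address("255.255.255.255")


def classify_source(src_str, dst_str):
    """Which spoofed-source category, if any, the source address falls into."""
    src, dst = ipaddress.ip_address(src_str), ipaddress.ip_address(dst_str)
    if src.is_unspecified or src == BROADCAST or src == dst:
        return "source-spoofed-impossible"
    if src.is_loopback:
        return "source-spoofed-loopback"
    if src.is_multicast:
        return "source-spoofed-multicast"
    if src.is_reserved:                          # 240.0.0.0/4
        return "source-spoofed-iana-reserved"
    if any(src in net for net in TEST_NETS):
        return "source-spoofed-reserved-for-testing"
    return None   # RFC 1918 space is deliberately not flagged: whether it is legitimate depends on sensor placement


def classify_tcp(sport, dport, flags):
    """Flag combinations no real stack emits, plus the two port-0 cases."""
    f = set(flags)
    out = []
    if f >= {"S", "F", "R", "P", "A", "U"}:
        out.append("tcp-impossible-flags")
    elif not f:
        out.append("tcp-null-scan")
    elif {"F", "P", "U"} <= f and not (f & {"S", "A"}):
        out.append("tcp-xmas-scan")
    elif {"S", "F"} <= f:
        out.append("tcp-syn-fin")
    elif "F" in f and "A" not in f:
        out.append("tcp-fin-no-ack")
    if sport == 0:
        out.append("tcp-source-port-0")
    if dport == 0:
        out.append("tcp-destination-port-0")
    return out


def classify_packet(pkt):
    src, dst, sport, dport, flags = pkt
    labels = []
    s = classify_source(src, dst)
    if s:
        labels.append(s)
    if ipaddress.ip_address(dst).is_loopback:
        labels.append("destination-loopback")
    labels.extend(classify_tcp(sport, dport, flags))
    return labels


def scan(packets):
    """Return [(packet, labels)] for packets that trip at least one check."""
    flagged = []
    for p in packets:
        labels = classify_packet(p)
        if labels:
            flagged.append((p, labels))
    return flagged


if __name__ == "__main__":
    for p, labels in scan(SAMPLE_PACKETS):
        print(p[0], "->", p[1], p[4] or "(no flags)", labels)
```

The same source-address checks are what a bogon block list at the border implements; the TCP checks are cheap enough to run on every packet, which is why this class of filter carries almost no performance cost.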
DDoS tool-specific filters There are filters that have been written to detect traffic from specific DoS tools. These filters can be used to help identify the weapon being used in an attack as well as to protect against the attack. More knowledge of the attacker will put you in a position to defend yourself more effectively against the attacks.
4259: UDP: Saihyousen Denial of Service
4365: UDP: UDP Flood Denial of Service
4374: UDP: UDP Flood Denial of Service
5208: UDP: UDPFlood Attack Tool
10725: TCP: LOIC DDoS Tool
10727: UDP: LOIC DDoS Tool
10736: HTTP: LOIC DDoS Web Access
77 www.ietf.org/rfc/rfc2827.txt
10846: TCP: Denial of Service Attack
10847: UDP: UDP Flood Denial of Service
11872: UDP: UDP Flood Attack Tool (Net Tools 5)
11349: HTTP: Default Page Request (Only enable when under DoS attack)
12026: HTTP: LOIC DDoS Tool (ONLY enable when under DoS attack)
12027: HTTP: PenTBox DDoS Tool (ONLY enable when under DoS attack)
Note: This category of filters grows as new tools are developed. Organizations should monitor HP TippingPoint DV notifications from the Threat Management Center (TMC) for new filters covering DDoS tools.
UDP flood Another DDoS method very popular with Anonymous is UDP flooding, typically directed at ports such as 25, 53, and 80. This attack is easily accomplished with readily available tools such as LOIC. Figure 22 shows the various configuration options LOIC allows.
Figure 22. LOIC user interface
When defending against a tool such as this, there are several filters that can be used to detect and block the traffic the tool generates:
10724: IRC: LOIC DDoS IRC Communication
10725: TCP: LOIC DDoS Tool
10727: UDP: LOIC DDoS Tool
12026: HTTP: LOIC DDoS Tool (ONLY enable when under DoS attack)
For UDP floods against ports typically used for TCP applications, such as those documented against ports 25 and 80, ACLs can be applied at the border or upstream to block this traffic. The HP TippingPoint NGIPS allows for this capability using Traffic Management Filters (TMFs). These filters are implemented in the hardware and have very little impact on the system because very little traffic inspection must be done to match. TMFs are directional. You must know the direction (A->B or B->A) of traffic you wish to block. Figure 23 shows the configuration options for TMF filters in SMS. They are configured under the appropriate profile for the affected IPS segment.
Note: The IPS applies inspection bidirectionally, so normally A and B ports do not matter. However, in this case, you must know whether port A or port B is internal or external. The best practice is to consistently allocate ports A and B in the same way.
Figure 23. HP TippingPoint IPS Traffic Management Filter configuration options
HP TippingPoint Digital Vaccine Toolkit For traffic patterns that do not currently have shipping filters to detect them, organizations can write custom filters using HP TippingPoint Digital Vaccine Toolkit (DVToolkit). DVToolkit is a desktop application used to create custom filters for the HP TippingPoint NGIPS using strings and regular expressions. The latest version of DVToolkit allows Snort rules to be imported; the imported Snort rules are converted for use by the Threat Suppression Engine (TSE).
Using DVToolkit, filters can quickly be created to block unique application-layer DoS attacks and to detect lower-layer attack patterns. When LOIC strings are changed or attacks occur against Web applications, custom filters can be written to identify and block this traffic. Custom filters can also be used to quarantine hosts, rate limit traffic, or assign reputation. This feature greatly increases the flexibility of the system.
DVToolkit can be downloaded from the TMC, and documentation is available within the application once it is installed. Multiple filter examples can be found in the manual.
Figure 24 shows an example of bleeding-edge Snort rules being imported to create a .csw package.
Figure 24. HP TippingPoint DVToolkit
Figure 25 shows some of the many options DVToolkit offers when writing filters. String matches and regular expressions are supported.
Figure 25. TippingPoint DVToolkit filter details
Note: Please use consideration when creating filters for the IPS, as these can cause significant impact on network traffic.
Application-level DDoS Moving up the stack, beyond Layer 4 connection exhaustion attacks, HP TippingPoint is able to detect and block HTTP GET flooding. A two-pronged approach is taken here. The first is to detect packets crafted by known attack tools by their identifiable characteristics. The second is to detect the behavior of these tools by distinguishing between attackers and legitimate clients, then blocking the attacker or limiting the number of connections that can be made per source.
Pyloris is a Python implementation of Slowloris, which was originally written in Perl. Both tools create a connection flood on a Web server by opening many connections and holding them open for an extended period. Pyloris is an evolution of Slowloris and offers more features. The following section covers these tools in more depth.
The DVToolkit can be used to:
• Detect packets crafted by specific tools
• Detect behavior of specific tools
Slowloris Slowloris sends a recognizable initial HTTP request and follow-up headers, which is what the filter identifies. The IPS filter does not detect the growing number of open HTTP connections. Connection limiting on the IPS or elsewhere should be used to detect and control that aspect of the attack. Figure 26 shows a snippet of the Slowloris source code. The areas highlighted show the payload data that is recurrent and detectable. The HP TippingPoint IPS filters detect these patterns in network traffic and can be used to block attacks from this tool.
Figure 26. Code Snippet From Slowloris attack tool
~~~~~~ slowloris.pl snippet ~~~~~~
my $primarypayload =
    "GET /$rand HTTP/1.1\r\n"
  . "Host: $sendhost\r\n"
  . "User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n"
  . "Content-Length: 42\r\n";
if ( print $sock $primarypayload ) {
    print "Connection successful, now comes the waiting game...\n";
}
else {
    print "That's odd - I connected but couldn't send the data to $host:$port.\n";
    print "Is something wrong?\nDying.\n";
    exit;
}
}
else {
    print "Uhm... I can't connect to $host:$port.\n";
    print "Is something wrong?\nDying.\n";
    exit;
}
for ( my $i = 0 ; $i <= $#times ; $i++ ) {
    print "Trying a $times[$i] second delay: \n";
    sleep( $times[$i] );
    if ( print $sock "X-a: b\r\n" ) {
        print "\tWorked.\n";
        $delay = $times[$i];
IPS filter 8262: HTTP Slowloris DoS tool
This filter detects a DoS attack via the slowloris.pl tool. The tool performs a Denial of Service attack by exhausting available connections. The tool opens a connection to an HTTP server, which waits for the complete header to be received. The tool then continues sending bogus header lines, which keep the connection allocated.
Bojan Zdrnja describes the tool as "the HTTP equivalent of a SYN flood" (http://isc.sans.org/diary.html?storyid=6601).
Pyloris
Pyloris operates similarly. Figure 27 shows the default options in the source code.
Figure 27. Code Snippet from Pyloris attack tool
~~~~~~ pyloris.py snippet ~~~~~~
self.options['request'] = Text(df, foreground="white", background="black", highlightcolor="white", highlightbackground="purple", wrap=NONE, height = 28, width = 80)
self.options['request'].grid(row = 0, column = 1)
self.options['request'].insert(END, 'GET / HTTP/1.1\r\nHost: www.example.com\r\nKeep-Alive: 300\r\nConnection: Keep-Alive\r\nReferer: http://www.demonstration.com/\r\n')
self.options['request'].insert(END, 'User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.5 (KHTML, like Gecko) Chrome/4.1.249.1045 Safari/532.5\r\n')
self.options['request'].insert(END, 'Cookie: data1=' + ('A' * 100) + '&data2=' + ('A' * 100) + '&data3=' + ('A' * 100) + '\r\n')
Pyloris also provides a graphical user interface that is shown here in figure 28. The left pane is for configuration of the tool. The right pane will show the body of the request sent.
Figure 28. Pyloris user interface
Pyloris can also be run from the command line. It requires Python to be installed on the system. Figure 29 shows the command-line options.
Figure 29. Pyloris command-line options
Usage: pyloris.py [options] www.host.com
Options:
  -h, --help            show this help message and exit
  -c COUNT, --count=COUNT
                        Number of requests to perform (default = 50)
  -f, --finish          Complete each session rather than leave them unfinished (lessens the effectiveness)
  -g GET, --get=GET     Page to request from the server (default = /)
  -l, --loop            Loop indefinitely (overrides -c)
  -p PORT, --port=PORT  Port to initiate attack on (default = 80)
  -s SIZE, --size=SIZE  Size of data segment to attach in cookie (default = 0)
  -t THROTTLE, --throttle=THROTTLE
                        Throttle each request, bytes per second (default = 1)
  -u USERAGENT, --useragent=USERAGENT
                        The User-Agent string for connections (defaut = pyloris)
  -w WAIT, --wait=WAIT  Seconds between starting sessions (default = 1)
Figure 30 shows the defaults for the configurable options.
Figure 30. Pyloris default options
self.options['host'].set('localhost')
self.options['port'].set(80)
self.options['ssl'].set(False)
self.options['attacklimit'].set(500)
self.options['connectionlimit'].set(500)
self.options['threadlimit'].set(50)
self.options['connectionspeed'].set(0.3)
self.options['timebetweenthreads'].set(0.3)
self.options['timebetweenconnections'].set(1)
self.options['quitimmediately'].set(False)
self.options['socksversion'].set('NONE')
self.options['sockshost'].set('localhost')
self.options['socksport'].set(9050)
self.options['socksuser'].set('')
self.options['sockspass'].set('')
Shipping filter 11349 will catch Pyloris (as long as the default GET request string is used). This filter looks for a default GET request matching “GET / HTTP/1.1” or “GET /index.html HTTP/1.1”.
Note: This filter can match on legitimate traffic, which can cause performance issues. The filter should only be enabled while under a DoS attack.
11349: HTTP: Default Page Request (ONLY enable when under DoS attack)
This filter looks for an HTTP default page request like 'GET / HTTP\1.1' or 'GET /index.html HTTP\1.1' which, due to its small size, was generated by an attack tool instead of a typical web browser. These are the typical requests used in HTTP DoS attacks, since a request for the default page will work regardless of the web server content. NOTE: You should only enable this filter if you are under a DoS attack and need to protect your network infrastructure. Setting this filter to block or rate limit can help alleviate the traffic issues. Do NOT enable with alert or alert+trace. NOTE2: This filter can also match on valid requests to your web server, including web crawlers. Setting the filter to block can block valid requests as well as the DoS requests.
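The two detection angles described for Slowloris (filter 8262) and Pyloris (filter 11349) can be illustrated in a few lines of Python. The following is an added example, not HP TippingPoint filter logic or either tool's code: classify_request() keys on the same traits the filter descriptions name (the Slowloris opening request with its fixed MSIE 7.0 User-Agent and "Content-Length: 42" but no header terminator, the bogus "X-a: b" keep-alive lines, and the attack-tool default page request line), while sources_over_limit() covers the part the signatures do not, how many never-completed requests each source holds open. The limit of 3 and all payloads are constructed samples.

```python
import re
from collections import defaultdict

# Fixed User-Agent prefix from the slowloris.pl payload shown in figure 26.
SLOWLORIS_UA = re.compile(
    rb"User-Agent: Mozilla/4\.0 \(compatible; MSIE 7\.0; Windows NT 5\.1; Trident/4\.0;")
# Request lines filter 11349 describes: 'GET / HTTP/1.1' or 'GET /index.html HTTP/1.1'.
DEFAULT_PAGE = re.compile(rb"\AGET /(index\.html)? HTTP/1\.[01]\r\n")
HEADER_END = b"\r\n\r\n"


def classify_request(data: bytes) -> str:
    """Label one chunk of client data (the opening request, or a later header line)."""
    if data.startswith(b"X-a: b\r\n"):
        return "slowloris-keepalive"   # bogus header lines that keep the connection allocated
    if (data.startswith(b"GET ") and b"Content-Length: 42\r\n" in data
            and SLOWLORIS_UA.search(data) and HEADER_END not in data):
        return "slowloris-open"        # opening request: claims a body, never finishes headers
    if DEFAULT_PAGE.match(data):
        return "default-page"          # a real browser loading '/' matches too (the 11349 caveat)
    return "normal"


def sources_over_limit(connections, limit):
    """Return source IPs holding more than `limit` requests whose headers never completed.

    `connections` is an iterable of (src_ip, connection_id, bytes_received_so_far),
    the per-flow state a firewall, load balancer or the IPS could keep.
    """
    incomplete = defaultdict(set)
    for src_ip, conn_id, buf in connections:
        if HEADER_END not in buf:
            incomplete[src_ip].add(conn_id)
    return {src for src, ids in incomplete.items() if len(ids) > limit}


# Constructed samples, not captured traffic.
SLOWLORIS_OPEN = (b"GET /abc123 HTTP/1.1\r\nHost: victim.example\r\n"
                  b"User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; "
                  b".NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; "
                  b".NET CLR 3.5.30729; MSOffice 12)\r\nContent-Length: 42\r\n")
PYLORIS_DEFAULT = (b"GET / HTTP/1.1\r\nHost: www.example.com\r\nKeep-Alive: 300\r\n"
                   b"Connection: Keep-Alive\r\n")
BROWSER_PAGE = (b"GET /about.html HTTP/1.1\r\nHost: www.example.com\r\n"
                b"User-Agent: Mozilla/5.0 (X11; Linux x86_64) Firefox/9.0.1\r\n\r\n")


def demo():
    """Classify the samples, then find sources holding too many half-open requests."""
    labels = [classify_request(p)
              for p in (SLOWLORIS_OPEN, b"X-a: b\r\n", PYLORIS_DEFAULT, BROWSER_PAGE)]
    # One source holds five half-open requests; another holds one plus a completed request.
    conns = [("198.51.100.9", i, SLOWLORIS_OPEN) for i in range(5)]
    conns += [("203.0.113.4", 0, SLOWLORIS_OPEN), ("203.0.113.4", 1, BROWSER_PAGE)]
    return labels, sources_over_limit(conns, limit=3)


if __name__ == "__main__":
    print(demo())
```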
Other defense techniques
There are several other things that can be done to defend against an attack like this beyond the existing IPS filters that detect the packets these tools generate. These revolve around managing connections to the Web server and limiting connections per source. This should be used in conjunction with payload content identification where possible because proxies (TOR) can mask the sources. Identifying payload identifiers is sometimes of limited use, as the source code is available and the identifiable characteristics can be easily modified.
To identify abuse of connections during an attack and limit its impact, there are several steps that should be taken.
1. Apache offers connection limiting through module mod_limitipconn. This will limit the connections per source IP.
2. HP TippingPoint E-series IPS units support connection flood protection as part of their Advanced DDoS implementation. This will also limit the connections per source IP.
3. HP TippingPoint N platform does not implement connection limiting directly in TSE as of TOS 3.2.
a. The alternative solution for connection limiting is to use Rep + Q
i. Determine the IP addresses to protect
ii. Create a Quarantine action: permit 100 hits per 1 minute, block HTTP and other traffic; this can be tuned as needed
iii. Create a new Reputation group
iv. Add IP addresses for protected servers as reputation entries
v. Configure a Reputation filter in the appropriate profile
1. Choose the group you created in step 3
2. Choose the action you created in step 2
vi. The Quarantine address will show all source IP(s) that are issuing DDoS attacks against the protected IP addresses.
b. ArcSight can also be used to detect this activity, and HP TippingPoint can be used to block the source
i. ArcSight can monitor the connection from firewall or load balancer logs, or from the Web server logs (/var/log/access).
ii. When it detects this condition [open conn (src IP) > limit], it can connect to HP TippingPoint SMS to implement a quarantine action that is enforced on the IPS.
4. Firewalls and load balancers that are managing session state provide an ideal place to implement this type of protection.
a. iptables supports this, for example: iptables -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 100 -j DROP
HP TippingPoint integrates with ArcSight to detect and block attacks against a Web application using an HTTP-GET flood. Here are the steps of this integration using an example of an attack identified in Web server logs as shown in figure 31.
Step 1: Attacker sends HTTP-GET flooding to the target system.
Step 2: ArcSight monitors Apache Web server access log (/var/log/access) and determines the attacker IP is 16.151.66.199.
(Threshold basis: if a source issues more than 30 HTTP-GET requests within 20 seconds, ArcSight considers it an attacker.)
Step 3: ArcSight instructs the TippingPoint IPS (through SMS) to block the attacker IP 16.151.66.199 using IPS quarantine.
Figure 31. Web server logs used to identify attacker
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.geocities.com/TelevisionCity/Stage/2950/az/P.html HTTP/1.0" 404 261
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/SignificantOthers/index.htm HTTP/1.0" 404 248
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/TargetTheCorruptors/index.htm HTTP/1.0" 404 254
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/Legend/index.htm HTTP/1.0" 404 237
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/EllenShow/index.htm HTTP/1.0" 404 244
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.movieprop.com/Production/specialeffects.htm HTTP/1.0" 404 255
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Closer/index.htm HTTP/1.0" 404 241
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/Three/index.htm HTTP/1.0" 404 236
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Woops/index.htm HTTP/1.0" 404 240
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/epguides.com/FinderofLostLoves/index.htm HTTP/1.0" 404 248
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/members.aol.com/RWACEMAR/XFiles.html HTTP/1.0" 404 244
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/HollywoodSafari/index.htm HTTP/1.0" 404 250
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/Visitor/index.htm HTTP/1.0" 404 242
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/LifeandStuff/index.htm HTTP/1.0" 404 247
16.151.66.199 - - [31/May/2011:06:05:13 -0500] "GET /epguides2/www.epguides.com/BigfootandWildboy/index.htm HTTP/1.0" 404 252
The HP TippingPoint Security Management System (SMS) API connection to block the attacker IP would be formatted like this:
https://<TippingPoint_SMS_IP>/quarantine/quarantine?ip=16.151.66.199&policy=dd&timeout=10&smsuser=SuperUser&smspass=password
Note: Full documentation for the SMS API can be found on ThreatLinQ and on SMS.
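The threshold rule from Step 2 and the quarantine call from Step 3 can be reproduced against access-log lines. The following is an added example, not ArcSight or SMS code: find_get_flooders() applies the page's "more than 30 GET requests in 20 seconds" test with a sliding window per source IP, and quarantine_url() formats the SMS quarantine URL in the form shown above, with placeholder credentials. The log lines are constructed in Apache common log format and assumed to arrive in time order per source.

```python
import re
from collections import defaultdict, deque
from datetime import datetime
from urllib.parse import urlencode

WINDOW_SECONDS = 20   # page: "HTTP-GET request for 20 seconds"
THRESHOLD = 30        # page: "more than 30 HTTP-GET requests"

# Apache common/combined log prefix: client, ident, user, [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+')


def parse_line(line):
    """Return (ip, timestamp, method) or None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"]


def find_get_flooders(lines, window_seconds=WINDOW_SECONDS, threshold=THRESHOLD):
    """Map each offending source IP to the peak GET count it reached inside one window."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    peaks = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] != "GET":
            continue
        ip, ts, _ = rec
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()          # drop requests older than the window
        if len(window) > threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(window))
    return peaks


def quarantine_url(sms_host, ip, policy="dd", timeout=10,
                   smsuser="SMS_USER_PLACEHOLDER", smspass="SMS_PASSWORD_PLACEHOLDER"):
    """Build the SMS quarantine API URL in the form shown on the page (credentials are placeholders)."""
    query = urlencode({"ip": ip, "policy": policy, "timeout": timeout,
                       "smsuser": smsuser, "smspass": smspass})
    return f"https://{sms_host}/quarantine/quarantine?{query}"


def sample_lines():
    """Constructed sample: one source fires 40 GETs in ten seconds, another browses normally."""
    lines = [f'16.151.66.199 - - [31/May/2011:06:05:{13 + i // 4:02d} -0500] '
             f'"GET /epguides2/page{i}.htm HTTP/1.0" 404 248' for i in range(40)]
    lines += [f'203.0.113.7 - - [31/May/2011:06:05:{13 + 4 * i:02d} -0500] '
              f'"GET /index.html HTTP/1.1" 200 5120' for i in range(5)]
    return lines


if __name__ == "__main__":
    for ip, peak in find_get_flooders(sample_lines()).items():
        print(f"{ip}: {peak} GETs within {WINDOW_SECONDS}s ->",
              quarantine_url("<TippingPoint_SMS_IP>", ip))
```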
Reputation as an action
Using SMS and the Reputation feature, filters can add entries to RepDV as an action. An earlier section described how Reputation can be used on the IPS to block attacks against a server. IPS filters can be used in conjunction with Reputation to block even more types of attacks. The integration between these features makes the IPS very flexible.
• DVT custom filter created and distributed
• “Active responder” rule created to fire filter after 20 requests in 10 seconds
• Further packets from these entries will be blocked in hardware (up to 5 million total entries)
Figure 32 shows how a Reputation leveraging IPS filters would look in SMS.
Figure 32. HP TippingPoint IPS RepDV Configuration in SMS
A primary goal of Anonymous attacks is to send a message. This notion remains true regardless of the tactics used. In the tool LOIC, messages can be defined that are delivered as part of the payload. A recent US-CERT Technical Cyber Security Alert78 shows how the message “We Are Legion!” referring to the Anonymous slogan is observed in Web server logs from a victim:
"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200 99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"
When these patterns are discovered, DVToolkit can be used to quickly write filters to block the traffic.
Today DDoS attacks come in many forms. Organizations must have the ability to detect the attacks, identify the tools used in the attack, and isolate the attack traffic. No one solution can provide complete coverage across all areas and meet every need. HP TippingPoint, however, does offer a robust toolset to identify and mitigate these attacks.
78 www.us-cert.gov/cas/techalerts/TA12-024A.html
Protection against doxing
Protecting against doxing is a difficult challenge. In the modern age, users have personal and private information of every nature on systems across the Internet. Consider what information could be obtained from doctors, retailers where you have made purchases using your credit card, or the DMV. Law enforcement agencies and state agencies are routinely being targeted for compromise to harvest personal information. There is little that can be done to protect such personal information that is in private systems. Some level of trust in the provider and the regulations meant to mandate certain protection levels must be assumed.
Personal information that is made public can be curtailed, though. Even information that is believed to be restricted can often be accessed. Once personal details are captured in digital form and listed in the ether, it must be assumed that they are no longer private and will never go away. Facebook had a recent authorization bypass vulnerability79 that allowed anyone to view the private profile of another user they were not friends with. Users should limit the information on these sites, limiting their online footprint and shrinking the risk window.
When Sabu, the leader of LulzSec and arguably of Anonymous, was outed March 6, 2012, by the FBI as an informant who had betrayed the group by working for them for nine months, he became the target of a dox campaign.81
Defending against doxing and the accompanying harassment requires legal support that is beyond the scope of this paper. Every effort to protect personal information should be made before this becomes an issue, especially for those in high-profile positions.
There are steps that should be taken to limit the exposure for an organization. Users must be educated about the dangers of reusing passwords. A recent study at Cambridge University doing comparative analysis of the password compromises at rootkit.com and gawker.com found that even in a tech-savvy group, up to half of the passwords were reused.80
Minimum password requirements must also be enforced. Two-factor authentication can be used to limit access to systems, even when passwords are compromised.
79 http://online.wsj.com/article/SB10001424052748703730804576315682856383872.html 80 www.theregister.co.uk/2011/02/10/password_re_use_study/ 81 http://pastebin.com/CmntFktF
Doxing is a complex issue to defend against and is not always a cyber threat. There are measures that can be taken to prepare for this type of personal attack and limit the scope of its damage. Preplanning and being vigilant about privacy are critical.
Web application attack mitigation
Web applications can be developed, hosted, and administered by third parties or at other sites, or they can be run internally. Either way, these sites often do not receive the same scrutiny as back-end systems that have been deemed more valuable due to the data they contain. The risk to an organization’s public reputation, however, is grave. A defaced website brings bad press and lowered expectations.
Today’s IT environments are rapidly evolving to keep up with the changing times. Security cannot be overlooked in this evolution. Building the proper security controls into the development and operation of these Web applications can significantly reduce the chances of falling victim to these attacks.
HP TippingPoint provides significant coverage of OWASP Top 10 through hundreds of DV filters. Several other techniques can be used to go beyond these filters. These are highlighted below.
Dynamic and static application testing
If an attack occurs and the organization is not quite prepared, there are things that can help. HP WebInspect82 is an industry-leading Web application security assessment solution designed to thoroughly analyze today’s complex Web applications. It delivers broad technology coverage, fast scanning capabilities, extensive vulnerability knowledge, and accurate Web application-scanning results. HP WebInspect is an integral part of the HP integrated security testing technologies that uncover real and relevant security vulnerabilities in a way that siloed security testing cannot. HP WebInspect easily tackles today’s most complex Web application technologies, including JavaScript, Adobe® Flash, Ajax, and SOAP, utilizing HP’s break-through testing innovations for fast and accurate application security tests. The HP WebInspect solution’s intuitive interface and interactive test results enable areas of an organization that are new to application security to leverage security testing automation to cover more applications. When vulnerabilities are found, the results feed the HP TippingPoint WebAppDV service to provide immediate solutions.
WebAppDV
When faced with targeted attacks against a custom Web application, standard defenses may not be comprehensive. The HP WebAppDV Service will provide custom protection in these cases. This service enables the NGIPS to serve as a dynamic Web application firewall through the following steps:
• Scan of your Web application
• Identification of vulnerabilities
• Creation by DVLabs of custom filters to protect against attempts to exploit the Web applications
• Filters are delivered and, once deployed, a follow-up scan helps ensure complete coverage
SQL injection
HP TippingPoint also provides many filters out of the box to detect common SQL injection commands and evasion techniques.
Details of some SQL injection evasion filters:
• 3807: inline comment evasion
– This filter detects inline comments between SQL statements in an HTTP request. It is very important to enable this filter because of the popularity of this evasion technique.
• 3808: variable declaration evasion
– This filter detects when attackers split SQL statements apart and concatenate them together later. This is a less common evasion tactic.
• 3809: comment terminator evasion
– This is the single most effective generic SQL injection filter.
– This tactic relies on SQL statements that are terminated with -- or /*.
82 www.fortify.com/products/web_inspect.html
Figure 34. HP TippingPoint IPS General SQL injection filters
Current list of SQLi filters
3593: HTTP: SQL Injection (UNION)
3624: HTTP: SQL Injection (SELECT)
3625: HTTP: SQL Injection (OPENROWSET)
3626: HTTP: SQL Injection (WAITFOR)
3630: HTTP: SQL Injection (Boolean Identity)
3798: HTTP: SQL Injection (Boolean Identity)
3799: HTTP: SQL Injection (Boolean Identity)
3800: HTTP: SQL Injection (Boolean Identity)
3801: HTTP: SQL Injection (EXECUTE)
3802: HTTP: SQL Injection (DROP/CREATE)
3803: HTTP: SQL Injection (INSERT)
3804: HTTP: SQL Injection (UPDATE)
3805: HTTP: SQL Injection (ALTER)
3806: HTTP: SQL Injection (DELETE)
3807: HTTP: SQL Injection Evasion Inline SQL Comment
3808: HTTP: SQL Injection Variable Declaration Evasion
3809: HTTP: SQL Injection Evasion SQL Comment Terminator
3810: HTTP: SQL Injection Evasion (System Variables)
3936: HTTP: SQL Injection Evasion (Oracle PL/SQL Block)
3986: HTTP: SQL Injection (Oracle GRANT TO)
4001: HTTP: SQL Injection MySQL Show Function
5669: HTTP: SQL Injection (UNION)
5670: HTTP: SQL Injection (SELECT)
5671: HTTP: SQL Injection (OPENROWSET)
5672: HTTP: SQL Injection (WAITFOR)
5673: HTTP: SQL Injection (Boolean Identity)
5674: HTTP: SQL Injection (Boolean Identity)
5675: HTTP: SQL Injection (Boolean Identity)
5719: HTTP: SQL Injection (CAST)
5772: HTTP: SQL Injection (Boolean Identity)
5773: HTTP: SQL Injection (EXECUTE)
5774: HTTP: SQL Injection (DROP/CREATE)
5775: HTTP: SQL Injection (INSERT)
5776: HTTP: SQL Injection (UPDATE)
5777: HTTP: SQL Injection (ALTER)
5778: HTTP: SQL Injection (DELETE)
6103: HTTP: SQL Injection (RESTORE)
6115: HTTP: SQL Injection (CONVERT)
6116: HTTP: SQL Injection (CAST)
6236: HTTP: SQL Injection (RESTORE)
6321: HTTP: SQL Injection (CONVERT)
6388: HTTP: SQL Injection (Benchmark)
6392: HTTP: SQL Injection (Benchmark)
6568: HTTP: SQL Injection (CAST)
11171: HTTP: SQL Injection (UNION)
11897: Oracle: SQL Function SQL Injection
11902: Oracle: SQL Function SQL Injection
11938: HTTP: SQL Injection (Boolean Identity)
HP TippingPoint has delivered filters that look for SQL syntax in HTTP parameters. This is unusual behavior and can safely be blocked for most users. Some Web applications, however, pass SQL syntax in HTTP parameters as part of normal operation, so these filters are disabled by default. The best practice is to initially enable these filters as Permit + Notify to verify that normal Web application traffic is not blocked.
This is not a complete list of IPS filters that can address these issues. There are hundreds of filters that detect other attack vectors and which can protect against vulnerabilities in common Web applications.
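The evasion categories named above (inline comments between SQL tokens, comment terminators, split-and-concatenate variable declarations) and the UNION and Boolean identity patterns can be checked against HTTP parameter values with a small amount of normalisation. The following is an added example, not HP TippingPoint filter logic; the regular expressions are this author's approximations of those categories, the repeated percent-decoding is an added step to defeat double encoding, and all sample parameter values are constructed. As the page advises, a check like this belongs in alert-only mode first, so that parameters legitimately carrying SQL syntax are seen before anything is blocked.

```python
import re
from urllib.parse import parse_qsl, unquote

INLINE_COMMENT = re.compile(r"/\*.*?\*/", re.S)      # 3807 category: /**/ between SQL tokens
TERMINATOR = re.compile(r"(--|/\*)\s*$")              # 3809 category: trailing -- or /*
PATTERNS = [
    ("union-select", re.compile(r"\bunion\b(\s+all)?\s+select\b", re.I)),
    # OR 1=1, OR '1'='1 (closing quote optional, as the value often ends mid-literal)
    ("boolean-identity", re.compile(r"\b(or|and)\s+(\d+|'[^']*')\s*=\s*(\d+|'[^']*'?)", re.I)),
    # 3808 category: DECLARE a variable, build the statement in pieces, EXEC it
    ("variable-declaration", re.compile(r"\bdeclare\s+@\w+.*\bexec(ute)?\b", re.I | re.S)),
]


def decode(value, rounds=3):
    """Percent-decode until the value stops changing (bounded), so double encoding is stripped."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def inspect_param(value):
    """Return the list of findings for one parameter value (empty when nothing matched)."""
    findings = []
    text = decode(value)
    if INLINE_COMMENT.search(text):
        findings.append("inline-comment-evasion")
        text = INLINE_COMMENT.sub(" ", text)   # normalise so the keyword checks still fire
    if TERMINATOR.search(text):
        findings.append("comment-terminator")
    for name, pattern in PATTERNS:
        if pattern.search(text):
            findings.append(name)
    return findings


def inspect_query_string(query):
    """Map each parameter name that produced findings to its list (clean parameters omitted)."""
    result = {}
    for name, value in parse_qsl(query, keep_blank_values=True):
        findings = inspect_param(value)
        if findings:
            result[name] = findings
    return result


# Constructed sample values: three classic patterns and one legitimate search string.
SAMPLES = [
    "1 UNION/**/SELECT name,pass FROM users--",
    "admin'--",
    "' OR '1'='1",
    "DECLARE @s VARCHAR(50); SET @s='SEL'+'ECT 1'; EXEC(@s)",
    "select a good book",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(repr(sample), "->", inspect_param(sample))
    print(inspect_query_string("id=1%2520UNION%2520SELECT%25201&page=home"))
```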
Geolocation-based blocking
For organizations with a generally local presence and limited need for access from outside that region during periods of heightened threat or attack, you can leverage geolocation data to block foreign sources. This is an aggressive posture and not likely one that would be appropriate all of the time. For example, a municipal police department in the United States being targeted may choose to block traffic from B.R.I.C. nations or everywhere outside the U.S. for a limited time.
This approach limits the aperture of the risk window. Note, however, that although Anonymous is global, attacks often originate locally. We have observed this with attacks in Oakland, CA, in retaliation to the Occupy clashes there; in Greece; and in Panama. If you have attackers in Greece attacking the Greek government, geolocation-based blocking will be of little value.
HP TippingPoint provides a simple tool to leverage open source geographic IP data to help classify the reputation of systems. MaxMind provides an open source database of IP addresses and DNS names, along with their physical location. The free open source version of the database is called the GeoLite Country database. HP TippingPoint leverages this database to enhance its ReputationDV service by allowing data to be converted into a f