Archive for April, 2008

Radio Freedom: Yet Another DDoS Attack

Monday, April 28th, 2008

By Supranamaya Ranjan

This must be the season of geo-politically motivated Distributed Denial of Service (DDoS) attacks. We are close to the one-year anniversary of the first cyber-war, the one waged against the Baltic republic of Estonia. Last week CNN was DDoS’ed by supporters of a pro-China group called Revenge of the Flame. In the course of all this, a bystander sports site, Sports Network Management, whose only misfortune was having the string ‘cnn’ in its domain name while not being affiliated with CNN at all, also got DDoS’ed. To top it all, in apparent retaliation, one of the sites behind the patriotic drive sweeping China, Red Heart China Signature (www.5sai.com), was itself DDoS’ed by a group of IP addresses located in Europe.

Close on the heels of all these attacks and counter-attacks comes yet another. Various news sources are reporting that the Belarus service site of Radio Free Europe/Radio Liberty (RFE/RL) was DDoS’ed over the weekend, starting on April 26. The station was covering mass protests in Minsk, Belarus, marking the anniversary of the Chernobyl disaster, and had planned to direct listeners to its website for pictures and video of the coverage. Instead, much to its dismay, the site was completely inaccessible for two days and two nights under a massive DDoS storm. According to the RFE/RL Belarus Service Director:

“There was not much we could do because at this moment we also lost e-mail communication and Skype communication with Belarus. As we found out later, the attack was so massive that the firewall that protects Radio Free Europe went down. And a number of other [RFE/RL] sites went down as well.”

These attacks set a scary precedent: political agendas can very easily find their way into online hacks and attacks. Even scarier is the fact that the actual perpetrator of a DDoS attack can be very difficult to pinpoint, especially when the attack is launched from a botnet.

Never mind the identity of the attacker; it can be incredibly difficult even to establish the attacker’s location. In these geo-political attacks, claims are often made that the attack was launched from a certain country or region. A case in point is the reports suggesting that the DDoS attack on Red Heart China Signature was launched from Europe. The picture could be completely different: those 4 European IP addresses may only have been frontmen for the attack, while for all practical purposes the actual attacker could be sitting in Antarctica, controlling those 4 machines.

The point is that for detailed and accurate forensics of this sort, a managed security service run by the ISP is better placed than an edge-security solution installed at the website itself. The victim site’s web server logs can only identify the frontmen of the attack, the hosts whose packets actually arrived at the site. An ISP, on the other hand, can not only detect that a DDoS attack is under way and alert the website, it can also correlate flows to identify whom else those attacking hosts talked to, and potentially determine the botnet controller or the real perpetrator of the attack.
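To make the ISP-side argument concrete, here is an added example (not code from the original post or from Narus) of the two-step correlation over flow records: first find the hosts that flooded the victim, which is all the victim’s own logs can show, then find the upstream host that those same frontmen all contacted shortly before the flood began. The flow records, addresses and thresholds below are constructed for illustration; the controller on port 6667 is an assumption made up for the sample data, not a finding from the attacks discussed above.

```python
"""Flow-level correlation of a DDoS attack from an ISP vantage point.
Added example, not code from the original post or from Narus. Every flow record
below is constructed for illustration; addresses and ports are made up."""
from collections import Counter, defaultdict

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets)
FLOWS = [
    # Before the flood, four hosts each talk to the same upstream host (assumed controller).
    (100, "10.0.1.5", "198.51.100.9", 6667, 12),
    (101, "10.0.2.7", "198.51.100.9", 6667, 11),
    (102, "10.0.3.9", "198.51.100.9", 6667, 13),
    (103, "10.0.4.2", "198.51.100.9", 6667, 12),
    # Unrelated background traffic from some of the same hosts and from a bystander.
    (105, "10.0.1.5", "203.0.113.50", 80, 40),
    (106, "10.0.9.1", "203.0.113.50", 80, 35),
    (107, "10.0.2.7", "203.0.113.77", 443, 20),
    # The flood: the same four hosts hammer the victim; one legitimate reader mixed in.
    (200, "10.0.1.5", "192.0.2.10", 80, 5000),
    (200, "10.0.2.7", "192.0.2.10", 80, 5000),
    (200, "10.0.3.9", "192.0.2.10", 80, 5000),
    (200, "10.0.4.2", "192.0.2.10", 80, 5000),
    (200, "10.0.9.1", "192.0.2.10", 80, 12),
]


def attack_sources(flows, victim, start, end, min_packets=1000):
    """Hosts that sent at least min_packets to the victim within [start, end].
    This is the view the victim's own web-server logs give: the frontmen only."""
    per_src = Counter()
    for ts, src, dst, _port, pkts in flows:
        if dst == victim and start <= ts <= end:
            per_src[src] += pkts
    return {src for src, n in per_src.items() if n >= min_packets}


def common_upstream(flows, sources, before, min_fraction=0.75):
    """Peers that a large fraction of the attack sources contacted before the flood.
    Only an observer upstream of the sources (the ISP) sees these flows; the victim's
    logs never record them. Returns [(peer, fraction_of_sources), ...], best first."""
    contacted_by = defaultdict(set)
    for ts, src, dst, _port, _pkts in flows:
        if src in sources and ts < before:
            contacted_by[dst].add(src)
    ranked = [
        (peer, len(srcs) / len(sources))
        for peer, srcs in contacted_by.items()
        if len(srcs) / len(sources) >= min_fraction
    ]
    return sorted(ranked, key=lambda p: -p[1])


if __name__ == "__main__":
    frontmen = attack_sources(FLOWS, "192.0.2.10", start=150, end=250)
    print("frontmen seen by the victim:", sorted(frontmen))
    print("candidate controllers seen by the ISP:", common_upstream(FLOWS, frontmen, before=200))
```

The fraction threshold matters: popular destinations such as the web server at 203.0.113.50 are contacted by some attack sources too, so a peer only becomes interesting when most of the frontmen share it and the contact precedes the flood. In practice the candidate still needs confirmation (payload or DNS evidence), since a shared peer can also be a common update server or portal.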

CNN DDoS Attacks Demystified

Wednesday, April 23rd, 2008

By Supranamaya Ranjan

Over the last 24 hours, several security researchers have analyzed the tools that were distributed to launch the DDoS attacks against CNN. The interested reader can find an analysis of the 3 tools on Dancho Danchev’s blog.

The attack tool that caught my attention is the one in which the ‘hacktivists’, via mailing lists and forums, urged users to do one of two things. The more tech-savvy users, the ‘generals’, were urged to install an executable, after which they would serve a web page on their own site (e.g., hackerhf.com/cnn.html). This web page would load www.cnn.com continuously, roughly once per second, in a frame. The less tech-savvy users, the ‘soldiers’, were simply asked to point their browsers at the pages set up by the generals. As long as they kept their browsers open, requests would be sent towards CNN’s homepage continuously, either saturating the bandwidth around CNN or Akamai, its Content Distribution Network, or bringing CNN’s web server infrastructure to its knees.

Interestingly, this geo-political activism alone generated enough traffic at CNN that legitimate users’ requests were delayed from about 1 second on a usual day to about 4 seconds for 3 hours on Sunday morning (source: Netcraft). Note, however, that requests were never dropped and everyone was able to browse CNN, albeit slowly.
A packet trace analysis of what happens when a soldier loads one of the generals’ sites reveals the following sequence of HTTP requests:

[Figure: sequence of HTTP requests captured in the packet trace]

Most interestingly, note that the next group of HTTP requests to CNN starts only after 1 minute (the time gap between request IDs 124 and 4910). In other words, with default settings this tool lets a Firefox client generate attack requests at the rather modest rate of once per minute, even though the frame embedding CNN was clearly refreshing itself much faster than that, 20 times per minute. The difference lies in the browser cache: every browser has a setting that controls how often it checks for new content on a page it already holds. For Firefox:

“browser.cache.check_doc_frequency [Integer] (3) - This setting determines how often Firefox checks for newer versions of the page you are viewing. This setting is similar to Internet Explorer’s ‘Check for newer versions of stored pages’ setting. If set to 0 Firefox only checks once per browser session; if set to 1 Firefox checks every time a page is viewed; if set to 2 Firefox never checks (i.e. it always uses the version stored locally in your browser cache); and if set to 3 (the default) Firefox checks at automatically determined intervals. If you browse mostly pages which update their content extremely often (i.e. a few times a day) you may wish to set this to 1 though it will slow down browsing speed. The default of 3 is best for fastest browsing on most connections. You can experiment to see if 0 suits your needs, but don’t use a value of 2.”

One does wonder whether the hacktivists instructed their users to change the default Firefox setting from 3 to 1, in which case a request would go to CNN every time the frame refreshed: 20 per minute instead of 1, a twenty-fold increase from every soldier. Had 100% of the users made this change, would CNN’s response time have increased exponentially? Maybe then it would have crumbled under the attack!
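The trace above shows 20 frame refreshes per minute turning into one HTTP request per minute, and the paragraph asks what setting 1 would have done. The following added simulation (not code from the original post or from the attack tool) models the check_doc_frequency modes and counts how many requests actually reach the origin while a frame reloads every 3 seconds. Mode 3, “automatically determined intervals”, is approximated here by the HTTP/1.1 heuristic freshness rule (10% of the time since Last-Modified when no explicit max-age is sent); that approximation, the 3-second reload period and a Last-Modified header 10 minutes old are assumptions chosen so the default mode reproduces the once-per-minute rate seen in the trace, not a finding about CNN’s actual headers.

```python
"""How a browser's cache-validation policy throttles a frame-reload flood.
Added example, not code from the original post or the attack tool. Mode 3 of
browser.cache.check_doc_frequency is approximated by the HTTP/1.1 heuristic
freshness rule (RFC 2616 13.2.4: 10% of Date minus Last-Modified) when the
origin sends no explicit max-age. Reload period and header ages are constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class CachedCopy:
    fetched_at: float          # simulated time (s) the copy was stored
    last_modified_age: float   # Date minus Last-Modified at fetch time, seconds
    max_age: Optional[int]     # Cache-Control: max-age, if the origin sent one


def freshness_lifetime(copy: CachedCopy) -> float:
    """Seconds the cached copy may be reused without contacting the origin."""
    if copy.max_age is not None:
        return float(copy.max_age)
    # No explicit lifetime: heuristic of one tenth of the document's age.
    return max(0.0, copy.last_modified_age / 10.0)


def must_contact_origin(mode: int, copy: Optional[CachedCopy], now: float) -> bool:
    """Does this frame reload hit the origin (full GET or conditional GET)?
    mode follows check_doc_frequency: 0 once per session, 1 every view,
    2 never, 3 only once the cached copy is no longer fresh."""
    if copy is None:
        return True                 # nothing cached yet: first load always goes out
    if mode == 1:
        return True                 # revalidate on every view
    if mode in (0, 2):
        return False                # reuse the session's copy forever
    return now - copy.fetched_at >= freshness_lifetime(copy)


def requests_per_window(mode: int, reload_period: float, window: float,
                        last_modified_age: float, max_age: Optional[int] = None) -> int:
    """Count origin requests while a frame reloads every reload_period seconds
    for window seconds. A conditional GET answered with 304 still counts: the
    server has to handle it."""
    count, copy, now = 0, None, 0.0
    while now < window:
        if must_contact_origin(mode, copy, now):
            count += 1
            copy = CachedCopy(fetched_at=now, last_modified_age=last_modified_age, max_age=max_age)
        now += reload_period
    return count


if __name__ == "__main__":
    for mode in (0, 1, 3):
        print(f"mode {mode}: {requests_per_window(mode, 3, 60, 600)} requests/min")
    print(f"mode 3, origin sends max-age=0: {requests_per_window(3, 3, 60, 600, max_age=0)} requests/min")
```

Two things fall out of the model. First, in the default mode the rate each soldier contributes is set not by the attacker’s refresh interval but by the freshness lifetime the victim itself advertises; a homepage served with max-age=0 or no-cache turns every frame reload into a hit, so a site under this kind of attack wants a non-zero lifetime on the flooded URL and a CDN that answers the conditional GETs. Second, switching the soldiers to mode 1 removes the cache from the loop entirely, which is the twenty-fold jump the paragraph above speculates about.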

It also makes one wonder which problem is easier: detecting attacks launched by human armies, or those launched by botnets?

Weekend of Olympic flame and CNN attacks

Monday, April 21st, 2008

By Supranamaya Ranjan

Throughout this weekend, CNN’s website was under threat of a DDoS attack purportedly being planned by a group called Revenge of the Flame (source: The Dark Visitor blog). Fortunately there were no large-scale attacks, and CNN.com was very much up and running. The weekend plot had dramatic twists and turns that Hitchcock would have been proud of. First, the hacker group postponed the attack because the news had leaked far and wide. Later, for reasons unknown to us, the group called off the attack completely and even disbanded.

Despite the group’s calls to halt the attack, relatively smaller-scale attacks did happen over the weekend; maybe the calls to stop didn’t reach all the participants. Multiple CNN sites (www.cnn.com, www4.cnn.com, edition.cnn.com) were targeted. NarusInsight Secure Suite (NSS) reported 2 different kinds of attacks heading towards CNN: ICMP floods and TCP SYN floods. Interestingly, the attacks had very similar signatures; for example, in one SYN flood the attacker distributed packets across multiple source ports while sending exactly the same number of packets from each source port. That is to be expected, given that the hacker group had made it easy for novices to download a script and launch the attack: every copy of the script produces the same traffic pattern.

The highest-bandwidth attack seen by NSS was an 80 Mbps SYN flood; the others were much smaller. Regardless, the attacks were never big enough to bring down CNN, and much to our joy we could continue reading about the Pennsylvania primary, the Olympic torch being relayed around the world, and all the other stuff that gets us up in the morning.

Attack on CNN postponed

Friday, April 18th, 2008

By Supranamaya Ranjan

Since early yesterday morning (18th April), we have been following The Dark Visitor, which has leads about a large-scale DDoS attack being planned on CNN.com. The attack was planned for 5 am PST but seems to have been called off, or rather postponed, since too many people found out about it. Nevertheless, I took a look at the traffic heading towards CNN, and NarusInsight Secure Suite (NSS) didn’t report any attacks this morning.

NSS did report 2 separate TCP SYN flood attacks yesterday morning, though: one targeted cnn.com and the other edition.cnn.com. These attacks were very brief (about 2 minutes) and had the uniformity typically seen only in attack traffic; for example, each of the attackers generated the same amount of traffic. We will keep a close eye on this in case the attack does happen. Since CNN is very much up and running, I am off to get my daily dose of news now!
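The two uniformity signatures mentioned on this page, exactly the same number of SYNs from every source port (the April 21st post) and exactly the same amount of traffic from every attacker (above), can both be checked directly against packet records. The following is an added example, not code from the original posts or from NarusInsight; the packet records, addresses and thresholds are constructed for illustration, with three scripted flooders and two ordinary browsing clients mixed together.

```python
"""Spotting the tell-tale uniformity of a scripted SYN flood in packet records.
Added example, not code from the original posts or from NarusInsight. The packet
records are constructed; addresses and thresholds are illustrative."""
from collections import Counter, defaultdict

VICTIM = "192.0.2.10"


def scripted_flood(src, dst, ports, per_port):
    """Constructed flooder: the same number of bare SYNs from each source port."""
    return [(src, p, dst, 80, "S") for p in ports for _ in range(per_port)]


# Constructed records: (src_ip, src_port, dst_ip, dst_port, tcp_flags)
PACKETS = (
    scripted_flood("198.51.100.11", VICTIM, range(40000, 40010), 25)   # 10 ports x 25 SYNs
    + scripted_flood("198.51.100.12", VICTIM, range(51000, 51010), 25)
    + scripted_flood("198.51.100.13", VICTIM, range(30000, 30010), 25)
    # Organic browsing: one SYN per connection, uneven ACK counts, mixed flags.
    + [("203.0.113.5", 52001, VICTIM, 80, "S")] + [("203.0.113.5", 52001, VICTIM, 80, "A")] * 7
    + [("203.0.113.5", 52002, VICTIM, 80, "S")] + [("203.0.113.5", 52002, VICTIM, 80, "A")] * 3
    + [("203.0.113.6", 41000, VICTIM, 80, "S")] + [("203.0.113.6", 41000, VICTIM, 80, "A")] * 12
)


def syn_counts_by_source(packets, victim):
    """{src_ip: Counter{src_port: bare_syn_packets}} for SYNs towards the victim."""
    table = defaultdict(Counter)
    for src, sport, dst, _dport, flags in packets:
        if dst == victim and flags == "S":
            table[src][sport] += 1
    return table


def uniform_sources(packets, victim, min_ports=5, min_per_port=2):
    """Sources whose SYNs are spread over at least min_ports source ports with
    exactly the same count on every port. A real client also sends one SYN per
    port, so the shared count must exceed what a normal stack would retransmit.
    Returns [(src_ip, ports_used, syns_per_port), ...]."""
    hits = []
    for src, per_port in syn_counts_by_source(packets, victim).items():
        counts = set(per_port.values())
        if len(per_port) >= min_ports and len(counts) == 1:
            shared = counts.pop()
            if shared >= min_per_port:
                hits.append((src, len(per_port), shared))
    return sorted(hits)


def lockstep_sources(packets, victim, min_sources=2):
    """Groups of sources that sent exactly the same total number of SYNs, the
    'every attacker generated the same amount of traffic' signature.
    Returns {total_syns: [src_ip, ...]} for groups of at least min_sources."""
    totals = {src: sum(c.values()) for src, c in syn_counts_by_source(packets, victim).items()}
    groups = defaultdict(list)
    for src, n in totals.items():
        groups[n].append(src)
    return {n: sorted(srcs) for n, srcs in groups.items() if len(srcs) >= min_sources}


if __name__ == "__main__":
    print("per-port uniformity:", uniform_sources(PACKETS, VICTIM))
    print("lockstep totals:", lockstep_sources(PACKETS, VICTIM))
```

Both checks key on a property that a real TCP stack does not produce: a browser opens a connection with one SYN per source port and retransmits at most a handful, and two independent users never end up with byte-identical totals over a two-minute window. The min_per_port guard is what keeps an ordinary client that opens many connections out of the first check, and the lockstep check should be read in the context of the attack window the detector has already flagged, since over a long enough period coincidental equal totals do occur.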