6 C
Tuesday, November 21, 2017
Home Tags SYN Flood

Tag: SYN Flood

Botnets made up of hacked home routers were used to launch distributed denial-of-service attacks against the five largest financial organizations in Russia. The attacks occurred on Monday, Dec. 5, and were detected and mitigated by Rostelecom, Russia’s state-owned telecommunications company. The attacks peaked at 3.2 million packets per second (Mpps) and the longest attack lasted for over two hours, Rostelecom reported Friday. The company did not provide a bandwidth measurement for the attacks, but 3.2Mpps is not that much. DDoS mitigation providers regularly see attacks that exceed 100 Mpps and a very large September attack against the website of cybersecurity blogger Brian Krebs peaked at 665Gbps and 143Mpps. This week’s DDoS attacks against the Russian banks used the TCP SYN flood technique and originated from hacked home routers, according to Muslim Medzhlumov, director of Rostelecom’s cybersecurity center. A common trait for these routers is that all of them were using the CPE WAN Management Protocol (CWMP), also known TR-069. This is a protocol used by ISPs to remotely manage routers installed in their customers’ homes. A vulnerability was recently found in the TR-069 implementation from routers handed out to users by ISPs in multiple countries, including Deutsche Telekom in Germany, Eir in Ireland and TalkTalk in the U.K. Attackers quickly took advantage of the flaw to infect thousands of devices with malware and it’s very likely that some of them were used to launch the attacks against the Russian banks. Last Friday, the Russian Federal Security Service, the FSB, said that it foiled a large-scale cyberattack planned by a foreign intelligence service that aimed to destabilize the country’s financial system. The attack was planned for Dec. 5, according to the FSB, and would have included spreading fake claims about a crisis in the country’s financial system via social media and text messages. It’s not clear whether DDoS was also part of the plan and if the attacks mitigated by Rostelecom are related to the foiled campaign. DDoS attacks against banks are not unusual. In 2012, crippling DDoS attacks disrupted the online services of multiple banks in the U.S. In July 2015, three banks in the U.K. suffered similar disruptions. According to the FBI, financial institutions regularly receive extortion emails from hackers threatening to disrupt their services.
From November 8 to 12, websites of some of the largest Russian banks fell victim to heavy DDoS attacks.
Initially, it was no indication of anything unusual – all well-known banks get attacked from time to time – but further developments have evolved in the manner that allowed us to suggest a high level of organization in regards to the series of attacks. The first attacks that took place on November 8 affected two banks, but already at 4:00 pm Moscow time, similar attacks struck three more banks.

A little later, a fourth bank was attacked. On November 9 at 3 am, the attacks stopped for a while only to commence again in the evening with an attack on yet another bank.

At approximately 5 am on November 10, a new wave of attacks occurred. The largest number of attacks took place between 5 and 8 am on November 11 when, within the space of 10 minutes, eleven attacks occurred, which targeted various objects, namely, corporate websites of banks and online banking systems.

All attacks lasted approximately one hour and were similar to the attacks registered in the previous days. In the days to follow, no new attacks occurred, but some of the previously launched attacks continued until the morning of November 14. Kaspersky Lab received first-hand information as events unfolded: some of the banks that were attacked are our customers, and they promptly switched their traffic to Kaspersky DDoS Prevention centers with a few more joining after events had started.

This provided the analysts of Kaspersky Lab access to the patterns of the attacks and gave them an opportunity to draw a number of conclusions about their nature. Attackers used combinations of various attack methods.

They applied SYN Flood that exhausts operating system resources, as well as HTTP/HTTPS Flood that overloads the target Web server. The longest attack in the series lasted 4 days 6 hours and 34 minutes; The peak power of the attack was 660 thousand requests per second, while the average load on a corporate website of a major bank during business hours rarely exceeds 1 thousand requests per second; A few botnets “specializing” in different types of attacks participated in the attack.

Approximately 24 thousand unique bots have been blocked; The traffic analysis showed that the leads pointing to Mirai, which prematurely appeared in the press, were not substantiated: one of the botnets was indeed built on the basis of IoT devices, but a different bot was used. Bots that participated in the attacks are located in 30 different countries. More than half of them are in the United States, India, Taiwan and Israel. The most powerful attacks started when it was early morning in Moscow, which seems illogical at first glance – the number of visitors to the target websites of banks is low at this time of day.

This can be attributed to feeling out the target: the attackers started loading the websites with relatively simple SYN Flood and HTTP Flood attacks, thereby determining the possibilities of the protection systems to filter packets of trash traffic.

The small number of legitimate visitors enabled them to quite accurately determine the frequency of requests necessary to create a denial of service situation. Attacks against the banks protected by Kaspersky DDoS Prevention were not successful. Having recognized this, the attackers began to act in accordance with a more complex and demanding procedure – via HTTPS requests, and in some cases transferring the focus of the attacks onto Internet banking systems.
Since the traffic of an HTTPS session is encrypted, it is impossible to analyze and filter it when located outside of the affected network.

Thanks to the ability to analyze the traffic at the customer site (for this purpose, a separate “sensor” component is used), we received the statistical parameters of requests that were used to generate the filtering parameters directly in the cloud.
In addition, the results of the analysis were forwarded to the IT services of the banks, which, if necessary, successfully generated counteraction measures on their side. The carefully thought-out tactics, use of combined methodologies and scale of the event suggest a high level of organization among the attackers – the “job” was done by professionals.
In regards to one of the banks, after all attacks were successfully dealt with, an elaborate attack method against the application level that took advantage of the web server vulnerability was used.

This also points to the attackers being highly qualified. It is difficult to say what the aims of the series of attacks were: it may have been blackmail, diverting attention from a hacking attack against banking systems, or political hacktivism. However, the fact that the attackers targeted the banks’ corporate websites first, and only then switched to remote maintenance systems if they were unsuccessful, allows us to conclude that the organizers were more interested in publicity rather than doing real damage to the financial institutions. To a certain extent, our findings correlate with the reports that appeared in the press referring to the attacks being ordered from a certain DDoS service.

According to its owner, the persons who ordered the attacks were unhappy with the influence that Russia allegedly had on the US Presidential election and the websites of major Russian banks were selected as high-profile targets whose operational difficulties would definitely be noticed.