what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Technical Cyber Security Alert 2012-24A

Technical Cyber Security Alert 2012-24A
Posted Jan 25, 2012
Authored by US-CERT | Site us-cert.gov

Technical Cyber Security Alert 2012-24A - US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).

tags | advisory
SHA-256 | 925a21594f876a867e4c6e9471fa1023ca73286d7899e7a048b74bdefeb10aaa

Technical Cyber Security Alert 2012-24A

Change Mirror Download

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


National Cyber Alert System

Technical Cyber Security Alert TA12-024A


"Anonymous" DDoS Activity

Original release date: January 24, 2012
Last revised: --
Source: US-CERT


Overview

US-CERT has received information from multiple sources about
coordinated distributed denial-of-service (DDoS) attacks with
targets that included U.S. government agency and entertainment
industry websites. The loosely affiliated collective "Anonymous"
allegedly promoted the attacks in response to the shutdown of the
file hosting site MegaUpload and in protest of proposed U.S.
legislation concerning online trafficking in copyrighted
intellectual property and counterfeit goods (Stop Online Piracy
Act, or SOPA, and Preventing Real Online Threats to Economic
Creativity and Theft of Intellectual Property Act, or PIPA).


I. Description

US-CERT has evidence of two types of DDoS attacks: One using HTTP
GET requests and another using a simple UDP flood.

The Low Orbit Ion Cannon (LOIC) is a denial-of-service attack tool
associated with previous Anonymous activity. US-CERT has reviewed
at least two implementations of LOIC. One variant is written in
JavaScript and is designed to be used from a web browser. An
attacker can access this variant of LOIC on a website and select
targets, specify an optional message, throttle attack traffic, and
monitor attack progress. A binary variant of LOIC includes the
ability to join a botnet to allow nodes to be controlled via IRC or
RSS command channels (the "HiveMind" feature).

The following is a sample of LOIC traffic recorded in a web server
log:

"GET /?id=1327014400570&msg=We%20Are%20Legion! HTTP/1.1" 200
99406 "hxxp://pastehtml.com/view/blafp1ly1.html" "Mozilla/5.0
(Windows NT 6.1; WOW64; rv:9.0.1) Gecko/20100101 Firefox/9.0.1"

The following sites have been identified in HTTP referrer headers
of suspected LOIC traffic. This list may not be complete. Please do
not visit any of the links as they may still host functioning LOIC
or other malicious code.

"hxxp://3g.bamatea.com/loic.html"
"hxxp://anonymouse.org/cgi-bin/anon-www.cgi/"
"hxxp://chatimpacto.org/Loic/"
"hxxp://cybercrime.hostzi.com/Ym90bmV0/loic/"
"hxxp://event.seeho.co.kr/loic.html"
"hxxp://pastehtml.com/view/bl3weewxq.html"
"hxxp://pastehtml.com/view/bl7qhhp5c.html"
"hxxp://pastehtml.com/view/blafp1ly1.html"
"hxxp://pastehtml.com/view/blakyjwbi.html"
"hxxp://pastehtml.com/view/blal5t64j.html"
"hxxp://pastehtml.com/view/blaoyp0qs.html"
"hxxp://www.lcnongjipeijian.com/loic.html"
"hxxp://www.rotterproxy.info/browse.php/704521df/ccc21Oi8/
vY3liZXJ/jcmltZS5/ob3N0emk/uY29tL1l/tOTBibVY/wL2xvaWM/v/b5/
fnorefer"
"hxxp://www.tandycollection.co.kr/loic.html"
"hxxp://www.zgon.cn/loic.html"
"hxxp://zgon.cn/loic.html"
"hxxp://www.turbytoy.com.ar/admin/archivos/hive.html"

The following are the A records for the referrer sites as of
January, 20, 2012:

3g[.]bamatea[.]com A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr A 210[.]207[.]87[.]195
chatimpacto[.]org A 66[.]96[.]160[.]151
anonymouse[.]org A 193[.]200[.]150[.]125
pastehtml[.]com A 88[.]90[.]29[.]58
lcnongjipeijian[.]com A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A 121[.]254[.]168[.]87
www[.]zgon[.]cn A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar A 190[.]228[.]29[.]84

The HTTP requests contained an "id" value based on UNIX time and
user-defined "msg" value, for example:

GET /?id=1327014189930&msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20

Other "msg" examples:

msg=%C2%A1%C2%A1NO%20NOS%20GUSTA%20LA%20
msg=:)
msg=:D
msg=Somos%20Legion!!!
msg=Somos%20legi%C3%B3n!
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406
"http://pastehtml.com/view/bl7qhhp5c.html"
msg=We%20Are%20Legion!
msg=gh
msg=open%20megaupload
msg=que%20sepan%20los%20nacidos%20y%20los%20que%20van%20a%20nacer
%20que%20nacimos%20para%20vencer%20y%20no%20para%20ser%20vencidos
msg=stop%20SOPA!!
msg=We%20are%20Anonymous.%20We%20are%20Legion.%20We%20do%20not%20
forgive.%20We%20do%20not%20forget.%20Expect%20us!

The "msg" field can be arbitrarily set by the attacker.

As of January 20, 20012, US-CERT has observed another attack that
consists of UDP packets on ports 25 and 80. The packets contained a
message followed by variable amounts of padding, for example:

66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........

Target selection, timing, and other attack activity is often
coordinated through social media sites or online forums.

US-CERT is continuing research efforts and will provide additional
data as it becomes available.


II. Solution

There are a number of mitigation strategies available for dealing
with DDoS attacks, depending on the type of attack as well as the
target network infrastructure. In general, the best practice
defense for mitigating DDoS attacks involves advanced preparation.

* Develop a checklist or Standard Operating Procedure (SOP) to
follow in the event of a DDoS attack. One critical point in a
checklist or SOP is to have contact information for your ISP and
hosting providers. Identify who should be contacted during a
DDoS, what processes should be followed, what information is
needed, and what actions will be taken during the attack with
each entity.

* The ISP or hosting provider may provide DDoS mitigation services.
Ensure your staff is aware of the provisions of your service
level agreement (SLA).

* Maintain contact information for firewall teams, IDS teams,
network teams and ensure that it is current and readily available.

* Identify critical services that must be maintained during an
attack as well as their priority. Services should be prioritized
beforehand to identify what resources can be turned off or
blocked as needed to limit the effects of the attack. Also,
ensure that critical systems have sufficient capacity to
withstand a DDoS attack.

* Have current network diagrams, IT infrastructure details, and
asset inventories. This will assist in determining actions and
priorities as the attack progresses.

* Understand your current environment and have a baseline of daily
network traffic volume, type, and performance. This will allow
staff to better identify the type of attack, the point of attack,
and the attack vector used. Also, identify any existing
bottlenecks and remediation actions if required.

* Harden the configuration settings of your network, operating
systems, and applications by disabling services and applications
not required for a system to perform its intended function.

* Implement a bogon block list at the network boundary.

* Employ service screening on edge routers wherever possible in
order to decrease the load on stateful security devices such as
firewalls.

* Separate or compartmentalize critical services:

* Separate public and private services
* Separate intranet, extranet, and internet services
* Create single purpose servers for each service such as HTTP,
FTP, and DNS
* Review the US-CERT Cyber Security Tip Understanding
Denial-of-Service Attacks.


III. References

* Cyber Security Tip ST04-015 -
<http://www.us-cert.gov/cas/tips/ST04-015.html>

* Anonymous's response to the seizure of MegaUpload according to
CNN -
<http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>

* The Internet Strikes Back #OpMegaupload -
<http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>

* Twitter Post from the author of the JavaScript based LOIC code -
<http://www.twitter.com/#!/mendes_rs>

* Anonymous Operations tweets on Twitter -
<http://twitter.com/#!/anonops>

* @Megaupload Tweets on Twitter -
<http://twitter.com/#!/search?q=%2523Megaupload>

* LOIC DDoS Analysis and Detection -
<http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>

* Impact of Operation Payback according to CNN -
<http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>

* OperationPayback messages on YouTube -
<http://www.youtube.com/results?search_query=operationpayback>

* The Bogon Reference - Team Cymru -
<http://www.team-cymru.org/Services/Bogons/>

____________________________________________________________________

The most recent version of this document can be found at:

<http://www.us-cert.gov/cas/techalerts/TA12-024A.html>
____________________________________________________________________

Feedback can be directed to US-CERT Technical Staff. Please send
email to <cert@cert.org> with "TA12-024A Feedback INFO#919868" in
the subject.
____________________________________________________________________

For instructions on subscribing to or unsubscribing from this
mailing list, visit <http://www.us-cert.gov/cas/signup.html>.
____________________________________________________________________

Produced 2012 by US-CERT, a government organization.

Terms of use:

<http://www.us-cert.gov/legal.html>
____________________________________________________________________

Revision History

January 24, 2012: Initial release


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iQEVAwUBTx9v3z/GkGVXE7GMAQJvTQf+J3rSHG60QPyNunnw9E7ifrGoY0ib+GvV
Z1y2NvfwdxStka5xaq7KVmGXd7yExwdhDhWJrfmfXTjA+9Ac18xHdDn+FwdzqueY
qF1+P+LevwJM1gNI/g2RdJDna/ij5M7+eCpk03olRcieMtANZgolh07yCiuJDodm
utleV2m/PYXVNbNsZw74x3dZcxxpYlCdBojV4jpeYSvVG5Qf7uYgQ6/Q9WHY6j4D
Z7UTIQlkA/YULjTNFcDqjdSv4DHMSJsXcmkP0BLM1n11mfRpbToSZVkKZuCZUlqI
wag8ZkuGVwiXt93hIfMpWhgfPzjAbYGeeRpt3sVivBfNyzmME1FIvw==
=A0+U
-----END PGP SIGNATURE-----
Login or Register to add favorites

File Archive:

July 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jul 1st
    27 Files
  • 2
    Jul 2nd
    10 Files
  • 3
    Jul 3rd
    35 Files
  • 4
    Jul 4th
    27 Files
  • 5
    Jul 5th
    18 Files
  • 6
    Jul 6th
    0 Files
  • 7
    Jul 7th
    0 Files
  • 8
    Jul 8th
    28 Files
  • 9
    Jul 9th
    44 Files
  • 10
    Jul 10th
    24 Files
  • 11
    Jul 11th
    25 Files
  • 12
    Jul 12th
    11 Files
  • 13
    Jul 13th
    0 Files
  • 14
    Jul 14th
    0 Files
  • 15
    Jul 15th
    28 Files
  • 16
    Jul 16th
    6 Files
  • 17
    Jul 17th
    34 Files
  • 18
    Jul 18th
    6 Files
  • 19
    Jul 19th
    0 Files
  • 20
    Jul 20th
    0 Files
  • 21
    Jul 21st
    0 Files
  • 22
    Jul 22nd
    0 Files
  • 23
    Jul 23rd
    0 Files
  • 24
    Jul 24th
    0 Files
  • 25
    Jul 25th
    0 Files
  • 26
    Jul 26th
    0 Files
  • 27
    Jul 27th
    0 Files
  • 28
    Jul 28th
    0 Files
  • 29
    Jul 29th
    0 Files
  • 30
    Jul 30th
    0 Files
  • 31
    Jul 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2022 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close