by Khaled Al Hawasli, Senior Security Consultant, help AG
Take a look at the most recent DDOS attacks:
- DDOS attack against Israeli stock exchange. Message - to promote an anti-Israeli political point of view.
- DDOS attack against www.arabbank.ps, www.centralbank.ae and www.goverment.ae. Message - response to the anti-Israeli attack.
- DDOS attack against SOPA. Message - promote opposition to the anti-piracy act PIPA.
- DDOS attack against PayPal. Message - response to bringing down Wikileaks.
- DDOS attack against VISA. Message - response to bringing down WikiLeaks.
- DDOS attack against Mastercard. Message - response to bringing down WikiLeaks.
- Then, surprisingly, a DDOS attack against Wikileaks. Message - nobody knows.
It seems that these attacks are executed by different hacking groups, all with different and sometimes conflicting objectives. One thing is for sure: a DDOS attack is effective and very easy to pull off. So regardless of what your industry is, what your business represents or what country you belong to, there is probably a group of hackers who wants to DOS you.
About DDOS attacks
So what is a DDOS attack? DDOS stands for distributed denial of service attack. In a DDOS attack, an attacker uses many compromised workstations all over the world to continuously send requests against a website (or any online service).
DDOS attacks can be categorized into:
1. CPU targeted attacks (try to max out the CPU of the targeted machine)
2. Bandwidth consumption targeted attacks (try to consume all the available bandwidth)
This article will focus on CPU targeted attacks.
So where can an attacker get all those compromised workstations, one might ask? Well, it so happens that hackers are now SELLING those BOTNETS online, so any script kiddie who has a grudge against some organization can Google “buy botnets” and end up buying access to 10,000 compromised workstations.
Prevention (the common approach)
The current DDOS prevention mechanisms rely on IP thresholds: once the threshold has been exceeded, the IP is blocked. So what are the problems with this method?
1. A considerable number of DDOS attacks can cause the CPU to max out (even when executed from one compromised node) before the threshold has been reached.
2. Trying to reduce the threshold (or making the DDOS detection more sensitive) will result in many false positives.
3. When a threshold is reached, the blocked IP might be shared among hundreds or maybe thousands of legit users, hence blocking all legit traffic for the sake of one attacker. But how can an IP be shared? It can be shared if the attacker is within a NATTED network (for example a university) or behind a proxy (so all users behind that same proxy will also get blocked).
So as a summary, this mechanism is likely to be too late, not accurate and expected to trigger false positives. In order to solve this problem we need to stop the BOTNET without blocking it! Sounds impossible, right? Nevertheless, a solution exists.
F5 and help AG DDOS Prevention add-on
Before going into details of the solution we need to specify some of the characteristics of a BOTNET:
1. BOTNETS are small in size and are intended to be developed in the most simplistic form for ease of propagation and avoiding detection.
2. When performing a DOS attack against a website, BOTNETS continuously and rapidly send legit GET or POST requests against the website, causing the application to process the requests many times and therefore driving up the CPU.
3. BOTNETS do not check the reply coming from the server since it is irrelevant to them.
4. BOTNETS do not understand JavaScript code, ActiveX components or HTML code (they do not work like a browser).
With all that being said, we need to have an intermediate device which validates whether an incoming request is coming from a browser or a BOTNET. If the request was initiated by a BOTNET, that particular session is not forwarded to the back-end (the web server); otherwise it is forwarded.

Help AG has developed an add-on to the F5 load balancer which accomplishes this task. By default, the intermediate device (in this case the F5) verifies whether the requesting agent has already been confirmed to be a real browser. If it has, the request is forwarded; otherwise it is blocked. So the technical flow would be:
[Diagram: technical flow of the verification check]
It goes without saying that the key here is the verification process, which exploits the fact that BOTNETS do not operate like browsers, meaning that they:
1. Do not understand JavaScript
2. Do not understand ActiveX components
3. Do not understand Java applets
4. Might not use cookies
5. Do not check the reply from the target
Verification process
Verification goes through a challenge/response procedure, where a randomly generated and encrypted client-side script (either encrypted JavaScript, an ActiveX component or a Java applet) is sent from the intermediate device back to the requesting agent (this is called the challenge).
That script contains code that instructs the browser to redirect to a random URI, but since it is encrypted, only a browser will know how to process the “challenge”: decrypt it, then execute the redirect command.
If the agent is indeed a browser, it will properly process the challenge script and send back a request to the intermediate device for the randomly generated URI (this is called the response). Our intermediate device verifies this URI and checks whether it was linked to that specific browser.
If it was, the browser agent is marked as trusted and is granted 10 minutes before it has to go through the same verification process again.
Below is a sequential diagram which demonstrates a trusted browser session:
[Sequence diagram: trusted browser session]
Below is a sequential diagram, which demonstrates a BOTNET trying to attack our server:
[Sequence diagram: BOTNET attempting to attack the server]
So what are the benefits of this method?
1. The DOS or DDOS attack is stopped from the first request, without having to go through a threshold calculation module.
2. The blocking is done per session, not per IP, so there is no risk of blocking a NATTED network or a proxy IP.
3. It is very difficult to counter, since the “challenge” signature is interchangeable and varies every time.
As cybercrime increases, access to malicious software and BOTNETS becomes easier. It is not the script kiddies who pose a threat anymore; it is anyone with enough money to buy a few botnets. Therefore it is important to guard your network with a powerful DDOS prevention system.
F5, being one of the most powerful load balancers, already reduces the effect of a DDOS attack by distributing the load among backend servers, and with the help AG DDOS prevention add-on you will be able to stop a DDOS attack before it even starts.