Remedy for South Korean DDoS onslaught
By Ron Meyran, Director of Security Products, Radware | Mar 9, 2011
Nearly 40 government and commercial websites in South Korea have been systematically attacked over the past few days by massive denial of service (DoS) attacks, including those of South Korea's Presidential Office, the Foreign Ministry, the National Intelligence Service, US Forces Korea and some major financial and online sites.
South Korea has issued a cyber security alert after websites of government and other agencies came under attack, the Korea Communications Commission (KCC) has said.
The attacks were generated by a botnet comprising up to 21,000 remotely controlled zombie computers, generating multi-vector attacks including network flood attacks and application misuse attacks such as:
- High-rate SYN flood attack
- TCP connection flood attack
- HTTP-GET flood attack
These attacks were aimed at exhausting web server and TCP stack resources so legitimate users cannot be served. The attackers have distributed a malicious code named NetBot that was used to generate the attacks during the past few days.
Radware ERT has analysed the attack tool by scanning some of the infected zombie PCs. NetBot was originally developed commercially as a stress-testing tool, but since its release to the public domain it has emerged as a powerful DDoS attack tool. Recent NetBot versions allow remote control of infected zombie PCs.
Analysis of the attacks revealed use of the NetBot attack vector called Circle-CC. Circle-CC, an application-level DoS attack, floods victim websites by systematically requesting pages across the whole site. Because the requests are spread over many different pages, the target server cannot serve them from its cache, which amplifies the attack's impact. The same use of multiple pages also makes the attack impossible to detect with standard network security solutions that rely on static URL request flood detection.
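To make the detection gap concrete, the following added example (not code from the article or from Radware) runs two detectors over a constructed web-server log window: a classic per-URL flood counter, which the page-rotating pattern keeps below threshold, and a per-client detector that counts requests and distinct pages per source. The thresholds, IP addresses and log lines are all assumed sample values.

```python
"""Why per-URL flood detection misses a page-rotating flood.

A flood that rotates across many pages keeps every single URL under a
per-URL request threshold, so a detector that counts hits per URL sees
nothing. Counting requests per client across all URLs, and noting how
many distinct pages that client walks, exposes the same traffic.
All log lines and thresholds here are constructed sample data.
"""
from collections import Counter, defaultdict

PER_URL_THRESHOLD = 20      # requests to one URL per window (assumed)
PER_CLIENT_THRESHOLD = 60   # requests from one client per window (assumed)
MIN_DISTINCT_PAGES = 10     # page diversity that marks a crawl-style flood


def parse_line(line):
    # Combined-log-style line: ip - - [ts] "GET /path HTTP/1.1" status size
    parts = line.split('"')
    ip = parts[0].split()[0]
    path = parts[1].split()[1]
    return ip, path


def per_url_detector(lines):
    """Static URL flood detection: which URLs exceed the per-URL threshold?"""
    hits = Counter(parse_line(l)[1] for l in lines)
    return {url for url, n in hits.items() if n > PER_URL_THRESHOLD}


def per_client_detector(lines):
    """Per-source detection: high request rate spread across many pages."""
    paths = defaultdict(list)
    for l in lines:
        ip, path = parse_line(l)
        paths[ip].append(path)
    return {ip for ip, p in paths.items()
            if len(p) > PER_CLIENT_THRESHOLD and len(set(p)) >= MIN_DISTINCT_PAGES}


def constructed_window():
    """One sample window: a legitimate user (5 hits on one page) and one
    flooding source that walks /page/0 .. /page/24 four times each
    (100 requests, only 4 per URL, so no URL trips the per-URL detector)."""
    lines = ['10.0.0.7 - - [09/Mar/2011:10:00:00 +0900] "GET /index.html HTTP/1.1" 200 512'
             for _ in range(5)]
    for i in range(100):
        lines.append('203.0.113.9 - - [09/Mar/2011:10:00:01 +0900] '
                     f'"GET /page/{i % 25} HTTP/1.1" 200 1024')
    return lines


if __name__ == "__main__":
    window = constructed_window()
    print("per-URL detector flags:", per_url_detector(window))        # set()
    print("per-client detector flags:", per_client_detector(window))  # {'203.0.113.9'}
```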
What to do
To fully mitigate the multi-vector attacks that include network DDoS attacks, application-level floods and advanced directed DoS attacks that aim to exploit specific vulnerabilities in the server applications, victims need to deploy multiple mitigation technologies including intrusion prevention (IPS), DoS Protection and Network Behavioral Analysis (NBA).
These security technologies - together with an emergency response team that is "war-game" trained to mitigate these types of DoS attacks, and capable of analyzing the attack tools that are used in order to find a way to neutralize them (i.e. rendering the tool ineffective by "choking" it through a sophisticated filtering action) - are the only effective way to defend against these emerging multi-vector threats.
Organizations in South Korea, among them leading e-commerce sites, that are using Radware security technologies and the ERT’s unique capabilities to generate a “counterattack” in order to neutralize the attack tools (part of Radware’s mitigation strategy), are already protected against the recent attacks.