Members of a loosely related ensemble of hacktivists call themselves Anonymous. Their preferred attack vectors are DDoS via the Low Orbital Ion Canon (LOIC) and SQL Injection attacks used for information extraction. They normally do not use traditional botnets for attacks. Details about Anonymous and their targets are well documented elsewhere so we will not go into those details here.
To counter these threats, the Barracuda Web Application Firewall provides a powerful proxy architecture WAF/ADC that can utilize its complete visibility into Layer 3 – 7 constructs to thwart such attacks.
Best Practices for Defending Against Anonymous Attacks
Step 1: Validate Protocol BasicsStandard browsers have implemented the HTTP protocol for a long time. They ensure that they follow the basics of the protocol. Additionally, many of the tools used during attacks do not go into enough detail of the HTTP protocol to get them right. The basic protocol validation engine of the Barracuda Web Application Firewall detects these discrepancies and uses them to stop the attacks even before they begin.
Step 2: Employ GeoIP IntelligenceIn attacks by Anonymous, the participants are often located globally, regardless of whether the attack has regional or global significance. For example, the participants in the Visa/MasterCard attacks were distributed across the globe.
Since Anonymous directs their anger towards all state actors and large corporations irrespective of nationality, people from across the world join in. A simple and effective way to deflate such an attack is to block client traffic from regions that are not the core audience of your web application.
The Barracuda Web Application Firewall has a built-in GeoIP module that can map the attacking IP address to its geographic location. Around 30-70% of attack traffic can be blocked just by using GeoIP control.
Step 3: Block Requests with Default LOIC SignaturesAs the JS LOIC screenshots above show, the tool allows appending random characters and messages to the request. This is not just for sending a retributive message: It’s required for technical reasons as well so browsers don’t resort to the local cache when fetching the response. If that happens, the requests will never reach the victims.
The Barracuda Web Application Firewall’s powerful extended matching engine greatly simplifies creating allow/deny ACLs for such signatures. Assuming the parameters appended by the LOIC tool are called “msg” and “id” and the message appended is “anonymous_msg,” a DENY ACL with the following match is easily defined:
(Parameter msg ex ) || (Parameter id ex ) || (URI-path co anonymous_msg)
You don’t have to remember the entire syntax. The extended match widget lets you define these signatures using a WYSIWYG UI widget:
Step 4: Identify and Block High-Rate Attackers with Malformed RequestsYour website might get hundreds of thousands of unique visitors a day. Unfortunately, a typical Anonymous attack generally originates from thousands of attackers. In the instance of the attacks that caused MegaUpload to shut down, an estimated 5,000 people (unique IP addresses) participated in the attack. Being able to identify these 5,000 IP addresses would ensure service availability to the rest of your visitors.
The Barracuda Web Application Firewall’s Brute Force Prevention module can easily block and blacklist such IP addresses. The LOIC tool sends a deluge of requests without valid cookies and referrers. The following brute-force prevention rule catches and blocks such requests, and examines all incoming requests from a given client IP without valid cookies and a referrer header. If requests exceed a threshold of five within a 30 second interval, it blocks that IP for a configurable time span. During this time, any subsequent requests from the offending IP are denied at Layer 4.
|Extended Match||(Header Cookie nex ) || (Header Referer nex)|
|Max Allowed Accesses Per IP||5|
Step 5: Lock Out OffendersWe want to ensure that identified offenders are blocked for a desired time interval. The Barracuda Web Application Firewall’s Action Policy supports lockouts for every attack type.
Step 6: Secure Against TCP SYN and UDP/ICMP Flood AttacksOne option in the LOIC tools is a TCP SYN flooding attack. When thousands of attackers send a SYN flood, this can exhaust the victim’s server’s TCP buffers, which results in the inability to process new requests. To prevent these attacks, ensure that SYN Guard is turned on in the Barracuda Web Application Firewall.
Ideally, SYN Flood attacks should be blocked by the network perimeter firewalls before they reach your servers or application firewalls. However, the Barracuda Web Application Firewall has the ability to block such attack traffic in case the network firewall failed to block the initial intrusion. Additionally, the Barracuda Web Application Firewall comes with a full-featured network firewall that creates ACLs (Access Control Lists) to block any UDP/ICMP flood attacks that bypassed the network firewall.
Step 7: Work with YOUR ISP and Upstream NetworkNote that if your incoming lines are completely burdened with packets floods – i.e. you have two T1 lines with a total capacity of 3 Mbps, but the attack traffic is 100 Mbps, then you will have to tackle the attack at your network edge or ISP level. Ensure that your ISP has an anti-DDoS solution in place and have the right contacts ready.
Other DDoS Mitigation Strategies
However, an attack from a botnet can be significantly more challenging. They can last several days with a much larger captive infrastructure and attack motivation. The core proxy architecture of the Barracuda Web Application Firewall can help alleviate several application DDoS challenges that other solutions cannot.
Step 9: Block “Slow Client” AttacksThese are a new breed of “low and slow” application layer attacks that are very hard to detect and block because:
- They are protocol compliant so do not raise any red flags.
- They bring down the victim server resources stealthily without inundating the network.
For example, Slowloris and RUDY attacks send partial HTTP GET and POST requests to the server at a very slow rate, which keeps the connection alive, but it never fully completes the request. The servers keep resources allocated to these partial requests while waiting for the connections to complete. Envetually, the servers finally succumb to resource exhaustion.
The Barracuda Web Application Firewall, with its proxy architecture, buffers and monitors such requests using a sophisticated adaptive timeout algorithm to prevent the server exhaustion.
Step 10: Employ IP Reputation to Reject Malicious TrafficIn a botnet attack, the command and control (C&C) servers instruct the botnet zombies to attack a victim server. There are botnets specializing in spam, banking Trojans, DDoS, and other attacks. Barracuda Central continuously monitors botnets using thousands of sensors in the field, which leads to a state-of-the-art IP reputation database that blacklists botnet-infected IP addresses.
Apart from botnets, the Barracuda Web Application Firewall can also block anonymous and open proxies and satellite ISPs. These are commonly used by hackers for reconnaissance and carrying out Advanced Persistence Threats (APTs).
Step 11: Optimize Server Resources and Compute CapacityCompute resources are under increasing pressure due to the proliferation of the Internet and the rise of mobile and cloud computing. When you deploy the Barracuda Web Application Firewall, you have a very beefy ADC front ending your server(s). This reduces the server load drastically, increasing their availability under attack. It offers several optimization features:
- TCP Multiplexing
- Caching und Komprimierung
- Intelligent Content Routing
- AAA (Authentication, Authorization and Access Control) Offloading
Together, these features can reduce the load on your server(s) by 50% or more.
Step 12: Plan for a Scalable Server InfrastructureOften, an attack happens during peak traffic to gain additional visibility and leverage. You can deflate the DDoS to a large extent using the Barracuda Web Application Firewall. But, even residual traffic can bring your server infrastructure – including your application, web, and database – server to their knees. The Barracuda Web Application Firewall models 460 and above come with built-in intelligent load balancing and application content routing to distribute the load between your server farms. You can also designate backup compute resources to deal with unanticipated load.
Negative security – The Barracuda Web Application Firewall employs highly tuned regular expression grammar-based signatures that detect SQL language, grammar, and syntax in input fields of the web application. For example:
SELECT user-name, password FROM USERS
Looking for just “union” or “select” etc. to block this can generate false positives. However, the Barracuda Web Application Firewall employs contextual signatures like the following:
Other signatures like these completely ensure that SQL commands in any form or obfuscation are not let through, while false positives are completely minimized. The normalization module precedes these rule matches and reduces all obfuscations like UTF-8 content encoding, SQL comments etc. to a neutral form. New applications and modifications to existing apps are instantly protected – there is no “re-learning” period. Performance is fast and admin overhead very low.
Positive Security – In positive security, FORM and URL parameter values are restricted to a known whitelist. For example, a FORM entry representing “Age” is restricted to numerical values from 0-120 only; everything else is denied. Since this can become administrative overhead for large sites, the Barracuda Web Application Firewall can “learn” and auto-generate such application profiles from the request and response traffic using its Adaptive Profiling feature. It then enforces this profile and blocks any anomalies. This feature is also unique in the industry in that it provides complete security even while the profile is being learned.