Threat Summary: October 1, 2012
On September 19, 2012, the Financial Services Information Sharing and Analysis Center (FS-ISAC) raised its Financial Services Cyber Threat Level to High based on reported attacks against United States financial institutions. Multiple online groups have claimed responsibility for the attacks.
This malicious activity should be considered a high risk and a threat to other industries. Customers are strongly advised to follow best common practices (BCPs) for denial of service attacks. These BCPs are provided as links in this document.
Multiple attack-pattern profiles are being used in these distributed denial of service (DDoS) attacks. The patterns are described in the Cisco Security Intelligence Operations Analysis section of this document.
Threat Updates
December 19, 2012: Cisco Security Intelligence Operations (SIO) has included new countermeasure and control guidelines in this document, which include recommendations on network segmentation, baseline traffic profiles, packet scrubbing services, device capacity and performance, and additional resources.
October 25, 2012: Cisco SIO has included incident handling and response guidelines in this document. The guidelines should not replace your existing organizational policy, rather they should supplement your existing response procedures. See the Incident Handling and Response section for more information. Although it has been reported that the attacks will slow down, the Financial Services Information Sharing and Analysis Center (FS-ISAC) maintains its Financial Services Cyber Threat Level at High. Additional information has been added to the Attack Pattern Traffic Profiles table, Resources, and Related Cisco Products and Services.
October 3, 2012: Cisco SIO has published Intrusion Prevention System (IPS) signature 1493/0: Distributed Denial of Service on Financial Institutions in signature update package S672 to help provide identification and detection for these attacks.
Other countermeasures and controls may help identify and detect the attack pattern traffic profiles described in this document. See the Attack Pattern Traffic Profiles table for more information.
Cisco SIO will continue to monitor the threat landscape and provide additional analysis and updates when new information is available.
Event Intelligence
The following table identifies Cisco SIO content that is associated with this Event Response Page:
| Threat Response | Cisco Applied Mitigation Bulletin | Cisco IntelliShield Alert | CWE ID | CAPEC |
|---|---|---|---|---|
Financial Institution DDoS |
Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions | Security Activity Bulletin: Financial Institution Websites Targeted by Distributed Denial of Service Attacks |
CWE-400
CWE-770 |
CAPEC-119
CAPEC-125 CAPEC-227 CAPEC-343 CAPEC-469 |
Cisco Security Intelligence Operations Analysis
DDoS attacks continue to evolve, and infrastructure managers are urged to plan for defense against these attacks well in advance of an active attack. Cisco SIO recommends that users work with their data providers to perform mitigations as close to the traffic source as possible to avoid services from becoming overwhelmed at the destination host and network. Cisco Internet Protocol Journal has published a white paper in the December 2004 issue that provides strategies to protect against DDoS attacks.
Network-based indicators of these attacks are the following:
Attack Pattern Traffic Profiles
| Protocol | Port | Payload | Notes | Cisco Mitigations |
|---|---|---|---|---|
| UDP (protocol 17) |
53 | "A" (hexadecimal value \x41) | The Data field, or payload, of the UDP message contains all As. | IPS Signature: 6910/0 - Net Flood UDP IPS Signature: 4002.0 - UDP Host Flood IPS Signature: 4004.0 - DNS Flood Attack Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM |
| UDP (protocol 17) |
80 | "/http1" (hexadecimal value \x2f\x68\x74\x74\x70\x31) "A" (hexadecimal value \x41) |
The Data field, or payload, of the UDP message contains all /http1. The Data field, or payload, of the UDP message contains all /As. |
IPS Signature: 6910/0 - Net Flood UDP IPS Signature: 4002.0 - UDP Host Flood Cisco IOS tACL Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM |
| TCP (protocol 06) |
53 | None | Flood of TCP SYN segments sent to TCP port 53 | IPS Signature: 6009.0 - SYN Flood DOS IPS Signature: 6920.0 - Net Flood TCP Cisco IOS NetFlow |
| TCP (protocol 06) |
80 | None | Flood of TCP SYN segments sent to TCP port 80 | IPS Signature: 6009.0 - SYN Flood DOS IPS Signature: 6920.0 - Net Flood TCP Cisco IOS NetFlow |
| TCP (protocol 06) |
80 | Varies | HTTP GET method requests using varying HTTP header values and URI requests. HTTP GET method requests are sent to root document web pages and nonroot document web pages. | IPS Signature: 1493/0 - Distributed Denial of Service on Financial Institutions IPS Signature: 6009.0 - SYN Flood DOS Cisco IOS NetFlow |
| TCP (protocol 06) |
80 | Varies | HTTP POST method using varying HTTP header values and submitted data. HTTP POST method sent to web pages expecting data input (for example, pages that require user login, contain forms, or expect user-submitted data). | IPS Signature: 6009.0 - SYN Flood DOS Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM |
| Internet Control Message Protocol (ICMP; protocol 01) |
N/A | Varies | Flood of ICMP messages sent to the targeted/victim address. ICMP Type 8/Code 0 has been observed, but other ICMP types and codes could be used. | IPS Signature: 6902.0 - Net Flood ICMP Request IPS Signature: 6901.0 - Net Flood ICMP Reply IPS Signature: 6903.0 - Net Flood ICMP Any IPS Signature: 2152.0 - ICMP Flood Cisco IOS tACL Cisco IOS NetFlow Cisco ASA/ASA-SM/FWSM |
Impact on Cisco Products
There are no specific Cisco vulnerabilities associated with this event. The attack attempts to saturate the bandwidth of the targeted network and exhaust resources on the targeted devices and devices in the path between the attacker and victim. If the Cisco Product Security Incident Response Team (PSIRT) discovers that a product is vulnerable to DDoS attacks because of a defect in software or hardware unrelated to memory or bandwidth saturation from a DDoS attack, information about affected products will be published at Cisco Security Advisories and Responses. As always, ensure that you monitor reports from Cisco PSIRT for any Cisco product-related vulnerabilities.
Countermeasures and Controls on Network Devices
Network Segmentation
- Host Internet-accessible services and resources across different service providers and use an Anycast network addressing and routing solution when possible.
- Do not host multiple Internet-accessible services and resources (for example, Domain Name Service (DNS), HTTP and HTTPS (web services), remote-access VPN, and e-mail) on the same Internet point of presence at the on-premise edge. Hosting multiple services and resources on the same Internet point of presence allows DDoS traffic to potentially impact all the Internet-accessible services and resources.
- Separate services and resources used by internal corporate users and applications so they are not impacted if an Internet-accessible service or resource is affected by a DDoS attack.
Baseline Traffic Profiles
- Use flow telemetry technologies (such as NetFlow) to collect and perform a traffic profile baseline for business, user, application, and other types of network traffic.
- Ensure that you understand what is considered a normal traffic profile baseline.
- This normal traffic profile baseline will help detect anomalies and assist in determining which traffic may be malicious, if any, during an attack.
- Understand the impact of an increased volume of traffic on affected services and resources.
On-Premise and Upstream Scrubbing Services
- Use products or services that have the capability to scrub anomalous and malicious traffic both at the on-premise edge and upstream at the provider edge. Ensure that you have already used a flow telemetry technology to collect and perform a traffic profile baseline.
- Validate and test traffic redirection to the upstream scrubbing service and ensure that Internet-accessible services and resources meet an acceptable performance baseline.
Device Capacity and Performance
- Ensure you understand device capabilities and limitations based on the following and their impact to device operations:
- Which features are enabled (for example, NetFlow, syslog, and BGP peering receiving 400K prefixes) on the device
- Volume of traffic that is being switched or forwarded by the device
- What technique or solution (for example, Remotely Trigger Black Hole Routing, Unicast Reverse Path Forwarding [understanding, enhancements]) is implemented on the device
Network operators are encouraged to work with their data providers or applicable Cisco products and services.
Cisco SIO has performed attack analysis and published a Cisco Applied Mitigation Bulletin, Identifying and Mitigating the Distributed Denial of Service Attacks Targeting Financial Institutions, which provides details about countermeasures and controls that can be used to identify and detect the Attack Pattern Traffic Profiles listed in the preceding table.
Incident Handling and Response
Coordinate Internal Response Teams
- Incident response teams should identify the specific applications being flooded and the protocols and ports used in the flood. Packet captures can be saved as evidence and used by vendors.
- Gather a response team that can make operational decisions concerning the DDoS event. Keep the team as small as possible without excluding other organizations. Consider adding the following groups: management, information assurance, IT support, legal, and public affairs.
- Avoid staff burnout. Consider shift rotations and meal delivery. Document details about the incident as they happen and share those details with new shifts.
Sharing Information with Third Parties
- The incident response team should comply with organization policies and procedures about media interaction and information disclosure.
- The FBI Cyber Crime unit investigates crimes of this nature in the United States. Outside the United States, the Forum of Incident Response and Security Teams can help with contacting the appropriate law enforcement organization.
- The Financial Services Information Sharing and Analysis Center can help financial institutions coordinate a response and provide detailed information about previous attacks.
- Coordinate with your Internet Service Provider to implement traffic controls, such as rate limiting, source blocking, and packet scrubbing.
- Identify the owners of the attacking addresses. Incident handlers may want to alert the owners of the IP addresses exhibiting the malicious behavior, and ask them to collect evidence and mitigate the attacking device.
- Contact vendors as needed by the support teams (see "Resources") to quantify the DDoS traffic, collect evidence, etc.
Lessons Learned
- After the incident has passed, conduct a lessons learned meeting with the parties involved to discuss what happened and the subsequent response. What worked well? What inhibited the recovery? What can help prevent similar actions in the future? How will the next response be handled?
Resources
A Cisco Guide to Defending Against Distributed Denial of Service Attacks
Huffington Post - Izz Ad-Din Al-Qassam Cyber Fighters Group Takes Break From Hacking Banks To Celebrate Eid Al-Adha Holiday
Remotely Triggered Black Hole Filtering
Internet Service Provider Security Best Practices
Creating a Computer Security Incident Response Team
Financial Services - Information Sharing and Analysis Center (FS-ISAC)
Updated NIST Guide is a How-To for Dealing With Computer Security Incidents
Softpedia: Izz ad-Din al-Qassam Hackers Attack Wells Fargo Website
Dancho Danchev: DDoS Attacks Crowdsourced
Threatpost: Historic DDoS attacks against banks continue>
Digital Dao: Fact-checking the Iranian DDoS Attacks Against US Banks
US-CERT: Alert (TA12-024A) "Anonymous" DDoS Activity
Cyber Warfare Intelligence: DDoS attacks, so simple so dangerous
Akamai: Information, not Hope is the key to Surviving DDoS
Cyberattacks on US banks resume, aiming to block their websites
Detecting and Analyzing Network Threats with NetFlow
RFC 1546: Host Anycasting Service
RFC 4786: Operation of Anycast Services
Packet Clearing House (PCH) Papers: Anycast
PCH Papers: Anycast Performance
PCH Papers: Anycast Services
PCH Papers: IPv4 Anycast
Arbor Networks: Pravail Availability Protection System (APS)
Prolexic Technologies: DoS and DDoS Protection
AT&T Internet Protect: Distributed Denial of Service Defense
Verizon: DoS Defense Services
Related Cisco Products and Services
ASA Threat Detection Functionality and Configuration
Network Security Baseline
Cisco ASA Series CLI Configuration Guide, 9.0
NetFlow Configuration Guide, Cisco IOS Release 15M&T
Cisco Flexible NetFlow Configuration Guide
Cisco Next-Generation Intrusion Prevention System
Cisco IOS IPS
Cisco IOS NetFlow
Cisco Web Security Appliance
Cisco IPS Signature Downloads
Cisco IPS Signature Search Page
This document is part of the Cisco Security portal. Cisco provides the official information contained on the Cisco Security portal in English only.
This document is provided on an “as is” basis and does not imply any kind of guarantee or warranty, including the warranties of merchantability or fitness for a particular use. Your use of the information in the document or materials linked from the document is at your own risk. Cisco reserves the right to change or update this document without notice at any time.