The Barracuda Web Application Firewall Versus Anonymous

Best Practices for Planning and Defending Against Attacks by Anonymous

Download PDF

Introduction

The security analysts at Barracuda Central have been continuously monitoring the recent state of distributed denial of service (DDoS) attacks launched by online criminals, hacktivists, and even nation states. This document profiles attacks that originate from hacktivists, including their preferred tools and attack methodology. It will then present best practices for defending against these attacks.

Members of a loosely related ensemble of hacktivists call themselves Anonymous. Their preferred attack vectors are DDoS via the Low Orbital Ion Canon (LOIC) and SQL Injection attacks used for information extraction. They normally do not use traditional botnets for attacks. Details about Anonymous and their targets are well documented elsewhere so we will not go into those details here.

To counter these threats, the Barracuda Web Application Firewall provides a powerful proxy architecture WAF/ADC that can utilize its complete visibility into Layer 3 – 7 constructs to thwart such attacks.

LOIC

Anonymous uses LOIC as a tool to inflict DDoS attacks on victims’ servers. The initiator of the attack recruits a large number of volunteers by various means (mainly through social networking) to participate in the attack. Volunteers either download the LOIC attack client or visit a web page, which has a JavaScript version of LOIC called JS-LOIC. The latter doesn’t require installing anything on the client computer. The use of LOIC in both variants is becoming a preferred way of using nontechnical volunteers to magnify the intensity of attacks.
Essentially, LOIC sends a continuous deluge of requests to the victim’s server. These can be multiple HTTP, UDP packets, or TCP requests to the targeted servers.

JS LOIC

This is the JavaScript version of LOIC. To use it, a user has to simply visit the URL of a page that hosts the JavaScript version of the LOIC. Users are informed of the URL through social media channels. Once the user is on that URL, the JavaScript is automatically retrieved by the browser and executed. At the time of this writing, the JS version of the LOIC is limited to only carrying out HTTP attacks.
This attack vector is potentially very dangerous since anyone with any sort of browser on any device such as a PC, laptop, Mac, smartphone, or tablet can become part of the attack.

Best Practices for Defending Against Anonymous Attacks

To protect against such attacks, the main goal is to distinguish genuine users of websites from the attackers. In order to provide needed “friend-or-foe” recognition, the Barracuda Web Application Firewall provides several layers of defense against such attacks, which are outlined below:

Step 1: Validate Protocol Basics

Standard browsers have implemented the HTTP protocol for a long time. They ensure that they follow the basics of the protocol. Additionally, many of the tools used during attacks do not go into enough detail of the HTTP protocol to get them right. The basic protocol validation engine of the Barracuda Web Application Firewall detects these discrepancies and uses them to stop the attacks even before they begin.

Step 2: Employ GeoIP Intelligence

In attacks by Anonymous, the participants are often located globally, regardless of whether the attack has regional or global significance. For example, the participants in the Visa/MasterCard attacks were distributed across the globe.

Since Anonymous directs their anger towards all state actors and large corporations irrespective of nationality, people from across the world join in. A simple and effective way to deflate such an attack is to block client traffic from regions that are not the core audience of your web application.

The Barracuda Web Application Firewall has a built-in GeoIP module that can map the attacking IP address to its geographic location. Around 30-70% of attack traffic can be blocked just by using GeoIP control.

Step 3: Block Requests with Default LOIC Signatures

As the JS LOIC screenshots above show, the tool allows appending random characters and messages to the request. This is not just for sending a retributive message: It’s required for technical reasons as well so browsers don’t resort to the local cache when fetching the response. If that happens, the requests will never reach the victims.

The Barracuda Web Application Firewall’s powerful extended matching engine greatly simplifies creating allow/deny ACLs for such signatures. Assuming the parameters appended by the LOIC tool are called “msg” and “id” and the message appended is “anonymous_msg,” a DENY ACL with the following match is easily defined:

(Parameter msg ex ) || (Parameter id ex ) || (URI-path co anonymous_msg)

You don’t have to remember the entire syntax. The extended match widget lets you define these signatures using a WYSIWYG UI widget:

This configuration protects against the use of default settings in the attack script, which may be aimed at your application. However, a resourceful attacker could change the parameters frequently to thwart such a basic detection and blocking mechanism. So, this rule set must be augmented by advanced rate-based controls.

Step 4: Identify and Block High-Rate Attackers with Malformed Requests

Your website might get hundreds of thousands of unique visitors a day. Unfortunately, a typical Anonymous attack generally originates from thousands of attackers. In the instance of the attacks that caused MegaUpload to shut down, an estimated 5,000 people (unique IP addresses) participated in the attack. Being able to identify these 5,000 IP addresses would ensure service availability to the rest of your visitors.

The Barracuda Web Application Firewall’s Brute Force Prevention module can easily block and blacklist such IP addresses. The LOIC tool sends a deluge of requests without valid cookies and referrers. The following brute-force prevention rule catches and blocks such requests, and examines all incoming requests from a given client IP without valid cookies and a referrer header. If requests exceed a threshold of five within a 30 second interval, it blocks that IP for a configurable time span. During this time, any subsequent requests from the offending IP are denied at Layer 4.

URL Match /*
Extended Match (Header Cookie nex ) || (Header Referer nex)
Sequence Number 1
Count Window 30
Max Allowed Accesses Per IP 5
Genuine clients are not affected since the very first request from a brand new client can come without a cookie or referrer; however, the subsequent ones would not.

Step 5: Lock Out Offenders

We want to ensure that identified offenders are blocked for a desired time interval. The Barracuda Web Application Firewall’s Action Policy supports lockouts for every attack type.

Step 6: Secure Against TCP SYN and UDP/ICMP Flood Attacks

One option in the LOIC tools is a TCP SYN flooding attack. When thousands of attackers send a SYN flood, this can exhaust the victim’s server’s TCP buffers, which results in the inability to process new requests. To prevent these attacks, ensure that SYN Guard is turned on in the Barracuda Web Application Firewall.

Ideally, SYN Flood attacks should be blocked by the network perimeter firewalls before they reach your servers or application firewalls. However, the Barracuda Web Application Firewall has the ability to block such attack traffic in case the network firewall failed to block the initial intrusion. Additionally, the Barracuda Web Application Firewall comes with a full-featured network firewall that creates ACLs (Access Control Lists) to block any UDP/ICMP flood attacks that bypassed the network firewall.

Step 7: Work with YOUR ISP and Upstream Network

Note that if your incoming lines are completely burdened with packets floods – i.e. you have two T1 lines with a total capacity of 3 Mbps, but the attack traffic is 100 Mbps, then you will have to tackle the attack at your network edge or ISP level. Ensure that your ISP has an anti-DDoS solution in place and have the right contacts ready.

Other DDoS Mitigation Strategies

Anonymous attacks are typically short lived, but they can cripple a site if Anonymous is able to recruit a sufficient number of volunteers for a long duration. However, since the army of attackers is mostly voluntary opt-ins from people with desktop clients and mobile devices, the attacks are not sustainable.

However, an attack from a botnet can be significantly more challenging. They can last several days with a much larger captive infrastructure and attack motivation. The core proxy architecture of the Barracuda Web Application Firewall can help alleviate several application DDoS challenges that other solutions cannot.

Step 9: Block “Slow Client” Attacks

These are a new breed of “low and slow” application layer attacks that are very hard to detect and block because:
  • They are protocol compliant so do not raise any red flags.
  • They bring down the victim server resources stealthily without inundating the network.

For example, Slowloris and RUDY attacks send partial HTTP GET and POST requests to the server at a very slow rate, which keeps the connection alive, but it never fully completes the request. The servers keep resources allocated to these partial requests while waiting for the connections to complete. Envetually, the servers finally succumb to resource exhaustion.

The Barracuda Web Application Firewall, with its proxy architecture, buffers and monitors such requests using a sophisticated adaptive timeout algorithm to prevent the server exhaustion.

Step 10: Employ IP Reputation to Reject Malicious Traffic

In a botnet attack, the command and control (C&C) servers instruct the botnet zombies to attack a victim server. There are botnets specializing in spam, banking Trojans, DDoS, and other attacks. Barracuda Central continuously monitors botnets using thousands of sensors in the field, which leads to a state-of-the-art IP reputation database that blacklists botnet-infected IP addresses.

Apart from botnets, the Barracuda Web Application Firewall can also block anonymous and open proxies and satellite ISPs. These are commonly used by hackers for reconnaissance and carrying out Advanced Persistence Threats (APTs).

Step 11: Optimize Server Resources and Compute Capacity

Compute resources are under increasing pressure due to the proliferation of the Internet and the rise of mobile and cloud computing. When you deploy the Barracuda Web Application Firewall, you have a very beefy ADC front ending your server(s). This reduces the server load drastically, increasing their availability under attack. It offers several optimization features:
  • TCP Multiplexing
  • SSL Offloading
  • Caching and Compression
  • Intelligent Content Routing
  • AAA (Authentication, Authorization and Access Control) Offloading

Together, these features can reduce the load on your server(s) by 50% or more.

Step 12: Plan for a Scalable Server Infrastructure

Often, an attack happens during peak traffic to gain additional visibility and leverage. You can deflate the DDoS to a large extent using the Barracuda Web Application Firewall. But, even residual traffic can bring your server infrastructure – including your application, web, and database – server to their knees. The Barracuda Web Application Firewall models 460 and above come with built-in intelligent load balancing and application content routing to distribute the load between your server farms. You can also designate backup compute resources to deal with unanticipated load.

SQL Injection

Anonymous hackers attempt reconnaissance of their targets by various SQL injection tools like sqlmap and Havij, as well as manual pentesting. The intent is to extract information from the backend databases and leak out PII (Personally identifiable information) or other sensitive information to embarrass or expose the targeted organization. The Barracuda Web Application Firewall blocks SQL injection using a mix of positive and negative security.

Negative security – The Barracuda Web Application Firewall employs highly tuned regular expression grammar-based signatures that detect SQL language, grammar, and syntax in input fields of the web application. For example:

http://www.mydomain.com/products/products.asp?productid=123 UNION

SELECT user-name, password FROM USERS

Looking for just “union” or “select” etc. to block this can generate false positives. However, the Barracuda Web Application Firewall employs contextual signatures like the following:

union.*[^[:alnum:]]select.*[^[:alnum:]]from[^[:alnum:]]

Other signatures like these completely ensure that SQL commands in any form or obfuscation are not let through, while false positives are completely minimized. The normalization module precedes these rule matches and reduces all obfuscations like UTF-8 content encoding, SQL comments etc. to a neutral form. New applications and modifications to existing apps are instantly protected – there is no “re-learning” period. Performance is fast and admin overhead very low.

Positive Security – In positive security, FORM and URL parameter values are restricted to a known whitelist. For example, a FORM entry representing “Age” is restricted to numerical values from 0-120 only; everything else is denied. Since this can become administrative overhead for large sites, the Barracuda Web Application Firewall can “learn” and auto-generate such application profiles from the request and response traffic using its Adaptive Profiling feature. It then enforces this profile and blocks any anomalies. This feature is also unique in the industry in that it provides complete security even while the profile is being learned.

Conclusion

Application layer DDoS attacks are growing in popularity. The record setting Mirai Botnet contained the code to perform Layer 7 DDoS in addition to the standard volumetric DDoS attacks. The Barracuda Web Application Firewall provides a strong defense against layer 5-7 DDoS using multiple techniques such as IP reputation, geo-awareness, application request throttling, application session tracking, brute force prevention, client fingerprinting, CAPTCHA challenges, and more. Our security analysts constantly evaluate the tools and techniques used by Anonymous and others against the Barracuda Web Application Firewall to ensure that all attacks are blocked and web applications are completely secured.