
posted on Friday, January 20, 2012 5:53 AM

#infosec #adcfw #LOIC Did you rush out to check if a site was really taken down? If you did, you may have unintentionally helped

The focus on Anonymous’ self-described retributive attacks on a variety of sites last night has been on its use of LOIC – Low Orbit Ion Cannon – as a means to achieve maximum effect with minimal resources.

It’s a connection-based attack, pure and simple: a DDoS at the application layer, built from requests that are individually indistinguishable from legitimate traffic, which makes it very hard to detect, let alone stop.

The tool isn’t really anything special in execution. Its ability to hand control to someone else and communicate with a central system is not what’s special about it. The way it participates in an attack is not what’s special about it.

What’s important about it is that there’s actually nothing really special about it. The purpose is merely to generate requests automatically. Not special requests, just requests.

In other words, anyone with a web browser could do the same, albeit not as efficiently. In fact, it was noted on Twitter during the attacks that “It’s a click party no #LOIC needed” (for those who wanted to help but were concerned with the legal ramifications of using LOIC).

A click party. Flash mob. DDoS.

This is because of a single fundamental truth on the web today: connections count.

CONNECTIONS COUNT

If your infrastructure would not be able to withstand a sudden spike in users – i.e. connections – then it certainly won’t withstand a click party, or targeting via LOIC, or any other tool designed to consume connections.

When thousands of people connect to a site intentionally or unintentionally (did you zip off to check whether the site really was down? If so, you probably helped consume the resources that rendered it unavailable), with or without the use of a tool, it’s going to have an impact. Reports estimated over 5,000 people were using LOIC in last night’s attacks. A typical browser opens several TCP connections for every web page it requests, so the connection impact of those 5,000 people was likely magnified by a factor of two, six, or eight (depending on who you ask, which browser they’re running, and whether they’ve changed the default settings), assuming LOIC likewise uses the configured maximum number of connections per host and per server.

So really, all you have to do to overwhelm a site today is generate more connections than the weakest link in the traffic path can handle. That may be the server, although with cloud computing, virtualization, and auto-scaling this is growing less likely, but it may also be an upstream or downstream network component. Any piece of network infrastructure that manages TCP connections is a potential point of disruption in a concerted attack, as is your DNS infrastructure. Firewalls. Load balancers. Dependent services. There’s a host (pun mostly intended) of possible chokepoints in a network, which makes it likely that even if an attack does not succeed in forcing an outage, it succeeds at overloading enough components that performance degrades so far the site might as well be down.

LEGIT and NON-LEGIT

The biggest problem organizations may face in defending against these types of attacks is detecting them. These are more often than not legitimate requests; they simply arrive in overwhelming numbers, or the client drains the responses very slowly, or uses some other technique whose intent is malicious even though the packets and data are not. If part of the retaliatory attacks by Anonymous was, in fact, a “click party”, security infrastructure was likely unable to do anything about it, because what’s the difference between 100 people clicking on a site in order to attack it and 100 people clicking on a site in order to gather information?

Right. Nothing but intent, and that’s something no infrastructure can determine with any real accuracy. Or can it?

There are some characteristics that make it obvious a user – or bot – is intent on disabling a site: repeated requests for the same content; pulling responses from web servers at a rate far lower than the client’s network connection would normally allow; and failure to complete the TCP handshake or respond to connection-management packets, which is the signature of a spoofed source address (the server’s replies go to an address the attacker does not control), a mostly futile attempt these days to hide the attacker’s location and/or identity.

If infrastructure is smart enough, as some application delivery controllers are, these clues give it the information it needs to redress the situation. What policy to apply to such connections is up to the organization: rejection, closing connections, redirection, and so on. It might simply be that you want to be aware. The right infrastructure can withstand a lot when the attack is primarily trying to overwhelm a site through massive connection counts.
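The following Python script is an added illustration of the connection-count and behavioural tells described in this and the preceding sections; it is not code from the original post or from F5. Over a constructed access log it counts requests per source in a sliding window, measures how concentrated each client's requests are on a single URL, and estimates each client's effective read rate from response size and time-to-serve. The log format (combined log plus two trailing fields, bytes and milliseconds), the thresholds, and the three sample clients are all assumptions made for the example. The third tell from the post, clients that never finish the TCP handshake, is invisible in an HTTP access log and needs connection-level telemetry, so it is not covered here.

```python
"""Flag clients whose request pattern matches the tells listed in the post:
a burst of requests from one source, repeated requests for the same content,
and responses drained far more slowly than a real link would manage.
"""
import re
import statistics
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed (hypothetical) log format: combined-log prefix plus two trailing
# fields, response bytes and time-to-serve in milliseconds.
LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+) (\d+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


@dataclass
class Request:
    ip: str
    ts: datetime
    path: str
    nbytes: int
    ms: int  # time to serve, i.e. how long the client took to read the response


def parse_line(line):
    """Return a Request for one log line, or None if the line does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, _status, nbytes, ms = m.groups()
    return Request(ip, datetime.strptime(ts, TS_FMT), path, int(nbytes), int(ms))


def parse_log(text):
    return [r for r in map(parse_line, text.splitlines()) if r is not None]


def peak_in_window(reqs, window):
    """Largest number of requests (sorted by time) inside any sliding window."""
    peak = start = 0
    for end, r in enumerate(reqs):
        while r.ts - reqs[start].ts > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def assess_clients(requests, window=timedelta(seconds=10), max_per_window=20,
                   min_requests=5, repeat_ratio=0.8, slow_kbps=50.0,
                   min_slow_bytes=100_000):
    """Map each client IP to the list of tells it triggered ([] means clean).

    The thresholds are illustrative assumptions, not values from the post;
    tune them against a baseline of your own traffic.
    """
    by_ip = defaultdict(list)
    for r in requests:
        by_ip[r.ip].append(r)

    verdicts = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda r: r.ts)
        reasons = []

        # 1. Burst of connections/requests from a single source.
        peak = peak_in_window(reqs, window)
        if peak > max_per_window:
            reasons.append(f"burst:{peak}/{int(window.total_seconds())}s")

        # 2. Hammering the same URL (LOIC-style repeated GETs).
        top_path, top_n = Counter(r.path for r in reqs).most_common(1)[0]
        if len(reqs) >= min_requests and top_n / len(reqs) >= repeat_ratio:
            reasons.append(f"repeat:{top_path} {top_n}/{len(reqs)}")

        # 3. Slow reader: effective throughput far below any real link.
        total = sum(r.nbytes for r in reqs)
        rates = [r.nbytes * 8 / r.ms for r in reqs if r.ms > 0]  # kbit/s
        if (len(reqs) >= min_requests and total >= min_slow_bytes
                and rates and statistics.median(rates) < slow_kbps):
            reasons.append(f"slow-read:{statistics.median(rates):.0f}kbps")

        verdicts[ip] = reasons
    return verdicts


def flagged(verdicts):
    return sorted(ip for ip, reasons in verdicts.items() if reasons)


# --- Constructed sample traffic (not real logs) ----------------------------
def _line(ip, ts, path, nbytes, ms):
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 {nbytes} {ms}'

_T0 = datetime(2012, 1, 20, 3, 0, 0, tzinfo=timezone.utc)
# Ordinary browser: one page with its assets, then two more pages minutes apart.
_browser = [
    _line("192.0.2.25", _T0 + timedelta(seconds=s), p, b, ms)
    for s, p, b, ms in [(10, "/index.html", 51200, 35), (10, "/css/site.css", 8192, 12),
                        (10, "/js/app.js", 16384, 18), (11, "/img/logo.png", 4096, 9),
                        (100, "/products.html", 40960, 30), (175, "/about.html", 30720, 25)]
]
# LOIC-style flooder: 30 GETs for the same page, three per second.
_flood = [_line("203.0.113.10", _T0 + timedelta(seconds=60 + i // 3), "/index.html", 51200, 35)
          for i in range(30)]
# Slow reader: every response takes a full minute to drain.
_slow = [
    _line("198.51.100.7", _T0 + timedelta(seconds=60 + 61 * i), p, b, 60000)
    for i, (p, b) in enumerate([("/index.html", 51200), ("/products.html", 40960),
                                ("/about.html", 30720), ("/index.html", 51200),
                                ("/contact.html", 20480)])
]
SAMPLE_LOG = "\n".join(_browser + _flood + _slow)

if __name__ == "__main__":
    for ip, reasons in assess_clients(parse_log(SAMPLE_LOG)).items():
        print(ip, "OK" if not reasons else ", ".join(reasons))
```

Run as-is and the browser client comes back clean, the flooder trips both the burst and repeat tells, and the slow reader trips only the throughput tell. The same verdicts can drive whichever policy the organization chooses (reject, close, redirect, or just alert); the point of keeping the three tells separate is that a click party of real browsers trips only the first one, so the response to "burst" alone should be gentler than the response to all three.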

Right now is a good time to evaluate your infrastructure and its ability to withstand such an attack. Consider leveraging cloud-based load testing services to determine at what connection count your site “falls over”, and which components in the connection path, if any, are your “weakest link”, and then do something about it.


Feedback

1/20/2012 2:16 PM
Hi,

Can you elaborate on TCP Offload, please?

Do TCP Lan Optimized profiles or OneConnect help?

Does lowering the Idle Timeout on TCP profiles help?

What could a BIG-IP customer (like me) do in case something like that happens in their infrastructure? You mentioned some techniques, but could you explicitly say something about the LTM configuration? Assuming we don't have ASM.

That information could be very valuable for many people.

Thanks
Jose Santiago Oyervides
jose
