Introduction
There is an old saying that those who fail to learn from the past are doomed to repeat it. I believe this statement is true and that there are some things IT security professionals can learn from the WikiLeaks saga of 2010 and from how Distributed Denial of Service (DDoS) attacks were used against specific domains. Before I discuss what we can learn from this event, it's important to understand what happened.
Background
WikiLeaks is a website created by the former Australian hacker Julian Assange. The purpose of the website, seen in Figure 1, is to expose secret or confidential information. WikiLeaks has hosted information on everything from Sarah Palin's Yahoo mail account to Climategate. (Climategate was the name given to leaked emails among climate scientists discounting climate change.) During the later months of 2010, WikiLeaks stayed in the news because of its release of huge amounts of confidential U.S. Government documents.
The alleged source of this information is Bradley Manning. According to a computer chat log published in June 2010 by the Wired News website, Manning bragged to Adrian Lamo, the former hacker who turned him in, that he was going to unleash "worldwide anarchy in CSV format." Among other things, Manning stated in the chat that he would come to work at an Army base outside Baghdad with rewritable CDs labeled with something like "Lady Gaga" and quietly transfer secret U.S. government information onto them.
The release of this information can be categorized as a type of cyber attack. Cyber attacks are much different from traditional war. 9/11, Pearl Harbor, and the Tet Offensive were all planned, organized attacks that quickly made the news and whose physical damage and loss of life could be assessed. Modern cyber attacks can happen in the blink of an eye, and the damage may not be apparent for many months or even years.
Project Payback
Because of the release of this sensitive information and the jailing of the suspect, the U.S. State Department asked companies to stop doing business with WikiLeaks in order to restrict its access to funding. Companies such as Visa, MasterCard, and PayPal froze WikiLeaks' accounts. Other companies followed suit, stating that servicing WikiLeaks violated their internal policies. While this did restrict WikiLeaks' access to funding, it also started a round of DDoS attacks. These attacks were launched by a loose affiliation of hackers known as Anonymous. They targeted companies that had cut off service to WikiLeaks and called the attacks Project Payback. Their stated goal was to exact some vigilante justice against what they believed were evil, free-speech-suppressing corporations such as MasterCard, PayPal, PostFinance.ch, Visa.com, and Amazon.com. What is most interesting is that even though their techniques were low tech, they were somewhat successful at disrupting the services of these companies. Project Payback used Twitter and IRC channels to communicate, and it used publicly available DDoS attack tools against its targets. Anonymous instructed its followers to access a specific URL that provided instructions on how to launch the attack and who or what the intended targets would be. An example of this URL can be seen in the figure above.

DDoS is a blunt instrument: it does not give the attacker access to the victim's site; it simply disrupts communication. A DDoS attack involves flooding a server with traffic until it becomes overloaded and can no longer function. While a single high-speed DSL or cable connection cannot generate enough traffic to cause a significant disruption to a website, an attack spread over hundreds of connections can cause a spike in traffic that has the potential to slow or shut down a domain that has not implemented good security controls.
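The point that many low-rate connections add up to a flood is easy to see in log data. The Python script below is an added example, not code from the original paper or from the Project Payback tools: it parses web-server access-log lines, counts requests per second in total and per client, and labels each second. The log lines are constructed, and the server capacity (500 requests per second) and the per-client limit (20 per second) are assumed values, not figures from the paper.

```python
"""Added example, not code from the original paper: parsing web-server
access-log lines and showing why a flood spread over many low-rate clients
defeats per-client limits. All log lines below are constructed, and the
capacity and per-client thresholds are assumed values."""
import re
from collections import Counter, defaultdict

# Common/combined log format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


def parse_line(line):
    """Return (client_ip, timestamp) for a well-formed line, else None."""
    m = LOG_RE.match(line)
    return (m.group("ip"), m.group("ts")) if m else None


def request_rates(lines):
    """Count requests per second in total and per client address."""
    totals = Counter()
    per_client = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:          # skip malformed lines instead of crashing
            continue
        ip, ts = parsed
        totals[ts] += 1
        per_client[ts][ip] += 1
    return totals, per_client


def classify_second(total, client_counts, capacity, per_client_limit):
    """Label one second of traffic.

    capacity         - requests/second the server can sustain (assumed)
    per_client_limit - the most a single client may send per second (assumed)
    """
    if total <= capacity:
        return "normal"
    if any(n > per_client_limit for n in client_counts.values()):
        return "flood-from-few"      # rate limiting individual clients helps here
    return "distributed-flood"       # every client under the limit, server still saturated


def analyze(lines, capacity=500, per_client_limit=20):
    """Map each timestamp seen in the log to its verdict."""
    totals, per_client = request_rates(lines)
    return {ts: classify_second(totals[ts], per_client[ts], capacity, per_client_limit)
            for ts in totals}


def make_lines(ts, clients, requests_each):
    """Build constructed log lines: each client sends requests_each GETs in second ts."""
    return [f'{ip} - - [{ts}] "GET / HTTP/1.1" 200 512'
            for ip in clients for _ in range(requests_each)]


# Constructed traffic (documentation address ranges): a quiet second, a second
# with one abusive client, and a second where 200 clients each send only 4 requests.
QUIET = make_lines("08/Dec/2010:14:05:00 +0000", [f"192.0.2.{i}" for i in range(1, 21)], 2)
ONE_LOUD = make_lines("08/Dec/2010:14:05:01 +0000", ["203.0.113.7"], 600)
MANY_QUIET = make_lines("08/Dec/2010:14:05:02 +0000", [f"198.51.100.{i}" for i in range(1, 201)], 4)
SAMPLE_LOG = QUIET + ONE_LOUD + MANY_QUIET + ["garbage line that does not parse"]

if __name__ == "__main__":
    for ts, verdict in sorted(analyze(SAMPLE_LOG).items()):
        print(ts, verdict)
```

The second labeled distributed-flood is the Project Payback case: every client stays under a limit that would look reasonable in a per-client rate limiter, yet the server is over capacity, which is why the controls discussed later (filtering, traceback, scrubbing) operate on the aggregate rather than on any one client.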
DDoS attack tools are widely available
Basic controls that can help mitigate DDoS attacks
The need for more protection to mitigate DDoS attacks
The military data-classification system is widely used within the DoD. This system has five levels of classification:

Top secret: Grave damage if exposed
Secret: Serious damage if exposed
Confidential: Disclosure could cause damage
Sensitive but unclassified: Disclosure should be avoided
Unclassified: If released, no damage should result

Each level represents a greater degree of sensitivity than the one below it. Sensitivity is the desired degree of secrecy that the information should maintain. If an individual holds a confidential clearance, he can access unclassified, sensitive, or confidential information for which he has a need to know. His need to know does not extend to the secret or top-secret levels. The concept of need to know is similar to the principle of least privilege in that employees should have access only to the information they need to complete their assigned duties.

Public/private data classification is another approach. The public or commercial data classification is built on a four-level model:

Confidential: This is the highest level of sensitivity; disclosure could cause extreme damage to the company.
Private: This information is for company use only, and its disclosure would damage the company.
Sensitive: This information requires a greater level of protection to prevent loss of confidentiality.
Public: This information might not need to be disclosed, but if it is, it shouldn't cause any damage.

The number one thing that data classification does is to force an organization to examine its information assets and place a value on them. Only then can a company start to look at what level of control is needed to protect this information.
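The two conditions in the text, a clearance at or above the document's level and a need to know for the document's subject, make a simple access rule. The Python below is an added example, not code from the original paper or from any DoD system: it encodes both classification schemes from the text as ordered lists and decides access by comparing the subject's clearance against the document's classification and the subject's need-to-know compartments against the document's compartments. The compartment names ("ops", "payroll"), the analyst, and the documents are constructed for this illustration.

```python
"""Added example, not code from the original paper: an access decision that
combines clearance level with need to know, as the text describes. The level
names follow the paper; the compartment names, users, and documents below
are constructed for this illustration."""

# Levels ordered from least to most sensitive (military scheme from the text).
MILITARY_LEVELS = ["unclassified", "sensitive but unclassified",
                   "confidential", "secret", "top secret"]
# Commercial scheme from the text, same idea with four levels.
COMMERCIAL_LEVELS = ["public", "sensitive", "private", "confidential"]


def rank(level, scheme):
    """Position of a level in the ordering; unknown labels are rejected, not guessed."""
    try:
        return scheme.index(level.lower())
    except ValueError:
        raise ValueError(f"unknown classification level: {level!r}") from None


def may_read(subject, document, scheme=MILITARY_LEVELS):
    """True only if both conditions hold:
      1. the subject's clearance is at or above the document's classification
      2. every compartment on the document is one the subject needs to know
    A document with no compartments is restricted by level alone.
    subject  = {"clearance": level, "need_to_know": set of compartments}
    document = {"classification": level, "compartments": set of compartments}
    """
    if rank(subject["clearance"], scheme) < rank(document["classification"], scheme):
        return False                      # clearance does not extend this high
    needed = set(document.get("compartments", ()))
    return needed <= set(subject.get("need_to_know", ()))


def readable(subject, documents, scheme=MILITARY_LEVELS):
    """Names of the documents this subject may read, in the order given."""
    return [d["name"] for d in documents if may_read(subject, d, scheme)]


# Constructed data: a confidential-cleared analyst with a need to know for "ops".
ANALYST = {"clearance": "confidential", "need_to_know": {"ops"}}
DOCUMENTS = [
    {"name": "base-schedule", "classification": "unclassified"},
    {"name": "sbu-memo", "classification": "sensitive but unclassified"},
    {"name": "ops-plan", "classification": "confidential", "compartments": {"ops"}},
    {"name": "payroll", "classification": "confidential", "compartments": {"payroll"}},
    {"name": "cables", "classification": "secret", "compartments": {"ops"}},
]

if __name__ == "__main__":
    print(readable(ANALYST, DOCUMENTS))   # base-schedule, sbu-memo, ops-plan
```

Note that the analyst is denied the confidential payroll document even though the clearance level is sufficient: that is the need-to-know check doing the work that least privilege asks for, and it is the part most home-grown permission systems leave out.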
The next approach is traceback. This technique focuses on tracing packets back to the points at which they enter the domain. Because the flood's source addresses are usually forged, the trace cannot trust the addresses in the packets and instead follows the traffic hop by hop. Once the entry point is known, the upstream ISP can configure its routers to reject all packets flooding the DDoS target; this causes Internet Control Message Protocol (ICMP) type 3 (destination unreachable) messages to be returned toward the upstream source, and the ISP can then identify the router interfaces through which the attack is entering. The process repeats as the defender continues to work back toward the attacker, tracing the attack to its original source. Mitigation is the third approach. I consider this technique a more proactive defense. Mitigation makes use of a traffic-cleaning center that operates at peering points on the Internet. The cleaning nodes act as scrubbers and redirect only clean, valid traffic to the company's web servers. Symantec, Verisign, and others offer these services.
make it harder for an attacker to hide his true identity. The basic control I am referring to is ingress and egress filtering. Filtering is the act of examining the source and destination IP addresses at key locations such as firewalls and border routers and looking for things that should never happen. Here is an example using the 128.6.68.0 network. If this is your internal address range, you should never receive an IP packet from the Internet whose source address falls within it. The only way such a packet could arrive is if it were forged, so dropping it is the right thing to do. Besides, a reply could never reach the real sender, so there is no reason to process it. A similar rule applies to traffic leaving the network. Using 128.6.68.0 again, no packet should ever arrive at your network exit points (firewall, proxy, or border router) without a valid 128.6.68.0 address as its source. Since many worms, Trojans, and DDoS tools forge the source address, this is another packet that should be logged, investigated, and then dropped. With these rules in place, attacks launched by Tribe Flood Network, Trinoo, Code Red, Blaster, and other tools that forge source IP addresses would have been much harder to launch and execute. Just a few simple rules could have prevented much of the damage these programs have caused. By applying these techniques, you, too, can gain some basic protection.
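The two rules above (drop inbound packets that claim your own prefix as a source, drop outbound packets that do not) are short enough to write out in full. The Python below is an added example, not code from the original paper or from any router vendor: it applies both rules to constructed packets and collects the drops for logging and investigation, as the text recommends. It assumes the internal network is 128.6.68.0/24 (the text names only the address 128.6.68.0, so the mask is an assumption), and it goes one step beyond the text by also dropping inbound packets with private or reserved (RFC 1918, loopback, link-local) source addresses, which is the usual companion to the own-prefix rule.

```python
"""Added example, not code from the original paper: the ingress and egress
filtering rules the text describes, applied to constructed packets.
Assumptions: the internal network is 128.6.68.0/24 (the text names only the
address 128.6.68.0, so the /24 mask is assumed); packets are simple dicts.
The bogon list goes beyond the text: it is the usual companion to the
own-prefix rule and drops inbound packets claiming private or reserved sources."""
import ipaddress

INTERNAL = ipaddress.ip_network("128.6.68.0/24")          # assumed mask

# Source ranges that should never arrive from the Internet (RFC 1918, loopback,
# link-local, "this network"). Not in the paper; standard practice.
BOGON = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]


def filter_packet(direction, src):
    """Return ("permit" | "drop", reason) for a packet seen at the border.

    direction "in"  = arriving from the Internet (ingress rule)
    direction "out" = leaving toward the Internet (egress rule)
    """
    src_ip = ipaddress.ip_address(src)
    if direction == "in":
        if src_ip in INTERNAL:
            return "drop", "ingress: our own prefix as source, must be forged"
        if any(src_ip in net for net in BOGON):
            return "drop", "ingress: private/reserved source address"
        return "permit", ""
    if direction == "out":
        if src_ip not in INTERNAL:
            return "drop", "egress: source not ours, forged or misconfigured host"
        return "permit", ""
    raise ValueError(f"unknown direction {direction!r}")


def run_filter(packets):
    """Apply the rules to a list of {"dir", "src", "dst"} dicts.

    Returns (permitted_count, drop_log) where drop_log is a list of
    (direction, src, dst, reason) tuples to log and investigate, as the text
    recommends, before the packets are discarded.
    """
    permitted, drop_log = 0, []
    for pkt in packets:
        decision, reason = filter_packet(pkt["dir"], pkt["src"])
        if decision == "permit":
            permitted += 1
        else:
            drop_log.append((pkt["dir"], pkt["src"], pkt["dst"], reason))
    return permitted, drop_log


# Constructed packets (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges).
PACKETS = [
    {"dir": "in",  "src": "203.0.113.9",  "dst": "128.6.68.10"},   # legitimate inbound
    {"dir": "in",  "src": "128.6.68.5",   "dst": "128.6.68.10"},   # spoofed: our prefix from outside
    {"dir": "in",  "src": "10.1.2.3",     "dst": "128.6.68.10"},   # spoofed: RFC 1918 source
    {"dir": "out", "src": "128.6.68.10",  "dst": "198.51.100.1"},  # legitimate outbound
    {"dir": "out", "src": "198.51.100.7", "dst": "203.0.113.9"},   # infected host forging source
]

if __name__ == "__main__":
    permitted, drops = run_filter(PACKETS)
    print(f"permitted {permitted}, dropped {len(drops)}")
    for entry in drops:
        print(" ", entry)
```

The egress drop is the one that protects everyone else: an infected host on your network running one of the tools named above cannot forge a source address that leaves your border. On a Cisco border router the same two rules are normally written as an inbound extended ACL denying your own prefix as a source, or more simply as strict unicast RPF (ip verify unicast source reachable-via rx) on the customer-facing interface, which drops any packet whose source address would not be routed back out the interface it arrived on.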
Physical controls are the third category of controls that can be used to mitigate DDoS and control access to information. When discussing DDoS, it's common to think in terms of a network attack, but DDoS can also be the result of a physical attack. For example, if a hacker can gain physical access, he may be able to disrupt, alter, or destroy equipment. Just by gaining access to a router, a hacker could change the routing table and disable or redirect your network traffic. Other examples of physical controls used to protect an organization's assets include:

Gates
Guards
Fences
Locks
CCTV systems
Turnstiles
Mantraps
Conclusion
We live in a world that is much different from just a few years ago. Today, secret and sensitive information may no longer be locked in a safe; a large amount of it can be found in databases and file servers connected to the Internet. A company's sales may demand that it maintain a presence on the Internet, and downtime of only a few minutes may result in the loss of thousands of dollars. The business environment of the 21st century requires that companies build stronger IT security controls and implement true security. Companies must consider the cost of a DDoS attack before it happens and implement controls to mitigate an attack should it occur. The cost of not doing so may be a failed business, loss of life, and more.
Learn More
Learn more about how you can improve productivity, enhance efficiency, and sharpen your competitive edge. Check out the following Global Knowledge course(s): Cybersecurity Foundations Certified Ethical Hacker Security+ Prep Course For more information or to register, visit www.globalknowledge.com or call 1-800-COURSES to speak with a sales representative. Our courses and enhanced, hands-on labs and exercises offer practical skills and tips that you can immediately put to use. Our expert instructors draw upon their experiences to help you understand key concepts and how to apply them to your specific work situation. Choose from our more than 1,200 courses, delivered through Classrooms, e-Learning, and On-site sessions, to meet your IT and business training needs.
security programs within top corporations and government agencies. Michael is an expert in security risk assessment, security risk management, security criteria, and building corporate security programs. He holds two associate degrees, a bachelor's degree, and a master's degree. Some of the certifications he holds include CISA, CISSP, CISM, MCSE, CTT+, CGEIT, A+, N+, Security+, CNA, CCNA, CIW Security Analyst, CEH, CHFI, CEI, DCNP, ES Dragon IDS, ES Advanced Dragon IDS, and SSCP. In addition to his experience performing security assessments, he has authored or coauthored more than 10 books, including Certified Ethical Hacker Exam Prep (Que), CISSP Exam Cram 2 (Que), Build Your Own Network Security Lab (Wiley), and Hack the Stack (Syngress). Michael has created more than 15 security-related courses and training classes for various companies and universities.