DDoS on Russian banks. Chronology of the attack

On November 9, a large Russian bank registered an attack on its main public website. The events coincided with a wave of political media coverage around the results of the US presidential election.



At that moment our company's specialists were carrying out an external pentest of the bank's infrastructure (it was the first day of the engagement). The bank had been warned that the work might affect production systems, so the first assumption about the cause of the website's difficulties was the external pentest itself.



It quickly became clear that this was an external attack. The bank's specialists began struggling to keep the site up. Jet Infosystems sent an engineer to help the financial organization's specialists repel the attack jointly.


Based on the analysis of information security events and web-server logs, the following chronology of events was reconstructed.



During November 8, the attackers attempted to exploit vulnerabilities in the way the website's scripts processed request parameters (attempts to craft requests that would disrupt the application). This was reconnaissance of the victim: they were looking for a targeted attack that would be guaranteed to take the bank's site down. It did not significantly affect the site's availability. Apparently the attackers found nothing interesting and decided to act with "brute force".



On November 9, from midnight until about six in the morning, the attack consisted of a low-level flood of low bandwidth (up to 10 Mbit/s). The attackers used the ancient SYN flood, aimed at exhausting web-server resources. The local DDoS protection system successfully repelled this small attack.



The bank's experts knew from experience that a much stronger blow could follow. The hackers had, in effect, given themselves away in advance and allowed the bank to strengthen its defenses. Preparations began to repel more powerful and higher-rate attacks; in particular, protection was activated on the carrier's channels. These actions proved very timely.



In the first half of November 9, the telecom operator whose channels served as the main ones successfully repelled attacks of up to 350 Mbps. The bank's own systems would not have coped with such loads.



Assessing the seriousness of the attack, the bank urgently began connecting to one of the Russian cloud DDoS-protection services. This was done by the end of the day. The threat was escalated to the financial organization's management, which allowed the process to be sped up as much as possible.



The bank's systems and the provider's reports made it clear that the attackers saw their attacks were ineffective and were trying different options. Different types were tried: both low-level, simple ones (ICMP flood, SYN flood, spoofed SYN flood) and application-level ones. Most were aimed at exhausting the available resources of the web servers.



An analysis of the attackers' IP addresses showed that most of them were not among well-known proxy servers or exit nodes of the Tor anonymity network and were not identifiable as any public services, i.e. the botnet consisted mainly of real end-user devices. This, together with the specifics of the attacks, lets us agree with analysts who claim that part of the well-known Mirai botnet took part in the attack. The source code of the botnet's components was recently published online, so we assume this was not the original botnet but a new, smaller one, likewise consisting of compromised IoT devices, including home DVRs.



Unfortunately, the attackers eventually found a weak spot in the bank's protection. Neither the provider nor the DDoS protection service could reliably separate legitimate from malicious encrypted (HTTPS) traffic. The attackers understood this and directed the main flow of the attack at this vector: infected systems simply opened the site over HTTPS at a very high rate. Since cryptography requires substantial computational resources, the bank's systems could not cope with the load. The site went down. Customers could not reach the main page or use the Internet bank.
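The two preceding paragraphs describe what the upstream provider cannot see (it only sees encrypted sessions) and what the bank's own web-server logs do reveal once TLS is terminated: per-source request rate, which paths are hit, and whether the sources match known proxy or Tor exit lists. The script below is an added illustration of that log-side analysis; it is not code from the article or from Jet Infosystems. The log lines, IP addresses (RFC 5737 documentation ranges) and the anonymizer list are constructed placeholders, and the per-minute threshold is an assumed tuning value.

```python
import re
from collections import defaultdict

# Combined-log-format line (nginx/Apache style), e.g.
# 203.0.113.7 - - [09/Nov/2016:21:14:01 +0300] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed placeholder list; in practice this would be a published Tor exit
# list or a proxy/VPN reputation feed.
KNOWN_ANONYMIZERS = {"192.0.2.55"}


def make_line(ip, ts, path, ua="Mozilla/5.0"):
    """Build one constructed access-log line (only used to produce sample input)."""
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5120 "-" "{ua}"'


# Constructed sample log: one ordinary visitor and two sources hammering "/".
LEGIT = [
    make_line("203.0.113.7", "09/Nov/2016:21:14:01 +0300", "/"),
    make_line("203.0.113.7", "09/Nov/2016:21:14:09 +0300", "/static/app.css"),
    make_line("203.0.113.7", "09/Nov/2016:21:16:40 +0300", "/login"),
]
FLOOD_A = [make_line("198.51.100.20", f"09/Nov/2016:21:14:{s:02d} +0300", "/", "Mozilla/4.0")
           for s in range(0, 60, 5)]          # 12 hits on "/" inside one minute
FLOOD_B = [make_line("192.0.2.55", f"09/Nov/2016:21:15:{s:02d} +0300", "/")
           for s in range(0, 40, 5)]          # 8 hits inside one minute
SAMPLE_LOG = "\n".join(LEGIT + FLOOD_A + FLOOD_B)


def parse_log(text):
    """Parse combined-format lines; malformed lines are skipped, not fatal."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["minute"] = rec["ts"][:17]        # "09/Nov/2016:21:14" -> minute bucket
        records.append(rec)
    return records


def per_source_stats(records):
    """Aggregate request count, distinct paths and per-minute hits for each source IP."""
    stats = defaultdict(lambda: {"requests": 0, "paths": set(), "per_minute": defaultdict(int)})
    for r in records:
        s = stats[r["ip"]]
        s["requests"] += 1
        s["paths"].add(r["path"])
        s["per_minute"][r["minute"]] += 1
    return stats


def flag_sources(stats, max_per_minute=5):
    """Flag sources whose peak one-minute rate exceeds the assumed threshold.

    Low path diversity at a high rate is typical of a bot repeatedly opening the
    front page, as opposed to a browser loading a page and its assets.
    """
    flagged = {}
    for ip, s in stats.items():
        peak = max(s["per_minute"].values())
        if peak > max_per_minute:
            flagged[ip] = {
                "peak_per_minute": peak,
                "distinct_paths": len(s["paths"]),
                "known_anonymizer": ip in KNOWN_ANONYMIZERS,
            }
    return flagged


def summarize(flagged):
    """Count how many flagged sources are known anonymizers versus direct (likely real) devices."""
    anonymizer = sum(1 for v in flagged.values() if v["known_anonymizer"])
    return {"flagged": len(flagged), "anonymizer": anonymizer, "direct": len(flagged) - anonymizer}


def analyze(text, max_per_minute=5):
    """Full pipeline: log text -> flagged sources and summary."""
    flagged = flag_sources(per_source_stats(parse_log(text)), max_per_minute)
    return flagged, summarize(flagged)


if __name__ == "__main__":
    flagged, summary = analyze(SAMPLE_LOG)
    for ip, info in sorted(flagged.items()):
        print(ip, info)
    print(summary)
```

On the constructed sample, the two flooding sources are flagged and the ordinary visitor is not; only one of the flagged sources appears on the placeholder anonymizer list, which is the kind of result that, at scale, supports the conclusion that the traffic came mostly from real devices rather than proxies or Tor exits.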



Perhaps a WAF (a specialized firewall for protecting web applications) could have helped the bank. One had even been installed, but it had not yet been commissioned and the bank's website was not connected to it.



The financial organization had to urgently adapt the site's infrastructure to the attack: encryption was moved to separate, more powerful hosts, and on some pages of the site (those that do not process confidential data) HTTPS had to be turned off altogether. These measures remedied the situation, but the site nevertheless malfunctioned for several hours.



Besides the obvious damage, the DDoS attack created additional load on the bank's infrastructure (virtualization farms, communication channels and intermediate network equipment), which led to performance degradation and problems in a number of systems not directly related to the site.



We must pay tribute to the team that opposed the attack. Specialists without sleep or rest repelled every new wave. The attack caused relatively little damage to the bank precisely because of the engineers' immediate reaction and management's support. Decisions that take months under the usual conditions of banking bureaucracy were taken and implemented by the crisis headquarters in a matter of minutes.



P.S. On November 11, another of our clients came under attack, a bank far from the top ten. It is impossible to say unequivocally that this was part of the same attack, but on the whole its profile is very similar.



Authors: Andrei Yankin, Head of Consulting Department, Information Security Center, Jet Infosystems and Sergey Pavlenko, Head of Engineering Support and Service, Information Security Center, Jet Infosystems.

Source: https://habr.com/ru/post/315226/
