CASE STUDY: WEB APPLICATION DDOS ATTACK
MORAL
Ensuring you have DoS/DDoS protection in place, before you are attacked, can pay off.

OVERVIEW
XYZ Corp (name changed to protect client identity), an NTT Group managed security service client, was subjected to a distributed denial-of-service (DDoS) attack. The attack, of a type which had seen little previous use, was an application-layer DDoS attack targeting a web application at a rate of less than a megabit per second. This is a significant difference from the large volumetric attacks which NTT mitigates every day in the global backbone provided to its customers.
TIMELINE OF EVENTS

DATE    EVENT
DAY 1   Possible application DDoS attack detected
        Incident escalated to NTT Group client team
        Client team verified that no operational issues were causing the delays, indicating an attack
        Logs requested from the client's Internet Service Provider (ISP)
        Detailed analysis reveals an attacker maliciously using a WordPress feature as the focus of the attack
        Mitigation steps identified; signature created, tested and deployed
        Client fully mitigates the attack
        Sanitized details of the attack traffic escalated to the DoS prevention vendor
        Total elapsed time for this incident: 5.5 hours
        Elapsed time once logs were received from the ISP: 1.5 hours
DAY 7   Vendor deploys new official signature

DESCRIPTION OF EVENT
During the spring of 2014, NTT Group security analysts in a Security Operations Center (SOC) detected a DDoS attack by observing anomalous responses from various systems within a single client's monitored environment. NTT Group initiated further investigation along with XYZ Corp, as well as XYZ Corp's IT service provider and ISP. The team quickly established that the latency experienced with application performance was not caused by maintenance or network equipment failures. The NTT SOC team requested relevant logs, and further investigation indicated attackers were using legitimate functionality in WordPress called Pingback [7] to conduct a DDoS attack. Once NTT Group security analysts identified the nature of the attack, they developed, tested and deployed a signature to mitigate future attacks. Following the successful mitigation, the DoS prevention vendor was informed about the incident and how NTT Group had mitigated the attack. The vendor created and deployed an official signature, which was made available to all of their other customers.

ROOT CAUSE
This was an application-layer attack, where the goal was to consume all the resources of the targeted web application. The attack did not affect network access to the website, because its volume was low. This is typical of application attacks, and can make them difficult to distinguish from normal website traffic. The low bandwidth also means other applications sharing the same Internet access were not affected. Using this feature of WordPress, the attackers could take advantage of legitimate third-party servers with good reputations, creating what appeared to be legitimate HTTP requests directed at the victim's web servers. The victim's website was not itself running WordPress.

[7] https://en.support.wordpress.com/comments/pingbacks/
Pingback is enabled by default on WordPress and is used to cross-reference between blogs: when blog A links to a post on blog B, A sends B an XML-RPC pingback naming the linking page (the source) and the linked post (the target), and B fetches the source page to verify that the link really exists. The attacker forges the source URL so that the WordPress site contacts the victim's website to check whether the pingback in fact originated there. The Pingback attack therefore consists of legitimate HTTP requests, but each carries an arbitrary query-string value which changes for every request. The arbitrary value is key to the effectiveness of the attack, because it forces the web server to regenerate the page for every incoming request, effectively bypassing any buffering or caching intended to reduce load on the web server. Such regenerations are very resource intensive on the application, and can create a denial-of-service (DoS) condition on the affected website. This is especially true where the requested page is media rich, with large files and a large amount of content. In this type of WordPress attack, legitimate WordPress sites are turned against innocent victims. Such attacks have been observed in the wild, in some cases using more than 160,000 WordPress sites to send pingback requests to a single victim.

A few months later, attackers attempted to use the same type of WordPress DDoS attack against the same client, along with several financial and transportation businesses. One financial institution's website was unavailable for over an hour, while other companies experienced varying degrees of impact for up to 12 hours. NTT Group clients experienced no measurable business impact.
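The mechanism described under ROOT CAUSE leaves a recognisable footprint in the victim's own web server logs: the reflectors are real WordPress installations, so every fetch arrives with WordPress's own pingback-verification User-Agent, and the cache-busting trick shows up as the same path requested with a different query string on every hit. The following is an added example, not NTT Group's signature or any code from the case study: it parses a handful of constructed Apache combined-format log lines, isolates the verification fetches, and flags a path being hit by several distinct reflectors with many distinct query strings. It also reproduces the XML-RPC call a reflector receives (the real pingback.ping method with sourceURI and targetURI parameters), so a WordPress operator can recognise the inbound side in their xmlrpc.php logs. The User-Agent shapes in the regex are those WordPress sends; the "verifying pingback from <ip>" suffix was added in WordPress 3.9, so older reflectors send only the bare form. All hostnames, addresses and log lines are constructed.

```python
"""Spotting WordPress pingback reflection in a victim's web server logs.

Added example (not NTT Group's signature): parses constructed Apache
"combined" access log lines, isolates the verification fetches that
WordPress reflectors make on the attacker's behalf, and flags any path that
is hit by several distinct reflectors with many distinct cache-busting
query strings. Also shows the XML-RPC call a reflector receives.
"""
import re
import xmlrpc.client
from collections import defaultdict

# Apache combined log format: %h %l %u %t "%r" %>s %b "%{Referer}i" "%{User-Agent}i"
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# User-Agent of a WordPress pingback verification fetch:
#   "WordPress/<version>; <blog URL>"                                (before 3.9)
#   "WordPress/<version>; <blog URL>; verifying pingback from <ip>"  (3.9 and later)
PINGBACK_UA_RE = re.compile(
    r"^WordPress/[\d.]+; \S+(; verifying pingback from (?P<submitter>\S+))?$"
)

# Constructed sample: four reflector fetches of the same page, each with a
# different cache-busting query string, mixed with two ordinary browser hits.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Mar/2014:10:01:01 +0000] "GET /index.html?4812777 HTTP/1.1" 200 83214 "-" "WordPress/3.8.1; http://blog-a.example"
203.0.113.22 - - [12/Mar/2014:10:01:02 +0000] "GET /index.html?9001234 HTTP/1.1" 200 83214 "-" "WordPress/3.9; http://blog-b.example; verifying pingback from 198.51.100.7"
203.0.113.35 - - [12/Mar/2014:10:01:02 +0000] "GET /index.html?1122334 HTTP/1.1" 200 83214 "-" "WordPress/3.8; http://blog-c.example"
203.0.113.10 - - [12/Mar/2014:10:01:03 +0000] "GET /index.html?5566778 HTTP/1.1" 200 83214 "-" "WordPress/3.8.1; http://blog-a.example"
198.51.100.200 - - [12/Mar/2014:10:01:03 +0000] "GET /index.html HTTP/1.1" 200 83214 "-" "Mozilla/5.0 (Windows NT 6.1; rv:27.0) Gecko/20100101 Firefox/27.0"
198.51.100.201 - - [12/Mar/2014:10:01:04 +0000] "GET /about.html HTTP/1.1" 200 1201 "http://victim.example/" "Mozilla/5.0 (X11; Linux x86_64) Chrome/33.0.1750.146"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def is_pingback_verification(rec):
    """True when the User-Agent is the one WordPress uses while verifying a pingback."""
    return PINGBACK_UA_RE.match(rec["ua"]) is not None


def find_pingback_floods(lines, min_reflectors=3, min_distinct_queries=3):
    """Group verification fetches by path and flag the cache-busting pattern.

    One genuine pingback produces one fetch of one URL from one blog. Many
    fetches of the same path from many blogs, each with a different query
    string, is the reflection attack described in the case study.
    """
    per_path = defaultdict(
        lambda: {"hits": 0, "reflectors": set(), "queries": set(), "submitters": set()}
    )
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_pingback_verification(rec):
            continue
        bucket = per_path[rec["path"]]
        bucket["hits"] += 1
        bucket["reflectors"].add(rec["ip"])
        bucket["queries"].add(rec["query"])
        submitter = PINGBACK_UA_RE.match(rec["ua"]).group("submitter")
        if submitter:  # 3.9+ reflectors reveal who submitted the pingback to them
            bucket["submitters"].add(submitter)
    findings = {}
    for path, b in per_path.items():
        if len(b["reflectors"]) >= min_reflectors and len(b["queries"]) >= min_distinct_queries:
            findings[path] = {
                "hits": b["hits"],
                "reflectors": sorted(b["reflectors"]),
                "distinct_queries": len(b["queries"]),
                "submitters": sorted(b["submitters"]),
            }
    return findings


def pingback_request(source_uri, target_uri):
    """XML-RPC body a reflector's /xmlrpc.php receives: pingback.ping(sourceURI, targetURI).

    In the attack, sourceURI is the victim page (with a fresh query string)
    and targetURI is any real post on the reflector, so the reflector fetches
    the victim to "verify" a link that was never there.
    """
    return xmlrpc.client.dumps((source_uri, target_uri), "pingback.ping")


if __name__ == "__main__":
    for path, info in find_pingback_floods(SAMPLE_LOG.splitlines()).items():
        print(f"{path}: {info['hits']} fetches from {len(info['reflectors'])} reflectors, "
              f"{info['distinct_queries']} distinct query strings, submitters={info['submitters']}")
    print(pingback_request("http://victim.example/index.html?4812777",
                           "http://blog-a.example/2014/03/a-post/"))
```

On the sample above the detector reports /index.html with 4 fetches from 3 reflectors and 4 distinct query strings, and the one 3.9-style reflector also names the submitter address. Two caveats for turning this into a blocking rule. First, a rule keyed only on the User-Agent would also drop the occasional genuine verification fetch a non-WordPress site receives when a real blog links to it; the cache-busting cardinality is the stronger signal. Second, since the whole point of the random query string is to defeat caching, serving the affected pages from a cache that ignores the query string for paths that take none neutralises the load even before the traffic is blocked. On the reflector side, a WordPress operator can remove the method entirely by unsetting pingback.ping in the xmlrpc_methods filter.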
COST OF INCIDENT
Based on interaction with the client XYZ Corp, NTT Group estimated that the actual cost of this event was fairly low, since the incident was discovered and mitigated rapidly. Costs associated with the incident were mostly related to coordination, communication, documentation and lessons-learned activities.

ITEM                                                                                         COST
Actual cost of investigation, remediation and professional incident support as described     Less than $2,000
Actual cost of legal and public relations support                                            $0
Actual loss due to website outage                                                            Low
Actual total cost directly related to the event                                              Less than $2,000
Actual total cost of the follow-on attack (after signatures had been deployed)               $0
Caption: Cost of successfully mitigated DDoS event.

CASE STUDY SUMMARY
Data from NTT Group shows denial-of-service attacks continue to be prevalent and pose a threat to any business with an online presence. In this particular case, XYZ Corp had proactively invested in protection against DoS/DDoS attacks. Once the attack was detected, experts were ready to mitigate the web application attack immediately. Skilled SOC analysts investigated and deployed effective permanent protection. Later, when new WordPress attacks targeted the business again, XYZ Corp did not experience any downtime.
THREAT MITIGATION: WEB APPLICATION DOS/DDOS ATTACK
Service downtime not only affects customer interactions, but also has a huge impact on the reputation of any business. DoS/DDoS attacks vary in type and method, so there is no single solution which will stop them all. However, a proactive, layered defense following sound guidelines can help prevent these attacks and minimize their impact. The following recommendations can help to mitigate the impact of DoS/DDoS attacks:

Conduct an enterprise risk assessment: Identify your organization's important data and applications, and the potential impact which different attacks could have on your organization. If an attack could create an outage causing a measurable impact on your business, include DoS/DDoS mitigation strategies in your organization's security plans.

Create a formal DoS/DDoS incident response plan: Ensure that your incident response plan includes guidance for preparation and response to DoS/DDoS attacks.

Deploy a layered DoS/DDoS defense strategy: Consider all aspects of your environment, and review on-site, cloud and ISP-based solutions. Not all DoS/DDoS attacks are equal; low-and-slow application attacks such as the one in this case study, which was under a megabit per second, require a different response tactic than rate-based reflection attacks which flood the network layer.

Understand ISP options: Maintain an accurate contact list with names and phone numbers for all ISP and third-party providers so you can readily contact them for assistance. Discuss DoS/DDoS detection and mitigation support options with your ISP before you actually need the services.

Review lessons learned: After a DoS/DDoS attack, regardless of whether the attack was successful, review your lessons learned to help you manage future attacks.

Test your environment: Test your exposed systems to find, and mitigate, system limits and weak points before you are subjected to an attack.

Leverage monitored and managed security services: Evaluate the offerings of any DoS/DDoS mitigation and assessment services supported by your managed security services provider. Be proactive about understanding their capabilities, and how third-party services can complement other available resources.