WWW – Web Weaponization and WikiLeaks

Unless you’ve been on a sabbatical in a remote and unconnected part of the world, I don’t think you could have missed the news regarding WikiLeaks (the “whistleblower” web site) and its founder, Julian Assange. To put it succinctly, in the last few weeks, attempts have been made to shut down WikiLeaks’ operations- from payment processors to hosting providers and others. Mr. Assange has had unrelated charges filed against him and was recently arrested on those charges.

But this article isn’t about his arrest – it’s about the resultant firestorm that continues to rage across the Internet as a result of countless people rising up and protesting against, what can be described as, “Internet censorship”. The protests are being conducted in a way that can be devastating to any organization that finds itself in the crosshairs of the “ION Cannons” (more on those later). For those that are wondering, the countless people’s action that I was referring to is the devastating DDoS (Distributed Denial of Service) attack.

 In a nutshell, a DDoS is an attack where the target of the attack is subjected to the  output aggregate of bot-driven and individually-generated  data that is both distributed and large on receipt. The result is that the target can no longer respond to requests, or its ability to respond to those requests has become significantly diminished – in other words, “tango down” [http://www.urbandictionary.com/define.php?term=Tango%20Down]. You can also visit this link for a more detailed definition: http://en.wikipedia.org/wiki/Denial-of-service_attack.   

 For insight into the how/why regarding this particular DDoS attacker, here’s an interesting interview of 4Chan in a Computerworld blog post by Richi Jennings: http://blogs.computerworld.com/17493/4chan_helps_wikileaks_julian_assange_shuts_down_bank_website?tb. There are also quite detailed articles surrounding DDoS attacks such as the article entitled, “DDoS Free–for-all “, by Dark Reading’s Kelly Jackson Higgins: http://www.darkreading.com/insider-threat/167801100/security/attacks-breaches/228702011/ddos-free-for-all-mastercard-visa-other-major-websites-hit-in-wikileaks-fallout.html

 

Example of coordination via Twitter

 If that wasn’t enough for the world, or curious onlookers, there’s also a report of malware (worm) linked to WikiLeaks-related spam: http://www.net-security.org/malware_news.php?id=1560.

 There’s an old saying, “Those who cannot remember the past are doomed to repeat it”. [http://en.wikiquote.org/wiki/George_Santayana] If you recall, several years ago there was another cyber-call-to-arms – that one was regarding the DDoS attacks against Estonia. Studying the attacks, defenses and results provide important lessons, and in some cases, best-practices. Numerous references and sources here: http://en.wikipedia.org/wiki/2007_cyberattacks_on_Estonia.  

 So how do you protect your organization from a DDoS attack? Here are just three recommendations (there are others that are fairly complex but I thought I’d share at least three solutions of many):

(1) Separate the internal business functions, whatever those might be, from the public-facing web servers. This has continually been one of the key methods of preventing DDoS attacks from severely impacting the internal operations of any organization. For those organizations that are dependent on online ordering, a DDoS attack can yield a crippling effect.

(2) Having a hosting company host your website(s) as well as DNS is crucial. They are more readily able to address the flood of inbound traffic than most non-hosting organizations. They often have the expertise, bandwidth and equipment necessary to respond to the attack. Note: not all hosting companies are created equal and one’s mileage may vary when it comes to the type and intensity of attack. There are also various costs involved with different services and SLAs (Service Level Agreements).

(3) Rate-limiting/traffic shaping front-end hardware to reduce the amount of traffic that can reach mission-critical servers (such as e-commerce sites). This may also come ion the form of a proxy-type service that classifies traffic and only forwards non-malicious traffic. Sometimes the use of firewalls may help slow down the site it is set to protect (if at the perimeter). Having a hardware appliance up front with defined ACLs (Access Control Lists) to filter the packets quickly is a good first step.

 The “when, where and why” of a DDoS attack is very dynamic, and as such, it means that any person or organization is prone to being attacked at any time for any reason. So what’s a person to do about this? It all comes down to risk management – knowing the benefits, liabilities and costs of using the Internet as a business, social, educational or political platform.

 

Jeff Debrosse

Sr. Security Evangelist

 

p.s. Oh, and about those Low-Orbit ION Cannons, read more about them here: http://www.urbandictionary.com/define.php?term=Low%20Orbit%20Ion%20Cannon