OpKillingBay 2016 Update – APDoS Attacks
Online protests in the form of network and application attacks against countries and organizations involved in whale and dolphin hunting have become an integral part of hunting season. OpKillingBay is an annual Advanced Persistent Denial of Service attack (APDoS attack) campaign created by Anonymous. During the hunting season, which runs from September to March, street protests are accompanied by online protests in the shape of large-scale cyber-attacks (see Figure 1).
While the main target for OpKillingBay is Japan, parallel Anonymous operations target European countries such as Denmark, the Faroe Islands, Iceland, and Norway. The attackers launch network and application floods to disrupt the operations of those involved in hunting, such as government institutions and large corporations (see Target List below). Last year, hackers took down the websites of Tokyo Narita International Airport and the car manufacturer Nissan with similar APDoS attacks.
Figure 1: Tweets from OpKillingBay 2016
Reasons for Concern
Radware expects denial of service attacks, data dumps and service outages caused by OpKillingBay. Attackers are using tools like Nmap, designed for network discovery and security auditing. They are also using basic script tools to launch Layer 7 attacks in combination with stresser services. As part of building their target lists, OpKillingBay attackers will identify ports to attack and whether the target has DDoS mitigation solutions implemented.
Advanced Persistent Denial of Service Attacks (APDoS Attacks)
These APDoS attacks are hard to avoid, as the core of the issue is an ideological difference. While the victims of these attacks are conducting business within their rights, the group behind OpKillingBay and other operations is driven by emotions and what they believe to be social injustice. As these two groups continue to disagree, we expect to see a persistent state of attacks. These attacks can be labelled as APDoS attacks because they are multi-vector and because of the length of time they can last. These campaigns usually begin with port scanning attempts, followed by various attacks at different volumes and durations with the goal of identifying weaknesses and blind spots.
Figure 2: Touch My Tweets targets Japanese website
Scanning Tools For OpKillingBay
Nmap – Nmap is a security scanner designed for network discovery and security auditing. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network and what services (application name and version) those hosts are offering. In addition, it identifies what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics.
Attack Vectors For OpKillingBay
Layer 7 (HTTP) Flood - HTTP flood consists of seemingly legitimate session-based sets of HTTP GET or POST requests sent to a target Web server. These requests are specifically designed to consume a significant amount of the server’s resources, and therefore can result in a denial-of-service.
HTTP makes it difficult for network security devices to distinguish between legitimate HTTP traffic and malicious HTTP traffic, and this can cause a high number of false-positive detections. Rate-based detection engines are also not successful at detecting HTTP flood attacks, as the traffic volume of an HTTP flood may stay under detection thresholds. Because of this, detection has to combine several parameters, both rate-based and rate-invariant.
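To make the rate-based versus rate-invariant distinction concrete, here is an added example (not code from the original advisory or from Radware) that runs a small detector over constructed web-server access-log lines. The rate-based signal is the peak number of requests from one client in any 10-second window; the rate-invariant signals are properties of the request mix that do not depend on volume (one URL hammered repeatedly, no User-Agent at all, never fetching a static asset the way a browser would). The thresholds, the three heuristics and the sample log are assumptions chosen for illustration; a low-and-slow client that never crosses the rate threshold is still flagged on the behavioral signals alone, which is the point of the paragraph above.

```python
"""Toy HTTP-flood detector combining rate-based and rate-invariant signals.
Added example; log lines, thresholds and heuristics are constructed assumptions."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
STATIC_EXT = (".css", ".js", ".png", ".jpg", ".ico", ".woff2")


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    return rec


def peak_rate(events, window=timedelta(seconds=10)):
    """Rate-based signal: the largest number of requests from one client
    that fall inside any sliding window of the given length."""
    times = sorted(e["ts"] for e in events)
    peak, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        peak = max(peak, end - start + 1)
    return peak


def invariant_flags(events):
    """Rate-invariant signals: heuristics (assumed, not Radware's) on the
    request mix that hold whether the client sends 5 or 5000 requests."""
    n = len(events)
    flags = []
    _top_path, top_count = Counter(e["path"] for e in events).most_common(1)[0]
    if n >= 5 and top_count / n >= 0.9:
        flags.append("single_path")          # hammering one dynamic URL
    if all(e["ua"] in ("", "-") for e in events):
        flags.append("empty_user_agent")     # never sends a User-Agent
    if n >= 5 and not any(e["path"].endswith(STATIC_EXT) for e in events):
        flags.append("no_static_assets")     # real browsers fetch css/js/img
    return flags


def classify(lines, rate_threshold=20, min_flags=2):
    """Return {client_ip: evidence dict}; a client is suspicious if it exceeds
    the rate threshold OR shows at least min_flags behavioral anomalies."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, events in by_ip.items():
        peak = peak_rate(events)
        flags = invariant_flags(events)
        # Rate alone catches volumetric floods; the flags catch low-and-slow
        # floods that deliberately stay under the rate threshold.
        suspicious = peak >= rate_threshold or len(flags) >= min_flags
        verdicts[ip] = {"peak_10s": peak, "flags": flags, "suspicious": suspicious}
    return verdicts


# ---- constructed sample log (not real traffic) ------------------------------
def _line(ip, t, path, ua, status="200", referer="-"):
    return f'{ip} - - [{t.strftime(TS_FMT)}] "GET {path} HTTP/1.1" {status} 512 "{referer}" "{ua}"'

T0 = datetime(2016, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
BROWSER = "Mozilla/5.0 (X11; Linux x86_64) Firefox/48.0"
SAMPLE_LOG = (
    # volumetric flood: 30 hits on /login within 10 s, no User-Agent
    [_line("10.0.0.5", T0 + timedelta(milliseconds=333 * i), "/login", "-") for i in range(30)]
    # low-and-slow flood: 8 hits on /search spread over a minute (under the rate threshold)
    + [_line("10.0.0.7", T0 + timedelta(seconds=8 * i), "/search?q=whale", "-") for i in range(8)]
    # ordinary browsing session: pages plus their static assets, browser User-Agent
    + [_line("192.168.1.20", T0 + timedelta(seconds=5 * i), p, BROWSER)
       for i, p in enumerate(["/", "/static/app.css", "/static/app.js",
                              "/products", "/static/logo.png", "/products/42"])]
)

if __name__ == "__main__":
    for ip, v in classify(SAMPLE_LOG).items():
        print(ip, v)
```

Run it as a script to see the three verdicts: the volumetric client is flagged on rate (peak 30 in 10 s), the low-and-slow client is flagged only on the behavioral signals (peak 2, three flags), and the browsing session is clean. In production the same two-signal structure applies, but the thresholds need tuning per site and the behavioral heuristics should be treated as scores, not hard rules.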
SQL Injection – This technique takes advantage of poor application coding. When application inputs are not sanitized, the application becomes vulnerable. Attackers can modify an application's SQL query to gain access to unauthorized data with administrator access, run remote commands on the server, drop or create objects in the database, and more.
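The coding defect the paragraph describes is input pasted into the query text, which lets the input change the query's structure. As an added example (not code from the advisory), the following Python/sqlite3 snippet puts the vulnerable lookup beside its parameterized fix over a constructed in-memory table; the table, the user names and the placeholder password hashes are assumptions. The same input that turns the first query into a tautology returning every row is treated as plain data by the second and matches nothing.

```python
"""SQL injection: string-built query versus parameterized query.
Added example; the table and its rows are constructed test data."""
import sqlite3


def make_db():
    """In-memory table with two constructed users; hashes are placeholders."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("admin", "<placeholder-hash>", "admin"),
         ("alice", "<placeholder-hash>", "user")],
    )
    return conn


def find_user_vulnerable(conn, name):
    """Defective: user input is concatenated into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = f"SELECT name, role FROM users WHERE name = '{name}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn, name):
    """Fixed: the value is bound to a '?' placeholder by the driver and can only
    ever be compared as data, never parsed as part of the statement."""
    return conn.execute(
        "SELECT name, role FROM users WHERE name = ?", (name,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    tautology = "' OR '1'='1"  # input that rewrites the unparameterized query
    print("vulnerable, normal input:", find_user_vulnerable(db, "alice"))
    print("vulnerable, tautology:   ", find_user_vulnerable(db, tautology))
    print("safe, tautology:         ", find_user_safe(db, tautology))
```

Parameterization removes the defect regardless of what the input contains, which is why it is preferred over trying to sanitize quotes by hand. Running the database connection as a least-privileged account (no DDL or file-system rights) limits what a missed injection can do, which addresses the "drop or create objects" and "run remote commands" consequences listed above.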
Organizations Facing APDoS Attacks Should Consider
Hybrid DDoS Protection (on-premise + cloud) – for real time protection that also addresses high volume attacks and protects from pipe saturation.
Behavioral-Based Detection - to quickly and accurately identify and block anomalies while allowing legitimate traffic through.
Real-Time Signature Creation - to promptly protect from unknown threats and zero-day attacks.
A cyber-security emergency response plan that includes a dedicated emergency team of experts.
In addition, we recommend that you review your network and patch your systems accordingly. Maintaining and inspecting your network often is necessary in order to defend against these types of risks and threats.
Under Attack and in Need of Expert Emergency Assistance? Radware Can Help.
Radware offers a DDoS service to help respond to security emergencies, neutralize the risk and better safeguard operations before irreparable damage occurs. If you're under a DDoS attack or malware outbreak and in need of emergency DDoS attack prevention, contact us with the code "Red Button".