A – ATTACKERS: DDOS
A standard Denial of Service (DOS) attack denies access to some computing function of a system, or even to the entire system, usually by flooding a resource or a network channel. When a DOS attack is launched from a single system and uses normal networking protocols, it can usually be identified, traced back to its source, and blocked or otherwise acted upon. Distributed DOS (DDOS) attack tools were designed to make such countermeasures harder. DDOS attacks often use the same techniques as DOS attacks but send them from many different sources. The sources are often controlled by a second layer of systems that relay commands but do not participate in the attack themselves. These command nodes instruct the actual attacking systems to vary both the type and the timing of their attacks, so that the defender sees a whole spectrum of DOS attacks that is constantly shifting. A node can be instructed to perform a smurf attack for a few minutes, go silent for a few minutes, resume with a SYN flood, go silent again, resume with yet another type of DOS attack (ICMP floods, UDP floods, DNS reflection attacks, and so on), go silent, and repeat the process indefinitely. Launching the distributed attack from an ad-hoc network of thousands of compromised systems, a bot-net, makes it unlikely that the attack can be quenched quickly or even filtered effectively: blocking the sources seen in one phase does nothing against the fresh sources used in the next.
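To make the shifting pattern concrete, here is an added example (my code, not code from the page's author) that labels NetFlow-style records minute by minute and measures how little a source blacklist built during one phase helps against the next. The records, the Flow fields and the thresholds (WINDOW, MIN_FLOWS, SHARE) are all constructed for the example.

```python
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One NetFlow-style record as the victim's border router would export it (constructed)."""
    ts: int          # seconds since start of capture
    src: str         # source address seen on the wire (spoofed or reflected in some attacks)
    proto: str       # "tcp", "udp" or "icmp"
    sport: int       # source port (0 for icmp)
    tcp_flags: str   # "S" = SYN only; "" for non-TCP
    packets: int


WINDOW = 60        # seconds per analysis window (assumed)
MIN_FLOWS = 100    # fewer flows than this and the window is treated as quiet (assumed)
SHARE = 0.8        # one traffic class must make up this share to earn its label (assumed)


def classify_window(flows):
    """Label one window of flows; returns (label, distinct_sources) or None if quiet."""
    if len(flows) < MIN_FLOWS:
        return None
    n = len(flows)
    shares = {
        "syn-flood": sum(f.proto == "tcp" and f.tcp_flags == "S" for f in flows) / n,
        "icmp-flood": sum(f.proto == "icmp" for f in flows) / n,   # smurf replies land here too
        "dns-reflection": sum(f.proto == "udp" and f.sport == 53 for f in flows) / n,
        "udp-flood": sum(f.proto == "udp" and f.sport != 53 for f in flows) / n,
    }
    label, share = max(shares.items(), key=lambda kv: kv[1])
    if share < SHARE:
        label = "mixed"
    return label, len({f.src for f in flows})


def analyse(flows):
    """Bucket flows into fixed windows and label each active one: {window_index: (label, sources)}."""
    buckets = defaultdict(list)
    for f in flows:
        buckets[f.ts // WINDOW].append(f)
    labelled = {}
    for idx in sorted(buckets):
        result = classify_window(buckets[idx])
        if result is not None:
            labelled[idx] = result
    return labelled


def blacklist_hit_rate(flows, learned_window, target_window):
    """Fraction of the target window's flows that a source blacklist learned from an earlier
    window would have dropped. Low values mean per-source filtering is chasing the attack."""
    blocked = {f.src for f in flows if f.ts // WINDOW == learned_window}
    target = [f for f in flows if f.ts // WINDOW == target_window]
    return sum(f.src in blocked for f in target) / len(target)


def build_sample(seed=7, pool=3000, per_window=400):
    """Constructed traffic: a 3000-host botnet that attacks for a minute, rests a minute,
    and switches technique each time, as the text describes."""
    rng = random.Random(seed)
    hosts = [f"10.0.{i // 256}.{i % 256}" for i in range(pool)]   # 3000 distinct addresses
    schedule = ["syn", None, "dns", None, "icmp", None, "udp"]    # None = silent minute
    flows = []
    for w, kind in enumerate(schedule):
        if kind is None:
            continue
        for src in rng.sample(hosts, per_window):   # a different subset of bots each phase
            ts = w * WINDOW + rng.randrange(WINDOW)
            if kind == "syn":
                flows.append(Flow(ts, src, "tcp", rng.randrange(1024, 65536), "S", 1))
            elif kind == "dns":
                # for reflection the address seen is the open resolver, not the bot;
                # the sample reuses the host pool for both roles
                flows.append(Flow(ts, src, "udp", 53, "", rng.randrange(2, 6)))
            elif kind == "icmp":
                flows.append(Flow(ts, src, "icmp", 0, "", rng.randrange(10, 50)))
            else:
                flows.append(Flow(ts, src, "udp", rng.randrange(1024, 65536), "", rng.randrange(5, 20)))
    return flows


SAMPLE = build_sample()

if __name__ == "__main__":
    for idx, (label, sources) in analyse(SAMPLE).items():
        print(f"minute {idx}: {label:15s} from {sources} distinct sources")
    print(f"blacklist from minute 0 stops {blacklist_hit_rate(SAMPLE, 0, 2):.0%} of minute 2")
```

The distinct-source count is an upper bound on the number of real attackers, not a measurement: SYN flood sources can be spoofed and DNS reflection traffic arrives from open resolvers rather than from the bots, which is why the scenario below can only estimate the size of the internal botnet.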
Recently, as defenses have been developed to attack the command and control elements of bot-nets, bot-nets have evolved to use peer-to-peer structures as a counter. They are starting to use encrypted communication channels and polymorphic stealth techniques that make them harder to eliminate. A recent botnet/worm called Nugache has demonstrated encrypted communications over an ad-hoc peer-to-peer network.
A recent paper discussed weaknesses in current botnet designs (Nugache, Slapper, Sinit, and Phatbot) and presented a new design for an advanced hybrid peer-to-peer botnet. In this design each bot uses its own encryption key and service port, making the botnet more difficult to detect through network flow analysis. It uses public-key cryptography to authenticate commands, so that bots accept only commands that originate from the botmaster and the botnet cannot be hijacked. Shifting command and report traffic across many sensor hosts makes it difficult to either intercept or block. Each bot keeps a peer list for communication, but the list is kept short and is never shared, which limits the damage to the larger network if a bot is discovered and analyzed.
B – Scenario (DDOS)
The purpose of the attackers' DDOS attack was both to disrupt normal network traffic and to demonstrate control of the network to such an extent that the defenders would be forced to shut it down. As the attackers continued their penetration of the network, they deliberately targeted key infrastructure components: email servers, IDS sensors, database servers, routers and switches, and of course the domain controllers. With many of these systems compromised, it would have been easy to disable the network outright, but the goal was to induce the defenders to turn it off themselves, out of mistrust of both their data and their ability to control their own systems.
One of the key elements of the disruption plan was to edit medical data in the patient records database, and to do so over a time-frame long enough that the backup tapes were also contaminated. Since the defenders were using a “father/grandfather” backup rotation scheduled over a monthly time-frame, the contamination had to take place over a period longer than a month, so that no retained backup predated the first tampered record. This effort began early in the penetration and was carried out with maximum attention to stealth, to prevent it from being discovered too early. Once the full-blown attack was launched, the compromised data was deliberately revealed to the defenders to sow mistrust in all of the patient data, including the backups and even paper records recently printed from the data.
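To show why the contamination window had to exceed the rotation period, here is an added example (my code, not the page's) that models a grandfather/father/son tape rotation and asks whether any retained backup predates the first tampered record. The retention periods, the discovery date and the tamper dates are assumptions chosen for the example; the page describes the real rotation only as monthly.

```python
from datetime import date, timedelta


def retained_backups(as_of, daily_keep=7, weekly_keep=4, monthly_keep=1):
    """Dates of the backups still on tape on `as_of` under an assumed grandfather/father/son
    rotation: a daily (son) kept `daily_keep` days, a weekly (father) taken every Sunday and
    kept `weekly_keep` weeks, and a monthly (grandfather) taken on the 1st and kept
    `monthly_keep` months (31 days per month, so at least one monthly is always on hand)."""
    kept = {as_of - timedelta(days=back) for back in range(daily_keep)}
    for back in range(1, 7 * weekly_keep + 1):
        day = as_of - timedelta(days=back)
        if day.weekday() == 6:            # Sunday
            kept.add(day)
    for back in range(1, 31 * monthly_keep + 1):
        day = as_of - timedelta(days=back)
        if day.day == 1:
            kept.add(day)
    return sorted(kept)


def newest_clean_backup(backups, first_tamper):
    """Newest retained backup taken strictly before the first malicious edit, or None when every
    retained copy already contains tampered records. A backup taken on the day tampering began
    is treated as suspect, since the time of day of the first edit is usually unknown."""
    clean = [d for d in backups if d < first_tamper]
    return max(clean) if clean else None


def days_of_cover(as_of, **policy):
    """How far back the oldest retained backup reaches. Tampering that began earlier than this
    cannot be undone from tape at all, whatever the restore procedure."""
    return (as_of - min(retained_backups(as_of, **policy))).days


if __name__ == "__main__":
    discovered = date(2008, 6, 30)        # constructed: the day the tampering is revealed
    print(f"oldest tape reaches back {days_of_cover(discovered)} days")
    for started in (date(2008, 6, 20), date(2008, 5, 15)):   # constructed tamper start dates
        clean = newest_clean_backup(retained_backups(discovered), started)
        print(f"tampering since {started}: restore point {clean}")
    # the same six-week dwell time against a policy that keeps twelve monthlies
    longer = retained_backups(discovered, monthly_keep=12)
    print(f"with 12 monthlies kept: restore point {newest_clean_backup(longer, date(2008, 5, 15))}")
```

Two caveats a practitioner would add: the tamper start date is itself a forensic finding (database audit logs, row checksums, or comparison against the oldest tape), and a backup that predates it is a clean baseline rather than proof that nothing else was altered. The defence against this technique is retention longer than any plausible dwell time, with off-line copies that the attacker cannot reach from the network, not a faster rotation of the same tapes.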
The disruption plan was scaled to begin slowly a few weeks before the final attack and to escalate over that period until a grand climax was reached. Small, inconsequential disruptions were initiated sporadically. Only systems considered unimportant to the rest of the plan were used, on the consideration that if the defenders became suspicious of them, they might be taken off-line and be of no further use to the attackers. One of the attackers' objectives at this point was to exhaust the defenders before the large final attack was launched. The small attacks were not designed to cause major disruption, but simply to be constant annoyances that required attention, kept the support staff busy moving from one small problem to the next, and left them always falling behind on their normal task schedule.
In addition to compromising systems and preparing to launch the DDOS attack, the attackers took actions designed to destroy the defenders' will and ability to function. From the initial reconnaissance, they knew the defenders had two highly skilled rapid-response and forensics teams that could be mobilized on short notice to fly to a site needing their special skills. Several days before the large attack was scheduled, the attackers deliberately revealed a deep intrusion at locations that were not geographically close to the facilities that were the real final targets. This tactic was designed to lure the two incident response teams out of position.
Communications systems were disrupted in an ever-increasing crescendo along with the rest of the incidents. Email server backups were deleted whenever possible; then email accounts were tampered with, email records were deleted at random, and some entire accounts were deleted. Internet gateways and proxy servers were likewise tampered with: services were turned off and unneeded services were turned on. At first this caused no serious disruption, but as time went on the tampering became more serious, with services being deleted and registry files corrupted, requiring more and more time for repair and restore operations and slowing the response to end users' attempts to use normal communications channels.
Key members of the defense teams and key decision makers had been singled out from the basic reconnaissance database, and further focused collection was done to identify their home addresses and phone numbers and as much information as possible about members of their families. This data was used to harass and threaten their families.
The final DDOS blitz was launched on a timetable set by the attackers' plans for their biological weapons attack: they wanted the network to be shut down on the same day that casualties began to stream into the hospitals. Since some DOS attacks can have their sources spoofed, it is impossible to know how many sources were actually involved in the attack, but it is clear that many hundreds and probably several thousand systems were included in the internal botnet.
At the same time as the DDOS attack was launched, the attackers began changing administrative passwords on some of the infrastructure elements, particularly the routers. Unable even to attempt to filter traffic with these units, the defenders were forced to shut them down and begin rebuilding them. Eventually, a decision was made to shut down the entire network and start rebuilding every system from scratch.