Cisco Applied Mitigation Bulletin

Cisco Applied Mitigation Bulletin: Identifying and Mitigating Distributed Denial of Service Attacks Based on Low Orbit Ion Cannon Bot Agent

 
Threat Type: CWE-399: Resource Management Errors
IntelliShield ID: 22056
Version: 3
First Published: 2010 December 10 17:15 GMT
Last Published: 2010 December 13 17:36 GMT
Port: Not available
Urgency: Weakness Found
Credibility: Confirmed
Severity: Mild Damage
 
 
Version Summary:

Additional AnonOps IRC server information is available.

 

Contents

Introduction
Device-Specific Mitigation and Identification
Related Links
Additional Information
Cisco Security Procedures

Introduction

Over the past several days, a group of vandals known as AnonOps has coordinated and incited attacks against websites it deemed unsupportive of WikiLeaks and its founder Julian Assange. To that end, the group is encouraging anyone with an Internet-connected host to download and run the Low Orbit Ion Cannon (LOIC) bot agent. Cisco is publishing this bulletin for customers who may want to identify and stop use of the LOIC application from within their own networks (as potential sources of attack traffic), as well as defend their networks (as potential victims) against distributed denial of service (DDoS) attacks launched with LOIC.

Attack Characteristics

LOIC (Low Orbit Ion Cannon) is an open-source tool written in the C# programming language; the project is hosted on major open-source repositories, including GitHub and SourceForge. According to reports, the tool's main purpose is to stress-test web applications; however, it is now being leveraged to perform DDoS attacks against any number of targets. Recently, a specific Twitter account has also been used to coordinate the attacks and recruit participants.

Additional details of this activity are described in IntelliShield Alert 22057.

LOIC Network Connectivity Summary

  • Host (potential attacker) connects via standard HTTP to AnonOps website (refer to list of web servers below) to learn about next target (victim)
  • Host downloads the LOIC DDoS tool (uses HTTP GET request)
  • LOIC connects to an IRC server (refer to list of IRC servers below) 
  • LOIC attack commences once hosts in voluntary botnet receive command from the IRC server

AnonOps Network IRC Server DNS Names
sobriquet.anonops.net
loic.anonops.net 
care.anonops.net
lost.anonops.net
triton.anonops.net 
osiris.anonops.net
nitrox.anonop.net
denied.anonops.net
tinycore.anonops.net
thealps.anonops-irc.com
irc.anonops-irc.com
irc.anonops.eu

AnonOps Network Web Server DNS Names 
http://www.anonops.com
https://pad.anonops.net
http://forum.anonops.net

Risk Management

Organizations are advised to follow their standard risk evaluation and mitigation processes to determine the potential impact of this threat. Triage refers to sorting projects and prioritizing efforts that are most likely to be successful. Cisco has provided documents that can help organizations develop a risk-based triage capability for their information security teams. Risk Triage for Security Vulnerability Announcements and Risk Triage and Prototyping can help organizations develop repeatable security evaluation and response processes.

Device-Specific Mitigation and Identification

Cisco/Arbor Clean Pipes
Source-Based Remote Triggered Black Hole
Spoofing Protection Using Unicast Reverse Path Forwarding
Traffic Flow Identification Using Cisco IOS NetFlow Records
Transit Access Control Lists

Caution: The effectiveness of any mitigation technique depends on specific customer situations such as product mix, network topology, traffic behavior, and organizational mission. As with any configuration change, evaluate the impact of this configuration prior to applying the change.

The following Cisco Security Intelligence Operations content focuses on identifying and mitigating these events.

Defending as a Potential Target/Victim

Cisco/Arbor Clean Pipes

The Cisco/Arbor Clean Pipes solution (formerly the Cisco Guard solution) is one option for mitigating LOIC-generated DDoS traffic. The solution reacts to anomalous (and not necessarily malicious) traffic patterns, mitigates the effects of a DoS attack by filtering malicious traffic, and can also identify spoofed traffic.

Source-Based Remote Triggered Black Hole 

Another option for protecting the destination of LOIC-generated DDoS traffic is Source-based Remote Triggered Black Hole (SRTBH) routing. SRTBH installs Null routes for the IP addresses or subnets of attacking hosts and relies on Unicast RPF, which drops ingress packets whose source address resolves to one of those Null routes. Once the source(s) of the attack are known this is a very effective technique, and because the routes are injected from a single trigger router it can be applied on every edge device at once; its coverage is only as good as the list of attacking sources, which for a voluntary botnet changes as participants join and leave. For more on Remotely Triggered Black Hole Filtering, refer to:

http://www.cisco.com/web/about/security/intelligence/blackhole.pdf

Spoofing Protection Using Unicast Reverse Path Forwarding

Administrators can deploy and configure Unicast Reverse Path Forwarding (Unicast RPF) as a protection mechanism against spoofed IP source addresses in traffic used to launch LOIC-based attacks.

Unicast RPF is configured at the interface level and can detect and drop packets that lack a verifiable source IP address. Administrators should not rely on Unicast RPF to provide complete spoofing protection because spoofed packets may enter the network through a Unicast RPF-enabled interface if an appropriate return route to the source IP address exists. Administrators are advised to take care to ensure that the appropriate Unicast RPF mode (loose or strict) is configured during the deployment of this feature because it can drop legitimate traffic that is transiting the network. In an enterprise environment, Unicast RPF might be enabled at the Internet edge and the internal access layer on the user-supporting Layer 3 interfaces.

Additional information is in the Unicast Reverse Path Forwarding Loose Mode Feature Guide.

For additional information about the configuration and use of Unicast RPF, reference the Understanding Unicast Reverse Path Forwarding Applied Intelligence white paper.
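To make the SRTBH mechanism and the loose/strict distinction in the two sections above concrete, here is an added Python model. It is example code, not Cisco's, and not a substitute for the IOS configuration in the linked guides. The FIB, interface names and addresses are constructed; the check follows the documented semantics of ip verify unicast source reachable-via {any|rx} [allow-default]: a source passes loose mode if it has a route that does not point to Null0, and passes strict mode only if that route also exits through the interface the packet arrived on. The three scenarios at the bottom show an attacker source being dropped once it is black-holed, a spoofed internal source passing loose mode (the caveat above), and legitimate asymmetric traffic being dropped by strict mode.

```python
"""Model of loose/strict Unicast RPF and source-based RTBH on a small FIB.

Added example (not Cisco's code). The FIB, interface names and addresses are
constructed; the check mirrors the documented semantics of
'ip verify unicast source reachable-via {any|rx} [allow-default]'.
"""
import ipaddress

# Constructed FIB: (prefix, egress interface). Null0 is the discard interface.
FIB = [
    ("0.0.0.0/0", "Gi0/0"),       # default route toward the Internet
    ("10.0.0.0/8", "Gi0/1"),      # internal address space
    ("203.0.113.0/24", "Gi0/2"),  # a peer whose return path is via Gi0/2 only
]


def lookup(ip):
    """Longest-prefix match. Returns (network, egress interface) or None."""
    addr = ipaddress.ip_address(ip)
    best = None
    for prefix, iface in FIB:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best


def blackhole(prefix):
    """SRTBH: install a discard route for an attacking source.

    In a real deployment the trigger router advertises this prefix via iBGP
    with a next hop that every edge router statically routes to Null0; here
    we model the end state, the FIB entry itself pointing at Null0.
    """
    FIB.append((prefix, "Null0"))


def urpf_check(src_ip, ingress_iface, mode="loose", allow_default=False):
    """Decide whether a packet passes uRPF on the interface it arrived on.

    loose  ('reachable-via any'): a route to the source must exist and must
           not point to Null0. This is what makes SRTBH drop attacker traffic.
    strict ('reachable-via rx'): in addition, the route's egress interface
           must be the ingress interface of the packet.
    allow_default: whether the 0.0.0.0/0 route satisfies the check.
    Returns "pass" or "drop".
    """
    match = lookup(src_ip)
    if match is None:
        return "drop"
    net, iface = match
    if net.prefixlen == 0 and not allow_default:
        return "drop"      # default route only counts with allow-default
    if iface == "Null0":
        return "drop"      # black-holed source
    if mode == "strict" and iface != ingress_iface:
        return "drop"      # asymmetric return path fails strict mode
    return "pass"


if __name__ == "__main__":
    # 1. An attacking source on the Internet. Before SRTBH it is reachable via
    #    the default route and passes loose mode (with allow-default).
    print(urpf_check("198.51.100.7", "Gi0/0", "loose", allow_default=True))  # pass
    blackhole("198.51.100.7/32")
    print(urpf_check("198.51.100.7", "Gi0/0", "loose", allow_default=True))  # drop
    # 2. A packet from the Internet carrying a spoofed internal source: loose
    #    mode passes it because a route to 10.0.0.0/8 exists (the caveat in
    #    the text); strict mode drops it because that route is via Gi0/1.
    print(urpf_check("10.1.2.3", "Gi0/0", "loose"))   # pass
    print(urpf_check("10.1.2.3", "Gi0/0", "strict"))  # drop
    # 3. Legitimate but asymmetric traffic from the peer arriving on Gi0/0
    #    while the return route is via Gi0/2: strict mode drops it.
    print(urpf_check("203.0.113.5", "Gi0/0", "strict"))  # drop
    print(urpf_check("203.0.113.5", "Gi0/0", "loose"))   # pass
```

The third scenario is why the text advises choosing the mode carefully: strict mode is the right choice on single-homed access interfaces where the return path is unambiguous, while loose mode (with or without allow-default) is the usual choice at a multi-homed Internet edge, where it still gives you the SRTBH drop behaviour of scenario 1.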

Defending as a Potential Source/Attacker

Visibility into LOIC attack traffic (or any traffic), whether sourced from or destined to customer networks, using identification techniques/features, such as Cisco IOS NetFlow and access control list (ACL) hits, is paramount to successfully defending against these types of DoS attacks.

The following sections provide additional options for identifying anomalous/malicious traffic that may be generated through the use of the LOIC application.

Traffic Flow Identification Using Cisco IOS NetFlow Records

Administrators can configure Cisco IOS NetFlow on Cisco IOS routers and switches to aid in the identification of traffic flows that may be attempts to use LOIC to generate DDoS attack traffic. Administrators are advised to investigate flows to determine whether they are actual attempts to leverage LOIC or whether they are legitimate traffic flows.
router#show ip cache flow
IP packet size distribution (90784136 total packets):
   1-32   64   96  128  160  192  224  256  288  320  352  384  416  448  480
   .000 .698 .011 .001 .004 .005 .000 .004 .000 .000 .003 .000 .000 .000 .000

    512  544  576 1024 1536 2048 2560 3072 3584 4096 4608
   .000 .001 .256 .000 .010 .000 .000 .000 .000 .000 .000

IP Flow Switching Cache, 4456704 bytes
  1885 active, 63651 inactive, 59960004 added
  129803821 ager polls, 0 flow alloc failures
  Active flows timeout in 30 minutes
  Inactive flows timeout in 15 seconds
IP Sub Flow Cache, 402056 bytes
  0 active, 16384 inactive, 0 added, 0 added to flow
  0 alloc failures, 0 force free
  1 chunk, 1 chunk added
  last clearing of statistics never
Protocol         Total    Flows   Packets Bytes  Packets Active(Sec) Idle(Sec)
--------         Flows     /Sec     /Flow  /Pkt     /Sec     /Flow     /Flow
TCP-Telnet    11393421      2.8         1    48      3.1       0.0       1.4
TCP-FTP            236      0.0        12    66      0.0       1.8       4.8
TCP-FTPD            21      0.0     13726  1294      0.0      18.4       4.1
TCP-WWW          22282      0.0        21  1020      0.1       4.1       7.3
TCP-X              719      0.0         1    40      0.0       0.0       1.3
TCP-BGP              1      0.0         1    40      0.0       0.0      15.0
TCP-Frag         70399      0.0         1   688      0.0       0.0      22.7
TCP-other     47861004     11.8         1   211     18.9       0.0       1.3
UDP-DNS            582      0.0         4    73      0.0       3.4      15.4
UDP-NTP         287252      0.0         1    76      0.0       0.0      15.5
UDP-other       310347      0.0         2   230      0.1       0.6      15.9
ICMP             11674      0.0         3    61      0.0      19.8      15.5
IPv6INIP            15      0.0         1  1132      0.0       0.0      15.4
GRE                  4      0.0         1    48      0.0       0.0      15.3 
Total:        59957957     14.8         1   196     22.5       0.0       1.5

SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201  Gi0/1         192.168.60.102  06 0984 1A0B     1
Gi0/0         192.168.11.54   Gi0/1         192.168.60.158  06 0911 1A0B     3
Gi0/1         192.168.150.60  Gi0/0         10.89.16.226    06 0016 12CA     1
Gi0/0         192.168.13.97   Gi0/1         192.168.60.28   06 0B3E 1A0B     5
Gi0/0         192.168.10.17   Gi0/1         192.168.60.97   06 0B89 1A0B     1
Gi0/0         10.88.226.1     Gi0/1         192.168.202.22  11 007B 007B     1
Gi0/0         192.168.12.185  Gi0/1         192.168.60.239  06 0BD7 1A0B     1
Gi0/0         10.89.16.226    Gi0/1         192.168.150.60  06 12CA 0016     1
router#

In the preceding example, several flows from hosts in 192.168.10.0/24 through 192.168.13.0/24 are directed to TCP port 6667 (hex value 1A0B in the DstP column) on hosts in 192.168.60.0/24; these are candidate LOIC IRC control connections and should be investigated first. A protocol bucket in the summary that shows millions of flows averaging one packet per flow (as TCP-other does above) is also worth attention, since it indicates a large number of very short connections rather than normal client sessions.
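The following Python script is an added example (not Cisco's code) that automates what the preceding paragraph and the connectivity summary earlier in this bulletin describe: it parses flow lines in the show ip cache flow format, lists hosts that opened TCP connections to port 6667 (0x1A0B), finds destinations that receive many short flows, and reports the hosts that did both, which is the LOIC sequence of joining the IRC channel and then flooding the announced target. The first five flow lines are copied from the output above; the flows toward 198.51.100.10, the thresholds and the resulting host list are constructed for illustration and should be tuned to your own baseline.

```python
"""Flag LOIC-like activity in 'show ip cache flow' output.

Added example, not Cisco's code. 0x1A0B is TCP 6667, the IRC port the
bulletin identifies; the flood heuristic (many short flows to one
destination) and the addresses below are constructed for illustration.
"""
import re
from collections import defaultdict

TCP = 6
IRC_PORT = 6667  # shown as 1A0B in the hex DstP column

# Constructed sample. The first five flow lines are copied from the bulletin's
# output; the flows to 198.51.100.10 are made up to model a LOIC flood.
SAMPLE = """\
router#show ip cache flow
SrcIf         SrcIPaddress    DstIf         DstIPaddress    Pr SrcP DstP  Pkts
Gi0/0         192.168.10.201  Gi0/1         192.168.60.102  06 0984 1A0B     1
Gi0/0         192.168.11.54   Gi0/1         192.168.60.158  06 0911 1A0B     3
Gi0/1         192.168.150.60  Gi0/0         10.89.16.226    06 0016 12CA     1
Gi0/0         192.168.13.97   Gi0/1         192.168.60.28   06 0B3E 1A0B     5
Gi0/0         10.88.226.1     Gi0/1         192.168.202.22  11 007B 007B     1
Gi0/0         192.168.10.201  Gi0/1         198.51.100.10   06 C001 0050     1
Gi0/0         192.168.10.201  Gi0/1         198.51.100.10   06 C002 0050     1
Gi0/0         192.168.10.201  Gi0/1         198.51.100.10   06 C003 0050     1
Gi0/0         192.168.11.54   Gi0/1         198.51.100.10   06 D001 0050     1
Gi0/0         192.168.11.54   Gi0/1         198.51.100.10   06 D002 0050     2
Gi0/0         192.168.13.97   Gi0/1         198.51.100.10   06 E001 0050     1
Gi0/0         10.88.226.1     Gi0/1         198.51.100.10   06 E002 0050     1
Gi0/0         192.168.150.60  Gi0/1         198.51.100.10   06 0ABC 0050    21
router#
"""

FLOW_RE = re.compile(
    r"^(?P<srcif>\S+)\s+(?P<src>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<dstif>\S+)\s+(?P<dst>\d+\.\d+\.\d+\.\d+)\s+"
    r"(?P<proto>[0-9A-Fa-f]{2})\s+(?P<sport>[0-9A-Fa-f]{4})\s+"
    r"(?P<dport>[0-9A-Fa-f]{4})\s+(?P<pkts>\d+)\s*$"
)


def parse_flows(text):
    """One dict per flow line; the prompt, header and statistics lines are skipped."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if m is None:
            continue
        flows.append({
            "src": m["src"], "dst": m["dst"],
            "proto": int(m["proto"], 16),
            "sport": int(m["sport"], 16), "dport": int(m["dport"], 16),
            "pkts": int(m["pkts"]),
        })
    return flows


def irc_clients(flows):
    """Hosts that initiated TCP connections to port 6667 (candidate LOIC control sessions)."""
    return sorted({f["src"] for f in flows if f["proto"] == TCP and f["dport"] == IRC_PORT})


def flood_targets(flows, min_short_flows=5, short_pkts=2):
    """Destinations that receive at least min_short_flows flows of <= short_pkts packets.

    A LOIC flood shows up as a burst of very short flows toward one address,
    which is also what a protocol bucket averaging one packet per flow in the
    'show ip cache flow' summary indicates in aggregate.
    """
    short_by_dst = defaultdict(list)
    for f in flows:
        if f["pkts"] <= short_pkts:
            short_by_dst[f["dst"]].append(f)
    return {
        dst: {"short_flows": len(fl), "sources": sorted({f["src"] for f in fl})}
        for dst, fl in short_by_dst.items()
        if len(fl) >= min_short_flows
    }


def likely_loic_hosts(flows, **thresholds):
    """Sources that both talked to an IRC server and took part in a flood."""
    flooders = set()
    for info in flood_targets(flows, **thresholds).values():
        flooders.update(info["sources"])
    return sorted(flooders.intersection(irc_clients(flows)))


if __name__ == "__main__":
    flows = parse_flows(SAMPLE)
    print("IRC clients:", irc_clients(flows))
    for dst, info in flood_targets(flows).items():
        print(f"flood target {dst}: {info['short_flows']} short flows from {info['sources']}")
    print("likely LOIC hosts:", likely_loic_hosts(flows))
```

Run it against a saved copy of show ip cache flow output (or NetFlow export converted to the same columns) and treat the result as a starting point for investigation: one short flow from a host is unremarkable, and only the combination of an IRC control session with a burst of short flows toward the same target is suggestive. In the sample, 10.88.226.1 sends a short flow to the target but never talked IRC, so it is reported as a flood source but not as a likely LOIC host.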

For more on Cisco IOS NetFlow and how to deploy it in your network, see the Cisco IOS NetFlow entry under Related Links below.

Transit Access Control Lists

The following section describes how ACLs can identify and block LOIC Command & Control traffic on TCP port 6667 between hosts in your network and IRC servers. Because a LOIC host initiates the connection to the IRC server (see the connectivity summary above), the egress policy is the one most likely to expose LOIC hosts inside your network; the ingress policy covers connections initiated from outside toward TCP port 6667 on your hosts.

Mitigation: Transit Access Control Lists

To protect the network from traffic that enters at ingress access points, which may include Internet connection points, partner and supplier connection points, or VPN connection points, administrators are advised to deploy transit access control lists (tACLs) to perform policy enforcement. Administrators can construct a tACL by explicitly permitting only authorized traffic to enter the network at ingress access points, or by permitting authorized traffic to transit the network in accordance with existing security policies and configurations. A tACL cannot provide complete protection against this threat when the attack originates from a trusted source address.

Ingress Command & Control Traffic

The tACL policy denies unauthorized ingress IRC Command & Control packets on TCP port 6667 sent to affected devices. In the following example, 192.168.60.0/24 is the address space used by the affected devices, and the host at 192.168.100.1 is considered a trusted IRC Command & Control server that requires access to the affected devices. Take care to allow required traffic for routing and administrative access before denying all unauthorized traffic.

Additional information about tACLs is in Transit Access Control Lists: Filtering at Your Edge.

!-- Include explicit permit statements for trusted sources
!-- that require access on the IRC Command & Control port
!
access-list 150 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 6667

!
!-- The following vulnerability-specific access control entry
!-- (ACE) can aid in identification of LOIC Command & Control attempts
!
access-list 150 deny tcp any 192.168.60.0 0.0.0.255 eq 6667
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list 150 deny ip any any
!
!-- Apply tACL to interfaces in the ingress direction
!
interface GigabitEthernet0/0
 ip access-group 150 in

Note that filtering with an interface access list will elicit the transmission of ICMP unreachable messages back to the source of the filtered traffic. Generating these messages could have the undesired effect of increasing CPU utilization on the device. In Cisco IOS Software, ICMP unreachable generation is limited to one packet every 500 milliseconds by default. ICMP unreachable message generation can be disabled using the interface configuration command no ip unreachables. ICMP unreachable rate limiting can be changed from the default using the global configuration command ip icmp rate-limit unreachable interval-in-ms.

Identification: Ingress Transit Access Control Lists

After the administrator applies the tACL to an interface, the show ip access-lists command will show the number of inbound LOIC (or legitimate IRC) packets on TCP port 6667 that have been filtered. Administrators are advised to investigate filtered packets to determine whether they are LOIC Command & Control attempts. Example output for show ip access-lists 150 follows:

router#show ip access-lists 150  
Extended IP access list 150      
10 permit tcp host 192.168.100.1 192.168.60.0 0.0.0.255 eq 6667      
20 deny tcp any 192.168.60.0 0.0.0.255 eq 6667 (12 matches)      
30 deny ip any any  
router#

Egress Command & Control Traffic

The tACL policy denies unauthorized egress IRC Command & Control packets on TCP port 6667 sent from affected devices. In the following example, 192.168.60.0/24 is the address space used by the affected devices, and the host at 192.168.100.1 is considered a trusted IRC server to which the affected devices require access. Because this ACL carries different entries from the ingress ACL above, it is given its own number so that the two are not merged into a single list. Take care to allow required traffic for routing and administrative access before denying all unauthorized traffic.

!-- Include explicit permit statements for trusted internal hosts
!-- that require egress access on the IRC Command & Control port.
!-- ACL 151 is used so that these entries are not appended to the
!-- ingress ACL 150 shown earlier.
!
access-list 151 permit tcp 192.168.60.0 0.0.0.255 host 192.168.100.1 eq 6667
!
!-- The following LOIC-specific access control entry (ACE) can aid
!-- in identification of egress LOIC Command & Control attempts
!
access-list 151 deny tcp 192.168.60.0 0.0.0.255 any eq 6667
!
!-- Permit or deny all other Layer 3 and Layer 4 traffic in accordance
!-- with existing security policies and configurations
!
!-- Explicit deny for all other IP traffic
!
access-list 151 deny ip any any
!
!-- Apply tACL to interfaces in the egress direction
!
interface GigabitEthernet0/0
 ip access-group 151 out

The note in the ingress section about ICMP unreachable generation (and the no ip unreachables and ip icmp rate-limit unreachable commands) applies to this ACL as well.

Identification: Egress Transit Access Control Lists

After the administrator applies the tACL to an interface, the show ip access-lists command will show the number of outbound LOIC (or legitimate IRC) packets on TCP port 6667 that have been filtered. Administrators are advised to investigate filtered packets to determine which internal hosts are attempting to reach an IRC Command & Control server. Example output for show ip access-lists 151 follows:

router#show ip access-lists 151
Extended IP access list 151
10 permit tcp 192.168.60.0 0.0.0.255 host 192.168.100.1 eq 6667
20 deny tcp 192.168.60.0 0.0.0.255 any eq 6667 (12 matches)
30 deny ip any any
router#

Finally, review the following Cisco Security Intelligence Operations web pages, which contain additional documents that customers may be able to leverage when responding to LOIC-generated DDoS attacks:

Security Intelligence Operations Best Practices
Service Provider Security Best Practices

Related Links

Cisco ACE 4710 Application Control Engine
Cisco ASA 5500 Adaptive Security Appliances
Cisco Firewall Solutions

Cisco Intrusion Prevention System
Cisco IOS IPS
Cisco IOS NetFlow
Cisco IronPort Email and Web Security Appliances
Cisco NAC Appliance
Cisco Services for IPS
Cisco Security Agent
Cisco Security IntelliShield Alert Manager Service

Cisco Security Monitoring, Analysis, and Response System
Cisco IPS 6.x Signature Downloads
Cisco IPS Signature Search Page
Cisco Applied Mitigation Bulletins


Additional Information

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco products, obtaining assistance with security incidents, and registering to receive security information from Cisco, is available on Cisco's worldwide website at http://www.cisco.com/web/about/security/psirt/security_vulnerability_policy.html. This includes instructions for press inquiries regarding Cisco security notices. All Cisco security advisories are available at http://www.cisco.com/go/psirt.

Alert History
 

Version 2, December 10, 2010, 1:20 PM: Additional information about AnonOps Network IRC and web servers is available.

Version 1, December 10, 2010, 12:15 PM: This is the initial version of the Cisco Applied Mitigation Bulletin to address distributed denial of service attacks based on the Low Orbit Ion Cannon bot agent.



Product Sets
 
The security vulnerability applies to the following combinations of products.

Primary Products:
IntelliShieldUniversal Product Original Release Base

Associated Products:
N/A




Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service. This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.


LEGAL DISCLAIMER
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.