US-CERT has received information from multiple sources about coordinated distributed denial-of-service (DDoS) attacks with targets that included U.S. government agency and entertainment industry websites. The loosely affiliated collective "Anonymous" allegedly promoted the attacks in response to the shutdown of the file hosting site MegaUpload and in protest of proposed U.S. legislation concerning online trafficking in copyrighted intellectual property and counterfeit goods (Stop Online Piracy Act, or SOPA, and Preventing Real Online Threats to Economic Creativity and Theft of Intellectual Property Act, or PIPA).
3g[.]bamatea[.]com A 218[.]5[.]113[.]218
cybercrime[.]hostzi[.]com A 31[.]170[.]161[.]36
event[.]seeho[.]co[.]kr A 210[.]207[.]87[.]195
chatimpacto[.]org A 66[.]96[.]160[.]151
anonymouse[.]org A 193[.]200[.]150[.]125
pastehtml[.]com A 88[.]90[.]29[.]58
lcnongjipeijian[.]com A 49[.]247[.]252[.]105
www[.]rotterproxy[.]info A 208[.]94[.]245[.]131
www[.]tandycollection[.]co[.]kr A 121[.]254[.]168[.]87
www[.]zgon[.]cn A 59[.]54[.]54[.]204
www[.]turbytoy[.]com[.]ar A 190[.]228[.]29[.]84
msg=Stop%20S.O.P.A%20:)%20%E2%99%AB%E2%99%AB HTTP/1.1" 200 99406 "http://pastehtml.com/view/bl7qhhp5c.html"
66:6c:6f:6f:64:00:00:00:00:00:00:00:00:00 | flood.........
- Develop a checklist or Standard Operating Procedure (SOP) to follow in the event of a DDoS attack. One critical point in a checklist or SOP is to have contact information for your ISP and hosting providers. Identify who should be contacted during a DDoS, what processes should be followed, what information is needed, and what actions will be taken during the attack with each entity.
- The ISP or hosting provider may provide DDoS mitigation services. Ensure your staff is aware of the provisions of your service level agreement (SLA).
- Maintain contact information for firewall teams, IDS teams, and network teams and ensure that it is current and readily available.
- Identify critical services that must be maintained during an attack as well as their priority. Services should be prioritized beforehand to identify what resources can be turned off or blocked as needed to limit the effects of the attack. Also, ensure that critical systems have sufficient capacity to withstand a DDoS attack.
- Have current network diagrams, IT infrastructure details, and asset inventories. This will assist in determining actions and priorities as the attack progresses.
- Understand your current environment and have a baseline of daily network traffic volume, type, and performance. This will allow staff to better identify the type of attack, the point of attack, and the attack vector used. Also, identify any existing bottlenecks and remediation actions if required.
- Harden the configuration settings of your network, operating systems, and applications by disabling services and applications not required for a system to perform its intended function.
- Implement a bogon block list at the network boundary.
- Employ service screening on edge routers wherever possible in order to decrease the load on stateful security devices such as firewalls.
- Separate or compartmentalize critical services:
- Separate public and private services
- Separate intranet, extranet, and internet services
- Create single purpose servers for each service such as HTTP, FTP, and DNS
- Review the US-CERT Cyber Security Tip Understanding Denial-of-Service Attacks.
- Cyber Security Tip ST04-015 - <http://www.us-cert.gov/cas/tips/ST04-015.html>
- Anonymous's response to the seizure of MegaUpload according to CNN - <http://money.cnn.com/2012/01/19/technology/megaupload_shutdown/index.htm>
- The Internet Strikes Back #OpMegaupload - <http://anonops.blogspot.com/2012/01/internet-strikes-back-opmegaupload.html>
- Anonymous Operations tweets on Twitter - <http://twitter.com/#!/anonops>
- @Megaupload Tweets on Twitter - <http://twitter.com/#!/search?q=%2523Megaupload>
- LOIC DDoS Analysis and Detection - <http://blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html>
- Impact of Operation Payback according to CNN - <http://money.cnn.com/2010/12/08/news/companies/mastercard_wiki/index.htm>
- OperationPayback messages on YouTube - <http://www.youtube.com/results?search_query=operationpayback>
- The Bogon Reference - Team Cymru - <http://www.team-cymru.org/Services/Bogons/>
andThese latest pages we detect as Troj/DDoS-AN (http://nakedsecurity.sophos.com/2012/01/20/anonymo
us-opmegaupload-ddos-attack/).This means we have blocked access to the pages themselves - we'll also be getting feedback on these pages, which will lead to them being blocked on URL alone, but the main thing is that we're blocking the code itself.By Sophos