CERT-MU AD-2009-09
DDoS attacks against US and South Korean sites
Original issue date: 10 July, 2009
Overview
A wave of DDoS attacks has disrupted US Government and South Korean web sites by flooding them with network traffic. The attack began on Saturday night, July 4, Pacific Time, initially targeting five U.S. government web sites. By Monday evening, it had expanded to more than 30 web sites, including sites in South Korea and some U.S. commercial sites.
The compromised systems used in this attack are infected with bot software that appears to share code with the infamous MyDoom family of viruses. The botnet is estimated to comprise somewhere between 30,000 and 60,000 computers.
The DDoS attacks appear to originate from compromised systems located primarily in the Asia Pacific region and are being delivered as floods of ping, SYN and UDP packets. At their height over the weekend, the attacks directed as much as 20GB to 40GB of bandwidth per second at the targets.
The level of the attack is not particularly sophisticated, and it appears to be more of a nuisance than a threat to security. It uses a variety of well-known distributed denial of service (DDoS) techniques that try to overwhelm web sites with useless requests and make them unavailable to legitimate users. The botnet code behind the attack does not use typical antivirus evasion techniques.
In view of the above-mentioned DDoS attack, the following recommendations may be followed to reduce this risk for critical websites.
Recommendations:
• Implement ingress and egress filtering at the edge router
• Implement rate limiting at the router level
• Use anti-spoofing techniques such as Unicast RPF
• Block/filter incoming ICMP requests at the firewall
• Use stateful firewalls
• Use IPS (Intrusion Prevention Systems)
• Disable unused services and ports on the devices used at each level of defense
• Apply patches or fixes to the devices used at each level of defense
• Regularly update anti-virus and anti-spyware products installed at the gateway, server and client level
• Monitor the network
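The following is an added example, not part of the CERT-MU advisory, showing how the monitoring and anti-spoofing recommendations above can be checked in practice: it counts ping, SYN and UDP packets per source in one-second windows over constructed flow records and flags the ingress-filter violation of an internal source address arriving on the external interface. The record format, the internal prefix and the thresholds are assumptions chosen for illustration.

```python
"""Toy flood detector over constructed flow records (added example).
Each record is a dict with ts (seconds), iface, src, proto, optional
flags/type, and count. Thresholds and prefixes are assumed values."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("192.0.2.0/24")  # assumed internal prefix (RFC 5737 range)
WINDOW = 1.0                            # detection window in seconds
THRESHOLD = 100                         # packets per window, per source and flood type

def classify(rec):
    """Map a record to one of the flood types named in the advisory, or None."""
    proto, flags = rec["proto"], rec.get("flags", "")
    if proto == "icmp" and rec.get("type") == 8:   # ICMP echo request = ping flood
        return "ping"
    if proto == "tcp" and flags == "S":            # bare SYN without ACK = SYN flood
        return "syn"
    if proto == "udp":
        return "udp"
    return None

def spoofed(rec):
    """Ingress-filter check: traffic arriving on the external interface
    must never carry a source address from the internal prefix."""
    return rec["iface"] == "ext" and ip_address(rec["src"]) in INTERNAL

def detect(records):
    """Return ({(src, kind): peak packets per window} for sources over the
    threshold, [records that fail the ingress-filter check])."""
    buckets = defaultdict(int)
    for r in records:
        kind = classify(r)
        if kind:
            buckets[(r["src"], kind, int(r["ts"] // WINDOW))] += r["count"]
    alerts = {}
    for (src, kind, _), n in buckets.items():
        if n >= THRESHOLD and n > alerts.get((src, kind), 0):
            alerts[(src, kind)] = n
    return alerts, [r for r in records if spoofed(r)]

# Constructed sample: a SYN flooder, a ping flooder, one spoofed UDP packet
# and a benign SYN/ACK burst that must not be counted as a flood.
SAMPLE = (
    [{"ts": i / 200, "iface": "ext", "src": "198.51.100.7", "proto": "tcp",
      "flags": "S", "count": 1} for i in range(150)]
    + [{"ts": 0.5, "iface": "ext", "src": "203.0.113.9", "proto": "icmp", "type": 8, "count": 120}]
    + [{"ts": 0.7, "iface": "ext", "src": "192.0.2.5", "proto": "udp", "count": 1}]
    + [{"ts": 0.9, "iface": "ext", "src": "203.0.113.10", "proto": "tcp", "flags": "SA", "count": 40}]
)
```

Running `detect(SAMPLE)` reports the SYN and ping sources as floods and the 192.0.2.5 packet as spoofed, while the SYN/ACK traffic produces no alert.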
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.