Book Read Free

Shift Delete

Page 11

by Gary L. Rashba


  Across the world, in Tallinn, Estonia, a group of computer gurus calling themselves “Estonia with Honor” was holding Washington accountable for what this group of mostly young Estonian men and a handful of women considered the United States’ abandonment of their country in its critical time of need, all while using an anonymity tool to mask their identities.

  After the initial assault against the State Department, one of the “Estonia with Honor” student attackers used a botmaster’s command-and-control software to activate a true botnet: a large network of infected machines whose “zombies,” as the infected computers are known, blindly followed orders to attack. The network had been “recruited” when users unknowingly downloaded applications containing code that turned their mobile devices and computers into instruments of a cyber-attack. Bots act like robots, which is where the name botnet comes from; they mindlessly take orders and carry them out faithfully, in this case to bombard the Department of State’s enterprise server network with queries and requests until State’s network was inundated.

  Before the attack, the students surveyed a number of U.S. Government websites and found the State Department’s to be vulnerable. Hacking their way in, the university students first defaced State’s website. When they checked back after it had been cleaned up and returned to normal, the student activists were surprised to see no further security layers had been added. As they saw it, the State Department was almost inviting attack. And so they willingly obliged.

  After more than half a day under attack, the StateApp web server was finally completely inundated. This was bad. The mouthpiece of the U.S. Administration, with information on U.S. policies and the U.S. stance on issues from Afghanistan, counter-terrorism and climate change to women’s issues, had been put out of action.

  State’s CISO—an older man with a horseshoe of white hair and black horn-rimmed eyeglasses—joined Parovsky’s team at DCA’s SIC to be fully aware of the latest developments. Parovsky had never met him before; they had only talked on the phone. What the hell is this guy doing in IT? was Parovsky’s initial reaction. He was one of those old guys that makes you wonder what he’s doing in an industry where everyone is half his age. Parovsky figured he had come of age in the IT world of mainframes and dumb terminals, and probably hadn’t touched a PC until he was approaching middle age.

  His forehead was sweating profusely, and he repeatedly dabbed it with a white handkerchief. Parovsky was concerned the stress might give the old guy a heart attack.

  Parovsky gulped a mouthful of coffee while Loretta reported that “Estonia with Honor” had set up a website to share information on their hacking campaign. “Looking at the IP trace from the logs, it seems a good portion of the connections and requests are coming from Estonia.” She licked her lips, then went on to suggest blocking all Estonia-based IP addresses.

  Parovsky liked the idea; he instructed the team to define a rule on the StateApp web server to reject all requests originating from Estonia. He looked to State’s CISO for acknowledgement of the effort, rather than approval.

  “That’ll only slow down the attack,” Brendan told him.

  “Then what about blocking all of Eastern Europe?” Parovsky asked.

  “No, it’s the same thing. The BOTs are all over the world.”

  “We can’t cut off all the legitimate users, United States citizens and our international friends, from accessing the United States government,” State’s CISO interjected.

  Parovsky declared: “I can justify Estonia for now, but only temporarily.” He glanced at State’s CISO, who begrudgingly nodded his head up and down in approval.

  The “no Estonia” filter slowed the attack traffic rate initially, but new connections soon began appearing from other countries, including the U.S., so overall it did nothing significant to thwart the malicious web traffic overwhelming StateApp.

  “Like I thought,” Brendan added when they reconvened. “The BOT computers are all over the world.” He pointed to one of the graphic charts displayed on a large flat screen monitor on the wall. “Proxy servers all over the world are generating queries.”

  “What about pulling the plug on State then?” Parovsky ventured, wondering what his team would say. Null-routing the traffic would drop packets destined for State’s servers before they arrived.

  State’s CISO, slouched in a chair half asleep, sprung to life. “You can’t shut down the State Department!” His voice was cracking and his forehead began to sweat again.

  Loretta shook her head no and made a don’t be ridiculous face, irritating Parovsky.

  She adjusted a ring on her finger, which she continuously rotated as she talked with her hands. The ring made Parovsky curious. Can it be a wedding ring? Is she married? He surprised himself that he even cared.

  “That’s a bit drastic, wouldn’t you say?” State’s CISO continued.

  “So what do you propose?” Parovsky asked with sincerity.

  “Let’s get traffic rerouted to a DDOS recipient to take stress off my servers,” he suggested.

  Brendan agreed. “Scrubbers will compare regular traffic with the malicious packets bombarding State’s system, and the malicious ones will be removed, making way for legitimate traffic to pass through and reach State’s web server.”

  “Didn’t we do that already?” Parovsky asked, looking at Brendan and Ted.

  “In process,” Ted responded.

  “Good. What else?” Parovsky looked at each member of the team.

  Brendan added, “We’ve implemented technical measures to slow the rate of attack, like rate limiting, timing out half-open connections more aggressively and dropping spoofed and malformed packets.”

  “What’s that all about?” one of the interns asked. His eyes were weary from so many hours without sleep; the two young men had opted to stick around, “to stay in the fight,” as one of them put it.

  Brendan answered, “This checks to verify the veracity by looking at its path. If it doesn’t look right, then no ‘handshake’ is made between the incoming request with the State Department.” Sometimes people had no clue what he was talking about, while other times—like now—the handshake term helped create a mental image.

  Ted added, “DDOS mitigation techniques identify legitimate traffic from the BOT-generated malicious queries flooding the system. In simple terms, they identify the real queries from the fake ones.”

  Parovsky shifted his glance from Brendan to State’s CISO, who nodded his head approvingly.

  “How badly will it slow things down?”

  A bit annoyed by the CISO’s question, to which he had no accurate answer, Parovsky responded, “At least traffic is getting through. Unless you’ve got a better solution that offers infrastructure like that to handle the onslaught of traffic your site is being bombarded with, then we’re going with the scrubber, as you suggested.” Parovsky was throwing the CISO a bone, giving him credit for something his team already had in the works, then, a little nicer, he added, “It gets you back online.”

  “Which means I’m back in the business of providing citizen services,” the CISO said, personally taking credit for the solution. “I can report that to the Secretary.”

  As Parovsky looked up at the charts on the wall, he asked, “It’s still just State, right?”

  It was humorous that the entire team simultaneously looked up at the map of the government networks on a 50” screen to ascertain that the attack was indeed limited to the State Department, which appeared bright red on the chart.

  “What’s on your mind?”

  “The attack on State could be a diversionary attack meant to mask other malicious activity.” The Government Network Health Indicator chart revealed major anomalies only at the State Department.

  “Yeah, only State,” Ted confirmed.

  “It would be one helluva diversion,” Loretta added cynically.

  United States embassies and consulates were already receiving complaints, the State Department’s telephone switchboard was overwhelmed, and one cynical blogger had already posted: “U.S. Government unreachable. Intentional?”

  Loretta mentioned a chatroom post her people had picked up, which read: “Get some popcorn. It’s going to be a long fight.”

  This was real warfare in the cyber age. An integral part of attacks and outright warfare, cyber-attacks were now another weapon in a commander’s arsenal. Parovsky and the entire CIRT were not just using military terminology, but also military tactics. There were attacks and blocking moves. Counter-attacks were not in DCA’s toolkit, but were certainly part of the lexicon. The stress levels were very real, like that of any commander under attack, struggling for situational awareness in the fog of war.

  As a graduate student, Parovsky had once had an opportunity to be on a Navy missile boat during a simulated missile attack exercise, which he found horribly boring, much to his chagrin. Sitting in the ship’s darkened combat information center, sailors seated at computer consoles reported the status of the incoming missile and the ship’s counter-measures to the officer standing behind them. Parovsky figured the voices would be higher-pitched with tension and possibly fear, and the overall scene far different than the calmness during the exercise if a real missile were truly barreling towards them, skimming above the waves at 0.9 Mach tipped with a 165 kg high explosive warhead that could tear through their ship. Even now Parovsky was far more stressed than those young sailors. I’m no less a combatant than those guys, he thought.

  ***

  The nature of the attack was starting to become evident to Parovsky’s Tiger team, which was convened around the SIC conference room’s polished wood table. After the opening salvo, which DCA had identified as High Orbit Ion Cannon traffic, struck State’s network, a second botnet wave launched from Estonia hit the firewall and IPS network.

  “These guys are good,” someone conceded.

  “Yeah. We’re seeing intense impact way beyond the effects considering the number of botnets involved,” Parovsky observed. “Like a souped-up DDOS attack of some sort.”

  Brendan nodded his head up and down, showing he was comprehending the situation. “What have you got?” he asked Ted, who was bringing up different gauges on a computer monitor.

  “We’ve identified the botnets at work against us, but the level of traffic hitting us is way out of proportion,” Ted answered, adding, “I’ve never seen so much traffic coming from so few botnets.”

  “One hundred gigabits per second hitting the servers,” Brendan read off one of the monitors before conjecturing, “Could be an amplification attack.”

  Parovsky shook his head, as if to say he didn’t understand. “Go on,” he ordered, so Brendan would elaborate.

  “It’s an attack vector that takes advantage of well-known protocols to amplify the attack’s traffic volume.”

  “And now so we can all understand...” Parovsky snidely demanded.

  “Sorry.” Brendan’s smile said that he wasn’t doing this intentionally. “These attacks generate amplified responses of up to 300 times when it comes to bandwidth and up to 50 times the traffic volume.” He continued, bringing it down to a technical level all were comfortable with. “Remember, a botnet is basically a whole bunch of infected computers called into action for a DDOS attack. Because the botnet’s ‘constituent’ computers, the ‘hosts’, are infected randomly, it’s just that: random. They can be anywhere in the world. And not every computer has vast bandwidth available, which limits the size of their attack.”

  “OK.” Parovsky opened his eyes wider, as if to say. Get on with it...

  Brendan continued. “So lots of ‘bots’ are required to comprise a DDOS attack of any significance.”

  The heads moving up and down and facial expressions showed that the team was starting to get it.

  “With this new type of attack vector, we’ve seen the effect,” and here he pointed his index finger to stress the last word, “of massive amounts of botnets achieved by a relatively small number of computers. Yet they’re reaching the same attack volume.”

  Ted piped up, half asking and half explaining in layman’s terms. “So it’s like a pair of fighter aircraft on a mission today with some smart bombs accomplishing what required a whole bunch of B-17’s back in World War II.”

  Brendan nodded his head in acceptance of the simile. “Not bad for an Army guy!”

  “Back then it was the Army Air Force, don’t forget!” Ted smiled and winked at Brendan.

  Brendan continued, “This type of attack targets the Network Time Protocol, which is a common Internet protocol used to synchronize activity of all the computers in a network.”

  Parovsky loved when this guy spoke, always amazed at the depth of his knowledge and familiarity with all things cyber. While Parovsky was at times frustrated by Brendan’s overly technical speak, he attributed much of his own industry knowledge to Brendan. He recalled first meeting him and his shock at the rough reality of the cyber world. “People either don’t know or don’t want to know,” Brendan had told him. “But they’ve all been hacked. Every organization in the government, military and intelligence.” Parovsky had found it hard to believe that the country’s most venerable institutions could be hacked, but he came to trust Brendan; Brendan knew.

  “The bad guys attacking us may be taking advantage of the NTP protocol’s distribution, which is based on UDP traffic, which doesn’t require a handshake procedure,” Brendan offered. What was happening was that a server controlled by the Estonians was forging the source address on large numbers of small UDP requests sent to NTP servers, so that each server’s much larger reply went not back to the sender but to the forged address: State’s.

  “Huh?” Parovsky asked, trying not to get annoyed.

  “In simple terms,” Ted interjected. “It falsifies an IP address and then bombards its target.”

  “Any way we can we shut down the servers producing the attacks?” State’s CISO wanted to know.

  Brendan nodded his head in the affirmative.

  “I’ll put in a call to my contacts at FBI and NSA,” Loretta said, taking the action. “I’ll tell them it’s Estonia.”

  “Not necessarily,” Brendan responded. “Remember, geography is meaningless since servers in one country can produce an attack virtually anywhere.”

  “Yeah. Silk Road’s server was in Iceland,” Parovsky added, referring to the billion-dollar Deep Web illegal drug market busted by the FBI.

  Brendan continued: “Usually we find this vulnerability in older versions of the NTP service that allow a remote attacker to use the device to attack.”

  “The NTP isn’t the target,” Ted added. “It’s just an unknowing accomplice to a DDOS attack.”

  “What is this NTP again?” Parovsky asked, slightly embarrassed.

  Ted answered, explaining that the Network Time Protocol keeps all servers and clients in sync from a time perspective, meaning that all devices on the network are on the same time.
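  The mechanism the team has just worked out, as an added example rather than anything from the novel or its author: reflected NTP replies reach the victim from port 123/udp at whatever size the reflector sends, so at State’s edge the tell is UDP traffic from source port 123 whose packets are many times larger than a 48-byte time reply. The script below runs that check over a constructed set of flow records, estimates a lower bound on the amplification each reflector delivers, and measures how much of the flood a country-wide block such as the earlier “no Estonia” rule would actually remove. The victim address, reflector addresses (documentation ranges), country labels, byte counts and the 5x threshold are all assumptions.

```python
"""Flow-record triage for an NTP reflection flood.

Added example, not from the novel: the IP addresses (documentation ranges),
countries and byte counts below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# A normal NTP time exchange is a 48-byte UDP payload in each direction.
# Replies from 123/udp that average far more than that per packet are not
# time replies; they are bulk responses that a spoofed request pointed at
# the victim.
NTP_PACKET_BYTES = 48
# Assumed threshold: treat 5x a normal NTP packet as the amplification mark.
AMPLIFICATION_THRESHOLD = 5.0
VICTIM = "203.0.113.10"  # assumed address of the flooded web server


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str         # "udp" or "tcp"
    packets: int
    payload_bytes: int
    src_country: str   # label an IP geolocation lookup would attach


# Constructed sample as seen at the victim's edge: three reflectors answering
# from 123/udp with large payloads (one in Estonia, two elsewhere), one
# legitimate 48-byte NTP reply, and ordinary HTTPS traffic.
SAMPLE_FLOWS = [
    Flow("198.51.100.7", 123, VICTIM, 80, "udp", 1000, 440_000, "EE"),
    Flow("198.51.100.9", 123, VICTIM, 80, "udp", 800, 352_000, "US"),
    Flow("192.0.2.44", 123, VICTIM, 80, "udp", 1200, 528_000, "BR"),
    Flow("192.0.2.1", 123, VICTIM, 51234, "udp", 1, 48, "US"),
    Flow("192.0.2.2", 51000, VICTIM, 443, "tcp", 30, 9_000, "US"),
]


def avg_payload(flow):
    """Average UDP payload bytes per packet in a flow."""
    return flow.payload_bytes / flow.packets


def reflection_flows(flows, victim=VICTIM):
    """UDP flows from port 123 to the victim whose packets are far larger
    than a time reply: the signature of reflected, amplified traffic."""
    return [
        f for f in flows
        if f.dst_ip == victim and f.proto == "udp" and f.src_port == 123
        and avg_payload(f) > AMPLIFICATION_THRESHOLD * NTP_PACKET_BYTES
    ]


def amplification_lower_bound(flow):
    """Bytes delivered to the victim per byte the attacker had to spoof.

    Each reply packet was solicited by at most one 48-byte request, so the
    ratio of average reply size to request size is a lower bound; a single
    request that triggers several reply packets amplifies more than this.
    """
    return avg_payload(flow) / NTP_PACKET_BYTES


def country_block_effect(flows, country, victim=VICTIM):
    """Fraction of reflected bytes a country-level block would stop.

    This is the check behind the "no Estonia" rule: reflectors answer from
    wherever they happen to sit, so blocking one country removes only that
    country's share of the flood.
    """
    refl = reflection_flows(flows, victim)
    total = sum(f.payload_bytes for f in refl)
    blocked = sum(f.payload_bytes for f in refl if f.src_country == country)
    return blocked / total if total else 0.0


def triage(flows, victim=VICTIM):
    """Summary a responder would hand to the upstream scrubbing provider:
    the reflector addresses to filter, their country spread, and the worst
    observed amplification."""
    refl = reflection_flows(flows, victim)
    return {
        "reflectors": sorted(f.src_ip for f in refl),
        "countries": dict(Counter(f.src_country for f in refl)),
        "reflected_bytes": sum(f.payload_bytes for f in refl),
        "max_amplification": max((amplification_lower_bound(f) for f in refl),
                                 default=0.0),
    }


if __name__ == "__main__":
    print(triage(SAMPLE_FLOWS))
    print("blocking EE stops %.0f%% of the reflected bytes"
          % (100 * country_block_effect(SAMPLE_FLOWS, "EE")))
```

On the constructed sample the Estonian reflector carries a third of the reflected bytes, which is why a geo-block slows the flood and then stops mattering; the reflector list is what a scrubbing provider can act on regardless of geography. Real flow exports do not show the attacker’s spoofed requests at all, since those travel from the attacker to the reflectors, which is why the amplification figure is only a lower bound.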

  “So what do we do about it?” Parovsky asked.

  “Can we disable the NTP’s?” Loretta asked.

  “It’s an option,” Brendan responded, before turning to State’s CISO and adding, “We definitely need to harden them. I can help with that.”

  Ted nodded in agreement.

  Parovsky wasn’t sure what that entailed, but could be confident that if Brendan suggested it and took it as an action, it would be done.

  Brendan would see to it that the State Department hardened its network infrastructure with stress tests that subjected it to application-level assaults, security attacks and heavy load to probe for weaknesses and vulnerabilities. “You need to subject them to real-world conditions prior to deployment,” he told State’s CISO.

  “We’ve done that,” the old man responded. “We’ve done volume-based attacks, protocol-based and application-layer attacks looking for vulnerabilities within the network.”

  “And what about after patches and configuration changes?” Brendan asked.

  This was met by silence, revealing where some of the weaknesses may have been found and exploited. Looking to State’s rep, Ted added that State needed to deploy the latest version of NTP.
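  What “hardening them” and “the latest version of NTP” amount to in practice, as an added example and not text from the novel: an ntpd configuration that serves time to anyone but refuses the status and control queries a reflector is abused for, so the server cannot be turned into an accomplice even if it is reachable from the Internet. The upstream server names are placeholders.

```conf
# /etc/ntp.conf fragment -- added example, not from the novel.
# Run a current ntpd (4.2.7p26 and later no longer answer the bulk
# "monlist" query) and, independently of version, refuse control queries.
driftfile /var/lib/ntp/ntp.drift

# Upstream time sources (placeholder names; substitute your own).
server time1.example.gov iburst
server time2.example.gov iburst

# Default policy for all clients: answer time requests, nothing else.
#   kod      answer a rejected request with a kiss-o'-death packet instead of
#            silently dropping it (works together with "limited")
#   limited  deny clients that exceed the rate set by the discard command
#   nomodify refuse runtime configuration changes
#   notrap   refuse the trap service
#   nopeer   refuse unsolicited peer associations
#   noquery  refuse ntpq/ntpdc status queries (modes 6 and 7), which is
#            what a spoofed request would turn into a large reply
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# Management queries only from the host itself.
restrict 127.0.0.1
restrict -6 ::1

# On older builds, also switch off the monlist collector outright.
disable monitor
```

After the change, `ntpq -p` still works locally, but the same query from another host gets no answer, which is the behaviour to confirm after every patch or configuration change rather than only before deployment.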

  “Why weren’t we protected against this?” State’s CISO asked. Agencies had a tendency to pass the blame as a way of covering their own asses after a cyber-attack.

  “First of all, State is responsible for State,” Parovsky admonished him. “You know that every agency manages its own IT systems. Don’t try to pin the blame on DCA.”

  “No, I didn’t mean it that way,” he backed off apologetically. It was getting late in the day, and all were tired and edgy.

  “It’s all about managing risks,” Parovsky told him. “You cannot defend each and every server. No one has the resources nor money for that. It’s the same as physical defenses. You don’t deploy all of your forces at the border. You build a fence and install sensors and remote surveillance equipment at various intervals for monitoring. And a dynamic force responds to threats.” Parovsky stopped for a second and smiled, proud at himself for the military analogy, thinking how the colonel would have been proud of him if only he had been in the room to hear this—his star disciple.

  “Here’s what we’re gonna’ do,” Parovsky offered. “We’re going to work through each page and section on your site, manually testing user input including POST, GET, COOKIE, and SESSION variables.”

  “Sounds thorough enough,” the CISO consented, nodding his head in agreement.

  “The test takes anywhere from ten to 28 hours, depending upon how detailed or extensive an audit you want us to do.”

 
