Search

Protecting China's Financial Institutions Against DDoS Attacks Initiated Outside of China

2018-12-17

On December 11, Lorian Synaro, a suspected member of the hacker organization Anonymous, called on Twitter to launch a new round of attacks named "OpIcarus 2018 (OpIcarus 2.0)" on global central bank websites.

It is reported that the OpIcarus attack was launched in 2016 for the first time. It is mainly targeted at global financial institutions (banks) for continuous DDoS attacks, including TCP Flood/UDP Flood attacks, HTTP/HTTPS Flood attacks, a large number of HTTP POST requests, and exploits of SQL injection vulnerabilities on application systems.

Since the night of December 13, the HTTP and HTTPS online services of multiple banks in China have been plagued by attacks from addresses outside China. According to the data captured in this round of OpIcarus attacks, the attacks are hybrid attacks, which consist of NTP reflection amplification attacks and CC attacks on port 80 and port 443.

For the CC attacks on port 80 and port 443, carriers blocked attack traffic on international gateways to effectively protect the links of the attacked financial customers. Moreover, CC attack traffic at dozens of Mbps was further filtered out by carriers' devices on the MAN. However, more than 10 Mbps CC attack traffic was transmitted to the data centers of financial customers. As a result, the CPU usage of their web servers greatly increased; the response was slowed down; the normal access of users in China was affected. According to the analysis of attack information, the CC attacks include SYN, ACK, RST, Fin, TCP connection, HTTP Get, and HTTPS application attacks (with key exchange packets). The attack sources are scattered widely in America, Canada, Brazil, Indonesia, Uruguay, Ecuador, Greece, South Africa, Czech, Thailand, Hong Kong, etc.


For financial customers who have deployed anti-DDoS devices, the following defense policies are recommended:

Because the attack sources are mainly outside China, enable the geographical location-based filtering policy to shield the attack traffic outside China.

As CDN acceleration is commonly used for financial services, use the whitelist function for CDN IP addresses to prevent strict defense policy configuration from affecting normal services.

As financial services do not involve UDP traffic, limit the rate of UDP traffic to effectively protect bandwidth.

To defend against various types of CC attacks, (1) enable the following session-layer defense policies: setting the authentication mode for SYN flood attack defense to right-seq, checking ACK, FIN, and RST sessions, and limiting the rate of new and concurrent TCP sessions, and (2) enable the following application-layer attack defense policies: enabling HTTP 302 redirection and checking HTTPS session integrity (most attacks do not establish complete SSL sessions).

In addition, the attack data shows that the rate of NTP attack traffic is less than 40 Gbps. According to the statistics and analysis of previous Anonymous attack events, this hacker organization usually used small-to-moderate attack traffic to cause panic to the financial manufacturing industry, so as to express its political propositions. On a large-scale attack initiated by this hacker organization to Turkey in 2015, the peak traffic rate was only 40+ Gbps. However, the data center bandwidth of financial enterprises in China is generally 20 Gbps or below, so an attack at 40 Gbps will cause a strong impact on the financial enterprises.


Therefore, to defend against this round of DDoS attacks targeting financial enterprises, Huawei recommends layered defense for hierarchical mitigation and precise protection.

First, use cloud mitigation to effectively filter out flood attack traffic on the upstream to ensure the bandwidth availability of financial enterprises.

Then, use the anti-DDoS system deployed on the border of a financial enterprise data center to defend against small-to-moderate CC attack traffic, ensuring the availability of the entire online financial service system.

Huawei AntiDDoS products have succeeded in fighting Anonymous on Turkey Telecom network in 2015. Since December 13, Huawei AntiDDoS product team has successfully helped multiple financial customers in China defend against OpIcarus attacks. Huawei AntiDDoS product team provides effective defense policy recommendation based on the experience of defending against this round of attacks. It is recommended that financial enterprises pay attention to attack warnings and attack traffic fluctuation in real time.

TOP