On December 11, Lorian Synaro, a suspected member of the hacker organization Anonymous, called on Twitter to launch a new round of attacks named "OpIcarus 2018 (OpIcarus 2.0)" on global central bank websites.
OpIcarus was reportedly first launched in 2016. It mainly targets global financial institutions (banks) with sustained DDoS attacks, including TCP flood/UDP flood attacks, HTTP/HTTPS flood attacks, large volumes of HTTP POST requests, and exploitation of SQL injection vulnerabilities in application systems.
Since the night of December 13, the HTTP and HTTPS online services of multiple banks in China have been under attack from addresses outside China. The data captured in this round of OpIcarus attacks shows hybrid attacks: NTP reflection amplification combined with CC attacks on port 80 and port 443.
For the CC attacks on port 80 and port 443, carriers blocked attack traffic at international gateways, effectively protecting the links of the attacked financial customers. CC attack traffic of dozens of Mbps was further filtered out by carrier devices on the MAN. However, more than 10 Mbps of CC attack traffic still reached the data centers of financial customers. As a result, the CPU usage of their web servers rose sharply, responses slowed down, and normal access by users in China was affected. Analysis of the attack data shows that the CC attacks include SYN, ACK, RST, FIN, TCP connection, HTTP GET, and HTTPS application-layer attacks (with key exchange packets). The attack sources are widely scattered across America, Canada, Brazil, Indonesia, Uruguay, Ecuador, Greece, Russia, South Africa, the Czech Republic, Thailand, Hong Kong, and elsewhere.
• Because the attack sources are mainly outside China, enable the geographical location-based filtering policy to block attack traffic from outside China.
• As CDN acceleration is commonly used for financial services, use the whitelist function for CDN IP addresses so that a strict defense policy does not affect normal services.
• As financial services do not involve UDP traffic, limit the rate of UDP traffic to protect bandwidth effectively.
• To defend against the various types of CC attacks, (1) enable the following session-layer defense policies: set the authentication mode for SYN flood defense to right-seq, check ACK, FIN, and RST sessions, and limit the rate of new and concurrent TCP sessions; and (2) enable the following application-layer defense policies: enable HTTP 302 redirection and check HTTPS session integrity (most attacks do not establish complete SSL sessions).
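The four defense bullets above turned into a per-source triage routine, as an added example that is not part of the original advisory or a Huawei AntiDDoS feature: it labels constructed flow records with the attack categories named in the analysis (bare SYN/ACK/RST/FIN, HTTPS sessions without key exchange, HTTP GET floods, NTP reflection) and then applies the CDN whitelist, geo filter, UDP rate limit and session/application-layer policies in that order. The field names, thresholds, country codes and CDN prefix are assumptions.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
CDN_PREFIXES = ("203.0.113.",)  # hypothetical CDN egress prefix (TEST-NET-3 placeholder)

@dataclass
class Flow:
    src: str            # source IP (constructed sample values below)
    country: str        # ISO code from a geo lookup, assumed already resolved
    proto: str          # "tcp" or "udp"
    dport: int
    flags: str          # TCP flags seen: bare "S"/"A"/"R"/"F", or "PA" for data
    tls_complete: bool  # True if the TLS key exchange finished (a full SSL session)
    http_requests: int  # HTTP requests carried by the connection

def classify(f: Flow) -> str:
    """Map one flow to the attack categories named in the analysis above."""
    if f.proto == "udp":
        return "ntp-reflection" if f.dport == 123 else "udp-other"
    if f.flags in ("S", "A", "R", "F"):
        return f"{f.flags}-flood"      # bare SYN/ACK/RST/FIN packets, no real session
    if f.dport == 443 and not f.tls_complete:
        return "https-incomplete"      # connection opened, key exchange never finished
    if f.dport == 80 and f.http_requests > 50:
        return "http-get-flood"        # constructed per-connection threshold
    return "normal"

def decide(flows):
    """Per source, apply the bullets above in order; returns {src: action}."""
    by_src = defaultdict(list)
    for f in flows:
        by_src[f.src].append(f)
    actions = {}
    for src, fl in by_src.items():
        cats = Counter(classify(f) for f in fl)
        if src.startswith(CDN_PREFIXES):
            actions[src] = "allow (CDN whitelist)"
        elif set(cats) == {"normal"}:
            actions[src] = "allow"
        elif fl[0].country != "CN":
            actions[src] = "block (geo filter)"
        elif cats["ntp-reflection"] or cats["udp-other"]:
            actions[src] = "rate-limit UDP"
        else:
            actions[src] = "session/app-layer defence (SYN auth, HTTP 302, TLS check)"
    return actions
# Constructed sample: overseas TLS probe without key exchange, CDN node, domestic GET flood.
SAMPLE = [
    Flow("198.51.100.7", "BR", "tcp", 443, "PA", False, 0),
    Flow("203.0.113.10", "SG", "tcp", 443, "PA", False, 0),
    Flow("192.0.2.5", "CN", "tcp", 80, "PA", False, 300),
]
```

Note that the CDN node's aborted session is allowed through untouched, which is exactly why the whitelist is evaluated before the HTTPS integrity check.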
In addition, the attack data shows that the NTP attack traffic rate is below 40 Gbps. Statistics and analysis of previous Anonymous attacks show that this hacker organization usually uses small-to-moderate attack traffic to cause panic in the financial and manufacturing industries as a way of expressing its political positions. In a large-scale attack this organization launched against Turkey in 2015, the peak traffic rate was only 40+ Gbps. However, the data center bandwidth of financial enterprises in China is generally 20 Gbps or below, so a 40 Gbps attack would have a strong impact on them.
To learn more about Huawei AntiDDoS products, see: https://e.huawei.com/en/products/enterprise-networking/security/anti-ddos/8000