Pulling Practices and Techniques from Experience – “Pathetic DDoS vs Security Sites”

Read through Metasploit’s blog post titled Pathetic DDoS vs Security Sites. It documents several key steps that many companies do not know about when trying to mitigate the impact of a DDoS attack. In this case, the DDoS targets a specific domain – metasploit.com. Step 1 is to classify the attack. Traffic analysis – via DNS logs, NetFlow, IDPs, and other tools – allowed Metasploit to classify where the attack was landing: the targeted IP address and the domain metasploit.com.

Next, Metasploit moves the DNS A records and the services for its other domains to a different IP address from the one being targeted. This is step 2: moving the services off the targeted IP address and (in this case) domain name.

Step 3 is changing the DNS A record of the targeted domain to 127.0.0.1. The goal is to have any new look-ups for this domain “poisoned,” so that the attack packets are sent to the bot’s own local loopback. This is an often overlooked step. Many would think it would be of no use, since many of the bots in the DDoS attack use DNS implementations that will not refresh the DNS cache until the PC reboots. But that is short-sighted. DDoS attacks like the ones experienced by Metasploit, Packet Storm and Milw0rm last for days (and in some cases weeks). Over time, moving the targeted domain to 127.0.0.1 has a mitigating effect.

Step 4 is overlooked in the blog article. It is at this point where you need help. At a minimum, it is time for a dRTBH. Destination-Based Remotely Triggered Black Hole (dRTBH) is a tool your upstream Service Provider (SP) can use to move the packet drops from your network to the edge of their network. Yes, the DDoS attack is still underway, but the packets that were being dropped on your network are now dropped elsewhere.
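Steps 1 and 4 above, as an added example that is not part of the original post: it runs the classification over a handful of constructed NetFlow-style records, names the domain whose A record points at the victim (using hypothetical zone data), and builds the /32 host route you would hand to your SP for the dRTBH. The 65535:666 community is the BLACKHOLE community from RFC 7999; the community your SP actually honours is assigned by them.

```python
import ipaddress
from collections import defaultdict

# Constructed NetFlow-style records, not real traffic: (src_ip, dst_ip, dst_port, packets)
FLOWS = [
    ("198.51.100.10", "203.0.113.5", 80, 9000),
    ("198.51.100.11", "203.0.113.5", 80, 8700),
    ("198.51.100.12", "203.0.113.5", 80, 9100),
    ("198.51.100.13", "203.0.113.5", 80, 8900),
    ("192.0.2.20", "203.0.113.7", 443, 120),
    ("192.0.2.21", "203.0.113.7", 443, 90),
    ("192.0.2.22", "203.0.113.5", 80, 40),
]

# Constructed view of the zone (hypothetical names): which domain each service address serves
A_RECORDS = {"www.example.org": "203.0.113.5", "mail.example.org": "203.0.113.7"}


def classify_attack(flows, a_records, min_sources=3, packet_ratio=0.8):
    """Step 1: find the destination that absorbs at least `packet_ratio` of all
    packets from at least `min_sources` distinct sources (many sources, one
    target is the DDoS signature). Returns (victim_ip, [domains], stats) or
    None when no single destination stands out."""
    pkts = defaultdict(int)
    srcs = defaultdict(set)
    for src, dst, _port, n in flows:
        pkts[dst] += n
        srcs[dst].add(src)
    total = sum(pkts.values())
    victim = max(pkts, key=pkts.get)
    share = pkts[victim] / total
    if share < packet_ratio or len(srcs[victim]) < min_sources:
        return None
    # Map the victim address back to the domain(s) it serves, as the DNS logs would
    domains = sorted(d for d, ip in a_records.items() if ip == victim)
    stats = {"packets": pkts[victim], "share": share, "sources": len(srcs[victim])}
    return victim, domains, stats


def rtbh_announcement(victim_ip, blackhole_community="65535:666"):
    """Step 4: the host route (/32) plus blackhole community to announce to the
    upstream SP so the drops move to their network edge."""
    net = ipaddress.ip_network(victim_ip)  # a bare address becomes a /32
    return {"prefix": str(net), "community": blackhole_community}


if __name__ == "__main__":
    result = classify_attack(FLOWS, A_RECORDS)
    if result:
        victim, domains, stats = result
        print("victim", victim, "serves", domains, stats)
        print("dRTBH request:", rtbh_announcement(victim))
```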

At this point, your network is restored to “partial service.” You can choose to go in several directions:

  • Asking your SP for their “Clean Pipes” service, which restores full service by scrubbing the traffic through cleanup boxes.
  • Working with your SP, their peers, and the security operations community to track the attack to the bots, then backtrace the attack to the controller, and then either shut down the controller or continue the backtrace to the human driving the attack.
  • Waiting out the attack until the people driving it get tired.

A word of warning. Humans drive DDoS attacks. In fact, I don’t like calling them DDoS attacks. I refer to them as extortion and retribution. The humans running this retribution attack on Metasploit, Packet Storm and Milw0rm are watching. Assume that they will not just go away. They will shift their attacks – to a new domain, a new IP address, a new attack profile – or move them upstream to the SP whose routers are providing your service.

Need Security Advice?

If you find your organization needs help and you are worried about the FUD from the industry, reach out and ask for help. You can reach me at bgreene@senki.org. Start with the Operator’s Security Toolkit. It is no-nonsense security guidance for all Operators, with the details they need to build more resilient networks. In the meantime, stay connected to the Senki Community to get updates on new empowerment and security insights.