
Earlier this weekend, one of our readers reported an odd attack against an Apache web server that he supports. The server was getting pounded with port 80 requests like the excerpt below. The attack had been ramping up since the 21st of July, but the "owners" of the server only noticed problems with website accessibility today. They contacted the server support staff, who attempted to block the attack by scripting a search for the particular user agent string and dropping each matching IP address into iptables rules. One big problem though: the attack was originating from upwards of 4 million IP addresses over the past several days, about 40k each hour. That many individual rules in an iptables chain is generally unmanageable, since every packet is checked against the chain rule by rule and the cost grows with the rule count.

The last-ditch effort was to use mod_security to drop the connection of anyone sending that user agent. Unfortunately, the string is the one a genuine Internet Explorer 6 on Windows XP SP2 sends, so a small percentage of legitimate customers may be blocked by this containment measure. With it in place the server is usable again, at least until the attackers change their modus operandi.

It appears that the botnet of the day was targeting this domain for reasons we do not really understand. Our reader wanted to share this information to help others defend against this type of activity in the future. It is quite likely that others out there are under attack now or will be in the future.

I would encourage our readers to think about how you would counteract an attack of this scale on your web servers. This would be a good scenario to train and practice within your security organization and server support teams. If you have other novel ideas on how to defend against this type of attack, please comment on this diary.


Sample of the DoS attack traffic (only 7 of literally 4 million log lines from the past few days; source addresses anonymised):
A.B.120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST /?CtrlFunc_yyyzzzzzzzzzz00000000001111111 HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "POST /?CtrlFunc_FFFGGGGGGGGGGGGGGGGGGGGGGHHHHH HTTP/1.1" 404 9209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
G.H.76.206 - - [21/Jul/2013:02:53:45 +0000] "POST /?CtrlFunc_iOeOOkzUEV8cUMTiqhZZCwwQBvH9Ot HTTP/1.0" 404 9136 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
I.J.21.174 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34778 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
K.L.57.51 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
M.N.29.143 - - [21/Jul/2013:02:53:46 +0000] "POST /?CtrlFunc_ooppppppppppqqqqqqqqqqrrrrrrrr HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

mod_security rule (ModSecurity 2.7 and later refuse to load a rule without a unique id action, so one has been added from the 1-99,999 range the ModSecurity manual reserves for local rules; t:none switches off any default transformations so the anchored regex is applied to the header as received):
# Drop the TCP connection, in the request-header phase, of any client whose
# User-Agent is exactly the flood's string. Genuine IE6/XP SP2 users are dropped too.
SecRule REQUEST_HEADERS:User-Agent "^Mozilla/4.0 \(compatible; MSIE 6.0; Windows NT 5.1; SV1\)$" "id:10001,phase:1,t:none,log,drop,msg:'Brute Force Attack Dropped'"
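To make the numbers in the diary concrete, here is an added example, not the reader's script or anything from the original post, that parses Apache combined-format log lines, separates flood requests from other traffic with a signature tighter than the user agent alone, and counts distinct source addresses per hour. The input is the seven anonymised lines from the excerpt plus two constructed requests: a genuine IE6 visitor who sends the same user agent but with a GET and a referer, and an unrelated browser. Every flood line shown is a POST with an empty referer to either / or /?CtrlFunc_<token> (and the POST / requests get a 200 and roughly 34 KB back, so each one costs the server a full page render); requiring those three properties together lets the user agent through when it arrives the way a real browser sends it. That the pattern holds across all 4 million lines is an assumption based on the seven shown. The ipset_commands() helper is my suggestion, not something the diary mentions: it emits one iptables rule that consults a single ipset hash:ip set with a timeout, so lookups stay fast however many addresses are added and entries age out on their own.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" log format, as used in the excerpt above:
# host ident user [time] "method path proto" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/\d\.\d" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# The exact user agent the flood used (the string IE6 on Windows XP SP2 sends).
FLOOD_UA = "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"

# Constructed sample: the seven anonymised lines from the diary, followed by two
# made-up legitimate requests (the first from a real IE6 with the same UA).
SAMPLE_LOG = [
    'A.B.120.152 - - [21/Jul/2013:02:53:42 +0000] "POST /?CtrlFunc_DDDDDEEEEEEEFFFFFFFGGGGGGGHHHH HTTP/1.1" 404 9219 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'C.D.3.168 - - [21/Jul/2013:02:53:43 +0000] "POST /?CtrlFunc_yyyzzzzzzzzzz00000000001111111 HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'E.F.67.90 - - [21/Jul/2013:02:53:44 +0000] "POST /?CtrlFunc_FFFGGGGGGGGGGGGGGGGGGGGGGHHHHH HTTP/1.1" 404 9209 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'G.H.76.206 - - [21/Jul/2013:02:53:45 +0000] "POST /?CtrlFunc_iOeOOkzUEV8cUMTiqhZZCwwQBvH9Ot HTTP/1.0" 404 9136 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'I.J.21.174 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34778 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'K.L.57.51 - - [21/Jul/2013:02:53:45 +0000] "POST / HTTP/1.1" 200 34796 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    'M.N.29.143 - - [21/Jul/2013:02:53:46 +0000] "POST /?CtrlFunc_ooppppppppppqqqqqqqqqqrrrrrrrr HTTP/1.1" 404 9213 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # constructed: a real IE6 user following a link (same UA, but GET with a referer)
    'P.Q.10.20 - - [21/Jul/2013:02:53:46 +0000] "GET /index.html HTTP/1.1" 200 34778 "http://www.example.com/" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    # constructed: unrelated browser
    'R.S.30.40 - - [21/Jul/2013:02:53:47 +0000] "GET / HTTP/1.1" 200 34778 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:22.0) Gecko/20100101 Firefox/22.0"',
]


def parse(line):
    """Return the combined-log fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_flood_request(rec):
    """Flood signature derived from the excerpt: the bot's UA, a POST, an empty
    referer, and a target of / or /?CtrlFunc_<token>. A browser following links
    sends GETs with a referer, so the same UA alone is not enough to match."""
    return (rec["ua"] == FLOOD_UA
            and rec["method"] == "POST"
            and rec["referer"] == "-"
            and (rec["path"] == "/" or rec["path"].startswith("/?CtrlFunc_")))


def summarize(lines):
    """Count parsed lines, UA-only hits (what the posted mod_security rule drops),
    signature hits, distinct flood sources, and distinct flood sources per hour."""
    stats = {"total": 0, "unparsed": 0, "ua_only": 0, "flood": 0}
    flood_ips = Counter()
    per_hour = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec is None:
            stats["unparsed"] += 1
            continue
        stats["total"] += 1
        if rec["ua"] == FLOOD_UA:
            stats["ua_only"] += 1
        if is_flood_request(rec):
            stats["flood"] += 1
            flood_ips[rec["ip"]] += 1
            # "21/Jul/2013:02:53:42 +0000"[:14] -> "21/Jul/2013:02", i.e. the hour bucket
            per_hour[rec["time"][:14]].add(rec["ip"])
    stats["distinct_flood_ips"] = len(flood_ips)
    stats["legit_same_ua"] = stats["ua_only"] - stats["flood"]   # would be blocked by UA alone
    stats["ips_per_hour"] = {hour: len(ips) for hour, ips in per_hour.items()}
    return stats, flood_ips


def ipset_commands(flood_ips, setname="http_flood", ttl=3600):
    """Suggested alternative to one iptables rule per address (not from the diary):
    a single hash:ip set with per-entry timeouts, matched by one iptables rule.
    maxelem is raised well above the default of 65536 to hold millions of entries."""
    cmds = [
        f"ipset -exist create {setname} hash:ip timeout {ttl} maxelem 4194304",
        f"iptables -I INPUT -p tcp --dport 80 -m set --match-set {setname} src -j DROP",
    ]
    cmds += [f"ipset -exist add {setname} {ip} timeout {ttl}" for ip in sorted(flood_ips)]
    return cmds


if __name__ == "__main__":
    stats, ips = summarize(SAMPLE_LOG)
    for key, value in stats.items():
        print(f"{key}: {value}")
    print("\n".join(ipset_commands(ips)))
```

Run directly, it prints the summary and the generated commands; in production the lines would come from the live access log and the ipset commands would be executed rather than printed. The point of the per-hour set is to size the block list: at the 40k new addresses per hour the diary reports, a one-hour timeout keeps the set bounded while still dropping the sources that are active.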


 

(c) SANS Internet Storm Center. http://isc.sans.edu Creative Commons Attribution-Noncommercial 3.0 United States License.
 

Wireshark 1.8.9 and 1.10.1 fix the following security issues; the first two groups apply to both versions, the third to 1.10.1 only.

The following dissectors could go into a large loop (both versions):

Bluetooth SDP (CVE-2013-4927)
DIS (CVE-2013-4929)
GSM RR (CVE-2013-4931)

The following parsers/dissectors could crash (both versions):

DVB-CI (CVE-2013-4930)
GSM A Common (CVE-2013-4932)
Netmon (CVE-2013-4933 and CVE-2013-4934)
ASN.1 PER (CVE-2013-4935)

The following parsers/dissectors could crash (applies to 1.10.1 only):

DCP ETSI (CVE-2013-4083)
P1 (CVE-2013-4920)
Radiotap (CVE-2013-4921)
DCOM ISystemActivator (CVE-2013-4922, CVE-2013-4923, CVE-2013-4924, CVE-2013-4925, CVE-2013-4926)
Bluetooth OBEX (CVE-2013-4928)
PROFINET (CVE-2013-4936)

Several other bugs have been fixed. The complete lists are in the release notes for version 1.8.9 [2] and version 1.10.1 [1].

[1] http://www.wireshark.org/docs/relnotes/wireshark-1.10.1.html
[2] http://www.wireshark.org/docs/relnotes/wireshark-1.8.9.html

-----------

Guy Bruneau IPSS Inc. gbruneau at isc dot sans dot edu
