October 21, 2014
In the last couple of weeks, Hong Kong has been under siege by a barrage of cyber attacks. Though the city boasts one of the fastest Internet speeds in the world, most targeted sites in the region still fell victim to these DDoS attacks.
Most DDoS attacks can be classified as 1) volumetric attacks or 2) application attacks. In recent years, security appliances have been improved dramatically and can generally fend off common volumetric attacks. In further analyzing these attacks against Hong Kong’s digital assets, it appears that most of these threats belonged to the second type of DDoS attacks – application attacks that appeared as legitimate traffic. These application DDoS attacks were able to fool and even bypass traditional mitigation devices, causing severe outage to websites.
I’ve studied and replicated two DDoS tools (WebHIVE and XMLRPC) to understand the attack patterns, attack logic used and the impact and risks these DDoS attacks in Hong Kong have created… and of course, the solution / method to protect one’s server against these tools.
The first tool – WebHIVE – is a web-base DDoS attack tool that contains JavaScript embedded inside a web-link. The benefit of this tool is its ease of implementation. Hacktivist have even released a simple version to better facilitate DDoS attacks in Hong Kong.
The second tool – XMLRPC – is different from WebHIVE in that one single computer can amplify a huge layer 7 (application) flood attack. This tool was also prepared by hacktivist groups to help spread DDoS attacks in Hong Kong.
For more in-depth analysis on these two attack tools and the DDoS attacks in Hong Kong, please visit my blog.