DDoS and Geopolitics – Attack analysis in the context of the Israeli-Hamas conflict

By: Kirk Soluk -

Since its inception, the ASERT team has been looking into politically motivated DDoS events [1] and continues to do so as the relationship between geopolitics and the threat landscape evolves [2]. In 2013, ASERT published three situational threat briefs related to unrest in Syria [3] and Thailand [4] and threat activity associated with the G20 summit [5].  Recently, other security research teams, security vendors and news agencies have posited connections between “cyber” and geopolitical conflicts in Iraq [6], Iran [7], and Ukraine [8] [9].

Given the increasing connections being made between security incidents and geopolitical events, I checked Arbor’s ATLAS data to look at DDoS activity in the context of the current conflict between Israel and Hamas. Arbor’s ATLAS initiative receives anonymized traffic and DDoS attack data from over 290 ISPs that have deployed Arbor’s Peakflow SP product around the globe. Currently monitoring a peak of about 90 Tbps of IPv4 traffic, ATLAS see’s a significant portion of Internet traffic, and we can use that to look at reported DDoS attacks sourced from or targeted at various countries.

Israel as a Target of DDoS Attacks

Frequency

Figure 1 depicts the number of reported DDoS attacks initiated against Israel per day over the period June 1st through August 3rd, 2014:

Figure1

Figure 1: Number of attacks launched per day where destination country = Israel

We observe that the number of attacks begins to rise the first week in July going from an average of 30 attacks initiated per day in June to an average of 150 attacks initiated per day in July peaking at 429 attacks on July 21st. Event wise, June 30th is when Israel attributed the deaths of three Israeli teenagers to Hamas [10] then, on July 7th launched Operation Protective Edge which “its military indicated could be a long-term offensive against the Hamas-ruled Gaza Strip” [11]. The conflict, as well as the number of DDoS attacks initiated per day both intensify until we notice a precipitous drop occurring on July 28th lasting through August 2nd. This drop in the number of attacks roughly correlates with the ultimately unsuccessful cease fire talks that began on July 27th:

On July 27th, Reuters reported [13] that the U.N. Security Council agreed on a statement, drafted by Jordan, urging Israel, Palestinians and Islamist Hamas militants to implement a humanitarian truce beyond the Muslim holiday of Eid al-Fitr and that “Gaza Strip residents and Reuters witnesses said Israeli shelling and Hamas missile launches slowly subsided on Sunday, suggesting a de facto truce might be taking shape.”

On July 29th, according to the Jewish Daily Forward [14], “the Palestinian Authority announced that it had brokered a 24-hour humanitarian cease-fire with all Palestinian factions with the possibility of extending it an additional 48 hours.”

On July 31st, diplomats from the United States and United Nations announced that Israel and Hamas agreed to a 72-hour unconditional cease-fire [15].

On August 1st, the 72-hour unconditional cease-fire lasted, depending on various reports, anywhere from 90 minutes to four hours [16].

On August 3rd, we notice that the number of attacks rises again sharply. From July 28th through August 2nd, there were a total of 192 attacks. On August 3rd there were 268.

Size

In addition to the number of DDoS attacks initiated per day, we also notice an increase in the peak size of those attacks. Figure 2 illustrates that in June, no attack exceeded 12 Gbps. In July, seven attacks exceeded 12 Gbps, the largest peaking at 22.56 Gbps on July 12th. On August 3rd, after the cease-fire talks fell apart, the largest attack was observed at 29 Gbps:

Figure 2: Peak attack sizes (Gbps) for attacks launched on a given day

Figure 2: Peak attack sizes (Gbps) for attacks launched on a given day


Duration

Not only have the number and size of attacks increased in accordance with the intensity of the conflict, so has the duration. In June, the average duration of attacks was 20 minutes with a peak duration of 24 hours. In July, the average duration was 1 hour and 39 minutes with the July 19th attack still being reported as unmitigated after approximately two weeks:

Figure 3: Peak Duration (in minutes) for attacks launched on a given day

Figure 3: Peak Duration (in minutes) for attacks launched on a given day

In summary, as the intensity of the Israeli-Hamas conflict has increased, so has the number, size and duration of the DDoS attacks targeting Israel. Additionally, it even appears as if the attackers have made an effort to adhere to the “real world” calls for a cease-fire, resuming their attacks when the cease fire fell through.

Attack Methodologies and Targets

We can also provide some additional detail and insight into the nature of the attacks described above that may be helpful for practitioners. No attempt is made to relate these details to any geopolitical events.

The vast majority (47%) of the 5346 attacks summarized above involved the use of IP Fragments suggesting the use of reflection/amplification techniques. In a reflection/amplification attack, improperly configured hosts on improperly configured networks are used to magnify attack traffic. The technique allows the attacker to disguise their presence and generate significant amounts of attack traffic by issuing small queries to any number of these intermediate hosts, each of which, returns larger (amplified) responses to the victim.

DNS and NTP were the most common protocols used to perform the reflection/amplification attacks targeting Israel over this time period. For a thorough treatment of NTP-based reflection amplification attacks, including mitigation strategies, readers are referred to ASERT Threat Intelligence Brief 2014-5: Comprehensive Insight and Mitigation Strategies for NTP Reflection/Amplification Attacks, which is available upon request.

Other observed attack methodologies include malformed DNS queries against web servers (not DNS servers), layer-7 HTTP and HTTP/S attacks against web-based authentication subsystems and scripts, and repeated page downloads and GETs/POSTs against non-existent URIs. This attack pattern bears a striking resemblance to the Brobot-based attacks used in the Operation Ababil campaign against the US Financial industry in 2013 [17]. On June 30th, Forbes reported that Brobot was back in an article entitled “Bank-Busting Jihadi Botnet Comes Back to Life. But Who is Controlling it this Time?” [18]. We don’t know who is controlling it, but Brobot is being used to attack Israeli civilian governmental agencies, military agencies, financial services and Israel’s cc TLD DNS infrastructure.

References

[1] http://www.arbornetworks.com/asert/2007/12/political-ddos-ukraine-kasparov/

[2] http://www.arbornetworks.com/asert/2013/05/estonia-six-years-later/

[3] ASERT Threat Intelligence Brief 2013-5: Observed Syrian Cyber Adversary Capabilities and Indicators. Available to Arbor customers upon request.

[4] ASERT Threat Intelligence Brief 2013-7: The Impact of Protest Activity on Internet Service in Thailand. Available to Arbor customers upon request.

[5] ASERT Threat Intelligence Brief 2013-4: Potential Targeted Attacks Against Various International Interests. TLP Amber. Available to Arbor customers upon request.

[6] http://www.renesys.com/2014/06/amid-raging-violence-iraq-orders-internet-shutdowns/

[7] http://intelcrawler.com/news-20

[8] http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf

[9] http://www.theregister.co.uk/2014/03/04/ukraine_cyber_conflict/

[10] http://www.fireeye.com/blog/technical/2014/05/strategic-analysis-as-russia-ukraine-conflict-continues-malware-activity-rises.html

[11] http://www.cnn.com/2014/06/30/world/meast/israel-missing-teenagers/index.html

[12] http://www.theguardian.com/world/2014/jul/08/operation-protective-edge-israel-bombs-gaza-in-retaliation-for-rockets

[13] http://www.huffingtonpost.com/2014/07/27/un-security-council-gaza-ceasefire_n_5625621.html

[14] http://forward.com/articles/203020/palestinian-authority-announces–hour-cease-fire/

[15] http://www.cbsnews.com/news/israel-and-hamas-agree-to-72-hour-humanitarian-ceasefire/

[16] http://www.nytimes.com/2014/08/02/world/middleeast/israel-gaza-conflict.html?_r=0

[17] ASERT Threat Intelligence Brief 2013-3: Ongoing Financial Industry Threats include #OpBankster, Operation Ababil, #OpUSA and #OpIsraelReborn. Available to Arbor customers upon request.

[18] http://www.forbes.com/sites/jasperhamill/2014/06/30/bank-busting-jihadi-botnet-comes-back-to-life-but-who-is-controlling-it-this-time/

 

Comments are closed