
Categories: Attack Mitigation, DDoS Attacks, Security

Inside the World of Hacker Reconnaissance

March 19, 2013 — by Eyal Benishti

The inventor of the telephone, Alexander Graham Bell, once stated, "Before anything else, preparation is the key to success." Unfortunately, it appears that attackers launching DoS/DDoS attacks have embraced this line of thought and invested their efforts in reconnaissance and meticulous preparation during the "pre-attack" phase. Drawing from attacks handled by our Emergency Response Team (ERT), Radware recently conducted research on the ways in which pre-attack planning and detailed preparation dramatically increase the potency and success rate of attacks.

Rather than naively selecting a target and aimlessly launching an attack, more and more attackers are diligently preparing their strategies by studying potential targets very closely and gathering information about their vulnerabilities. This allows them to deploy the most effective attack vectors against their target(s). In fact, attackers will even conduct "dry runs" in order to evaluate the best approach for their selected attack vectors. Once attackers have studied the victim's site and settled on their vectors and strategy, they often use tools to test their findings in order to maximize the impact of the attack.

Below are just a few examples of attacker reconnaissance you’ll find in the report:

Upstream Pipe Saturation – Attackers identify weak spots that provide the best opportunity for an attack by looking for resource-intensive content on the target server, such as large image files or large PDF documents. After identifying these files, attackers can launch an HTTP GET flood that saturates the target's upstream Internet pipe by repeatedly requesting them. The asymmetry is what makes this effective: each request is a few hundred bytes, while each response is megabytes, so the attacker spends very little bandwidth to fill the target's outbound link.

Search Engine Vulnerability – Attackers may use the pre-attack phase to identify weaknesses in the target site's search function. In one case, attackers probed the target's search backend and concluded that search results were not cached. They then injected iFrames into another, already compromised, website and pointed them at the target website's search URL, so that every visitor to the compromised site unknowingly issued uncached search queries against the target, exhausting its server CPU.

Inspecting Network Layers – More advanced attackers perform a deep analysis of their target, including its network implementation, web server software and TCP stack. Putting all this data together, attackers gain a detailed picture of the destination site's architecture and its security devices (firewalls, IDS, IPS), and use it to determine the method most likely to bring the target service down.
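As an added illustration of the first two cases above (pipe saturation through repeated large-file GETs, and search-endpoint abuse driven by iFrames on a third-party site), here is a small detector that runs over a web server access log and flags both footprints. This is example code written for this page, not Radware's tooling or anything from the report; the log lines, the hostnames (www.target.example, compromised.example), the IP addresses and the thresholds are all constructed assumptions.

```python
"""Score an access log for two reconnaissance-driven DDoS patterns:
   1. one client repeatedly pulling the same large object (pipe saturation)
   2. many hits on an uncached search endpoint arriving from a foreign Referer
      (iFrame injection on a compromised third-party site)
Example code for this page; sample data below is constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (hypothetical hosts, documentation-range IPs).
SAMPLE_LOG = """\
203.0.113.7 - - [19/Mar/2013:10:00:01 +0000] "GET /docs/annual-report.pdf HTTP/1.1" 200 26214400 "-" "curl/7.29"
203.0.113.7 - - [19/Mar/2013:10:00:02 +0000] "GET /docs/annual-report.pdf HTTP/1.1" 200 26214400 "-" "curl/7.29"
203.0.113.7 - - [19/Mar/2013:10:00:03 +0000] "GET /docs/annual-report.pdf HTTP/1.1" 200 26214400 "-" "curl/7.29"
203.0.113.7 - - [19/Mar/2013:10:00:04 +0000] "GET /docs/annual-report.pdf HTTP/1.1" 200 26214400 "-" "curl/7.29"
198.51.100.20 - - [19/Mar/2013:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.21 - - [19/Mar/2013:10:00:06 +0000] "GET /search?q=zzq1 HTTP/1.1" 200 8192 "http://compromised.example/page" "Mozilla/5.0"
198.51.100.22 - - [19/Mar/2013:10:00:06 +0000] "GET /search?q=zzq2 HTTP/1.1" 200 8192 "http://compromised.example/page" "Mozilla/5.0"
198.51.100.23 - - [19/Mar/2013:10:00:07 +0000] "GET /search?q=zzq3 HTTP/1.1" 200 8192 "http://compromised.example/page" "Mozilla/5.0"
198.51.100.24 - - [19/Mar/2013:10:00:07 +0000] "GET /search?q=shoes HTTP/1.1" 200 8192 "http://www.target.example/" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    rec["status"] = int(rec["status"])
    return rec


def analyze(log_text, own_host, large_bytes=1_000_000, min_repeats=3,
            search_path="/search"):
    """Return pipe-saturation and search-abuse findings plus bytes served per IP.

    large_bytes: response size above which an object counts as "large" (assumed).
    min_repeats: how many repeats before a pattern is reported (assumed).
    """
    # ip -> path -> [hits, bytes] for large objects only
    large_by_ip = defaultdict(lambda: defaultdict(lambda: [0, 0]))
    bytes_by_ip = defaultdict(int)
    foreign_search = defaultdict(int)  # Referer host -> hits on search endpoint
    search_hits = 0

    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue  # skip lines in another format rather than abort
        bytes_by_ip[rec["ip"]] += rec["size"]

        # Pattern 1: the same client keeps fetching the same large object.
        if rec["size"] >= large_bytes:
            counter = large_by_ip[rec["ip"]][rec["path"]]
            counter[0] += 1
            counter[1] += rec["size"]

        # Pattern 2: search requests whose Referer is not our own site.
        if urlsplit(rec["path"]).path == search_path:
            search_hits += 1
            ref_host = urlsplit(rec["referer"]).hostname  # None for "-"
            if ref_host and ref_host != own_host:
                foreign_search[ref_host] += 1

    pipe_saturation = [
        {"ip": ip, "path": path, "hits": hits, "bytes": nbytes}
        for ip, paths in large_by_ip.items()
        for path, (hits, nbytes) in paths.items()
        if hits >= min_repeats
    ]
    search_abuse = [
        {"referer_host": host, "hits": n}
        for host, n in foreign_search.items()
        if n >= min_repeats
    ]
    return {
        "pipe_saturation": pipe_saturation,
        "search_abuse": search_abuse,
        "search_hits": search_hits,
        "bytes_by_ip": dict(bytes_by_ip),
    }


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG, "www.target.example").items():
        print(key, value)
```

On a real log, run `analyze` over a short time window so the repeat thresholds mean something. The pipe-saturation finding is a client pulling the same multi-megabyte object over and over, which is the shape of the GET flood described above; the search finding is a Referer host that sends many visitors straight into the search endpoint, which is the trace an injected iFrame leaves. Treat the Referer as a triage signal only, since clients can omit or forge it. The fixes the findings point at are the obvious ones: cache or rate-limit search results, and serve large static files from a CDN so that a GET flood never reaches your own upstream link.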

To learn more about the different tactics being used in the pre-attack phase of successful DDoS/DoS attacks, check out our full research report, which provides in-depth analysis of these and other cases. You can read the full report here.
