Alibaba Cloud Offers a Security Emergency Response Plan for Global Bank Websites Targeted by Hackers
By Shuang Le
Recently, Alibaba Cloud CloudMonitor has detected attacks against global central bank websites by members of Anonymous. So far, more than two important websites in China have been attacked, primarily by high-volume DDoS and HTTP flood attacks.
Through threat intelligence, Alibaba Cloud has identified DDoS and HTTP flood attacks as the main attack vectors of this incident. So far, the attacks have caused intermittent access failures on multiple websites.
Alibaba Cloud security experts have come up with five attack characteristics:
- The attacks lasted one month, from 06:13 on November 12, 2018 to December 14, 2018.
- In a single attack event, 15,423,249 malicious requests were launched, and 1,439 attack source IP addresses were counted. The attack IP addresses were scattered and mainly distributed in China. The following figure shows the distribution of the attack sources.
- A large number of resource files (.zip, .apk, .js and .png) were requested to consume the victims' bandwidth. Random query parameters were appended to these requests to bypass the frequency detection of regular protection rules and the CDN cache, as shown in the following figure.
- Attackers forged the User-Agent and Referer header fields to disguise attack traffic.
- During sustained attack events, some victims were affected for half a month. To bypass security rules and maximize the impact, attackers kept changing their attack patterns and methods.
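The cache-busting pattern above (static resource files requested with random query strings, many distinct variants per source) can be spotted in ordinary access logs. The following detection script is an added example, not part of the original article or any Alibaba Cloud product; the log lines are constructed in nginx "combined" format, and the threshold `min_variants` is an assumed tuning value.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample access log lines (not from the original article), in the
# nginx/Apache "combined" format: client, timestamp, request, status, bytes, referer, user-agent.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Nov/2018:06:13:01 +0800] "GET /static/app.js?a8f31c HTTP/1.1" 200 91233 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:06:13:01 +0800] "GET /static/app.js?b72e09 HTTP/1.1" 200 91233 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:06:13:02 +0800] "GET /download/client.apk?zq77 HTTP/1.1" 200 5242880 "http://example.test/" "Mozilla/5.0"
203.0.113.7 - - [12/Nov/2018:06:13:02 +0800] "GET /img/logo.png?91kd HTTP/1.1" 200 48211 "http://example.test/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2018:06:13:03 +0800] "GET /static/app.js HTTP/1.1" 200 91233 "http://example.test/" "Mozilla/5.0"
198.51.100.9 - - [12/Nov/2018:06:13:05 +0800] "GET /index.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Resource types the article reports being requested in bulk.
STATIC_EXT = (".zip", ".apk", ".js", ".png")

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes"] = int(rec["bytes"])
    return rec

def cache_busting_static(rec):
    """A static file fetched with a query string: each variant is a CDN cache miss
    and a new URL for per-URL rate limits, which is exactly the evasion described."""
    parts = urlsplit(rec["target"])
    return parts.path.lower().endswith(STATIC_EXT) and bool(parts.query)

def score_sources(log_text, min_variants=3):
    """Per source IP, count distinct cache-busting static URLs and bytes served by them.
    Returns {ip: (variant_count, bytes_served)} for IPs at or above min_variants."""
    variants = defaultdict(set)
    served = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not cache_busting_static(rec):
            continue
        variants[rec["ip"]].add(rec["target"])
        served[rec["ip"]] += rec["bytes"]
    return {ip: (len(v), served[ip]) for ip, v in variants.items() if len(v) >= min_variants}

if __name__ == "__main__":
    for ip, (n, b) in score_sources(SAMPLE_LOG).items():
        print(f"{ip}: {n} cache-busting static requests, {b} bytes served")
```

Flagged sources are candidates for rate limiting; the complementary mitigation is to make the CDN ignore the query string in its cache key for static paths, so random parameters no longer reach the origin.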
Emergency Response Plan: Building a Robust Security Defense System
Alibaba Cloud responds to high-risk incidents with a defense system that integrates Anti-DDoS Service Pro and WAF. The solution can be deployed simply by updating DNS resolution, and is available for both cloud and on-premises (including non-Alibaba Cloud) systems.
Anti-DDoS Service Pro is a SaaS security service that defends origin servers that would otherwise become unavailable under large volumes of DDoS attack traffic. This ensures the stability and reliability of the origin site.
Based on the big data capabilities of Alibaba Cloud, WAF defends against SQL injection, XSS, common web server plugin vulnerabilities, Trojan uploads, unauthorized access to core resources, and other common OWASP attacks. It filters out massive numbers of malicious attempts to prevent leakage of users' website assets and data, helping to ensure website security and availability.
Alibaba Cloud Anti-DDoS Features
Alibaba Cloud Security’s Anti-DDoS provides the following features and benefits:
- Full coverage of common DDoS attack types
- Alibaba Cloud Security's DDoS mitigation system defends Alibaba Cloud users against various types of DDoS attacks targeting the network layer, transport layer, and application layer (including HTTP Flood, SYN Flood, UDP Flood, UDP DNS Query Flood, (M)Stream Flood, ICMP Flood and all other types of DDoS attacks). It also sends SMS messages in real time to inform users of attack events.
- Quick auto-response to enable protection in five seconds
- Alibaba Cloud Security's DDoS mitigation system adopts world-class detection and protection technologies and implements attack discovery, traffic redirection, and traffic mitigation within five seconds, greatly reducing network jitter. Protection is triggered by traffic thresholds combined with statistical analysis of network behavior, so that DDoS attacks are identified precisely and service availability is maintained during an attack.
- Highly elastic and redundant Anti-DDoS capabilities
- Each basic unit in Alibaba Cloud Security's DDoS mitigation system can filter 10 Gbps of attack traffic. Powered by the high scalability and high redundancy of the cloud computing architecture, the Anti-DDoS system supports seamless scale-up in the cloud environment to provide highly scalable Anti-DDoS capability.
- Bidirectional protection to avoid abuse of cloud resources
- The Alibaba Cloud Security Anti-DDoS system not only defends against DDoS attacks launched from outside Alibaba Cloud, but also detects abuse of cloud resources. Once a cloud server is detected being used to launch DDoS attacks, the cloud network traffic monitoring system collaborates with the host security protection system to restrict the network access of the abused cloud server and generate an alarm, so as to effectively contain the internal host.
Alibaba Cloud WAF Features
Alibaba Cloud Security’s WAF provides the following features and benefits:
- Supported protocols
- Provides web security protection for the HTTP, HTTPS, HTTP2, and WebSocket traffic of websites.
- Protection against common web application attacks
- Defends against common OWASP attacks, including SQL injection, XSS, webshell uploading, backdoor isolation, command injection, illegal HTTP protocol requests, common web server vulnerability attacks, unauthorized access to core resources, path traversal, and scanning.
- Origin stealth
- The IP address of the origin server is not exposed to attackers, so attack packets cannot bypass the WAF to attack your website directly.
- Regular 0-day patch updates
- Protection rules are synchronized with Taobao. The latest vulnerability patches are provided to global users simultaneously to secure websites.
- Friendly observation mode
- With observation mode enabled for new website services, possible attacks matching the protection rules trigger warnings but are not blocked. This makes it easy to collect statistics on the false positive rate of your services.
- Protection against HTTP flood attacks
- Precise access control
- Provides a friendly configuration console interface and supports condition combinations for common HTTP fields, including IP, URL, Referer, and User-Agent. This allows you to create powerful, precise access control policies that are applicable to scenarios such as anti-leeching and website back-end protection. Combined with the security modules for protection against common web attacks and HTTP flood attacks, this establishes comprehensive multi-layer protection that distinguishes between legitimate and malicious traffic based on your needs.
- Virtual patches
- Updates web protection rules to provide protection even before official patches for web application vulnerabilities are released.
- Attack event management
- Supports centralized management and analysis of attack events, attack traffic, and attack scales.
Additional Suggestions from Alibaba Cloud Security Experts
Considering the high complexity and persistence of this attack, you should contact a professional security service vendor and its service staff to create a comprehensive solution.
Alibaba Cloud experts can help you to implement a robust security solution to protect your system against such attacks. The benefits of Alibaba Cloud security services include:
- Alibaba Cloud security products can identify and intercept such attacks through HTTP flood protection and mitigate malicious back-to-origin traffic by leveraging the elasticity of the cloud.
- Alibaba Cloud provides a large-scale threat intelligence database for collaborative defense.
- Alibaba Cloud security engineers currently provide 24/7 emergency services to analyze attack variants and update protection policies.