
DDoS Free-For-All: MasterCard, Visa, Other Major Websites Hit In WikiLeaks Fallout

Even the big boys can't altogether stop a distributed denial-of-service attack, and no one is immune--but there are some ways to mitigate this crippling attack

Dec 08, 2010 | 11:34 PM

By Kelly Jackson Higgins
Dark Reading
MasterCard and Visa today were among the latest high-profile victims of backlash distributed denial-of-service (DDoS) attacks led by the so-called Anonymous hacking group in support of WikiLeaks and its founder in what the attackers have dubbed Operation Payback.

The credit-card giants joined a list of targets, including PayPal, a Swiss bank that froze WikiLeaks founder Julian Assange's account, the Swedish prosecutor's site, and even Sarah Palin's website, all of which were hammered with Web traffic by Anonymous hacktivists and their volunteer WikiLeaks supporters, many of whom donated their own computing resources to the attacks. As of this posting, most of these organizations' websites had been restored. But the free-for-all barrage of DDoS attacks was still in full swing, with Twitter feeds calling for attacks on other sites, including foxnews.com. And the unrelenting attacks are leaving organizations of all types wondering what they can do if they find themselves in the bull's-eye of a crippling DDoS attack by Anonymous or anyone else.

MasterCard earlier today officially announced it was "experiencing heavy traffic" on its mastercard.com external website. PandaLabs, which is tracking the attacks, recorded more than 11 hours of downtime for mastercard.com, as well as intermittent interruptions and downtime at visa.com and PayPal.com. MasterCard's SecureCode service for secure online payments also suffered disruption today. Meanwhile, MasterCard's home page now says: "MasterCard has made significant progress in restoring full-service to its corporate website. Our core processing capabilities have not been compromised and cardholder account data has not been placed at risk. While we have seen limited interruption in some web-based services, cardholders can continue to use their cards for secure transactions globally."

There's no way to prevent a DDoS or stop one in its tracks, but there are some do-it-yourself techniques and strategies for fighting back and minimizing its impact. Just ask HD Moore, creator of Metasploit and chief security officer for Rapid7, who once single-handedly fought off a DDoS attack on the Metasploit site. Moore turned the tables on the attackers hammering Metasploit's servers, first by changing the site's DNS records in an attempt to evade them. He then narrowed down the botnet's command-and-control (C&C) domains with the help of botnet researchers, who blackholed one of them, and executed a "reverse" on the other two, pointing the traffic that was flooding the Metasploit site back at the attackers' own domains so the botnet was DDoS'ing itself.

But that's not a technique for the faint of heart or for inexperienced botnet handlers. "In my case, there were only three C&Cs for the entire botnet ... I got a copy of" the binary used to compromise the bot machines, he says.

Moore suggests, for example, having DNS servers hosted externally by a provider that can handle large traffic loads, and making sure that Web servers and email servers run in separate hosted environments. "If not, you could be shut down with one moderate DDoS," he says.

In the case of MasterCard, the company mostly runs its own data centers, he says. "Once you've reached the capacity of all the servers [in a DDoS], you can't do anything [to stop a DDoS]," he says. DDoS protection services such as those offered by Arbor Networks filter and scrub out the DDoS traffic, he says.

Secure Web hosting provider FireHost gets hit with DDoS attacks multiple times each day, says Chris Drake, founder and CEO of FireHost, which began hosting Kevin Mitnick's websites last year after the former convicted hacker's sites were targeted so much that his then-hosting provider dropped him as a customer.

"The most important thing is to have a plan, if you are with a hosting company or [if you are] hosting your own servers. DDoS can easily happen: It can be brought by an individual or a group going after you, or you could be a victim of a random attack," Drake says. "It's so crippling to have your site down. You run around with your head cut off if you don't have a plan."

FireHost starts with a fat pipe that can absorb DDoS'ed traffic. "[Your hosting providers] have to have a big enough pipe to absorb one meg or five gigs so if they are attacked, they are so big that you won't be impacted," Drake says.

Once it has detected the bad traffic, FireHost blocks it by "blackholing" the offending source IP addresses. "Our goal is to block the bad traffic so our client can stay online," he says, rather than taking the site's own IP address offline to protect it, a method called a "null route." Drake says his firm then reports those blackholed IPs to their respective ISPs.

The Anonymous group's DDoS marathon employs a toolkit called Low Orbit Cannon, which supporters download in order to join the volunteer botnet; the tool then zeroes in on the target website, delivering waves of HTTP requests that ultimately can bring a site to its knees.

"Operation Payback is recruiting people from within their own network. They are actually asking supporters to download the piece of code, the DDoSing malware itself, that upon wake-up call the computer engages in the DoS. There is no victimized machine, as the participants knowingly engage in what they call an act of defiance," says Noa Bar Yosef, senior security strategist for Imperva.

And no one is immune from a DDoS, either. "You can't make a DDoS stop, but you can make it noneffective," FireHost's Drake says. Even if an organization isn't a high-profile one like MasterCard, Visa, or PayPal, it's still at risk. "Everybody should worry about it. A DDoS can happen for any reason," he says.
