The attacks that you nor your security provider know about, the classic “unknown unknowns”, are often seen as the biggest challenge.
I met with Jag Baines, CTO of DOSarrest some time ago on a visit to the UK with general manager Mark Teolis, who talked of such an attack vector that had not been as widely reported as they had hoped.
The two admitted that the methods of denial-of-service (DoS) attack had changed in the past few years, to the use of sophisticated botnets, and with more access power to compromised computing power, that gives access to tools such as “headless browsers”.
Baines explained that a headless browser is a web browser for all intents and purposes, just without the graphical elements; a legitimate browser web kit that has been modified to run a series of queries and target basic UIs on your website.
“It is gaining popularity on the ‘big and dumb’ attacks. You have no web application firewall and no box is going to be able to figure out what this thing is doing,” Baines said.
“You can download the software for free and modify it, PhantomJS is the most popular headless browser and people use it for legitimate purposes like monitoring services. We looked at adding a monitoring service to see how our website was doing a couple of years ago, and you can add a sensor and a certain location and tell it to tell you the load times of each element of the site, but others are modifying it for less than gallant reasons.”
Baines said that any attacker would need access to the tool, and while you cannot effectively run headless browsers, an attacker would need to load up the program and need a victim to actively run it.
“An attacker accesses it and loads it up via a VBScript, the victim sends back a response and the headless browser tells you it looks like a legitimate session to get access to what they can find. It works because the attacker understands how the website is designed, tells you where the weaknesses are and point it at it. You cannot set up a web application firewall to prevent it as it is using the same protocol as a real visitor would.”
Teolis said that this attack form is low and slow, and the headless browser would infect a laptop, go to a command and control centre and await instructions. “It could download code, but the idea is to exhaust resources – it is Slow Loris attack version 2,” he said.
Baines said that there tends to be a focus on volumetric attacks, but while users are scared of that, a lot of the headless browser attacks are TCP-based, so only around five to ten Gbps, but it is in the background and that is what is killing the site. “You’ll never see it, it runs as a separate process in the background. The only way you’ll know is to run a NetStack to see what is running out of port 80 and it is very sophisticated.”
DOSarrest admitted that there is no detection of a large collection of botnets for this service, but they predicted that this will happen as a victim can be hit 10 times or 50 times a minute.
Baines said: “You can rent a botnet for $10 an hour, but with a headless browser you have to be sophisticated to use it. It takes time and effort to get it installed, so you can run it on 10/15 machines to be effective and once you have your sophisticated botnet you are not going to share that, you are going to keep it and use it when the time calls for it. These guys are motivated either politically or commercially and will bring it out like a sniper only when they see fit.”
Asked if this could be used as part of a targeted attack, Teolis said that this is different as it uses DoS tactics, but if there are 10,000 different IPs attacking every ten minutes or every hour, then it will be hard to deal with.
Baines said: “If you look at it from the perspective of the cyber criminal, they want to cover their tracks and pull out data without anyone knowing and using headless browsers for any purposes, but there is going to be some footprint left behind. I don’t see it as a tool for theft, it is more about how to make the website unavailable and how does the attacker look like every other visitor.
“The intentions are different and to leave no logs or trace. There will be difference in patterns but it takes a dogged support guy to figure it out.”
The concept was presented last summer at the Def Con conference in Las Vegas, and Teolis said that the response was positive from delegates. In terms of how to protect against it, the solution does lay with a pure play DDoS protection service as this does not require signature-based solution. Teolis said that it offers support to parse it, run analysis on it and see the pattern and anything in particular that wasn’t there an hour ago.
“We are defending our customers during non attack periods , to compare and contrast and look at the pattern, look at the implementation. At the worst case we can put our finger in the dyke and block it, or we look at rate limiting expressions, maybe sanitise the options that come through – it is all dependant on what data we can gather,” he said.
“With real time support there is a human involved and you can develop some rule sets to determine what is going on and implement this module. We can do that in seconds, and that is part of our software and we can do it in under a minute.”