Showing posts with label gambling.

Mar 7, 2008

DDoS progress

The Gala Coral Group reported that last year their gambling sites were hit by a 10Gb DDoS attack. Their Information Security Officer spoke about it at the recently concluded e-Crime Congress 2008.

I'm not sure how much of it is exaggerated, but an interesting part is:

Attackers disguised the build up of traffic from up to 30,000 PC and Apple Mac botnet computers during the attack by analysing and reproducing the browsing habits of the sites' typical users.
Windows PCs no longer have a monopoly on botnet herds. The attackers also went to the trouble of making the attack hard to defend against.

It sure is hard to separate attack traffic from legitimate traffic when everything looks like normal browsing. Their firewall also proved worthless:
More worrying, during a second attack the botnet blocked attempts by the websites to stop them using a port firewall while continuing sending out data to carry on the attack.
Putting up a firewall during a big DDoS attack is useless, even a stateless one: the flood has already filled your link before it reaches the filter. You need to work with your upstream provider to mitigate these attacks, and since everything looks legitimate, $DEITY help you.

Resistance is futile.

Feb 21, 2008

Post Valentine DDoS

As seen from various sources such as Arbor, Shadowserver and a couple of gambling sites, DDoS is back in the limelight. Gambling sites have been getting hit since around Valentine's Day.

I've noticed small 12-hour attacks from Feb 13-15 on a couple of gambling sites hosted here in the Philippines. I reckon the attacks are not directed at the sites I'm monitoring; they are collateral from attacks on other sites hosted by the same provider. A sample graph from one of them:
[graph: feb14-ddos-ph]

Another site I'm monitoring, hosted in Taiwan, got hit directly from Feb 18-19; it was down and is now back up. Note the broken lines in the graph, which show the site going up and down over the duration of the DDoS attack.
[graph: feb18-ddos-tw]
The attacks are a mix of spoofed and non-spoofed ICMP, UDP, TCP SYN floods and HTTP GETs. DDoS really is the greatest threat to the online gambling industry, and no, it won't go away anytime soon.

Jan 9, 2008

Geolocation blocking

A couple of online gambling sites do geolocation blocking, either because of regulations or because they only want to cater to specific geographical markets. Some of them also do blacklisting right on their Internet-facing network appliances. Geolocation blocking is commonly done at the application layer, through the game client or the web application, e.g. with 301/302 redirects.

A Philippines-based online casino that does geolocation blocking in its web application is RUZUZ.XLN (domain names here are obfuscated with the jewjitsu cipher). When you access their registration page from a Philippine IP address you get an error saying that people in your jurisdiction are not allowed to register. Using a reliable Chinese proxy, the blocking can be bypassed since China is one of their target markets.

HYLYVG.XLN does it a bit differently: they perform the geolocation blocking at layers 2-5 with what seems to be an Internet-facing network appliance, i.e. a firewall. When connecting from a Philippine IP address the connection simply times out, but it can also be bypassed using a Chinese proxy.

Then there are the clever guys at XK919.XLN. I am not sure of the purpose of the geolocation blocking, or rather redirecting, because they have a similar unblocked page at XK9198.MVG; of course the backend could be completely different, and comparing the HTTP behaviour and responses, they are different hosts.

Accessing XK919.XLN:

$ curl -I http://xk919.xln
HTTP/1.1 302 Found
Date: Tue, 08 Jan 2008 08:58:07 GMT
Server: Apache
Expires: Mon,26 Jul 1997 08:00:00 GMT
Last-Modified: Tue, 08 Jan 2008 08:58:07 GMT
Cache-control: no-cache,must-revalidate
Pragma: no-cache
location: http://www.google.com.tw
Connection: close
Content-Type: text/html

$ curl -I http://xk919.xln
HTTP/1.1 302 Found
Date: Tue, 08 Jan 2008 08:58:34 GMT
Server: Apache
Expires: Mon,26 Jul 1997 08:00:00 GMT
Last-Modified: Tue, 08 Jan 2008 08:58:34 GMT
Cache-control: no-cache,must-revalidate
Pragma: no-cache
location: http://www.pchome.com.tw
Connection: close
Content-Type: text/html

$ curl -I http://xk919.xln
HTTP/1.1 302 Found
Date: Tue, 08 Jan 2008 08:58:45 GMT
Server: Apache
Expires: Mon,26 Jul 1997 08:00:00 GMT
Last-Modified: Tue, 08 Jan 2008 08:58:45 GMT
Cache-control: no-cache,must-revalidate
Pragma: no-cache
location: http://www.hinet.net
Connection: close
Content-Type: text/html

Sweet, 302 redirects to random Taiwanese domains. Using a Chinese proxy:
$ curl -I -x notsoleetblacklistedproxy.cn:8080 xk919.com
curl: (52) Empty reply from server
$ curl -I -x notsoleetblacklistedproxy.tw:8080 xk919.com
curl: (7) couldn't connect to host

The connection times out or I am sent a RST. Using other blacklisted proxy hosts I confirmed that they are using a blacklist (XBL etc.). Clever of them to block these drones and blacklisted hosts; no legitimate connections come from them anyway. To bypass the blocking you need a fresh proxy located in an allowed jurisdiction that is also not blacklisted. Fortunately I have one for tricky times like this.
$ curl -x veryleetproxy.tw:8080 xk919.com
HTTP/1.1 200 OK
Date: Sun, 06 Jan 2008 04:05:29 GMT
Server: Apache
Expires: Mon,26 Jul 1997 08:00:00 GMT
Last-Modified: Sun, 06 Jan 2008 04:05:29 GMT
Cache-control: no-cache,must-revalidate
Pragma: no-cache
Content-Type: text/html
Proxy-Connection: Keep-Alive
Connection: Keep-Alive

<html>
<head>
<title>Welcome BOEING</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
</head>
<frameset rows="*,0" frameborder="NO" border="0" framespacing="0">
<frame name="mem_index" src="http://xk919.xln/app/member/">
<frame name="act" scrolling="NO" noresize src="">
</frameset>
<noframes>
<body bgcolor="#FFFFFF" text="#000000">
</body>
</noframes>
</html>

Bypassed. Also look at that, an interesting frame.
$ curl -D - "http://xk919.xln/app/member/"
HTTP/1.1 200 OK
Date: Tue, 08 Jan 2008 09:41:20 GMT
Server: Apache
Expires: Mon,26 Jul 1997 08:00:00 GMT
Last-Modified: Tue, 08 Jan 2008 09:41:20 GMT
Cache-control: no-cache,must-revalidate
Pragma: no-cache
Set-Cookie: agNameCookie=deleted; expires=Mon, 08-Jan-2007 09:41:19 GMT
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html

<html>

<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>Welcome</title>
<script language="javascript">
<!--//

Yup. The geolocation redirect only happens in index.php; the URL loaded inside the frame is not protected. Complete bypass accomplished.
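As an added illustration (not the casino's code, and not from the original post), here is the flawed index-only check beside a hardened version that gates every path through one WSGI middleware. The allowed network, the blacklisted address and the backend page are constructed stand-ins; the three redirect targets are the ones seen in the responses above.

```python
import ipaddress
import random

# Constructed sample policy: stand-ins for the casino's real allowed ranges and blacklist.
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # the "allowed jurisdiction"
BLOCKLISTED = {"203.0.113.66"}                           # an XBL-style listed proxy host
REDIRECT_TARGETS = ["http://www.google.com.tw", "http://www.pchome.com.tw", "http://www.hinet.net"]

def classify(client_ip):
    """Blacklist first, then jurisdiction: returns 'drop', 'redirect' or 'allow'."""
    if client_ip in BLOCKLISTED:
        return "drop"
    if not any(ipaddress.ip_address(client_ip) in net for net in ALLOWED_NETS):
        return "redirect"
    return "allow"

def geo_gate(app):
    """Hardened pattern: WSGI middleware, so the check runs before every path, frames included."""
    def gated(environ, start_response):
        verdict = classify(environ["REMOTE_ADDR"])
        if verdict == "redirect":
            start_response("302 Found", [("Location", random.choice(REDIRECT_TARGETS))])
            return [b""]
        if verdict == "drop":
            # The appliance in the post drops the TCP connection; a bare 403 is the app-layer analogue.
            start_response("403 Forbidden", [])
            return [b""]
        return app(environ, start_response)
    return gated

def member_app(environ, start_response):
    """The backend page the frame loads (constructed stand-in for /app/member/)."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<html><head><title>Welcome</title></head></html>"]

def index_only_app(environ, start_response):
    """Flawed pattern from the post: only index.php performs the check."""
    if environ["PATH_INFO"] == "/index.php":
        return geo_gate(member_app)(environ, start_response)
    return member_app(environ, start_response)

def request(app, path, client_ip):
    """Minimal WSGI driver returning the status line the app emitted."""
    seen = {}
    def start_response(status, headers, exc_info=None):
        seen["status"] = status
    list(app({"PATH_INFO": path, "REMOTE_ADDR": client_ip}, start_response))
    return seen["status"]
```

With the flawed app, a blocked client gets the 302 on /index.php but a 200 on /app/member/; with the middleware the same client is redirected on every path, and a blacklisted address is refused outright.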

Jan 3, 2008

Online gambling security: DDoS

This is the follow-up to the previous online gambling security post.

Distributed Denial of Service attacks are one of, if not the, greatest threats to the online gaming industry and other online businesses. Decreased uptime results in a damaged reputation and lost revenue.

During the attack, computing resources and bandwidth are overwhelmed with illegitimate requests. The attackers will likely contact the webmasters, or whoever is deemed in charge, and demand a ransom to stop the attack; this is cyber-extortion. DDoS is also a tool for competitive sabotage: some online gambling entities initiate attacks on competitors to boost their own earnings by luring away prospective players.

The "Distributed" in DDoS refers to the method: hundreds to thousands of zombie nodes are used to carry out the actual attack. This network of zombie nodes is referred to as a botnet. A 5000-strong botnet can pump out as much as 1Gb of network traffic and millions of packets per second (PPS).

Nodes in a botnet are usually Windows machines with trojans installed or otherwise infected by malware. These machines are under the control of the botnet master through a command and control (C&C) client-server system. Recent advances in C&C techniques have allowed the creation of networks without the classical malware infection: JavaScript, Flash and Web 2.0 have given criminals a new vector for C&C and a way to increase malware infection rates. P2P communication can also be used to run the C&C.

Zombies are not limited to Windows machines. In December 2005, Prolexic staff spent the holiday season fighting a DDoS attack from Japan in which the zombies were Linux servers with big bandwidth. The Linux machines had been compromised through PHP web application vulnerabilities.

To combat the DDoS threat you have to work with your Internet provider. Before signing up, inquire about their policy on DDoS attacks. There are companies like Prolexic that provide DDoS mitigation services. Prolexic's first client was the online sports bookie BetCris; the company came into existence largely through the work done to combat DDoS attacks on BetCris.

DIY mitigation is also possible if it is a small (~1Gb) attack. On Linux you can do rate limiting, cleansing and tarpitting; OpenBSD can do rate limiting and cleansing. These are the same capabilities built into the Prolexic, Arbor and Top Layer devices.

There are options besides paying the ransom. Paying is dangerous because DDoS groups are not united and turf wars are common: if word gets out that you paid, others will try to extort you too. Watch as the domino effect takes its toll.

Dec 21, 2007

Online gambling security: $1 tip

I have been working in the online gambling industry for the past three years, doing all kinds of IT-related work for companies that target the Asian market.

I saw a mailing-list post that sparked my interest and decided to blog about the topic. The post is on Full-Disclosure with the subject "Security of online casinos". It asked three questions:

1. Has any online casinos' software ever been cracked?
2. Who tests casinos' software for security purposes?
3. Are their random number generators really random?

The three dominant types of games associated with online gambling are sports betting, live dealer streaming and random number generator (commonly referred to as RNG) games. Based on the context of the post I assume question 1 is aimed at RNG games. Short answer: yes.

Even though gambling companies do everything in their power to suppress reports of cheating, sometimes they just cannot. A classic paper entitled "How We Learned to Cheat at Online Poker: A Study in Software Security" is an excellent read. There is also the possibility of insider cheating.

Question two cannot be accurately answered because, as far as I know, there are no security standards that online gambling operations are required to comply with. I also do not know of any online gambling operation that boasts security awareness. Mostly it is left to the game developers, QA testers and random reports.

Random number generation quality varies from casino to casino. There are a number of prominent RNG game providers, and each uses a different method of generation. The worst are casinos that opt to develop their own random number generator without testing it for flaws; they can be cheated to oblivion. Read the paper mentioned earlier, where an online poker game was cheated because of a flawed random number generator.

I will continue discussing online gambling security in a later blog post.