DDOS attack from botnet "Miner"

Keywords: 
"Miner" botnet
Description: 

Germany's Federal Office for Information Security, the "Bundesamt für Sicherheit in der Informationstechnik (BSI)", released the warning "BSI IT-Sicherheitswarnung 22/2011, DDoS-Angriffe auf deutsche Webseiten" on September 8th 2011. The document describes new activity by the "Miner" botnet, which launches DDoS attacks against German Web applications in order to take them down.

Resolution: 

The best defence is to block requests that can be recognized as coming from the botnet. This can be done by configuring the Web application itself, but a better way is to use a Web Application Firewall (like Airlock), which keeps security tasks separate from business functionality.

With Airlock, follow this procedure:

  • Log in to the Airlock Configuration Center.
  • Go to "Expert Settings" - "Security Gateway".
  • Search for "AuthproxyFilterDenyHeaderRegex".
  • If no entry exists, insert the following line, then activate and you are done:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.3 "^Accept-Language:[[:space:]]*ru"

  • If an entry does exist, note its highest index, e.g. "3".
  • If the value at this index is not "_undefined_", increment the index by 1 and add the following line:

SecurityGateway * AuthproxyFilterDenyHeaderRegex.<new index> "^Accept-Language:[[:space:]]*ru"

  • Activate and you are done.

This prevents every request whose "Accept-Language" header value begins with "ru" (e.g. "Accept-Language: ru") from reaching the back-end application.

Note that this configuration may also block legitimate users whose browser sends Russian as the preferred language, in particular users based in Russia.
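The following is an added illustration, not Airlock code: it reproduces the index-selection rule from the procedure above and evaluates the deny regex against constructed HTTP requests, showing which header values the rule stops and which it lets through. It assumes the regex is applied to each header line individually, translates the POSIX class `[[:space:]]` to Python's `\s`, and, where the advisory leaves the "_undefined_" case implicit, reuses that index.

```python
import re

# Airlock's AuthproxyFilterDenyHeaderRegex is a POSIX ERE; [[:space:]]
# becomes \s in Python. Anchored at the start of the header line and
# case-sensitive, exactly as written in the advisory.
DENY_HEADER_REGEX = re.compile(r"^Accept-Language:\s*ru")

# Matches existing expert-setting lines such as
#   SecurityGateway * AuthproxyFilterDenyHeaderRegex.3 "..."
CONFIG_LINE = re.compile(r'AuthproxyFilterDenyHeaderRegex\.(\d+)\s+"([^"]*)"')


def next_deny_index(config_lines):
    """Index for the new entry: no entry -> 3; highest index whose value is
    _undefined_ -> reuse it (assumption); otherwise highest index + 1."""
    entries = {}
    for line in config_lines:
        m = CONFIG_LINE.search(line)
        if m:
            entries[int(m.group(1))] = m.group(2)
    if not entries:
        return 3
    highest = max(entries)
    return highest if entries[highest] == "_undefined_" else highest + 1


def deny_config_line(config_lines):
    """The complete line to add under Expert Settings - Security Gateway."""
    return ('SecurityGateway * AuthproxyFilterDenyHeaderRegex.%d '
            '"^Accept-Language:[[:space:]]*ru"' % next_deny_index(config_lines))


def request_blocked(raw_request):
    """True if any header line matches the deny regex, i.e. the request
    would be stopped before it reaches the back-end application."""
    head = raw_request.split("\r\n\r\n", 1)[0]
    return any(DENY_HEADER_REGEX.search(line) for line in head.split("\r\n"))


if __name__ == "__main__":
    # Constructed config excerpt: indexes 1 and 2 in use, 3 still free.
    existing = [
        'SecurityGateway * AuthproxyFilterDenyHeaderRegex.1 "^X-Foo: bar"',
        'SecurityGateway * AuthproxyFilterDenyHeaderRegex.2 "^X-Bar:"',
        'SecurityGateway * AuthproxyFilterDenyHeaderRegex.3 "_undefined_"',
    ]
    print(deny_config_line(existing))
    # Constructed requests: the rule only fires when "ru" leads the value.
    for hdr in ("Accept-Language: ru-RU,ru;q=0.9", "Accept-Language:ru",
                "Accept-Language: en-US,en;q=0.5", "Accept-Language: en,ru;q=0.5"):
        req = "GET / HTTP/1.1\r\nHost: www.example.test\r\n" + hdr + "\r\n\r\n"
        print(request_blocked(req), hdr)
```

The last two constructed requests pass the filter: a client that lists "ru" after another language is not matched, which is the trade-off between this narrow rule and the false positives noted above.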

Airlock Vulnerability Status: 
Does not affect Airlock
Back-end Vulnerability Status: 
Airlock protects, requires changes in configuration