SA33: US-Cert DDOS Advisory
1179
03 March 2020
15 July 2009
CLOSED
LOW
SUMMARY
On July 7, 2009 US-CERT issued advisory CIIN-0918801 to US federal agencies stating that multiple US Government Websites were under massive Distributed Denial of Service (DDOS) attacks utilizing UDP and TCP traffic since July 4, 2009. The advisory contained a list of IP addresses where these DDOS attacks were originating.
AFFECTED PRODUCTS
This attack poses no direct threat to Blue Coat end users browsing Web content because the attack generates outbound traffic rather than serving malicious Web content.
Nevertheless, the nature of this attack is an indicator that servers on these IP addresses have been compromised by hackers, resulting in an increased level of security risk. To protect our customers from the possibility of these compromised servers being further utilized to serve malicious Web content, Blue Coat WebFilter systems have been updated by categorizing the IP addresses in the advisory list as “Suspicious”.
As always, Blue Coat Security Labs will be monitoring traffic to these IP addresses via the WebPulse community cloud. If further investigation reveals that the compromised sites have become sources of malware, then the categorization of these IP addresses will be changed to “Spyware/Malware Sources”.
Blue Coat Security Labs recommends that customers using ProxySGs as reverse proxies blacklist the IP addresses identified as initiator sites in the advisory in their firewall configuration. This action blocks the inbound traffic from the DDOS attack. The list of these sites is available in the US-Cert CIIN-0918801 advisory.
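The recommendation above is to block inbound traffic from the advisory's initiator addresses at the firewall in front of a reverse proxy. The following script is an added example, not part of this advisory or of any Blue Coat product: it takes an IP list, validates each entry, and emits iptables DROP rules for review before they are applied. The advisory's real list is not reproduced here; ADVISORY_IPS is a constructed sample using RFC 5737 documentation addresses, and the interface name is a placeholder.

```shell
#!/bin/sh
# Added example (not from the Blue Coat advisory): turn an advisory IP list into
# inbound DROP rules for the firewall protecting a reverse proxy.
# ADVISORY_IPS is a constructed sample (RFC 5737 documentation ranges), one
# entry per line, with a deliberately malformed line to show validation.
ADVISORY_IPS="192.0.2.10
192.0.2.11
198.51.100.7
not-an-ip
203.0.113.42"

# is_ipv4 ADDR : return 0 if ADDR is a dotted quad with every octet in 0-255,
# so a typo in a copied list never becomes a malformed firewall rule.
is_ipv4() {
    echo "$1" | awk -F. 'NF == 4 {
        for (i = 1; i <= 4; i++)
            if ($i !~ /^[0-9]+$/ || $i > 255) exit 1
        exit 0
    }
    { exit 1 }'
}

# gen_block_rules IFACE : print one iptables DROP rule per valid address in
# ADVISORY_IPS (rules are printed, not executed, so they can be reviewed).
# Invalid entries are reported on stderr and skipped. IFACE is a placeholder
# for the firewall's Internet-facing interface.
gen_block_rules() {
    iface="$1"
    echo "$ADVISORY_IPS" | while IFS= read -r ip; do
        [ -z "$ip" ] && continue
        if is_ipv4 "$ip"; then
            printf 'iptables -A INPUT -i %s -s %s -m comment --comment "US-CERT CIIN-0918801" -j DROP\n' \
                "$iface" "$ip"
        else
            printf 'skipping invalid entry: %s\n' "$ip" >&2
        fi
    done
}

# count_valid : number of rules the list would produce (useful as a sanity
# check against the number of addresses in the advisory before applying).
count_valid() {
    gen_block_rules eth0 2>/dev/null | wc -l | tr -d ' '
}

# Usage: review the generated rules, then pipe them to sh to apply.
gen_block_rules eth0
```

The rules are generated rather than applied so that an operator can diff them against the advisory list and confirm the count matches before loading them; adding a matching LOG rule ahead of each DROP makes hits from the listed addresses visible in the firewall log.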
ISSUES
On July 7, 2009 US-CERT issued advisory CIIN-0918801 to US federal agencies stating that multiple US Government Websites were under massive Distributed Denial of Service (DDOS) attacks utilizing UDP and TCP traffic since July 4, 2009. The advisory contained a list of IP addresses where these DDOS attacks were originating.
REFERENCES
CA Advisory Reference Document: US-Cert CIIN-0918801