Tracking and Analysis of the Anonymous Operation Against China

Attack and Defense

On the night of May 28, 2015, according to information obtained by NSFOCUS, Anonymous was intending to launch an operation against China (OpChina) on May 30, which was suspected to be a reaction to the recent international situation. This news, once disclosed, drew wide attention from all people concerned. Based on its knowledge of attacks launched by this hacker organization against China and years of experience in coping with such attacks, NSFOCUS Threat Response Center (TRC) made corresponding preparations, well poised for a fight against the imminent attack. This article provides an in-depth analysis of this attack and presents a targeted solution.

Attack: Anonymous and #OpChina

Anonymous is a loose hacker organization as anyone can claim to act on behalf of or as a member of this organization. This organization has its own website and its members meet regularly by means of the Internet Relay Chat (IRC). Most attacks launched by Anonymous are distributed denial-of-service (DDoS) attacks targeting government websites, enterprise websites with good reputation, and religious websites. From its inception, Anonymous has smacked strongly of political favoritism.

Generally, Anonymous launches an attack in three phases: recruiting and communications phase, reconnaissance and application attack phase, DDoS attack phase. Due to the loose organization, Anonymous often uses a hashtag to identify the planned operation in the recruiting and communications phase. #OpChina appeared on Twitter as early as 2011. Subsequently, an account named Operation China was set up on Facebook, aiming to organize attacks against China. Similar hashtags include #OpSony in 2011 and #OpSyria in 2013.

In fact, Anonymous has never ceased its attacks against China. In April 2015, in the wake of the incident happening in Hong Kong, a number of Chinese governments’ and organs’ websites, including Hunan Police Academy, were attacked. In October 2014, a cyber attack was launched as a support for the incident in Hong Kong, affecting government organs’ websites, including Hong Kong Brands and Products Expo (HKBPE). In May 2012, Anonymous launched a round of attacks against certain government websites of China, claiming that they hacked more than 400 websites, disrupted signals from website servers, and stole customer data from certain websites. The recent attack was another attack against China launched on May 29 with the #OpChina hashtag.

DDoS and Web Page Defacement

By May 30, 24:00, from the obtained information, known attack sources had been identified to be Japan, the Philippines, and Vietnam and the attack had taken the form of DDoS, plus web page defacement. For these two types of attacks, NSFOCUS has accumulated a lot of experience.

DDoS Attacks

Most large-scale DDoS attacks happen in the period of 18:00–23:00, which sees the heaviest network traffic, enabling attackers to achieve the optimal attack effect. Considering the distribution of IT companies in China, first-tier cities, such as Beijing, Shanghai, and Guangzhou, are often the targets of attacks. This can be seen in 2014 NSFOCUS DDoS Threat Report. However, up to now, we have not detected any large-scale DDoS attacks in these cities.

Based On In-Region DDoS Attack Statistics

Web Page Defacement

According to historical data, common web page defacement attacks are implemented by controlling a web server by exploiting certain vulnerabilities, cross-site scripting (XSS), DNS hijacking and poisoning, and ARP spoofing. During such an attack, visitors are tricked into accessing other web pages than the desired ones.

Current Monitoring

NSFOCUS TRC’s information sources from real-time threat monitoring, NSFOCUS’s security team, and service teams of various products. Through continuous communication and collaboration, we have found that our 200+ VIP customers have generally fared well and their 2306 websites have been free from the attack in question. We will work closely with our customers to follow up the event.

Monitoring of 200+ VIP Customers' External Websites

Locations covered by the preceding data are distributed as follows:

Geographic Distribution

Protection: Management Authorities

To cope with the attack to be launched by Anonymous, CNCERT/CC and other security management authorities made an immediate response. NICNIS issued a notification to all the related organizations on May 29, requiring technical support service providers to monitor the networks around the clock and these organizations to tighten security monitoring on critical information systems and websites.

Protection: Users

With regards to this attack, the management authority issued a prompt notification and the media immediately released news reports. In the mean time, users started using their own security systems or security devices purchased from security vendors to monitor and protect their business environments. There were also users who came to us for relevant information and continuous technical support. It is advisable for users to set up a web page defacement monitoring and protection mechanism as soon as possible.

Website Monitoring

Web page defacement occurring in this attack can be monitored by various products of NSFOCUS in real time. Take the NSFOCUS Web Security Monitoring System (WSM[1]) as an example. When a large number of websites are involved in security assessment, WSM can serve as a unified website monitoring platform to implement all-round efficient monitoring 24/7 by scanning vulnerabilities, web page trojans, and sensitive content, detecting web page defacement and domain name hijacking, and ensuring availability. This can optimize security risk management for websites.

WSM determines whether web page defacement occurs not only based on watermarking, a commonly used technique, but also by analyzing the target web pages and extracting and recording signatures of this page. The page signatures are saved to the database. By comparing these signatures with the current page, WSM can accurately determine whether the page changes are normal or the page is tampered with.

In large enterprises or organizations, the protection against attacks launched by Anonymous may not be implemented as quickly as expected considering the following factors:

  1. Availability of the business system
  2. Formulation of an overall implementation solution
  3. How to reduce the negative impact of enhancements on the business environment as much as possible

In this context, the enterprise, vendor of the vulnerable system, and security vendor should work together in a coordinated manner to promptly form a safe and effective action plan, protecting the business system from being attacked before the enhancement.

In addition, certain small websites may be incapable of promptly responding to attacks. They know what vulnerabilities exist in their websites and what threats their websites are exposed to, but can do nothing due to the limited resources and technical support available.

Protection: Security Vendors

By far, the data in hand shows that large- and medium-sized customers in first-tier cities were hardly affected by this attack and occasional reports on the attack came from second- and third-tier cities.

Check on the Cloud

In response to this attack, NSFOCUS’s security team advised users to provide their website domain names so that NSFOCUS’s security experts could, upon their authorization, carry out remote website monitoring around the clock. Once a customer’s website was found to contain security risks, NSFOCUS’s security team would lose no time to notify the customer and provide a professional security solution. In addition, NSFOCUS produces general assessment reports on a regular basis, enabling customers to grasp the security status and trend of their websites. If your business environment is susceptible to attacks, please use NSFOCUS Client Portal for security monitoring.


Protection Against the Anonymous Operation

After obtaining facts about the Anonymous operation, what to do next is obvious. Based on the preceding information, users need to take prompt actions against this attack, including vulnerability fixing, DDoS protection, and application protection. We also provide a suite of solutions for customers to build a comprehensive protection system.

Vulnerability Fix

In this operation, we also found other attacks launched by exploiting system vulnerabilities. Our experience tells us that vulnerabilities recently discovered are more liable to be exploited. At the same time, Anonymous members are trying to collect and share vulnerability exploitation methods through various channels. Users should pay prompt attention to and fix vulnerabilities reported recently.

In terms of the number of bulletins released in the past week, IBM topped the list of vendors/projects with 16 bulletins, followed by Wireshark (9), Linux (8), HP (6), and Aruba Networks (6). According to NSFOCUS Network Security Threat Weekly[2], attention should be paid to the following critical vulnerabilities recently discovered:

CVE ID CVSS Score Vendor
CVE-2015-2110 10 HP
CVE-2015-3331 9.3 Linux
CVE-2015-1550 9 Aruba Networks
CVE-2015-2123 9 HP
CVE-2015-0160 9 IBM
CVE-2014-6628 9 Aruba Networks
CVE-2015-2120 8.7 HP
CVE-2015-3810 7.8 Wireshark
CVE-2015-2122 7.8 HP
CVE-2015-2121 7.8 HP
CVE-2015-1157 7.8 Apple
CVE-2015-3812 7.8 Wireshark
CVE-2015-3809 7.8 Wireshark
CVE-2015-3808 7.8 Wireshark
CVE-2014-8147 7.5 icu_project
CVE-2015-0120 7.5 IBM
CVE-2015-0935 7.5 Bomgar
CVE-2015-0986 7.5 Moxa
CVE-2015-2945 7.5 h-fj
CVE-2014-8146 7.5 icu_project

Date Vulnerability Description
2015/05/25 PHP PHAR ‘phar_tar_process_metadata()’ Function Heap Memory Corruption Vulnerability


Description: An attacker can exploit this issue to execute arbitrary code within the context of the affected application.

CVE ID: 2015-3307

2015/05/26 Vulnerability in a Website of Wanda’s E-Commerce Sector Affects Personal Data of 46 Million Users


Description: A vulnerability in a website of Wanda’s e-commerce sector affects personal data of 46 million users.

2015/05/26 SQL Injection Vulnerability in the Website of Nanyang Municipal Public Security Bureau, Traffic Police Detachment Allows Information Disclosure


Description: An SQL injection vulnerability in the website of Nanyang Municipal Public Security Bureau, Traffic Police Detachment allows information disclosure.

2015/05/26 Injection in the Yimutian Online Shopping Website May Lead to Information Disclosure


Description: An injection vulnerability in the Yimutian online shopping website may lead to information disclosure, affecting more than 5 million users and more than 6 million businesses.

DDoS Protection

Anti-DDoS products or traffic cleaning services, after being deployed, can effectively protect websites from possible DDoS attacks. Take the NSFOCUS Anti-DDoS System (ADS) as an example. After being deployed, it can cope with common DDoS attacks at the network layer, transport layer, and application layer, such as SYN flood, UDP flood, UDP DNS query flood, (M)Stream flood, ICMP flood, HTTP GET flood, and connection exhaustion attacks. Its other functions include abnormal traffic detection, attack protection, device management, report generation, and value-added operations. In addition, it can be deployed in in-path, in-path cluster, out-of-path, and out-of-path cluster mode to meet different business needs. In out-of-path mode, ADS supports various routing protocols for traffic diversion and reinjection, suitable for use even in complex network environments.

Application Protection

Besides ADS, the deployment of a web application firewall (WAF) can better protection website applications. For a web page defacement event, NSFOCUS WAF provides an online protection solution that features in-process protection and post-event remediation. During the event, WAF filters out in real time web page defacement attack traffic (SQL injection, XSS, and so on) mixed in HTTP requests. After the event, WAF automatically monitors all web pages of a website under monitoring for their integrity. After detecting that a web page is tampered with, WAF immediately alerts the administrator by SMS and at the same time displays the normal web page before defacement to ensure that users can access the desired content. Furthermore, HWAF can be deployed for real-time website protection. Once detecting web page defacement, it will restore the previous page within seconds.

NSFOCUS product users are advised to update the rule database as soon as possible. NSFOCUS has provided rule update packages in the software upgrade bulletin. The rule database can be updated online through the web-based manager. If you cannot install the rule update package for the time being, you can find the related product on the software upgrade page, and download and install it, thus updating the rule database offline. Please visit:


Like other cyber attacks, this Anonymous operation is also a battle between people. NSFOCUS Security Cloud provides customers with professional, rapid, and efficient security assurance all the time and delivers a managed security operation solution for Internet websites. Based on website access monitoring, this solution enables customers to get all-round website security operation services before, during, and after a security event.


We Are Watching

For advanced attacks such as the OpChina attack, the key lies in the prompt obtaining of related information so as to trigger the emergency response mechanism as soon as possible. This is a very important approach for addressing both traditional security threats and advanced persistent threats (APTs). The obtaining of and responding to threat-related intelligence, to some extent, reflect a security vendor’s protection capacity. The threat intelligence service system consists of at least threat monitoring and responding, data analysis and sorting, business intelligence and delivery, risk assessment and consultancy, and security hosting and application, involving the research, products, services, operations, and marketing. NSFOCUS, through an all-round emergency response system covering the research, cloud, products, and services, promptly provides threat intelligence and follow-up services regarding Anonymous attacks for enterprises and organizations, ensuring their business continuity.

[1] NSFOCUS Web Security Monitoring System,

[2] NSFOCUS Network Security Threat Weekly, No. 201522

NSFOCUS @Infosecurity Europe 2015

This slideshow requires JavaScript.

Hope everyone had a fab time for the 3 days event – Infosecurity Europe 2015 @Olympia London. The 3-days event brought all the security professionals in one roof. We were glad that had this fantastic opportunity not only to meet our customers but also introduced NSFOCUS Anti-DDoS solutions to wider audiences. If we haven’t had a chance to talk to you during the event, please do get in touch with us by dropping us an email,, we are more than happy to give you more information regarding our solutions, or any other information regarding against DDoS attacks.

We hope to see you again.

Simple Service Discovery Protocol Adds to IoT Complexity

By Balaji Narasimhan, 29-May-2015

Much has been written about how secure–insecure, rather–IoT is. As with all forms of technology, security takes the back seat because people often concentrate on other features.

Much has been written about how secure–insecure, rather–IoT is. As with all forms of technology, security takes the back seat because people often concentrate on other features.

“I woke up and turned around to find a gun in my face.” This is something that you may read in a book by Alistair MacLean, but with the threat of IoT looming over us, this is what anybody using IoT will face–except that the gun is invisible, held by a nameless hacker 200 kilometers away.

Much has been written about how secure–insecure, rather–IoT is. As with all forms of technology, security takes the back seat because people often concentrate on other features. IoT is no exception and the threat of Simple Service Discovery Protocol (SSDP) looms large over it.

What is SSDP? Wikipedia says that SSDP has been around since 1999 (ironically, Kevin Ashton coined IoT in the same year) and is a network protocol for advertisement and discovery of network services. SSDP comes enabled by default on IoT devices; they use it discover each other on a network.

This means that SSDP can be used to compromise a network using IoT. Some reports are already highlighting the danger of SSDP–NSFOCUS, in its bi-annual DDoS Threat Report (April 2015) said that more than 7 million SSDP devices globally could be exploited. Arbor Networks monitored 126,000 SSDP reflection attacks in JFM 2015 compared to 83,000 in OND 2014. In May 2015, Akamai said that SSDP attacks–which were not observed at all in the first half of 2014–accounted for over 20 per cent of the attack vectors in 2015.

This shows how hackers are shifting focus. A blog entry on says that, while UDP (User Datagram Protocol) DDoS attacks are common and can be blocked by rule sets, SSDP attacks are rarer, which means that CIOs, CSOs and other tech people will take some time to come to grips with it.

But while it is easy to patch servers, with IoT, it could be tougher–IoT relies not on one big device but on hundreds, perhaps thousands of small sensors. Changing them–for security or other reasons–will require firmware upgrades, which will take time to implement.

The growth of IoT is so fast–Gartner said that around 26 billion IoT objects will be present in 2020, while IDC said that the worldwide market for IoT will touch $7.1 trillion in 2020–everything is at risk

Consider an example–if your car has IoT sensors that automatically tell the manufacturer about the status of critical components, a hacker may be able to use this channel to hack into the automobile company’s secure servers. He could then use some system to turn off petrol flow (that will be IoT enabled too) to a lot of cars, thus (hypothetically) bringing many cars to a standstill.

This is no pipe dream–IHS Automotive says that the number of cars connected to the Internet worldwide will touch 152 million in 2020. Any one of them could be a starting point for a hacker.

I don’t know about you, but I’m really scared. So scared that I sleep with a Smith and Wesson .44 magnum revolver under my pillow. I feel safe for now, but it’s just a matter of time before the damned thing gets an IoT sensor…

Low-and-Slow Attacks

How the low-and-slow attacks gained the notorious reputation?

By Jiong Liu (John)

Slow HTTP Post DoS attack was officially revealed to the technical community at the Open Web Application Security Project (OWASP) 2012 conference, at which Wong Onn Chee and Tom Brennan together demonstrated the power of this particular attack.

  • Low-and-slow attack is launched based on the following principles:
  • A client sets up a connection to an HTTP server that is accessible via HTTP and crafts an HTTP packet with the Content-Length field set to a great value.
  • Instead of sending it at once, the client sends it at a rather low-speed, for example, one byte every 1–10 seconds to hold this connection open.
  • If the client keeps setting up such connections, available connections on the server will run out, leading the server to deny service to legitimate users.

Low-and slow attack is more or less the same as Collapsar Challenge (CC) attack, which aims at a web server as long as it provides web services. As the HTTP protocol does not require a check on the request content before the request is received, the low-and-slow attacks can still succeed even if the request body is empty.

It is low-cost to use a client to establish a large number of useless connections in a single-thread way and keep sending packets at a very slow speed. The tests indicate that a single client can establish over 3000 connections. A low-and-slow attack from the single client will be a fatal blow to a web server, which will cause distributed denial-of-service (DDoS) attacks conducted via using zombie clusters.

The low-and-slow attack becomes popular due to the ease of exploitation, severe impact of the resulting DoS, and the evasion feature, thereby being favor in the eyes of many hackers.

Currently, low-and-slow attack falls into the following categories:

  • Slow Headers

Web applications need to receive the full HTTP header before processing an HTTP request. This is because an HTTP header contains important information, some web applications may use for request processing. This provides an opportunity for attackers to keep sending an HTTP header to saturate the server with idle connections and exhaust its memory resources.

  • Slow Body

An attacker sends an HTTP Post request with Content-Length set to a great value. After receiving the HTTP header, the web server or proxy keeps the connection ready to receive data, wrongly believing that a large request will be sent from the client. However, the attack client sends a small portion of the HTTP body each time to keep the connection alive, with a purpose of draining connections to the server and exhausting its memory resources.

  • Slow Read

The client sets up a connection to the server and sends a full HTTP request. Holding the connection open, the client reads the response from the server at a low-speed. For example, it sends a Zero Window to the server before reading the response, misleading the server into thinking that the client is busy. Until the connection is about to time out, the client reads only one byte of the response. In this way, the client drains connections to the server and consumes its memory resources.

The following illustrates how to protect against low-and-slow attacks:

Traditional cleaning devices provide threshold-based protection against CC attacks. The protection process is as follows: If the number of requests from a client exceeds the specified threshold during a given period, the cleaning device returns a verification code or special JavaScript code. A legitimate user will type the displayed code for login, while DDoS tools used on zombies by hackers to simulate a great number of HTTP requests fail to parse the returned data, let alone the JavaScript code. Therefore, when the cleaning device captures the HTTP request and returns JavaScript code, the attack fails due to the lack of JavaScript code parsing.

Sometimes, even returning the verification code or JavaScript code by cleaning devices cannot defeat low-and-slow attacks. According to characteristics of this type of attacks, you can also take the following means to fight against them: 1. Calculate the number of packets. It is an abnormal phenomenon to find too many or too few HTTP requests on a single TCP connection in a given period. The former is probably a low-and-slow attack, while the latter is potentially a CC attack. 2. Specify the maximum time allowed to receive an HTTP header. If the entire HTTP header failed to be transmitted when the specified time limit is exceeded, it is likely that a low-and-slow attack happens. The protection workflow of low-and-slow attack shows below.

Low-and-Slow Attack Protection Workflow

Jiong Liu (John)

Jiong Liu (John) is a Network Security Consultant at NSFOCUS. He has more than 15 years experience in Network and Security Industry and Telecom Industry. He has involved numbers of project such as China Mobile Project – Anti-DDoS attack project.