Attacks Report
Report Overview
Expert Perspectives
In the first half of 2013, global botnets remained small, local, and specialized in comparison to the previous year.
Standard botnet detection techniques are based on identifying the features and behaviors of botnet communication packets, and new
security techniques are being developed on the same basis. They indicate threats immediately and make it possible to block
malicious traffic. These new techniques include detection of Fast-Flux malicious domain requests, next-generation
honeynets and sandboxes, DDoS attack tracking, and cloud-based IP reputation databases for C&C and botnet hosts.
According to network attack statistics, botnet-based DDoS attacks account for the majority of network attacks, and
application-targeted DDoS attacks are increasingly common and take forms that are more difficult to detect.
The increase in smart terminal use and the rapid development of mobile applications mean that more botnet DDoS attacks are
launched with fixed-network traffic that imitates the features of mobile network traffic.
Hotspot Events
In March 2013, The Spamhaus Project, an international anti-spam organization based in Europe, was hit by heavy DDoS
attack traffic, peaking at up to 300 Gbit/s. It was later determined that the attack was launched using DNS reflection across
a large number of open DNS servers on the Internet. This attack was a wake-up call for the online security community. If the large
number of open DNS servers on the Internet remain online but unmanaged, they could lead to an Internet
security crisis in the near future. An Anycast-based cloud washing solution was used to defend against the heavy DDoS
attack traffic and effectively brought the attack under control. The arrival of anti-DDoS Managed Security Service Providers (MSSPs)
has brought additional means of defending against DDoS attacks. In the future, Internet Service Providers (ISPs) will
most likely deploy washing systems globally to provide powerful anti-DDoS SaaS services.
Botnet Conditions
According to a Huawei Cloud Security Center survey, botnets in China and USA account for 30.3% and 26.2% of the global
botnets, respectively. Among the botnet controllers, 42.2% are located in USA, 3.8% in China, 9.1% in Germany, 7% in
France, and 5.8% in the UK.
There is a large variety of botnet-driven DDoS tools online, many of which simulate the access behavior of normal
service clients while varying attack packet features. Per-feature filtering does not perform well against such DDoS
attacks. In response, security service providers have had to develop more effective defense techniques such as behavior analysis,
session monitoring, and IP reputation.
With the proliferation of mobile applications and the rapid growth of global 3G and 4G mobile networks, the number of
malicious mobile samples is increasing quickly, resulting in the advent of mobile botnets.
Fast-Flux uses rapidly changing DNS records to place proxy botnet hosts in front of the real C&C servers, concealing them.
Because of this, Fast-Flux is widely used by the majority of botnets.
According to a Huawei Cloud Security Center survey, application-targeted DDoS attacks are increasing to such an extent
that they account for 89.11% of DDoS attacks. In China, DDoS attacks primarily hit major cities, such as Beijing, Shanghai, and
Shenzhen, which together account for 81.42% of all DDoS attacks in China. One reason DDoS attacks focus on these three
cities is that they host the major Internet Data Centers (IDCs) carrying popular Internet services.
IDCs have been consistently hit with DDoS attacks. The top three targets of DDoS attacks on IDCs are e-commerce, online
gaming, and DNS services. DNS service attacks may bring down essential Internet infrastructure and have the widest impact on
Internet services. Among the major web attack targets, the top three are e-commerce, online gaming, and online financial
services. DDoS attacks targeting an IDC's network layer threaten network infrastructure components, such as firewalls, IPSs,
and load balancing devices. Application-targeted DDoS attacks threaten online services. Counteracting frequent
DDoS attacks requires higher IDC O&M expenditure, while reduced bandwidth availability degrades user experience.
Trend Forecast
Huawei Cloud Security Center predicts in the coming years there will be an increase in mobile botnets, larger point-to-point
botnets, and more widespread use of evasion techniques like Fast-Flux.
The proliferation of Internet services and cloud computing will be accompanied by more frequent DDoS attacks on cloud
IDCs. These DDoS attacks may narrow down to light traffic application-targeted attacks and other low-speed attacks as a
means of lowering attack costs, concealing attack sources, and evading security devices without diminishing attack severity.
The spike in global LTE construction considerably increases mobile network bandwidth, and there is a corresponding increase
in the number of applications developed for smart mobile terminals. Application backdoors and rooted or jailbroken terminals
will be leveraged as part of mobile botnets. DDoS attacks targeting mobile applications will become a new form of DDoS
attack. Therefore, security device providers will need to develop more effective defense techniques, such as botnet IP reputation
and security reputation clouds, that defend against DDoS attacks starting from the source.
Multi-core network security devices may distribute traffic unevenly across their cores. This shortcoming may be exploited to
launch a new type of DDoS attack. Therefore, security device providers face a new challenge at the interfaces of multi-core network
security devices: these interfaces will need to be capable of line-rate forwarding as well as dynamic attack traffic filtering.
In the coming years, IPv4 will continue its transition to IPv6. IPv4 and IPv6 hybrid attacks will be a new type of DDoS
attack, targeting IPv4-to-IPv6 conversion gateways. In the meantime, attacks will continue to exploit newly discovered IPv6
vulnerabilities.
Network crimes cost little to perpetrate but may bring significant rewards. This is why many expert-level hackers
commit such crimes by controlling botnets. Hackers have continuously evolved their methods to evade detection by
network security devices. For example, traditional IRC control servers can be transformed into HTTP-based web control
servers. This transformation makes it more difficult to monitor botnets on the network. The most common web-type
botnet tools are Darkness, BlackEnergy, SkyEye, Zeus, IMDDoS, Illusion, and Pentest. When communicating, these tools use
SSL encryption or other channel techniques to evade traditional pattern-match detection. Fast-Flux may be used for domain
name access to establish a dynamic mapping between domain names and IP addresses. This approach evades IP-to-domain
name match detection. In addition, botnet control programs are updated quickly and may go undetected by signature-based
antivirus or anti-botnet programs.
With improved hardware performance and more powerful OSs, such as Android, iOS, and Windows Mobile, smart mobile
terminals are more PC-like, with similar capabilities and, consequently, similar security vulnerabilities. Botnet variants proliferate to
attack mobile terminals. For example, ZitMo is a Zeus botnet variant on Android. A complete black market industry chain
has grown up around mobile botnets.
Network governance demands that network security devices be capable of DDoS attack tracking and of detecting malicious Fast-
Flux DNS requests, botnet communication packet features and behaviors, and botnet program updates, downloads,
and spreading. Such devices will establish IP reputation databases for C&C hosts and botnet hosts to filter malicious traffic.
Network governance also requires cloud-based global botnet monitoring and analysis, in other words, cloud centers that
monitor global botnet variants and collect and share IP reputation across the world in real time.
Among botnet detection techniques, the most effective would be to detect and filter Fast-Flux DNS requests, since
Fast-Flux-controlled botnets account for the majority of botnets. DNS buffer servers (caching resolvers) are the first gate for Internet connections, and
Fast-Flux DNS request detection identifies botnets rapidly. In addition, network security devices only need to be deployed ahead
of DNS buffer servers, making this the least expensive deployment compared with other solutions. If the network security
devices also incorporate global cloud-based botnet IP reputation monitoring, the botnet detection rate would be even higher.
Most importantly, botnet governance is a global responsibility, and requires cooperation among network security-related
organizations to track botnet sources, shut down the botnet source servers or C&C servers, and investigate botnet producers
for prosecution.
DDoS attacks account for the majority of network attacks: they are easy to launch, cause significant damage, and are difficult to
trace. Most financial crimes on networks are associated with DDoS attacks. From 2012 to mid-2013, several banks in South
Korea, the USA, Brazil, and Hong Kong were hit by DDoS attacks; among these, the DDoS attack on the Bank of America (BOC)
generated traffic peaking at 70 Gbit/s. Hackers launch DDoS attacks on banks for several reasons, for example, to bring down
the banking system as a political statement, or to blackmail the bank with the threat of an outage. Additionally, a DDoS
attack can be used to obscure other activities, such as the theft of valuable financial information. Under heavy DDoS attack
traffic, the security devices protecting web services have insufficient processing capacity to defend against it, and hackers use this
opportunity to break into the system.
The means of executing DDoS attacks have changed little in 2013 compared with the previous year. In 2013, DDoS attacks
mainly target mobile network applications and occur frequently. Although DDoS attacks on mobile applications and on
fixed network applications are relatively similar, network security service providers have more to address for mobile
terminals because they face the dual task of maintaining normal mobile terminal access while effectively defending against
DDoS attacks.
[Figure: DNS reflection attack, showing the Attacker, Open DNS Servers, and the Victim.]
When repelling the attack, CloudFlare, the DDoS attack traffic washing company, effectively defended against the attack
using the Anycast-based cloud washing technique. The effectiveness of this technique may set a precedent for a
solution to large-scale DDoS attacks. Indeed, the Internet requires CloudFlare-like MSSPs for effective defense, because
the security defense systems deployed at network egresses alone are insufficient against ultra-heavy DDoS attack traffic. In the
foreseeable future, Internet service providers (ISPs) may deploy washing systems globally to provide powerful anti-DDoS SaaS
services to their customers.
As a way to hide C&C servers and a technique to prolong the botnet lifecycle, Fast-Flux has quickly become a standard feature of
most botnets. With this technique, botnet makers have redoubled the challenge to the Internet security industry.
With the growth of 3G/4G networks worldwide, mobile broadband speeds continue to increase, and the bandwidth
bottlenecks of mobile intelligent terminals are steadily being removed. Compared with traditional PCs, mobile
intelligent terminals are typically online at all times. From an attacker's perspective, this condition is ideal for using mobile
intelligent terminals to initiate a variety of network attacks, with an effect similar to attacks launched from data center
servers (currently, most network attacks originate from data center servers). The rapid development of mobile intelligent
terminals is fertile ground for the evolution of botnets. Examples of mobile botnets include ZitMo, used to bypass online
banking security, and Android.DDoS.1.origin, used to send spam messages and initiate DDoS attacks.
According to Huawei Cloud Security Center statistics, botnets are small-scale and specialized globally, targeting specific parts
rather than the whole. Botnets with fewer than 1,000 hosts are common since they are easily controlled.
Botnet Distribution
According to Huawei Cloud Security Center statistics, the shares of global botnet hosts located in China and the U.S. are
30.3% and 28.2%, respectively, much higher than those of other countries. Most botnet controllers are located in the U.S.,
accounting for 42.2% of the total, followed by Germany (9.1%), France (7%), Britain (5.8%), and China (3.8%).
In China, most zombie hosts are located in Guangdong, Beijing, and Zhejiang in descending order, and most botnet
controllers are located in Taiwan.
The five controllers, Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, and IMDDOS, control most zombie hosts in
China.
[Figure: Top 5 Controllers/Controlled. Bar chart of controlled hosts and controllers for Boer_Family, Gh0st_Family,
Yoddos_Family, Xyligan_Family, and IMDDOS. Values that survived extraction, in the order they appear: Controlled series
14590, 7241, 6085, 3678, 1210; Controller series 122, 137, 53, 549, 29.]
Data source: Huawei Cloud Security Center
Among the zombie tools used in China, Zombie Puppet first appeared in 2006 and was mainly used to launch spoofed-source
network-layer attacks. It has since developed to support a variety of popular DDoS attacks, including the most commonly
launched CC (HTTP GET flood) attacks.
LOIC is a DDoS attack tool aiming at web applications. It sends TCP, UDP, and HTTP packets to launch attacks on target
websites. The hacker organization Anonymous used this tool to attack Facebook on January 28, 2012.
Another DDoS attack tool, HOIC, is dedicated to HTTP GET flood attacks. An attacker can set the HTTP application fields,
such as the URL, User-Agent, and Referer, in the attack script.
Developed by OWASP, HttpDosTool is an HTTP slow attack tool used to carry out Slow Post and Slow Header attacks. By
continuously sending incomplete Post or Header requests, the attack consumes web server resources. Currently, this attack
tool supports only HTTP.
Released by the well-known German hacker group The Hacker's Choice, Thc-ssl-dos carries out new forms of DoS/DDoS attacks
on SSL servers. Such attacks make use of the fact that the overhead of the SSL handshake on the SSL
server is 15 times that on the client, consuming SSL server CPU resources. The group stated that they only
require an ordinary computer and a DSL connection to bring down an SSL server, and only 20 computers and 120 Kbps of network
bandwidth to bring down a large server cluster. This type of attack is an extremely "cost-effective" means of
causing significant damage.
The signatures of the attack packets sent by these tools can change freely. Some tools are even able to randomly change
packet contents, rendering signature-database-based attack detection much less effective. To counter such attacks,
security device providers have to use more powerful methods, such as source authentication, behavior analysis,
session monitoring, and IP reputation. To detect attack packets encrypted with SSL, carriers must deploy security devices
behind SSL accelerators to monitor decrypted packets, or add SSL decryption to their security solutions. In essence, DDoS
attacks use fewer resources to cause more damage.
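The session-monitoring approach the paragraph above calls for can be illustrated against the slow HTTP attacks described earlier (Slow Header and Slow POST). The following is an added example, not code from the report or from any of the tools it names: it inspects a snapshot of a web server's connection table and flags clients holding many long-lived connections whose request never completes. The snapshot format, the thresholds, and the addresses are assumptions constructed for the example.

```python
"""Session-monitoring check for slow HTTP (Slow Header / Slow POST) connections.

Added example (not from the report). It inspects a constructed snapshot of a
web server's connection table and flags clients that hold many long-lived
connections whose request has not completed. Snapshot format and thresholds
are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class Conn:
    client: str          # source IP of the connection
    age_s: float         # seconds since the TCP connection was accepted
    bytes_in: int        # request bytes received so far
    headers_done: bool   # True once a complete header block (\r\n\r\n) arrived
    body_done: bool      # True once the declared Content-Length bytes arrived


# Thresholds (assumptions): a request still incomplete after STALL_S seconds is
# "stalled"; a client holding >= MAX_STALLED stalled connections is flagged.
STALL_S = 30.0
MAX_STALLED = 5


def is_stalled(c: Conn) -> bool:
    """A connection is stalled if it is old and its request is still incomplete."""
    return c.age_s >= STALL_S and not (c.headers_done and c.body_done)


def classify(c: Conn) -> str:
    """Name the kind of incompleteness: headers never finished, or body never finished."""
    if c.headers_done and c.body_done:
        return "complete"
    return "slow_header" if not c.headers_done else "slow_post"


def find_slow_http_clients(conns: List[Conn]) -> Dict[str, Dict[str, int]]:
    """Return {client: {"slow_header": n, "slow_post": n}} for clients over the limit."""
    stalled: Dict[str, Dict[str, int]] = defaultdict(
        lambda: {"slow_header": 0, "slow_post": 0})
    for c in conns:
        if is_stalled(c):
            stalled[c.client][classify(c)] += 1
    return {ip: v for ip, v in stalled.items() if sum(v.values()) >= MAX_STALLED}


# Constructed snapshot: one client trickling headers, one trickling a POST body,
# twenty normal clients with fast complete requests, and one slow client that
# stays under the per-client limit (a legitimately slow link, not an attack).
SNAPSHOT = (
    [Conn("198.51.100.7", 120 + i, 40 + i, False, False) for i in range(8)]
    + [Conn("203.0.113.9", 90 + i, 500, True, False) for i in range(6)]
    + [Conn("192.0.2.%d" % i, 0.5, 700, True, True) for i in range(20)]
    + [Conn("192.0.2.50", 45.0, 30, False, False)]
)


if __name__ == "__main__":
    for ip, counts in find_slow_http_clients(SNAPSHOT).items():
        print(ip, counts)
```

The per-client count matters more than any single connection: a single stalled connection is what a slow mobile link looks like, which is why the last client in the snapshot is deliberately left unflagged.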
ZitMo aims to bypass online banking security. The Zeus Trojan horse is installed on a PC to launch attacks, while ZitMo
botnets are spread across mobile platforms. ZitMo botnets have been detected on the Symbian, Windows Mobile, BlackBerry, and
Android platforms. ZitMo forwards short messages containing mTAN codes (online banking verification codes) to attackers,
so that the attackers can access victims' bank accounts and manipulate them illegally. Even though ZitMo
is only spyware that forwards short messages, it works together with the Zeus Trojan horse to bypass the mTAN security
features used to secure online banking.
Android.DDoS.1.origin, which was detected at the end of 2012, is also a typical mobile botnet malware sample. It pretends
to be the Google Play Store, launches the system app store to confuse users, and starts a service in the background.
This service starts a thread that periodically sends heartbeat packets to the control end, waits for its commands, and then
performs malicious behavior according to these commands, including intercepting short messages, continuously sending
spam messages to a phone number, or launching UDP flood attacks against target IP addresses.
Fast-flux completely bypasses traditional IP-based traffic filtering. The client does not directly connect to a C&C server, but to
a zombie host on the Fast-flux botnet. The IP address of the zombie host acting as the C&C proxy changes frequently and is
unpredictable.
Although CDNs and Fast-flux botnets rely on similar technical principles, the way their domain names and IP addresses
vary is different. On a CDN, the IP address returned to users in a given area is close to the users' own addresses to
ensure quality of service, unless there is a network failure. On a Fast-flux botnet, the DNS results carry the IP
addresses of proxy zombie hosts over a wide geographical area, often belonging to different autonomous systems (ASs), to evade security
checks. Therefore, monitoring domain name requests at DNS cache servers is an effective means of detecting Fast-flux botnets.
According to Huawei Cloud Security Center analysis, Zeus botnets are the most common Fast-flux botnets controlled over
HTTP. Zeus steals user computer passwords (for mailboxes, FTP download, social networking websites, and online banking).
The analysis shows that Zeus uses a total of 19 domain names, as listed in the following table.
ophaeghaev.ru is used as an example. One resolution of the domain name returns 20 records with a TTL of 20 seconds. The IP
addresses of the records are reverse-resolved and their autonomous system numbers (ASNs) are queried. The 20 IP
addresses belong to 14 ASs in 9 countries, outlined in Table 4-2. Zeus uses these domain names and IP addresses either
simultaneously or in turn to evade security system monitoring.
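The CDN-versus-Fast-flux distinction described above, and the Fast-Flux DNS request detection recommended in the Expert Perspectives section, come down to a few features of one DNS answer set: record count, TTL, and how widely the answer IPs are spread across ASs and countries. The following is an added example, not code from the report or from Huawei: it scores a constructed answer set with the same shape as the Zeus figures in the text (20 records, TTL 20 s, 14 ASs, 9 countries) against a constructed CDN-like answer. The IP-to-ASN table, the ASNs and addresses (all from documentation ranges), and the thresholds are assumptions; a real deployment would consult an IP-to-ASN database.

```python
"""Fast-flux vs CDN discrimination from a single DNS answer set.

Added example (not from the report). Scores an answer set by record count,
TTL, and the spread of the answer IPs across ASNs and countries. The
IP -> (ASN, country) table and both answer sets are constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed IP -> (ASN, country) table standing in for a real IP-to-ASN database.
IP_INFO: Dict[str, Tuple[int, str]] = {}


def _add(prefix: str, count: int, asn: int, cc: str, start: int = 10) -> List[str]:
    """Register `count` consecutive addresses under one ASN/country; return them."""
    ips = ["%s.%d" % (prefix, start + i) for i in range(count)]
    for ip in ips:
        IP_INFO[ip] = (asn, cc)
    return ips


# A CDN-like answer: a handful of nearby IPs, one AS, one country (constructed).
CDN_IPS = _add("192.0.2", 4, 64500, "CN")

# A flux-like answer: 20 IPs spread over 14 ASNs in 9 countries, the shape the
# text reports for the Zeus domain (constructed data, private-use ASNs).
_FLUX_PLAN = [(64601, "US", 3), (64602, "US", 2), (64603, "DE", 2), (64604, "DE", 1),
              (64605, "FR", 2), (64606, "BR", 1), (64607, "RU", 2), (64608, "RU", 1),
              (64609, "IN", 1), (64610, "TR", 1), (64611, "TR", 1), (64612, "KR", 1),
              (64613, "AR", 1), (64614, "US", 1)]
FLUX_IPS: List[str] = []
for _i, (_asn, _cc, _n) in enumerate(_FLUX_PLAN):
    FLUX_IPS += _add("203.0.%d" % (100 + _i), _n, _asn, _cc)


@dataclass
class FluxFeatures:
    records: int     # number of A records in the answer
    ttl: int         # TTL of the answer in seconds
    asns: int        # distinct autonomous systems among the answer IPs
    countries: int   # distinct countries among the answer IPs


def features(answers: List[str], ttl: int) -> FluxFeatures:
    """Extract the features the text describes from one answer set."""
    asns = {IP_INFO[ip][0] for ip in answers}
    ccs = {IP_INFO[ip][1] for ip in answers}
    return FluxFeatures(len(answers), ttl, len(asns), len(ccs))


def is_fast_flux(f: FluxFeatures, max_ttl: int = 300,
                 min_asns: int = 3, min_countries: int = 2) -> bool:
    """Flag a short-TTL answer set spread across many ASs and countries.

    Thresholds are assumptions. A CDN also uses short TTLs, but its answers
    come from few ASs close to the client, so the AS/country spread is what
    separates the two cases.
    """
    return f.ttl <= max_ttl and f.asns >= min_asns and f.countries >= min_countries


if __name__ == "__main__":
    for name, ips in (("cdn-like", CDN_IPS), ("flux-like", FLUX_IPS)):
        f = features(ips, ttl=20)
        print(name, f, "fast-flux" if is_fast_flux(f) else "benign")
```

Both answers use a 20-second TTL, so TTL alone cannot separate them; the decision rests on the AS and country spread, which is the discriminator the text describes.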
According to Huawei Cloud Security Center, 28.05% more DDoS attacks occurred in the first half of 2013, compared with
the first half of 2012.
[Figure: Total DDoS attack events.]
DDoS attacks on the network layer severely damage the basic IDC architecture and may cause network congestion or exhaust
session resources on session-based forwarding devices, such as firewalls, IPSs, and load balancing devices, which then become
network bottlenecks. DDoS attacks on the network layer affect not only the service systems under attack but also other clients' service
systems. Lower IDC bandwidth availability leads to higher IDC operating expenses, compromised client satisfaction, and even loss
of clients. Under a DDoS attack, IDC service systems respond slowly or may even crash, causing significant financial losses
to ISPs. More and more IDC operators have come to recognize the importance of protecting their IDCs with professional anti-DDoS solutions.
DNS-targeted attacks account for 13.5% of all attacks, and most of them are DNS query flood attacks intended to
generate Cache Misses. Internet service systems are usually implemented on server clusters. In comparison, DNS systems
have far weaker security and attack tolerance than server clusters. This is why DNS servers in Metropolitan Area
Networks (MANs) and enterprises' DNS authorization servers (authoritative servers) are prone to DDoS attacks.
[Figure: Attack categories. Only the axis ticks survived extraction.]
Data source: Huawei Cloud Security Center
According to Huawei Cloud Security Center, the top three IDC service attack targets are e-commerce, online gaming, and
DNS services. Hackers launch DDoS attacks for reasons including political motivations, industrial espionage, financial
crime, and blackmail. In China the primary motivation is industrial espionage, with attacks focusing
on e-commerce, online gaming, and DNS authorization services. Outside China, attacks are mainly politically
motivated. Attacks on online gaming are driven first by industrial espionage and second by blackmail. Attacks
on online financial service systems are usually motivated by political intentions, blackmail, and the concealment of unauthorized
operations.
DNS service attacks are mainly DNS query flood attacks intended to generate Cache Misses. The most frequent and severe
attacks focus on DNS authorization servers, though there are also some DDoS attacks on DNS buffer servers. According to
Huawei Cloud Security Center, IDCs providing DNS authorization are hit far more often than IDCs with other functions. In
China, attacks on known DNS authorization servers have never stopped, and the attack frequency is far higher than that for
other Internet services. DDoS attacks on DNS authorization servers are usually launched in the form of Cache Miss attacks,
which request non-existent domain names. The Cache Miss attacks that traverse, or impersonate, live DNS buffer servers are the
most difficult to defend against. DDoS attacks targeting DNS authorization servers have increased significantly, indicating
a shift of attack targets from online service servers to the domain name resolution servers those services depend on. Cache Miss
attacks run rampant because they require few resources and use source spoofing to conceal the botnets behind
them. Such attacks severely affect online service availability and the domain name resolution of other Internet
services. They cause widespread disruptions and even threaten the basic Internet architecture. The Kmplayer event in 2009
is an example of a typical Cache Miss attack. In recent years, to quickly boost the impact of these attacks, attackers
have launched large numbers of DNS reflection attacks, resulting in more frequent DNS reply flood attacks.
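Because a Cache Miss attack spoofs its sources and may arrive through live caching resolvers, counting queries per client is of little use; what stands out is the target zone receiving a stream of distinct, random-looking labels that all resolve to NXDOMAIN. The following is an added example, not code from the report: it aggregates constructed resolver log lines per zone and flags zones whose traffic has that shape. The log format, the thresholds, the zone names and the addresses are assumptions made for the example.

```python
"""Detecting Cache Miss (NXDOMAIN) floods against a zone from resolver logs.

Added example (not from the report). Aggregates per target zone rather than
per client, because the attack spoofs sources and may traverse live caching
resolvers. Log format, thresholds and all log lines are constructed.
"""
import hashlib
import math
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Assumed log line shape: "<timestamp> <client> q: <qname> rcode=<RCODE>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) q: (?P<qname>\S+) rcode=(?P<rcode>\w+)$")


def parse(line: str) -> Tuple[str, str, str]:
    """Return (client, qname without trailing dot, rcode) or raise on garbage."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable log line: %r" % line)
    return m["client"], m["qname"].rstrip(".").lower(), m["rcode"]


def zone_of(qname: str, depth: int = 2) -> str:
    """Group queries by the last `depth` labels (assumption: registrable zone)."""
    return ".".join(qname.split(".")[-depth:])


def label_entropy(label: str) -> float:
    """Shannon entropy in bits per character; random labels score high."""
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def cache_miss_zones(lines: List[str], min_queries: int = 50, min_nx_ratio: float = 0.8,
                     min_distinct: int = 40, min_entropy: float = 2.5) -> Dict[str, dict]:
    """Return {zone: summary} for zones that look like Cache Miss flood targets."""
    per_zone = defaultdict(lambda: {"queries": 0, "nx": 0, "labels": set(), "ent": 0.0})
    for line in lines:
        _client, qname, rcode = parse(line)
        zone = zone_of(qname)
        s = per_zone[zone]
        s["queries"] += 1
        if rcode == "NXDOMAIN":
            sub = qname[: -len(zone) - 1] if qname != zone else ""
            s["nx"] += 1
            s["labels"].add(sub)
            s["ent"] += label_entropy(sub)
    flagged = {}
    for zone, s in per_zone.items():
        if s["queries"] < min_queries:
            continue
        ratio = s["nx"] / s["queries"]
        avg_entropy = s["ent"] / max(1, s["nx"])
        if ratio >= min_nx_ratio and len(s["labels"]) >= min_distinct and avg_entropy >= min_entropy:
            flagged[zone] = {"queries": s["queries"], "nx_ratio": round(ratio, 2),
                             "distinct_labels": len(s["labels"])}
    return flagged


def constructed_log() -> List[str]:
    """Constructed resolver log: normal lookups of one zone plus a flood against another."""
    lines = []
    for i in range(60):   # repeated lookups of a few real names, answered NOERROR
        name = ["www", "mail", "api"][i % 3] + ".shop.example"
        lines.append("2013-06-01T10:00:%02d 192.0.2.%d q: %s. rcode=NOERROR" % (i, i % 5, name))
    lines.append("2013-06-01T10:01:00 192.0.2.1 q: wwww.shop.example. rcode=NXDOMAIN")  # one typo
    for i in range(80):   # random labels under the victim zone, every one a cache miss
        label = hashlib.sha256(b"flood-%d" % i).hexdigest()[:20]
        lines.append("2013-06-01T10:02:%02d 203.0.113.%d q: %s.victim.example. rcode=NXDOMAIN"
                     % (i % 60, i % 200, label))
    return lines


if __name__ == "__main__":
    print(cache_miss_zones(constructed_log()))
```

The entropy term keeps a zone with many legitimate but fixed subdomains (a hosting provider, say) from being flagged merely for a burst of typos; the distinct-label count keeps a single misconfigured client that repeats one bad name from triggering it either.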
Attacked applications (share of DDoS attacks on IDC services)
  E-commerce         56.79%
  Online game        25.14%
  DNS service         6.68%
  Financial service   3.53%
  Others              7.86%
Data source: Huawei Cloud Security Center
DDoS attacks on UDP-based online gaming services are mainly UDP flood attacks; those on TCP-based online gaming
services are mainly SYN flood, TCP connection flood, and ACK flood attacks; those on HTTP-based web gaming services are
mainly HTTP GET flood (CC) attacks.
Attacked web applications (share of web attacks by target type; chart title not recovered)
  E-commerce   42.14%
  Gaming       24.08%
  Finance      14.72%
  Forum         6.70%
  Social        5.67%
  Portal        3.01%
  Blog          0.67%
  Others        3.01%
Data source: Huawei Cloud Security Center
HTTP GET flood attacks usually target e-commerce, online gaming services, and online payment services.
[Figure: Attack traffic, distribution of attacks by bandwidth. Only unlabeled values (37.90%, 3.23%, 1.61%) survived extraction.]
Data source: Huawei Cloud Security Center
The average attack bandwidth is relatively low because attacks are more commonly targeting sessions and applications
instead of bandwidth. Even low attack traffic may cause destructive effects. In addition, such low traffic attacks are even
more difficult to detect. Botnets tend to be small because they are easier to manage and conceal. Widespread DDoS attacks
may involve several botnets, resulting in a proportional increase in attack costs. If the attack targets are pre-determined,
application-targeted DDoS attacks may achieve the desired impact using low traffic. Even after the attacks stop, recovery of
service systems is usually extremely difficult.
Cross-Platform Botnet
Both mobile botnets and traditional PC botnets have massive numbers of terminals deployed and yield huge profits on the
black market. There are signs that botnet controllers are attempting to control zombies of both types within one botnet, which
expands botnet coverage and more severely impacts the entire network as well as terminal users.
At the end of 2012, the Android Trojan Android.DDoS.1.origin was detected and found to be capable of launching UDP
flood attacks against a specified website on command from its C&C server. However, due to limited mobile bandwidth, no
damage from this Trojan has been observed. Current mobile botnets generally send spam messages, steal user information,
and push advertisements. With the commercialization of LTE over the next three to five years, mobile network bandwidth
will increase rapidly, and mobile terminals can access the network at any time. Therefore, using smartphones to launch
DDoS attacks will become a strong possibility. If the smartphone HTTP protocol stack is not secured, the Internet will face
an unprecedented challenge. With increasingly frequent mobile Internet service updates and advances in DDoS attack technology,
security device providers have no choice but to develop more effective defense techniques, such as behavior analysis and IP
reputation.
Network security is a core customer requirement. Huawei's security product line considers the long-term construction of cloud
security centers a core technology that builds competitive edge, and will continue investing in the security area.
A wide range of network security experts came together to establish the Huawei Cloud Security Center, focused on building
an advanced security reputation system and cloud security architecture, safeguarding information security, and striving to
continuously improve customer service.
Drawing on Huawei's cutting-edge security capabilities, the cloud security center collects malicious samples from various channels,
feeds the massive number of samples into its management system, rapidly analyzes them and compiles
a signature database, and releases the database to security products deployed worldwide, so that customers' networks are equipped
with the latest security defense capabilities. Besides inheriting legacy security capabilities, the cloud security center draws
together cutting-edge technologies, adapts them specifically to each field, and sets up dedicated security labs with distinct technical
specialties. The research team leverages security products and solutions to provide an active security defense system.
As the Internet evolves, cloud computing and mobile terminals become more widespread, and innovative apps emerge,
so do new threats, posing new challenges for network security personnel. To meet these ever-increasing
challenges, Huawei continues to build its security capabilities and provides customized products, solutions, and services
to help customers effectively defend against global security threats and risks.
7.2 Feedback
If you have any comments about this report, please send them to secinfo@huawei.com.
Copyright © Huawei Technologies Co., Ltd. 2013. All rights reserved.
No part of this document may be reproduced or transmitted in any form or by any means without prior written consent
of Huawei Technologies Co., Ltd. All information in this document is the internal data of Huawei cloud security center and
related labs. All information is for reference only and does not constitute a warranty of any kind, express or implied.
All trademarks, pictures, logos, and brands in this document are the property of Huawei Technologies Co., Ltd. or an authorized third party.
Trademark Notice
, HUAWEI, and are trademarks or registered trademarks of Huawei Technologies Co., Ltd.
Other trademarks, product, service and company names mentioned are the property of their respective owners.
The information in this document may contain predictive statements including, without limitation, statements regarding
the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors
that could cause actual results and developments to differ materially from those expressed or implied in the predictive
statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an
acceptance. Huawei may change the information at any time without notice.
Huawei Industrial Base, Bantian Longgang, Shenzhen 518129, P.R. China
Tel: +86-755-28780808
Version No.: M3-032102-20131014-C-1.0
www.huawei.com