2013 Botnets and DDoS Attacks Report


1 Report Overview

Expert Perspectives

In the first half of 2013, global botnets remained small, local, and specialized in comparison to the previous year. Standard botnet detection techniques are based on identifying the features and behaviors of communication packets, and new security techniques are being developed on this basis. They help indicate threats immediately and make it possible to block malicious traffic. These new techniques include detection of Fast-Flux malicious domain requests, next-generation honeynets and sandboxes, DDoS attack tracking, and cloud-based IP reputation databases for C&C and botnet hosts. According to network attack statistics, botnet-based DDoS attacks account for the majority of network attacks, and application-targeted DDoS attacks are increasingly common, in forms that are more difficult to detect. The increase in smart terminal use and the rapid development of mobile applications mean that more DDoS attacks are launched from botnets by simulating mobile network features in fixed network traffic.

Hotspot Events

In March 2013, The Spamhaus Project, an international anti-spam organization based in Europe, was hit by heavy DDoS attack traffic, peaking at up to 300 Gbit/s. It was later determined that the attack was launched using DNS reflection across a large number of DNS servers on the Internet. This attack was a wake-up call for the online security community: if the large number of open DNS servers on the Internet remain online but unmanaged, they could lead to an Internet security crisis in the near future. An Anycast-based cloud washing solution was used to defend against the heavy DDoS attack traffic, effectively controlling the attack. The arrival of anti-DDoS Managed Security Services Providers (MSSPs) brought additional means of defending against DDoS attacks. In the future, Internet Service Providers (ISPs) will most likely deploy washing systems globally to provide powerful anti-DDoS SaaS services.

Botnet Conditions

According to a Huawei Cloud Security Center survey, botnets in China and the USA account for 30.3% and 26.2% of global botnets, respectively. Among the botnet controllers, 42.2% are located in the USA, 3.8% in China, 9.1% in Germany, 7% in France, and 5.8% in the UK.

In China, the top five botnet controllers are Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, and IMDDoS. A large variety of botnet-exploiting DDoS tools are available online, many of which simulate the access behaviors of normal service clients while changing attack packet features. Per-feature filtering does not perform well against such DDoS attacks, so security service providers have had to develop more effective defense techniques such as behavior analysis, session monitoring, and IP reputation. With the proliferation of mobile applications and the rapid growth of global 3G and 4G mobile networks, the number of malicious mobile samples is increasing quickly, resulting in the advent of mobile botnets. Fast-Flux uses rapidly changing DNS records as a C&C proxy layer to conceal C&C servers behind proxy botnet hosts, and is therefore widely used by the majority of botnets.

DDoS Attack Conditions

Hackers launch DDoS attacks for different reasons, including political motivations, industrial espionage, financial crime, and blackmail. According to a Huawei Cloud Security Center survey, application-targeted DDoS attacks have increased to such an extent that they account for 89.11% of DDoS attacks. In China, DDoS attacks primarily hit major cities such as Beijing, Shanghai, and Shenzhen, which account for 81.42% of all DDoS attacks in China. One reason DDoS attacks focus on these three cities is that they host the major Internet Data Centers (IDCs) carrying popular Internet services. IDCs have been consistently hit with DDoS attacks. The top three targets of DDoS attacks on IDCs are e-commerce, online gaming, and DNS services. DNS service attacks may crash essential Internet architecture and have the widest impact on Internet services. Among the major web attack targets, the top three are e-commerce, online gaming, and online financial services.

DDoS attacks that target an IDC's network layer threaten network infrastructure components such as firewalls, IPSs, and load balancing devices. Application-targeted DDoS attacks threaten online services. Counteracting frequent DDoS attacks requires higher IDC O&M expenditure, while reduced bandwidth availability degrades user experience.

Trend Forecast

Huawei Cloud Security Center predicts that in the coming years there will be an increase in mobile botnets, larger point-to-point botnets, and more widespread use of evasion techniques like Fast-Flux. The proliferation of Internet services and cloud computing will be accompanied by more frequent DDoS attacks on cloud IDCs. These DDoS attacks may narrow down to light-traffic application-targeted attacks and other low-speed attacks as a means of lowering attack costs, concealing attack sources, and evading security devices without diminishing attack severity. The spike in global LTE construction considerably increases mobile network bandwidth, and there is a corresponding increase in the number of applications developed for smart mobile terminals. Application backdoors and rooted or jailbroken terminals will be leveraged as part of mobile botnets. DDoS attacks targeting mobile applications will become a new form of DDoS attack. Therefore, security device providers will need to develop more effective defense techniques, such as botnet IP reputation and security reputation clouds, that start from the source to defend against DDoS attacks. Multi-core network security devices may distribute traffic unevenly across their cores. This shortcoming may be exploited to launch a new type of DDoS attack, so security device providers face a new challenge at multi-core network security device interfaces: these interfaces will need to be capable of line-rate forwarding as well as dynamic attack traffic filtering. In the coming years, IPv4 will continue its transition to IPv6. IPv4 and IPv6 hybrid attacks will be a new type of DDoS attack, targeting IPv4-to-IPv6 conversion gateways. In the meantime, attacks will continue to exploit newly discovered IPv6 vulnerabilities.

2 Expert Perspectives

Network crimes cost little to perpetrate but may bring significant rewards. This is why many expert-level hackers commit such crimes by controlling botnets. Hackers have continuously evolved their methods to evade detection by network security devices. For example, traditional IRC control servers can be transformed into HTTP-based web control servers, which makes it more difficult to monitor botnets through the network. The most common web-type botnet tools are Darkness, BlackEnergy, SkyEye, Zeus, IMDDoS, Illusion, and Pentest. When communicating, these tools use SSL encryption or other channel techniques to evade traditional pattern-matching detection. Fast-Flux may be used for domain name access to establish a dynamic mapping between domain names and IP addresses, which evades IP-to-domain-name match detection. In addition, botnet control programs update quickly and may escape signature-based antivirus or anti-botnet programs. With improved hardware performance and more powerful OSs, such as Android, iOS, and Windows Mobile, smart mobile terminals are more PC-like, with similar capabilities and consequently similar security vulnerabilities. Botnet variants proliferate to attack mobile terminals; for example, ZitMo is a Zeus botnet variant on Android. A complete black market industry chain has grown up around mobile botnets. Network governance demands that network security devices be capable of DDoS attack tracking and of detecting malicious Fast-Flux DNS requests, botnet communication packet features and behaviors, and botnet program updates, downloads, and spreading. Such devices will establish IP reputation databases for C&C hosts and botnet hosts to filter malicious traffic. Network governance also requires cloud-based global botnet monitoring and analysis: cloud centers that monitor global botnet variants and collect and share IP reputation across the world in real time.

Among botnet detection techniques, the most effective would be to detect and filter Fast-Flux DNS requests, since Fast-Flux-controlled botnets account for the majority. DNS buffer (cache) servers function as the first gate for Internet connection, and Fast-Flux DNS request detection there rapidly detects botnets. In addition, network security devices only need to be deployed ahead of DNS buffer servers, making this the least expensive deployment compared with other solutions. If the network security devices also incorporate global cloud-based botnet IP reputation monitoring, the botnet detection rate would be even higher. Most importantly, botnet governance is a global responsibility and requires cooperation among network security-related organizations to track botnet sources, shut down the botnet source servers or C&C servers, and investigate botnet producers for prosecution. DDoS attacks account for the majority of network attacks: they are easy to launch, cause significant damage, and are difficult to track. Most financial crimes on networks are associated with DDoS attacks. From 2012 to mid-2013, several banks in South Korea, the USA, Brazil, and Hong Kong were hit by DDoS attacks; in the DDoS attack on the Bank of America (BOC), the traffic generated peaked at 70 Gbit/s. Hackers launch DDoS attacks on banks for several reasons, for example crashing the banking system to make a political statement, or blackmailing the bank with the threat of a crash. Additionally, a DDoS attack can be used to obscure activities such as the theft of valuable financial information. When there is heavy DDoS attack traffic, web-protected security devices have insufficient processing capability to defend against it, and hackers use this opportunity to invade the system.

As a growing number of Internet applications are carried over HTTP, HTTP-targeted DDoS attacks will occur more frequently and without notice. The attack methods have changed from HTTP GET floods to slow attacks like HTTP slow header/post floods and HTTP retransmissions, and to SSL-encapsulated forms of the same attacks, such as SSL-DoS/DDoS and HTTP slow header/post floods and HTTP retransmissions carried inside SSL. In addition, DNS is an ideal target because it is easily susceptible to attack and critical to Internet architecture. DDoS attacks targeting DNS authorization (authoritative) servers have increased significantly, indicating a target shift from online service servers to the domain name resolution servers used by those online services. The means of executing DDoS attacks have changed little in 2013 compared to the previous year. In 2013, DDoS attacks mainly target mobile network applications and occur frequently. Though DDoS attacks on mobile applications and fixed network applications are relatively similar, network security service providers have more to address in terms of mobile terminals because they face the dual task of maintaining normal mobile terminal access while effectively defending against DDoS attacks.

3 Typical Events

3.1 Attack Events

In March 2013, The Spamhaus Project, an international anti-spam organization based in London and Geneva, was hit by heavy DDoS attack traffic, peaking at up to 300 Gbit/s. Spamhaus maintains a huge blacklist of likely spammers, which is used by colleges, research institutions, Internet service providers, the military, and businesses. CyberBunker, a hosting company in the Netherlands, was allegedly behind the DDoS attacks on Spamhaus, in retaliation for its inclusion in the blacklist.

3.2 Event Analysis

On March 18, 2013, the Spamhaus website was hit by a DDoS attack, with the attack traffic quickly rising to 75 Gbit/s and taking the website out of service. On March 27, the attack traffic peaked at 300 Gbit/s, the highest ever recorded. The ultra-heavy attack traffic was aggregated into the top carriers' networks in Europe, congesting networks across Europe. In defense against the attack, ISPs attempted to block the attack using blacklist filtering but were unsuccessful. Spamhaus then turned to CloudFlare, a professional website protection and DDoS traffic washing company, for help. Finally, CloudFlare mitigated the attack using Anycast: it used Anycast's shortest-path selection to distribute the Spamhaus-destined traffic to over 20 independent DDoS traffic washing centers around the world, each of which filtered attack traffic on its own and then forwarded the clean traffic to the Spamhaus data center.

[Figure: DNS reflection attack (Attacker, Open DNS Servers, Victim)]

As there were a large number of open DNS servers online, the attacker multiplied the attack traffic about 100 times using DNS reflection. Specifically, the attacker sent requests to resolve the ripe.net domain name to over 30,000 DNS servers, with the source IP address spoofed to be the Spamhaus IP address. The DNS request packet was 36 bytes long while the reply packet was approximately 3000 bytes long, so the open DNS servers reflected the traffic at roughly 100 times its original volume. An attacker could therefore launch a 300 Gbit/s attack by controlling only one botnet capable of generating 3 Gbit/s of traffic. During the attack, each DNS server sent only about 10 Mbps of traffic, which was too subtle to be detected by DNS service monitoring. In fact, there are far more than 30,000 open DNS servers on the Internet. If these open DNS servers stay online but remain unmanaged, many such DNS attacks may occur in the future, probably on a larger scale.

3.3 Impact of Events

This attack created awareness of the significant danger that unmanaged open DNS servers on the Internet pose to Internet security. If they remain unmanaged, more and larger-scale DDoS attacks will follow. The DDoS attack targeting The Spamhaus Project affected Internet access across all of Europe. From this perspective, network security is not merely an enterprise's responsibility, but a responsibility of the whole world. When repelling the attack, CloudFlare, the DDoS attack traffic washing company, effectively defended against the attack using the Anycast-based cloud washing technique. The effectiveness of this technique may set the precedent for a solution to large-scale DDoS attacks. Indeed, the Internet requires CloudFlare-like MSSPs for effective defense, as security defense systems deployed at network egresses alone are insufficient against ultra-heavy DDoS attack traffic. In the foreseeable future, Internet service providers (ISPs) may deploy washing systems globally to provide powerful anti-DDoS SaaS services to their customers.
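As an added example (not part of the report, and not code from CloudFlare, Spamhaus or Huawei), the following Python puts the report's DNS reflection arithmetic into functions and runs a simple per-destination reflection check over a constructed open-resolver query log. The packet sizes, resolver count and botnet bandwidth are the report's figures; the log lines, the addresses in them (RFC 5737 documentation ranges) and the thresholds are assumptions.

```python
"""DNS reflection: amplification arithmetic and a per-destination check.

Added example, not from the report. Figures (36-byte query, ~3000-byte
reply, 30,000 open resolvers, 3 Gbit/s botnet) are the report's; the log
lines below are constructed and use RFC 5737 documentation addresses.
"""
from collections import defaultdict


def amplification_factor(query_bytes: int, reply_bytes: int) -> float:
    """Bytes a reflector emits for every byte the attacker sends."""
    return reply_bytes / query_bytes


def reflected_bandwidth_gbps(botnet_gbps: float, factor: float) -> float:
    """Traffic reaching the victim when botnet_gbps of spoofed queries is amplified."""
    return botnet_gbps * factor


def per_reflector_mbps(total_gbps: float, reflector_count: int) -> float:
    """Share of the attack each open resolver carries, in Mbit/s."""
    return total_gbps * 1000 / reflector_count


# Constructed resolver log: time  src_ip  qname  qtype  query_bytes  reply_bytes
# Under reflection, src_ip is the spoofed address of the victim, not the sender.
SAMPLE_LOG = """\
10:00:01 203.0.113.5 ripe.net ANY 36 3000
10:00:01 203.0.113.5 ripe.net ANY 36 3000
10:00:01 203.0.113.5 ripe.net ANY 36 3000
10:00:02 203.0.113.5 ripe.net ANY 36 3000
10:00:02 203.0.113.5 ripe.net ANY 36 3000
10:00:02 203.0.113.5 ripe.net ANY 36 3000
10:00:02 192.0.2.10 example.com A 40 80
10:00:03 192.0.2.10 example.net A 40 80
"""


def find_reflection_targets(log_text: str, min_queries: int = 5,
                            min_factor: float = 20.0):
    """Return [(src_ip, query_count, reply_to_query_ratio)] for sources that
    repeatedly receive large replies to small queries. Because the source is
    spoofed, a flagged address is the likely victim; the resolver's remedy is
    to rate-limit responses toward it (and to stop answering recursion for
    the open Internet), not to block it as an attacker."""
    stats = defaultdict(lambda: {"queries": 0, "sent": 0, "received": 0})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _, src, _, _, qbytes, rbytes = line.split()
        s = stats[src]
        s["queries"] += 1
        s["sent"] += int(qbytes)
        s["received"] += int(rbytes)
    flagged = []
    for src, s in stats.items():
        factor = s["received"] / s["sent"]
        if s["queries"] >= min_queries and factor >= min_factor:
            flagged.append((src, s["queries"], round(factor, 1)))
    return sorted(flagged)


if __name__ == "__main__":
    f = amplification_factor(36, 3000)
    print(f"amplification ~{f:.0f}x; 3 Gbit/s botnet -> "
          f"{reflected_bandwidth_gbps(3, f):.0f} Gbit/s at the victim; "
          f"{per_reflector_mbps(300, 30000):.0f} Mbit/s per resolver")
    print(find_reflection_targets(SAMPLE_LOG))
```

The arithmetic makes the report's point concrete: each resolver contributes only about 10 Mbit/s, which is why per-server monitoring saw nothing, while the victim receives the sum. The check groups by source address precisely because that address is the one being attacked under spoofing.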

4 Botnets

4.1 Botnet Conditions

Analysis of malicious code captured from around the world shows that the botnet, one of the biggest and most easily spread threats, is becoming more specialized. Transmission methods, anti-detection techniques, and means of concealment have made botnets more difficult to detect and prevent. In addition to DDoS attacks and identity theft, botnets are increasingly used to steal bank account information, spread spam, and even carry out APT attacks. Botnets make use of encryption and P2P protocols to evade traditional pattern matching-based detection techniques. Integration with worms and cross-dissemination between zombies accelerate the spread of botnets. As a means of hiding the C&C server and prolonging the botnet lifecycle, Fast-Flux has fast become a standard feature of most botnets. With this technique, botnet makers have redoubled the challenge to the Internet security industry. With the growth of 3G/4G networks worldwide, mobile broadband speeds continue to increase, and the bandwidth bottlenecks of mobile intelligent terminals are consistently being pushed through. Compared with traditional PCs, mobile intelligent terminals are typically online at all times. From an attacker's perspective, this condition is ideal for using mobile intelligent terminals to initiate a variety of network attacks, with an effect similar to attacks launched from data center servers (currently, most network attacks originate from data center servers). The rapid development of mobile intelligent terminals is fertile ground for the evolution of botnets. Examples of mobile botnets include ZitMo, used to bypass online banking security, and Android.DDoS.1.origin, used to send spam messages and initiate DDoS attacks. According to Huawei Cloud Security Center statistics, botnets are small-scale and specialized globally, targeting a part instead of the whole. Botnets with fewer than 1000 hosts are common since they are easily controlled.

[Figure: Botnet distribution by size: <1K, 1K-5K, 5K-20K, 20K-50K, 50K-100K, >100K hosts]

According to Huawei Cloud Security Center statistics, the global distribution of botnet hosts in China and the U.S. is 30.3% and 28.2%, respectively, much higher than that of other countries. Most botnet controllers are located in the U.S., accounting for 42.2% of the total, followed by Germany (9.1%), France (7%), Britain (5.8%), and China (3.8%).

[Figure: Global botnet control server distribution]

In China, most zombie hosts are located in Guangdong, Beijing, and Zhejiang, in descending order, and most botnet controllers are located in Taiwan.

[Figure: Zombie host distribution in China]

The five controllers Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, and IMDDOS control most zombie hosts in China.

[Figure: Top 5 controllers by number of controlled hosts: Boer_Family, Gh0st_Family, Yoddos_Family, Xyligan_Family, IMDDOS]

4.2 DDoS Zombie Tools

The zombie tools popular in mainland China for DDoS attacks are Zombie Puppet, Storm, Madman, and Traversal Challenge Collapsar (CC); their overseas counterparts are LOIC, HOIC, HttpDosTool, Slowhttptest, and Thc-ssl-dos. Among the zombie tools used in China, Zombie Puppet first appeared in 2006, mainly used to launch bogus source-based network layer attacks. It has developed to support a variety of popular DDoS attacks, including the most commonly launched CC attacks. LOIC is a DDoS attack tool aimed at web applications. It sends TCP, UDP, and HTTP packets to launch attacks on target websites. The hacker organization Anonymous used this tool to attack Facebook on January 28. Another DDoS attack tool, HOIC, is dedicated to HTTP GET flood attacks. An attacker can set the HTTP application fields, such as the URL, User-Agent, and Referer, in the attack script. Developed by OWASP, HttpDosTool is an HTTP slow attack tool used to carry out Slow Post and Slow Header attacks. By continuously sending incomplete Post or Header requests, the attack consumes web server resources. Currently, this attack tool supports only HTTP.

Similar to HttpDosTool, SlowHTTPTest is another HTTP slow attack tool, supporting HTTP and HTTPS. HTTP slow attack packets encrypted by SSL are more covert and difficult to detect. Released by the famous German hacker group The Hacker's Choice, Thc-ssl-dos carries out new forms of DoS/DDoS attacks on SSL servers. Such attacks exploit the fact that the overhead generated by the SSL encryption algorithm on an SSL server is 15 times that on the client, consuming SSL server CPU resources. The group stated that they only require an ordinary computer and a DSL connection to take down an SSL server; to take down a large server cluster, they only require 20 computers and 120 Kbps of network bandwidth. This type of attack is an extremely "cost-effective" means of causing significant damage. The signatures of attack packets sent by these attack tools are free to change. Some tools are even able to randomly change packet contents, rendering signature database-based attack detection much less effective. To counter such attacks, security device providers have to use more powerful methods, such as source authentication, behavior analysis, session monitoring, and IP reputation. To detect attack packets encrypted using SSL, carriers must deploy security devices behind SSL accelerators to monitor decrypted packets, or add SSL decryption to their security solutions. Essentially, DDoS attacks use fewer resources to cause more difficulties.

4.3 Mobile Botnets

According to a report released by the IT market research firm Canalys, in 2011 total global shipments of smartphones surpassed PC shipments, indicating that PCs no longer dominate the Internet access terminal market. According to a report released by the China Internet Network Information Center (CNNIC), by the end of June 2012 approximately 66% of Chinese Internet users used a mobile phone to access the Internet. Mobile phones rank No. 1 in the Internet access terminal market in terms of quantity, surpassing desktop computers for the first time. With the arrival of the mobile Internet era, the number of malicious mobile Internet programs is dramatically increasing. According to Kaspersky monitoring results, by the end of 2012 approximately 70,000 malicious mobile Internet programs had been discovered, among which about 35,000 were found in A total of approximately 12,418,000 mobile Internet malware samples had been captured, among which about 6,147,000 were captured in 2012, indicating rapid growth in the number of mobile malware samples. Most malicious programs steal private information, consume account balances, push unwanted advertisements, and perpetrate fraud. Botnets with complex network interconnections are beginning to emerge, for example ZitMo and Android.DDoS.1.origin. It is estimated that more advanced mobile botnet threats will increase significantly over the next five years. ZitMo aims to bypass online banking security. The Zeus Trojan horse is installed on a PC to launch attacks, while ZitMo botnets are spread across platforms; ZitMo has been detected on the Symbian, Windows Mobile, BlackBerry, and Android platforms. ZitMo forwards short messages containing mTAN codes (online banking verification codes) to attackers, so that the attackers can break into victims' bank accounts and manipulate them illegally. Even though ZitMo is only spyware that forwards short messages, it works together with the Zeus Trojan horse to bypass the mTAN security feature used to secure online banking. Android.DDoS.1.origin, detected at the end of 2012, is also a typical mobile botnet malware sample. It pretends to be the Google Play Store, starts the APP Store in the system to confuse users, and starts a service in the background. This service starts a thread that periodically sends heartbeat packets to the control end, waits for its commands, and then performs malicious behavior according to these commands, including intercepting short messages, continuously sending spam messages to a phone number, or launching UDP flood attacks against target IP addresses.

4.4 Fast-Flux Botnets

Fast-flux botnet operators use the DNS service to quickly change the C&C-proxy zombie hosts (multiple IP addresses for one or more domain names) through which HTTP requests to the C&C are redirected. As a result, only zombie hosts access the actual C&C. When Fast-flux botnets are detected, only the zombie hosts' IP addresses are obtained, and not the IP address of the actual C&C server hidden behind the zombie hosts.

In essence, both Content Distribution Networks (CDNs) and Fast-flux botnets use DNS to implement redundancy and load balancing: DNS resolves a domain name into multiple IP addresses and uses a small time to live (TTL) value so that the IP addresses change quickly. Fast-flux completely bypasses traditional IP-based traffic filtering. The client does not directly connect to a C&C server but to a zombie host on the Fast-flux botnet, and the IP address of the zombie host acting as the C&C proxy changes frequently and unpredictably. Although CDNs and Fast-flux botnets share the same technical principle, their domain names and IP addresses vary according to different rules. On a CDN, the IP address returned to users in the same area is close to the users' own IP addresses to ensure quality of service, unless there is a network failure. On a Fast-flux botnet, the DNS results carry the IP addresses of proxy zombie hosts spread over a wide geographical area, often belonging to different AS domains, to evade security checks. Therefore, monitoring domain name requests at DNS cache servers is an effective means of detecting Fast-flux botnets. According to Huawei Cloud Security Center analysis, Zeus botnets are the most common Fast-flux botnets controlled over HTTP. Zeus steals user computer passwords (for mailboxes, FTP downloads, social networking websites, and online banking). The analysis shows that Zeus uses a total of 19 domain names, as listed in the following table.

Table 4-1 Zeus domain name list
1 goldencaravela.net
2 aroolohnet.ru
3 esvr1.ru
4 esvr3.ru
5 esvr4.net
6 hazelpay.ru
7 hesneclimi.ru
8 hgaragesales.net
9 jademason.com
10 kldmten.net
11 mafisiengo.ru
12 oashae2ieyek.ru
13 ophaeghaev.ru
14 phaizeipeu.ru
15 promojoy.net
16 turbo-force.org
17 zeferesds.com
18 indextech.info
19 allaboutc0ntrol.cc

Take ophaeghaev.ru as an example. One domain name resolution returns 20 records with a TTL of 20 seconds. The IP addresses of the records are reverse-resolved and their autonomous system numbers (ASNs) queried. The 20 IP addresses belong to 14 ASs in 9 countries, as outlined in Table 4-2. Zeus uses domain names and IP addresses either simultaneously or in turn to evade security system monitoring.

Table 4-2 ophaeghaev.ru backwards resolution results (columns: Domain Name, IP Address, TTL, ASN, Country; only the domain name, ophaeghaev.ru, and the country of each of the 20 records are legible here)
Countries of the 20 records, in order: BR, MX, MX, CL, MX, MX, CL, US, DZ, ES, ES, ES, IE, BR, CL, CO, AR, BR, BR, BR
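The CDN-versus-Fast-flux distinction above can be turned into a scoring rule that a DNS cache server monitor could apply to each answer set. The following Python is an added example, not the report's or Huawei's code. The flux record set is constructed to match the shape of Table 4-2 (20 records, TTL 20 s, 14 ASNs, 9 countries in the table's order); because the report does not list the IPs or ASNs, those are placeholders (RFC 5737 addresses, private-use ASNs), and the thresholds in flux_score are assumptions.

```python
"""Classify a DNS answer set as Fast-flux-like or CDN-like.

Added example, not from the report. The heuristic encodes the report's
distinction: both return many addresses with a short TTL, but Fast-flux
answers span many autonomous systems and countries, whereas a CDN returns
addresses near the client. Both record sets are constructed: the flux set
mirrors Table 4-2's shape (20 records, TTL 20 s, 14 ASNs, 9 countries) with
placeholder IPs (RFC 5737) and private-use ASNs, since the report does not
list the real IPs or ASNs.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Answer:
    ip: str
    ttl: int
    asn: int
    country: str


# (country, ASN) per record, in the order of Table 4-2's country column.
_FLUX_ROWS = [
    ("BR", 64512), ("MX", 64513), ("MX", 64514), ("CL", 64515), ("MX", 64513),
    ("MX", 64516), ("CL", 64515), ("US", 64517), ("DZ", 64518), ("ES", 64519),
    ("ES", 64519), ("ES", 64520), ("IE", 64521), ("BR", 64522), ("CL", 64523),
    ("CO", 64524), ("AR", 64525), ("BR", 64512), ("BR", 64522), ("BR", 64512),
]
FLUX_ANSWERS = [Answer(f"198.51.100.{i + 1}", 20, asn, cc)
                for i, (cc, asn) in enumerate(_FLUX_ROWS)]

# A CDN-style answer: a few addresses, one AS, one country, short TTL.
CDN_ANSWERS = [Answer(f"192.0.2.{i}", 30, 64600, "US") for i in range(1, 5)]


def flux_score(answers):
    """Count the Fast-flux indicators present. Thresholds are assumptions."""
    checks = {
        "short_ttl": max(a.ttl for a in answers) <= 60,
        "many_addresses": len(answers) >= 10,
        "many_asns": len({a.asn for a in answers}) >= 5,
        "many_countries": len({a.country for a in answers}) >= 3,
    }
    return sum(checks.values()), checks


def is_fast_flux(answers, threshold: int = 3) -> bool:
    """Short TTL alone is normal for a CDN; it is the geographic and AS
    spread on top of it that marks a Fast-flux proxy set."""
    return flux_score(answers)[0] >= threshold


if __name__ == "__main__":
    for name, ans in (("ophaeghaev.ru-like", FLUX_ANSWERS), ("cdn-like", CDN_ANSWERS)):
        print(name, flux_score(ans), "fast-flux" if is_fast_flux(ans) else "benign")
```

In production the ASN and country would come from a routing or geolocation lookup on each answer address; the rule is deliberately a count of independent indicators so that a single short-TTL CDN answer does not trip it.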

5 DDoS Attacks

5.1 DDoS Attack Conditions

Hackers usually launch DDoS attacks for reasons including political motivations, industrial espionage, financial crime, and blackmail. Loosely managed hosts in cyber cafes, IDC servers, free Internet proxies, and open DNS servers are easy targets for botnets and DDoS attacks. According to Huawei Cloud Security Center, 28.05% more DDoS attacks occurred in the first half of 2013 compared with the first half of 2012.

[Figure: Total DDoS attack events, first half of 2012 vs. first half of 2013]

Geographical Distribution of DDoS Attacks

In China, DDoS attacks primarily hit major cities such as Beijing, Shanghai, and Shenzhen, which account for 81.42% of all DDoS attacks in China. According to statistics on attacks in the first half of 2013, the IDCs in these three cities were each hit by an average of over 200 DDoS attacks per month. The attacks targeted the IDCs' online services, such as e-commerce, online gaming, DNS authorization services, online banking systems, social media websites, forums, blogs, and portals. One of the main motives behind these attacks is industrial espionage. More profitable online service systems are prone to more frequent and longer DDoS attacks; the longest attack recorded on an e-commerce client lasted 349 hours, 36 minutes, and 42 seconds. In the first half of 2013, DDoS attacks hit every IDC; IDCs have become the areas most severely affected by DDoS attacks. DDoS attacks on the network layer severely damage the basic IDC architecture and may cause network congestion or exhaust session resources on session-based forwarding devices such as firewalls, IPSs, and load balancing devices, which then become network bottlenecks. Network layer DDoS attacks affect not only the service systems under attack but also other clients' service systems. Lower IDC bandwidth availability leads to higher IDC operating expenses, compromised client satisfaction, and even loss of clients. When under a DDoS attack, IDC service systems are slow to respond or may even crash, causing significant financial losses to ISPs. More IDC operators have come to recognize the importance of protecting their IDCs with professional anti-DDoS solutions.

[Figure: Distribution of DDoS attacks in China]

5.3 Attack Categories

According to Huawei Cloud Security Center, DDoS attacks are commonly launched in the form of SYN flood and UDP flood attacks. However, as HTTP-based Internet applications are growing fast, HTTP GET flood attacks now follow SYN flood attacks as the most common DDoS attack form. DNS-targeted attacks account for 13.5% of all attacks, most of them DNS query flood attacks intended to generate Cache Misses. Internet service systems are usually implemented on server clusters; in comparison, DNS systems have far weaker security and attack tolerance. This is why DNS servers in Metropolitan Area Networks (MANs) and enterprises' DNS authorization servers are prone to DDoS attacks.

Attack categories (share of DDoS attacks):
SYN Flood 35.90%
HTTP GET Flood 25.20%
UDP Flood 19.24%
DNS Query Flood 11.40%
ACK Flood 2.40%
TCP Flag Error 2.10%
ICMP Flood 2.01%
UDP Fragment Flood 0.78%
DNS Reply Flood 0.39%

According to Huawei Cloud Security Center, the top three IDC service attack targets are e-commerce, online gaming, and DNS services. Hackers launch DDoS attacks for reasons including political motivations, industrial espionage, financial crime, and blackmail. In China the primary motivation is industrial espionage, with attacks focusing on e-commerce, online gaming, and DNS authorization services. Outside China, attacks are mainly politically motivated. Attacks on online gaming are driven firstly by industrial espionage and secondly by blackmail. Attacks on online financial service systems are usually motivated by political intentions, blackmail, and the obscuring of unauthorized operations.

15 Attacks on e-commerce are mainly launched in the form of HTTP GET flood (CC) attacks. Attacks leverage botnets to send frequent uniform resource identifier (URI) access requests (database query operations) to servers to exhaust their processing capacity. Such attacks originate from the same source and exhibit a high query per second (QPS) rate, and they request access to a fixed URI. DNS service attacks are mainly DNS query flood attacks intended to generate Cache Misses. The most frequent and severe attacks focus on DNS authorization servers, though there are also some DDoS attacks on DNS buffer servers. According to Huawei Cloud Security Center, IDCs carrying out DNS authorization are hit by far more often than other functional IDCs. In China, attacks on known DNS authorization servers have never stopped and the attack frequency is far higher than that for other Internet services. DDoS attacks on DNS authorization servers are usually launched in the form of Cache Miss attacks, which request a non-existing domain name. The Cache Miss attacks that traverse or fake live DNS buffer servers are the most difficult to defend against. DDoS attacks targeting DNS authorization servers have increased significantly, indicating an attack target shift from online service servers to domain name resolution servers used by online services. The Cache Miss attacks run rampant because they require few resources and use a source faking technique to conceal the botnets behind them. Such attacks severely affect online service availability and the associated domain name resolution for other Internet services. They cause widespread disruptions and even threaten the basic Internet architecture. The Kmplayer event in 2009 is an example of a typical Cache Miss attack. 
In recent years, to quickly boost the impact of these attacks, attackers have launched a large number of DNS reflection attacks, resulting in more frequent DNS reply flood attacks.

Attacked applications (share of observed attacks):
  E-commerce          56.79%
  Online game         25.14%
  DNS service          6.68%
  Financial service    3.53%
  Others               7.86%

DDoS attacks on UDP-based online gaming services are mainly UDP flood attacks; those on TCP-based online gaming services are mainly SYN flood, TCP connection flood, and ACK flood attacks; those on HTTP-based web gaming services are mainly HTTP GET flood (CC) attacks.

Attacked application protocols (share of observed attacks):
  HTTP        87.11%
  DNS          3.04%
  HTTPS        2.65%
  SMTP         1.18%
  SIP/VoIP     1.31%
  Others       4.71%

According to Huawei Cloud Security Center, as HTTP-based Internet applications become more widespread, HTTP-targeted DDoS attacks have increased to 87.11% of total DDoS attacks. Attack frequency varies with attack type: it is highest for HTTP GET flood (CC) attacks, followed by SYN flood, UDP flood, ACK flood, and ICMP flood attacks.

HTTP GET flood attacks by targeted application (share of HTTP GET flood attacks):
  E-commerce    42.14%
  Gaming        24.08%
  Finance       14.72%
  Forum          6.70%
  Social         5.67%
  Portal         3.01%
  Blog           0.67%
  Others         3.01%

HTTP GET flood attacks usually target e-commerce, online gaming, and online payment services.

Attack traffic (share of attacks by bandwidth):
  Below 500 Mbit/s         14.52%
  500 Mbit/s - 1 Gbit/s    15.32%
  1 - 2 Gbit/s             37.90%
  2 - 10 Gbit/s            27.42%
  10 - 20 Gbit/s            3.23%
  Above 20 Gbit/s           1.61%

The average attack bandwidth is relatively low because attacks more commonly target sessions and applications instead of bandwidth. Even low attack traffic may have destructive effects, and such low-traffic attacks are harder to detect. Botnets tend to be small because small botnets are easier to manage and conceal. Large-scale DDoS attacks may involve several botnets, which raises attack costs proportionally. If the attack targets are determined in advance, application-targeted DDoS attacks can achieve the desired impact with low traffic. Even after the attacks stop, recovery of the service systems is usually extremely difficult.

6 Trend Forecast

6.1 Growth Trends of Botnets

Evolution of the Fast-Flux Service Network

In recent years, the Fast-Flux service network has been evolving into a service network with a greater number of malicious domain names. In most cases attackers register multiple Internet domain names and rotate the botnet's traffic across them, either simultaneously (load-balanced) or in turn, or even use a Domain Generation Algorithm (DGA) to generate domain names dynamically. In this way they launch network attacks without exposing the origin of the attack, evading detection and blocking by security devices such as firewalls: by the time a domain name is blocklisted, the botnet has already moved on to the next one.

Cross-Platform Botnet

Both mobile botnets and traditional PC botnets have massive numbers of terminals deployed and yield huge profits on the black market. There are signs that botnet controllers are attempting to control zombies of both types from a single botnet, which expands botnet coverage and more severely impacts the entire network as well as terminal users.

6.2 Growth Trends of DDoS Attacks

Data Centers Continue to Be the Hardest-Hit Areas of DDoS Attacks

The attack statistics from Mainland China, Taiwan, Hong Kong, and the United States indicate that data centers are the hardest-hit areas of DDoS attacks. Attack targets are primarily online services hosted in data centers, including e-commerce, online gaming, authoritative DNS, online banking payment systems, social networking websites, forums, blogs, and portals. The attack event statistics show that the online service systems that yield the most profit are attacked most frequently and for the longest. Many data center stress-testing tools have been repurposed as DDoS attack tools for profit. Facing an increasing number of application-layer attacks on data center service systems, many data center operators dread CC attacks. In the coming years, the growth of Internet services and cloud computing will be accompanied by more frequent DDoS attacks on cloud IDCs.
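The Fast-Flux and DGA evolution described in 6.1 above can be made concrete with a small added example; it is not code from the Huawei report or from any real botnet. The first function is a toy DGA that shows why a static domain blocklist fails: bot and controller derive the day's names from a shared secret and the date, so yesterday's names tell the defender nothing about today's. The second part scores names for fast-flux behaviour from repeated DNS lookups using the signals a defender actually has: a short TTL, many distinct addresses, addresses spread over unrelated network blocks, and churn between answers. The lookup snapshots are constructed, and grouping addresses by /24 prefix stands in for the ASN lookup a real system would use (no routing data is available offline); the thresholds are likewise assumptions.

```python
import hashlib
import ipaddress


def toy_dga(secret: str, day_iso: str, count: int, tld: str = "example") -> list:
    """Toy DGA (an illustration, not any real malware family's algorithm): bot and
    controller share `secret`; both derive the day's candidate names by hashing the
    secret, the date string (YYYY-MM-DD) and a counter. Only the controller needs
    to register one of them; the bot simply tries the list in order."""
    return [
        hashlib.sha256(f"{secret}|{day_iso}|{i}".encode()).hexdigest()[:12] + "." + tld
        for i in range(count)
    ]


# Constructed DNS answer snapshots (not from the report): repeated lookups of
# each name, recorded as (TTL in seconds, A records returned).
SNAPSHOTS = {
    # fast-flux style: short TTL, addresses from unrelated networks, changing each lookup
    "flux.example": [
        (180, ["203.0.113.7", "198.51.100.22", "192.0.2.45"]),
        (180, ["203.0.113.7", "198.51.100.90", "192.0.2.130"]),
        (120, ["203.0.113.250", "198.51.100.22", "192.0.2.200"]),
    ],
    # CDN style: short TTL and rotating addresses too, but all from one block
    "cdn.example": [
        (60, ["192.0.2.10", "192.0.2.11"]),
        (60, ["192.0.2.12", "192.0.2.13"]),
        (60, ["192.0.2.10", "192.0.2.14"]),
    ],
    # ordinary static hosting
    "static.example": [
        (86400, ["198.51.100.5"]),
        (86400, ["198.51.100.5"]),
    ],
}


def flux_metrics(lookups, prefix_len=24):
    """Summarise a series of lookups. prefix_len groups addresses into network
    blocks as a stand-in for ASN grouping (assumption: no routing data offline)."""
    seen, prefixes = set(), set()
    churn, previous = 0, None
    for ttl, addrs in lookups:
        current = set(addrs)
        if previous is not None:
            churn += len(current - previous)   # addresses absent from the previous answer
        previous = current
        for a in current:
            seen.add(a)
            prefixes.add(ipaddress.ip_network(f"{a}/{prefix_len}", strict=False))
    return {
        "min_ttl": min(ttl for ttl, _ in lookups),
        "distinct_ips": len(seen),
        "distinct_prefixes": len(prefixes),
        "churn": churn,
    }


def score_domains(snapshots, max_ttl=300, min_ips=5, min_prefixes=3):
    """Flag a name as likely fast-flux when the TTL is short AND the answers draw on
    many addresses AND those addresses span several unrelated blocks. The prefix
    test is what keeps short-TTL CDN names from being flagged."""
    result = {}
    for name, lookups in snapshots.items():
        m = flux_metrics(lookups)
        m["flagged"] = (m["min_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips
                        and m["distinct_prefixes"] >= min_prefixes)
        result[name] = m
    return result


if __name__ == "__main__":
    today = toy_dga("shared-secret", "2013-06-01", 5)
    tomorrow = toy_dga("shared-secret", "2013-06-02", 5)
    print("DGA names change daily:", today[:2], "->", tomorrow[:2])
    for name, m in score_domains(SNAPSHOTS).items():
        print(name, m)
```

Run as-is, flux.example is flagged (seven addresses in three blocks, TTL 120 to 180 seconds, five address changes across three lookups), while cdn.example, which also has a short TTL and five rotating addresses, is not, because everything sits in one /24. That distinction is the practical point: TTL alone is not a fast-flux indicator.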
DDoS attacks on data centers are likely to evolve toward low-traffic application-layer attacks and other low-rate attacks, intended to lower attack costs, conceal attack sources, and evade security devices while maintaining attack impact.

Mobile Terminals Become DDoS Attack Sources

With the popularization of smartphones and mobile apps, DDoS attacks that simulate smartphones in order to attack mobile apps have

occurred repeatedly on the Internet. Although the attack types and methods of these mobile app-targeted DDoS attacks are essentially the same as those of DDoS attacks on fixed networks, no DDoS attack from an actual smartphone has been detected to date. At the end of 2012, the Android Trojan Android.DDoS.1.origin was detected and found to be capable of launching UDP flood attacks against a website specified by its C&C server. However, because of limited mobile bandwidth, no damage from this Trojan has been observed. Current mobile botnets generally send spam messages, steal user information, and push advertisements. With the commercialization of LTE over the next three to five years, mobile network bandwidth will increase rapidly, and mobile terminals are online at all times. Using smartphones to launch DDoS attacks will therefore become a strong possibility. If the smartphone HTTP protocol stack is not secured, the Internet will face an unprecedented challenge. With mobile Internet services and DDoS attack techniques both evolving rapidly, security device providers have no choice but to develop more effective defense techniques, such as behavior analysis and IP reputation.

DDoS Attacks Occur More Frequently Due to Uneven Traffic Distribution

With the extensive use of multi-core network security devices, attackers may construct special DDoS attack packets that cause a multi-core device to distribute traffic unevenly across its cores. Detection data shows that this type of DDoS attack has exceeded 10 Gbit/s during peak hours. It challenges the performance of gateway devices and DDoS traffic cleaning devices: if a gateway or cleaning device cannot divert traffic packet by packet, or its interfaces are incapable of dynamic filtering, the traffic reaching the multi-core device is steered to a few specific CPUs. The majority of CPUs then sit idle while only those CPUs process traffic, so the effective performance of the device is that of the running CPUs alone. That is, uneven traffic distribution degrades the overall performance of the network security device. To resolve this problem, multi-core network security devices must be capable of line-rate forwarding and dynamic attack traffic filtering. In the coming years, as multi-core network security devices are deployed more widely, this type of DDoS attack will increase rapidly and challenge the performance of these devices.

IPv6 Network DDoS Attacks

The transition from IPv4 to IPv6 will continue over the coming years. During the transition, online services run dual stacks on their network devices, so hybrid IPv4 and IPv6 attacks will become a new type of DDoS attack. Inevitably, the session resources of IPv4-to-IPv6 translation gateways will become a new target for this type of DDoS attack. As IPv6 networks evolve, IPv6 vulnerabilities will be constantly exploited to launch massive attacks.
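The uneven-traffic-distribution attack described above works because a multi-core device has to pick a core for each packet somehow, and the usual way is a flow hash over the 5-tuple. The following added example, not from the Huawei report or any vendor, shows the mechanics from both sides. It assumes the device uses a Toeplitz RSS hash (the scheme most NICs implement) with the 40-byte key Microsoft publishes for RSS verification, and that the hash is reduced to a queue number by a modulo; real hardware indexes an indirection table with the low hash bits, which for a default table is the same thing. The attacker's only free field is the source port, so the code enumerates source ports whose flows all hash to one queue; the defender-side histogram shows the result. The victim and bot addresses are constructed.

```python
import ipaddress
import random
import struct
from collections import Counter

# Assumption: the device steers packets to cores with a Toeplitz RSS hash over the
# IPv4 5-tuple. This is the 40-byte key Microsoft publishes for verifying RSS
# implementations, used here as a stand-in for whatever key the target runs
# (many deployments never change the default key).
RSS_KEY = bytes.fromhex(
    "6d5a56da255b0ec24167253d43a38fb0"
    "d0ca2bcbae7b30b477cb2da38030f20c"
    "6a42b73bbeac01fa"
)


def toeplitz_hash(data: bytes, key: bytes = RSS_KEY) -> int:
    """Toeplitz hash: for every set bit i of the input, XOR in the 32-bit window
    of the key that starts at bit i (key viewed as a big-endian bit string)."""
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    if len(data) * 8 > key_bits - 32:
        raise ValueError("input longer than the key allows")
    result = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            result ^= (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
    return result


def tcp4_tuple(src_ip: str, dst_ip: str, sport: int, dport: int) -> bytes:
    """Hash input for IPv4+TCP: source address, destination address, source port,
    destination port, all in network byte order (12 bytes)."""
    return (ipaddress.ip_address(src_ip).packed + ipaddress.ip_address(dst_ip).packed
            + struct.pack(">HH", sport, dport))


def queue_of(h: int, n_queues: int) -> int:
    """Assumption: hash reduced to a queue by modulo. Real NICs index an indirection
    table with the low hash bits; with a default table that is equivalent."""
    return h % n_queues


def ports_for_queue(src_ip, dst_ip, dport, target_queue, n_queues=16, limit=64):
    """Attacker side: victim address, destination port and the bot's own address
    are fixed, so the only free field is the source port. Return source ports
    whose flows all land on one queue, i.e. one core."""
    ports = []
    for sport in range(1024, 65536):
        h = toeplitz_hash(tcp4_tuple(src_ip, dst_ip, sport, dport))
        if queue_of(h, n_queues) == target_queue:
            ports.append(sport)
            if len(ports) == limit:
                break
    return ports


def queue_histogram(src_ip, dst_ip, dport, sports, n_queues=16) -> Counter:
    """Defender side: how a set of flows spreads across the device's queues."""
    return Counter(queue_of(toeplitz_hash(tcp4_tuple(src_ip, dst_ip, p, dport)), n_queues)
                   for p in sports)


if __name__ == "__main__":
    victim, bot = "203.0.113.10", "198.51.100.77"   # constructed addresses
    random_ports = random.sample(range(1024, 65536), 64)
    print("random source ports :", sorted(queue_histogram(bot, victim, 80, random_ports).items()))
    crafted = ports_for_queue(bot, victim, 80, target_queue=3)
    print("crafted source ports:", sorted(queue_histogram(bot, victim, 80, crafted).items()))
```

With random source ports the 64 flows spread over all 16 queues; with the crafted ports every flow lands on queue 3, so 15 cores idle while one is saturated, exactly the degradation the paragraph describes. The cost to the attacker is a few thousand hash computations per bot, which is why the report expects these attacks to grow as multi-core devices spread. The defensive lesson is the one the report draws: a device must be able to redistribute or filter attack packets individually rather than trusting the static flow hash, and operators should not leave the well-known default RSS key in place.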

7 About Huawei Security Product Line

Network security is a core customer requirement. Huawei's security product line regards the long-term development of cloud security centers as a core technology that builds its competitive edge, and will continue to invest in the security area. A wide range of network security experts came together to establish the Huawei Cloud Security Center, which focuses on building an advanced security reputation system and cloud security architecture, safeguarding information security, and continuously developing customer service. Drawing on Huawei's security capabilities, the cloud security center collects malicious samples from various channels, feeds them into its management system, rapidly analyzes them to compile a signature database, and releases the database to security products deployed worldwide, so that customers' networks are equipped with the latest defenses. Besides inheriting legacy security capabilities, the cloud security center draws together cutting-edge technologies, adapts them to each field, and sets up dedicated security labs with distinct technical specialties. The research team leverages security products and solutions to provide an active security defense system. As the Internet evolves, cloud computing and mobile terminals become more widespread and innovative apps emerge, bringing new threats that pose new challenges for network security personnel. To meet these ever-increasing challenges, Huawei continues to build its security capabilities and provides customized products, solutions, and services to help customers effectively defend against global security threats and risks.

7.1 Botnet Research Lab

The botnet research lab is affiliated with the Huawei Cloud Security Center.
Using Huawei's security reputation system, the botnet research lab analyzes the collected samples and builds a monitoring system based on the botnet behavior lifecycle to identify botnet behaviors effectively. By monitoring and analyzing botnet behaviors, the lab identifies and collects C&C IP addresses, Fast-Flux domain names, and malicious program files used by botnets, and feeds IP, file, domain, and web reputation into the security reputation system. In addition, the lab performs long-term tracing of botnets that cause severe damage, using reverse engineering and behavior analysis to determine the controller's control signals and to trace the IP addresses the controller uses to log in, as evidence for tracing and controlling the botnet.

7.2 Feedback

If you have any comments about this report, please send them to secinfo@huawei.com.

Copyright Huawei Technologies Co., Ltd All rights reserved. No part of this document may be reproduced or transmitted in any form or by any means without prior written consent of Huawei Technologies Co., Ltd. All information in this document is the internal data of Huawei cloud security center and related labs. All information is for reference only and does not constitute a warranty of any kind, express or implied. All trademarks, pictures, logos, and brands in this document are the property of Huawei Technologies Co., Ltd. or an authorized third party.

Trademark Notice

HUAWEI and the associated logos are trademarks or registered trademarks of Huawei Technologies Co., Ltd. Other trademarks, product, service and company names mentioned are the property of their respective owners.

General Disclaimer

The information in this document may contain predictive statements including, without limitation, statements regarding future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purposes only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.

HUAWEI TECHNOLOGIES CO., LTD.
Huawei Industrial Base
Bantian Longgang
Shenzhen, P.R. China
Tel:
Version No.: M C-1.0


More information

Web Application Defence. Architecture Paper

Web Application Defence. Architecture Paper Web Application Defence Architecture Paper June 2014 Glossary BGP Botnet DDoS DMZ DoS HTTP HTTPS IDS IP IPS LOIC NFV NGFW SDN SQL SSL TCP TLS UTM WAF XSS Border Gateway Protocol A group of compromised

More information

Types of cyber-attacks. And how to prevent them

Types of cyber-attacks. And how to prevent them Types of cyber-attacks And how to prevent them Introduction Today s cybercriminals employ several complex techniques to avoid detection as they sneak quietly into corporate networks to steal intellectual

More information

Manage the unexpected

Manage the unexpected Manage the unexpected Navigate risks and thrive Today s business world is threatened by a multitude of online security risks. But many organizations simply do not have the resources or expertise to combat

More information

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper

Extending Threat Protection and Control to Mobile Workers with Cloud-Based Security Services > White Paper with Cloud-Based Security Services > White Paper It s a phenomenon and a fact: employees are always on today. They connect to the network whenever they want, from wherever they happen to be, with laptops,

More information

NIP6300/6600 Next-Generation Intrusion Prevention System

NIP6300/6600 Next-Generation Intrusion Prevention System NIP6300/6600 Next-Generation Intrusion Prevention System Thanks to the development of the cloud and mobile computing technologies, many enterprises currently allow their employees to use smart devices,

More information

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING 20 APRIL 2006 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation to

More information

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks Stop DDoS before they stop you! James Braunegg (Micron 21) What Is Distributed Denial of Service A Denial of Service attack (DoS)

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business

Understanding & Preventing DDoS Attacks (Distributed Denial of Service) A Report For Small Business & Preventing (Distributed Denial of Service) A Report For Small Business According to a study by Verizon and the FBI published in 2011, 60% of data breaches are inflicted upon small organizations! Copyright

More information

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013

ERT Attack Report. Attacks on Large US Bank During Operation Ababil. March 2013 Attacks on Large US Bank During Operation Ababil March 2013 Table of Contents Executive Summary... 3 Background: Operation Ababil... 3 Servers Enlisted to Launch the Attack... 3 Attack Vectors... 4 Variations

More information

Protection for Mac and Linux computers: genuine need or nice to have?

Protection for Mac and Linux computers: genuine need or nice to have? Protection for Mac and Linux computers: genuine need or nice to have? The current risk to computers running non-windows platforms is small but growing. As Mac and Linux computers become more prevalent

More information

Securing Your Business with DNS Servers That Protect Themselves

Securing Your Business with DNS Servers That Protect Themselves Product Summary: The Infoblox DNS security product portfolio mitigates attacks on DNS servers by intelligently recognizing various attack types and dropping attack traffic while responding only to legitimate

More information

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic

Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic The Leader in Cloud Security RESEARCH REPORT Botnet Analysis Leveraging Domain Ratio Analysis Uncovering malicious activity through statistical analysis of web log traffic ABSTRACT Zscaler is a cloud-computing,

More information

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA

IT TRENDS AND FUTURE CONSIDERATIONS. Paul Rainbow CPA, CISA, CIA, CISSP, CTGA IT TRENDS AND FUTURE CONSIDERATIONS Paul Rainbow CPA, CISA, CIA, CISSP, CTGA AGENDA BYOD Cloud Computing PCI Fraud Internet Banking Questions The Mobile Explosion Mobile traffic data in 2011 was nearly

More information

Arbor s Solution for ISP

Arbor s Solution for ISP Arbor s Solution for ISP Recent Attack Cases DDoS is an Exploding & Evolving Trend More Attack Motivations Geopolitical Burma taken offline by DDOS attack Protests Extortion Visa, PayPal, and MasterCard

More information

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS

EXTENDING THREAT PROTECTION AND CONTROL TO MOBILE WORKERS EXTENDING THREAT PROTECTION AND WHITEPAPER CLOUD-BASED SECURITY SERVICES PROTECT USERS IN ANY LOCATION ACROSS ANY NETWORK It s a phenomenon and a fact: employees are always on today. They connect to the

More information

Security A to Z the most important terms

Security A to Z the most important terms Security A to Z the most important terms Part 1: A to D UNDERSTAND THE OFFICIAL TERMINOLOGY. This is F-Secure Labs. Learn more about the most important security terms with our official explanations from

More information

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison

Certified Ethical Hacker Exam 312-50 Version Comparison. Version Comparison CEHv8 vs CEHv7 CEHv7 CEHv8 19 Modules 20 Modules 90 Labs 110 Labs 1700 Slides 1770 Slides Updated information as per the latest developments with a proper flow Classroom friendly with diagrammatic representation

More information

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

WEB APPLICATION FIREWALLS: DO WE NEED THEM? DISTRIBUTING EMERGING TECHNOLOGIES, REGION-WIDE WEB APPLICATION FIREWALLS: DO WE NEED THEM? SHAIKH SURMED Sr. Solutions Engineer info@fvc.com www.fvc.com HAVE YOU BEEN HACKED????? WHAT IS THE PROBLEM?

More information

SVN5800 Secure Access Gateway

SVN5800 Secure Access Gateway The development of networks allows enterprises to provide remote access to branch offices, partners, customers, mobile employees, and home offices so that they can access application and data resources,

More information

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE.

AKAMAI SOLUTION BROCHURE CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. CLOUD SECURITY SOLUTIONS FAST RELIABLE SECURE. Threat > The number and size of cyberattacks are increasing rapidly Website availability and rapid performance are critical factors in determining the success

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013

Integrated Approach to Network Security. Lee Klarich Senior Vice President, Product Management March 2013 Integrated Approach to Network Security Lee Klarich Senior Vice President, Product Management March 2013 Real data from actual networks 2 2012, Palo Alto Networks. Confidential and Proprietary. 2008: HTTP,

More information

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst INTEGRATED INTELLIGENCE CENTER Technical White Paper William F. Pelgrin, CIS President and CEO Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst This Center for Internet Security

More information

www.pandasecurity.com 100% Malware-Free E-mail: A Guaranteed Approach

www.pandasecurity.com 100% Malware-Free E-mail: A Guaranteed Approach 100% Malware-Free E-mail: A Guaranteed Approach 2 100% Malware-Free E-mail: A Guaranteed Approach Panda Security's Mail Filtering Managed Service Guarantees Clean E-mail Table of Contents Table of Contents...

More information

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies

Comparison of Firewall, Intrusion Prevention and Antivirus Technologies White Paper Comparison of Firewall, Intrusion Prevention and Antivirus Technologies How each protects the network Juan Pablo Pereira Technical Marketing Manager Juniper Networks, Inc. 1194 North Mathilda

More information

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security

ITSC Training Courses Student IT Competence Programme SIIS1 Information Security ITSC Training Courses Student IT Competence Programme SI1 2012 2013 Prof. Chan Yuen Yan, Rosanna Department of Engineering The Chinese University of Hong Kong SI1-1 Course Outline What you should know

More information

DDoS Attacks & Mitigation

DDoS Attacks & Mitigation DDoS Attacks & Mitigation Sang Young Security Consultant ws.young@stshk.com 1 DoS Attack DoS & DDoS an attack render a target unusable by legitimate users DDoS Attack launch the DoS attacks from various

More information

SECURING APACHE : DOS & DDOS ATTACKS - II

SECURING APACHE : DOS & DDOS ATTACKS - II SECURING APACHE : DOS & DDOS ATTACKS - II How DDoS attacks are performed A DDoS attack has to be carefully prepared by the attackers. They first recruit the zombie army, by looking for vulnerable machines,

More information

Top tips for improved network security

Top tips for improved network security Top tips for improved network security Network security is beleaguered by malware, spam and security breaches. Some criminal, some malicious, some just annoying but all impeding the smooth running of a

More information

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security

Websense Web Security Solutions. Websense Web Security Gateway Websense Web Security Websense Web Filter Websense Hosted Web Security Web Security Gateway Web Security Web Filter Hosted Web Security Web Security Solutions The Approach In the past, most Web content was static and predictable. But today s reality is that Web content even

More information

Protect your network: planning for (DDoS), Distributed Denial of Service attacks

Protect your network: planning for (DDoS), Distributed Denial of Service attacks Protect your network: planning for (DDoS), Distributed Denial of Service attacks Nov 19, 2015 2015 CenturyLink. All Rights Reserved. The CenturyLink mark, pathways logo and certain CenturyLink product

More information