Prolexic Quarterly Global DDoS Attack Report


Q1 2014

Malicious actors choose reflection, not infection, to launch high-bandwidth attacks

Akamai's State of the Internet Report: Gain insight into the critical Internet metrics, events and trends that impact your business online. Download the report and associated infographics at akamai.com/stateoftheinternet. Download the new State of the Internet iOS app, now available in the Apple App Store.

Akamai is a leading provider of cloud services for delivering, optimizing and securing online content and business applications. At the core of the company's solutions is the Akamai Intelligent Platform, providing extensive reach coupled with unmatched reliability, security, visibility and expertise. Akamai removes the complexities of connecting the increasingly mobile world, supporting 24/7 consumer demand, and enabling enterprises to securely leverage the cloud. To learn more about how Akamai is accelerating the pace of innovation in a hyperconnected world, please visit blogs.akamai.com and follow Akamai on Twitter.

Letter from the editor

As you may be aware, Akamai completed the acquisition of Prolexic, a leader in DDoS mitigation services, in February. Prolexic's Global DDoS Attack Report and Akamai's State of the Internet Report both cover DDoS attacks and related trends and statistics. In the coming quarters, we will consolidate these publications with the goal of publishing a combined report that delivers an unparalleled level of insight into the Internet threat landscape. Follow Akamai on Twitter for more information.

Table of contents

Analysis and emerging trends ... 5
Compared to Q1 2013
Compared to Q4 2013
Total attack vectors ... 7
Infrastructure layer attacks ... 8
Application layer attacks ... 8
Comparison: Attack vectors (Q1 2014, Q4 2013, Q1 2013) ... 9
Target industries ... 11
Media and entertainment ... 11
Software and technology ... 11
Security ... 11
Financial services ... 11
Gaming ... 12
Summary ... 12
Top 10 source countries ... 13
Comparison: Top 10 source countries (Q1 2014, Q4 2013, Q1 2013) ... 14
Total attacks per week (Q1 2014 vs. Q1 2013) ... 16
Comparison: Attack campaign start time per day (Q1 2014, Q4 2013, Q1 2013) ... 17
Attack spotlight: Q1's record-setting DDoS attack ... 18
Overview ... 18
Validated attack vectors used in this campaign ... 19
DNS amplification ... 20
NTP monlist reflection ... 21
POST flood ... 21
Analysis of associated malware ... 21
Visualization of sourced traffic ... 26
Source countries of the DNS reflection attacks ... 26
Source countries for the NTP reflection attacks ... 27
Source countries for POST attacks from the Drive toolkit ... 28
Case study: A reflected application DDoS attack ... 29
Overview ... 29
Characteristics of the WordPress DDoS pingback application reflection attack ... 29
Highlighted campaigns ... 31
Campaign A (Internet media company) ... 31
Campaign B (A Prolexic/Akamai site) ... 33
Recommended detection rules ... 34
Conclusion ... 34
Looking forward ... 35
About Prolexic Security Engineering & Response Team (PLXsert) ... 36
About Prolexic ... 36

At a glance

Compared to Q1 2013
- 47% increase in total DDoS attacks
- 9% decrease in average attack bandwidth
- 68% increase in infrastructure (Layer 3 & 4) attacks
- 21% decrease in application (Layer 7) attacks
- 50% decrease in average attack duration: 35 vs. 17 hours
- 133% increase in average peak bandwidth

Compared to Q4 2013
- 18% increase in total DDoS attacks
- 39% increase in average attack bandwidth
- 35% increase in infrastructure (Layer 3 & 4) attacks
- 36% decrease in application (Layer 7) attacks
- 24% decrease in average attack duration: 23 vs. 17 hours
- 114% increase in average peak bandwidth

Analysis and emerging trends

Q1 2014 continued the trend of increasing botnet construction and decreasing traditional malware infection. This is a result of the widespread availability of reflection-based distributed denial-of-service (DDoS) toolkits that let malicious actors build and deploy botnets for DDoS attacks. Crimeware toolkits that use reflection and amplification techniques to abuse Internet protocols allow malicious actors to launch massive attacks using vulnerable servers and devices, without the traditional need for malware infection. Since 2013, attackers have been abusing communication protocols such as Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS). These are all based on the User Datagram Protocol (UDP), which lets attackers conceal their identities through address spoofing so they are not immediately identified as the source of an attack: attackers send small request packets to intermediary victim servers, and those servers in turn respond to the attacker's intended target. The availability of these vulnerable protocols, which are often enabled by default in server software, makes the Internet a ready-to-use botnet of potential victim devices that can be exploited by malicious actors to launch huge attacks.

In Q1, malicious attackers delivered attacks more frequently and at higher packet-per-second rates than in the previous quarter. This quarter saw a 39 percent increase in average bandwidth. What's more, the largest-ever DDoS attack to cross the Prolexic (now part of Akamai) DDoS mitigation network occurred during this quarter. The attack used a combination of reflection techniques to target the infrastructure, along with a traditional botnet-based application attack. The attack, which exceeded 10 hours in length, peaked at more than 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second). The larger-than-average Q1 attack bandwidth rates were correlated with a significant trend toward volumetric, infrastructure-based attacks, a type of attack that seeks to consume as much bandwidth as possible. There was a corresponding reduction in the use of application-layer attacks. This trend echoes the availability of DDoS tools that are designed to use infrastructure attacks. Innovation in the DDoS marketplace is resulting in tools that inflict more damage with fewer resources. Q1's high-volume attacks were made possible by the availability of easy-to-use DDoS tools from the DDoS-as-a-Service marketplace. These tools can be used with minimal skill on the part of the attacker. Application-layer attacks, which were less popular this quarter, typically require greater skill and coordination by attackers.

In Q1, NTP reflection attacks surged, likely due to the availability of DDoS attack tools that use this reflection technique. In this quarter, the NTP flood method went from accounting for less than 1 percent of all attacks in the prior quarter to nearly the same popularity as SYN flood attacks. In Q1 2013, neither CHARGEN nor NTP attack vectors were observed. In Q1 2014, however, these two attack vectors accounted for 23 percent of all infrastructure attacks mitigated by Prolexic.

The Media and Entertainment industry was the most frequently targeted industry in Q1. This industry received large portions of NTP reflection attack traffic and application-based attacks, including GET floods. Moreover, the Media and Entertainment vertical was targeted by 54 percent of the malicious packets mitigated by Prolexic during active DDoS attacks in Q1.

A large amount of malicious activity continued to come from Asian countries in Q1, six of which appear in the Top 10 source countries. They accounted for 60 percent of attacks.

Compared to Q1 2013

Compared to the same quarter one year ago, the total number of DDoS attacks increased 47 percent. This increase occurred despite a 21 percent drop in application-layer attacks, marking a continuing shift towards infrastructure-based methods. Some of the increase in infrastructure attacks can be attributed to the emergence of the CHARGEN and NTP reflection attack vectors, neither of which was observed in Q1 2013. These two attack vectors alone accounted for 23 percent of the infrastructure attacks mitigated by Prolexic in Q1 2014.

Figure 1: Peak bandwidth average (Q1 2014, Q4 2013, Q1 2013)

Average attack duration decreased this quarter compared with Q1 2013, dropping to 17 hours versus 35 hours. Average bandwidth dropped 9 percent in Q1 2014 compared to a year earlier, while packets per second (pps) increased 24 percent. In short, Q1 2014 DDoS attack campaigns were as disruptive as those from the previous year. The major difference was the attack execution style: malicious actors delivered more frequent DDoS attacks with higher packet-per-second rates than a year ago. Despite lower average bandwidths than in Q1 2013, Q1 2014 attacks also saw the largest peak attack rates (bps) to date.

Compared to Q4 2013

Figure 2: Peak packets per second (Q1 2014, Q4 2013, Q1 2013)

This quarter saw the continuation of more frequent DDoS attacks, along with an uptick in infrastructure-based attacks. Prolexic observed an 18 percent increase in total attacks in Q1 2014 compared to the prior quarter. The number of infrastructure attacks increased 35 percent, a rise led by a significant increase in the use of the NTP flood attack. NTP floods were starting to surge at the end of Q4. This trend continued through Q1, making NTP one of the more popular attack types this quarter. Comprising almost 17 percent of the attacks mitigated, the NTP flood method reached nearly the same level of usage as the SYN flood. Another notable change this quarter was a 39 percent increase in average bandwidth. This statistic was highlighted by the largest-ever DDoS attack mitigated by Prolexic, which occurred this quarter and exceeded 200 Gbps.

Total attack vectors

In the first quarter of the year, infrastructure layer attacks took a more dominant position over application layer attacks, a change from the recent historical trend and an increase of 11 percent over the prior quarter. Infrastructure-layer attack vectors represented 87 percent of the attacks, while application-layer attack vectors represented only 13 percent. This trend echoes the increased availability and convenience of DDoS attack tools and DDoS-for-hire sites that use infrastructure-based attack methods. In addition, malicious actors are increasingly using DDoS attacks that rely on high bandwidth saturation, leveraging the amplification factor available through reflection tactics. Another contributing factor is their ability to launch DDoS attacks without the need for malware infection. Instead, they are leveraging the Internet as a ready-to-use botnet and victimizing legitimate network devices via common Internet protocols.

Figure 3: DDoS attack vectors and their relative distribution in Q1 2014

Infrastructure layer attacks

Infrastructure-based attacks, also known as volumetric attacks, seek to consume as much bandwidth as possible. These attacks target the network infrastructure and are the attack vectors preferred by today's malicious actors. The Internet is replete with misconfigured and open servers that are vulnerable to protocol abuse. Character Generator (CHARGEN), Network Time Protocol (NTP) and Domain Name System (DNS) are three protocols commonly abused, as observed by PLXsert. The frequency of such protocol abuse in DDoS campaigns is usually driven by the appearance of new tools that can produce more effective attacks. Prolexic noticed an 11 percent increase in infrastructure-based attacks this quarter compared to last quarter, and a similar increase of 11 percent in comparison to the same quarter a year earlier. In addition, there is a noticeable difference in the types of infrastructure attacks employed in Q1 2014. This included a surge in the number of NTP-based attacks to 17 percent and a decrease in SYN floods to 18 percent. Other protocol-based attacks included UDP floods at 10 percent, ICMP at 10 percent, DNS at 9 percent, and CHARGEN at 3 percent.

Application layer attacks

Application layer attacks require a higher level of knowledge and sophistication to execute than infrastructure attacks. They are directed at applications (Layer 7) such as the Hypertext Transfer Protocol (HTTP) and are not necessarily focused on bandwidth consumption. Unlike volumetric attacks, they seek to cause a specific application to fail or to become unresponsive to legitimate users.

For example, an outage can be caused by a surge in simultaneous connection attempts. It is important to note that application protocols such as HTTP are allowed to pass through many traffic inspection and firewall devices. These DDoS attacks often mimic legitimate traffic produced by web applications, which makes them more difficult to detect before they reach full force. Encrypted SSL attacks add another level of difficulty for DDoS mitigation, requiring the allocation of additional controls and resources. PLXsert analyzed the use of an application attack involving reflection techniques in which malicious actors were able to abuse features of a web framework suite, specifically WordPress, to cause a massive number of requests to overwhelm a targeted website (see Case study: A reflected application DDoS attack later in this document).

In recent quarters, PLXsert observed a trend in which application-based DDoS attacks were gaining ground and being used in greater numbers by malicious actors, topping 20 percent of the total attacks in observed campaigns. The number of observed application-based attacks in this quarter, however, differed markedly from recent quarters. Application layer attacks showed a decrease this quarter, accounting for only 13 percent of observed attacks. HTTP GET floods were the dominant application layer attack at 9 percent, followed by HTTP POST floods at 2 percent, HEAD floods at 0.4 percent, PUSH floods at 0.3 percent, SSL GET floods at 0.1 percent and SSL POST floods at 0.1 percent.

Comparison: Attack vectors (Q1 2014, Q4 2013, Q1 2013)

Significant differences were observed between Q1 2013, Q4 2013 and this quarter. The first difference was a decline in the use of application attack vectors in the first quarter of 2014 (13 percent of the total) in comparison to the first quarter of 2013 (23 percent), a decrease of almost 11 percent. The drop is also observable when comparing Q1 2014 to the fourth quarter of 2013 (23 percent), a decrease of 10 percent. This quarter's numbers break a trend observed since 2012 of a sustained increase in the use of application-layer vectors compared to the use of infrastructure-layer vectors. Using an application-layer attack vector usually requires a higher degree of skill, as well as more significant effort to build a botnet and coordinate the attack (as was seen with the itsoknoproblembro attacks). Such application attack campaigns started to wane after the end of the third quarter. Since then, Prolexic has not observed any campaigns using the application-layer attack vector with as much effectiveness, power and duration as the itsoknoproblembro campaigns. However, this could change. For example, a modified brobot botnet could reappear and be used with high frequency against specific industries.

A difference in the use of application-based vectors can also be observed in the use of HTTP GET floods, which were the most common application attack vector in Q1 2013 and Q4 2013 (19 percent and 20 percent of all attacks) but represented only 9 percent of all attacks in Q1 2014, a significant drop. These numbers point to a preference by malicious actors in Q1 2014 for infrastructure-based attack vectors. This is possibly driven by the availability of new tools that facilitate infrastructure DDoS attacks using protocols and services susceptible to reflection and amplification, such as NTP and DNS, along with the availability of open or misconfigured DNS and NTP servers on the Internet. There was an overall decrease in application-based attacks of more than 12 points in comparison to Q1 2013 (23 percent) and Q4 2013 (23 percent).

The data also show NTP was the most frequently used infrastructure-based amplification attack at 17 percent, followed by DNS at 9 percent and CHARGEN at 3 percent, in contrast with last quarter, when DNS was in first place with 10 percent, followed by CHARGEN at 6 percent and NTP at 0.3 percent.

Figure 4: Attack vectors in Q1 2014, Q4 2013, Q1 2013

Target industries

Prolexic has introduced a new metric to the Global DDoS Attack Report to provide insight into the industries targeted by malicious actors in DDoS campaigns. Media and Entertainment took the brunt of DDoS attacks, accounting for 50 percent of the attack targets in Q1. Software and Technology was the second most often hit at 17 percent. Security accounted for 12 percent of attacks. Finance was targeted 9 percent of the time. Gaming was the last of the top five industry targets with 7 percent of all observed attacks.

Media and entertainment

The Media and Entertainment industry accounted for a majority of the attacks against Prolexic customers. This fact provides insight into the motivations of attackers. Attacks against the Media and Entertainment vertical offer several perks for malicious actors, including press coverage and high visibility, benefits that may influence their choice of target. High visibility allows campaign organizers to more effectively reach out to supporters and recruit others to join their cause. The Media and Entertainment industry experienced some of the highest volume attacks from both application and infrastructure attack vectors. Forty-two percent of all NTP reflection and amplification attacks in Q1 targeted Media and Entertainment. Prolexic continues to see a major interest by attackers in targeting the Media and Entertainment industry to spread fear and propaganda through political or socially motivated DDoS campaigns. The Media and Entertainment industry was targeted with 54 percent of the malicious packets consumed by Prolexic during active DDoS attacks.

Software and technology

The Software and Technology industry includes companies that provide solutions such as Software as a Service (SaaS) and other cloud-based technologies. This industry was hit with the second greatest number of attacks, accounting for 17 percent. The Software and Technology industry was mainly targeted by infrastructure-layer attacks. The most popular attack vectors against this industry were DNS and NTP reflection and amplification attacks. Software and Technology was the target of these types of attacks 23 and 22 percent of the time, respectively.

Security

The Security vertical includes companies that provide security-based solutions, such as Prolexic. This industry faced 12 percent of all DDoS attacks. The motive behind attacks against the Security vertical is to take down a critical service, leaving a customer susceptible to other attacks. The Security industry also sees a high amount of infrastructure-based attacks, accounting for 12 percent of all NTP attacks, 8 percent of all DNS attacks and 6 percent of all CHARGEN attacks.

Financial services

The Financial Services industry includes major financial institutions, such as banks and trading platforms. It was targeted in 9 percent of total attacks in the first quarter. Financial institutions have been the target of many organized attacks, such as those orchestrated by the organized cyber-crime group Izz ad-Din al-Qassam Cyber Fighters (QCF) using itsoknoproblembro. Fortunately, the Financial industry did not experience many major campaigns this quarter.

A quiet quarter does not necessarily reflect a diminished interest by attackers in this industry. Infrastructure-layer attacks pose the greatest threat to this industry due to the importance of the always-on services it provides. Recently, there have been indicators that suggest major campaigns against the financial vertical could resume. Malicious actors may be pursuing more refined methodologies and information-gathering tools to introduce new attack vectors against this vertical.

Gaming

The Gaming industry includes any company related to online gaming or gaming-related content. Gaming was the fifth most-targeted industry, accounting for 7 percent of total attacks. Attacks against the Gaming industry are frequently motivated by players seeking to gain a competitive advantage. The Gaming industry receives mostly application-layer attacks; 13 percent of GET floods and 23 percent of POST floods targeted Gaming in Q1.

Summary

The data discussed represent only a portion of the active DDoS attack campaigns that occurred in this quarter against the named industries. Prolexic will continue to analyze and take the necessary measures to provide real-time insight into DDoS attacks against specific verticals.

Figure 5: Distribution of attacks targeting key industries

Top 10 source countries

The pie chart in Figure 6 represents the Top 10 sources of malicious, non-spoofed DDoS traffic in Q1. The United States was the main source of DDoS attacks in Q1 2014, accounting for 21 percent of attacks. China took second place at 18 percent, relinquishing its spot as the number one source of DDoS attacks for the second quarter in a row. Thailand retained its spot in third place, accounting for 15 percent of attacks. Making a debut in the fourth place spot, Turkey accounted for 13 percent. Germany came in fifth at 8 percent to round off the top five source countries of malicious DDoS traffic. The remainder of the top 10 includes Brazil (6 percent), Italy (5 percent), Indonesia (5 percent), South Korea (5 percent) and Saudi Arabia (4 percent).

There was a noticeable presence of Asian countries in the top 10 source countries. Growing economies and an expanding IT infrastructure, plus large online populations, fuel DDoS attack campaigns. There were also indicators of an increasing amount of hacktivist group activity from Asia. Social and political issues are also known to play major roles in certain countries' presence on the Top 10 source list, such as Turkey.

Figure 6: Top 10 source countries for non-spoofed DDoS attacks in Q1 2014

Comparison: Top 10 source countries (Q1 2014, Q4 2013, Q1 2013)

A look at the source countries from the most recent quarter, as well as Q4 2013 and Q1 2013, illustrates how country rankings in the top 10 fluctuate as new vulnerabilities arise, attack agendas vary, malicious actors change, and existing attacks shift due to DDoS toolkit economics. There was only a slight decrease in the percentage of attacks originating from the United States (21 percent) in Q1 compared to the previous quarter (24 percent), and a decrease of 1 percent from Q1 2013 (22 percent). The United States continues to top China as the main source of DDoS attacks. China (18 percent) retained its spot in second place this quarter, despite a decrease of 1 percent from last quarter (19 percent) and a 23 percent decrease from Q1 2013, when China was responsible for almost half of all attacks. Malicious traffic from Turkey (13 percent) surged in Q1, resulting in the country taking the number four spot with an increase of 7 percent from last quarter (6 percent).

Looking at data from the three individual quarters reveals that Asian countries have continually dominated the top 10. In Q1, Asian countries accounted for 60 percent of attacks among the Top 10, with six Asian countries making the list. Last quarter, Asian countries accounted for 57 percent of the attacks from the top 10, again with six Asian countries making the list. A year ago, Asian countries accounted for 54 percent of attacks from the top 10 list, with four Asian countries making the list. While several of the Asian countries have rotated on and off the list, in every quarter an Asian country has ranked either first or second among the top producers of DDoS attacks.

Figure 7: Top 10 source countries for non-spoofed DDoS attacks in Q1 2014, Q4 2013, Q1 2013

Total attacks per week (Q1 2014 vs. Q1 2013)

As seen in the chart below, Q1 2014 had a peak in total attacks from February 12-18, a week that showed a 191 percent increase in DDoS attacks compared to the same week in Q1 2013. This surge was due to the increase in CHARGEN and NTP reflection attacks. The highest volume of DDoS attacks per week in Q1 2014 was 47 percent greater than the highest volume of attacks registered in any week in Q1 2013. Although the quarter marked a 21 percent reduction in application attacks, overall there was a 47 percent increase in total attacks. This rise was attributed to a 68 percent increase in total infrastructure attacks compared to Q1 2013.

Figure 8: Changes in DDoS attacks per week, Q1 2014 vs. Q1 2013

Comparison: Attack campaign start time per day (Q1 2014, Q4 2013, Q1 2013)

In Q1, a shift occurred in the time of day that DDoS attacks took place. In Q4 2013 and Q1 2013 the majority of attacks occurred around 20:00 GMT (12 p.m. PST and 3 p.m. EST), while attacks in Q1 2014 peaked around 12:00 GMT (4 a.m. PST and 7 a.m. EST). Across Q1 2014 the highest attack rates took place between 11:00 GMT (3 a.m. PST and 6 a.m. EST) and 14:00 GMT. One conclusion that may be drawn from this change in attack timing is the introduction of new attack campaigns and political and social influences that may motivate certain organizations or individuals to participate in a DDoS attack. Figure 9 outlines the distribution of attack start times in three quarters. The data indicate a shift in the time of day that the majority of DDoS attacks took place in Q1 2014 versus Q4 2013 and Q1 2013.

Figure 9: Attack campaign start time, Q1 2014, Q4 2013, Q1 2013

Attack spotlight: Q1's record-setting DDoS attack

Campaign included NTP and DNS reflection techniques as well as the Dirt Jumper botnet

Overview

In Q1 2014, Prolexic successfully mitigated its largest confirmed DDoS attack campaign against a Prolexic customer. The malicious actors used a powerful combination of Network Time Protocol (NTP) reflection and Domain Name System (DNS) reflection as the main attack vectors, which also included variations of the POST flood attack, a Layer 7 application attack vector. The attack exceeded 10 hours in duration and was directed at a European Internet media company. PLXsert successfully identified the tools used in the campaign. These tools included the latest NTP and DNS reflection attack tools, as well as a popular DDoS toolkit known as Drive, which is a Dirt Jumper variant that utilizes a traditional botnet architecture achieved through malware infection.

As described in PLXsert threat advisories and a series of Distributed Reflection Denial of Service (DrDoS) white papers, the NTP and DNS protocols are susceptible to abuse by malicious actors. By abusing features of the protocols, attackers produce amplified responses with much larger packet sizes than the originating requests. In addition, these two protocols are based on the User Datagram Protocol (UDP), which makes them susceptible to spoofing, allowing attackers to hide the source of the requests. Using these amplification and reflection techniques, this campaign peaked at 200 Gbps (gigabits per second) and 53.5 Mpps (million packets per second).

The table in Figure 10 shows peak malicious traffic rates at each of the five Prolexic scrubbing centers that routed traffic for DDoS mitigation during the attack campaign:

Scrubbing center    Peak bits per second (bps)    Peak packets per second (pps)
San Jose            11 Gbps                       3 Mpps
London              50 Gbps                       10 Mpps
Hong Kong           18 Gbps                       5.5 Mpps
Washington, DC      30 Gbps                       8 Mpps
Frankfurt           100 Gbps                      27 Mpps

Figure 10: Attack metrics for traffic routed through each of five scrubbing centers during this attack campaign

As shown in Figure 11, the majority of attack traffic traversed Prolexic's European scrubbing centers in Frankfurt and London.

Figure 11: Attack bandwidth distribution per scrubbing center

Figure 12 displays an aggregated view of the progression of attack traffic over time and the subsequent DDoS mitigation at the border in packets per second (pps).

Figure 12: Attack and mitigation timeline in packets per second (pps)

Validated attack vectors used in this campaign

Malicious actors typically mix and match attack vectors to inflict the greatest possible damage on their targets. The particular mix of attack vectors in this campaign was dangerous.

The effectiveness of DDoS strategies is determined not only by the tools used but also by the attack operation. Attackers may switch attack vectors and malicious signature payloads in an effort to bypass automated DDoS mitigation. In the most effective campaigns, attackers will preemptively study, footprint and identify default mitigation procedures in available commercial mitigation technologies.

Three main attack vectors were observed in this campaign:
- DNS reflection, which targets Layer 3 and Layer 4
- NTP monlist reflection, which targets Layer 3 and Layer 4
- Drive POST1 and POST2 floods, which target Layer 7

DNS amplification

A DNS ANY request flood was detected during the campaign. A sample of the request executed via the domain information groper (dig) command is shown in Figure 13. The ANY request results in a 4,112-byte response. Figure 14 shows the payload.

    $ dig ANY <domain>
    ;; Truncated, retrying in TCP mode.
    ; <<>> DiG [version] P1 <<>> ANY <domain>
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: [...]
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 255, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;<domain>.              IN  ANY

    ;; ANSWER SECTION:
    <domain>.               IN  A   xxx.xxx.xxx.xxx
    <domain>.               IN  A   xxx.xxx.xxx.xxx
    <snip>

    ;; MSG SIZE  rcvd: 4112

Figure 13: An example ANY request for the domain involved in the attack (domain name not shown). Responses contained 255 A records.

Figure 14: The payload for the DNS ANY query flood (a single tcpdump line showing the 255-A-record response sent to x.x.x.x, port 53; the record addresses are not reproduced here)

NTP monlist reflection

An NTP reflection attack signature was also observed during the campaign, as shown in Figure 15.

    13:52:[...] IP [...] > x.x.x.x.19276: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.13520: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.13520: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.13520: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.54159: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.54159: NTPv2, Reserved, length [...]
    13:52:[...] IP [...] > x.x.x.x.54159: NTPv2, Reserved, length 440

Figure 15: NTP reflection attack signature (source addresses, timestamp fractions and all but the last packet length were not captured in the transcription)

POST flood

An application layer attack (Layer 7) was observed. This attack generated multiple HTTP POST requests with several different signatures in an attempt to bypass DDoS mitigation technologies. PLXsert identified packet signatures that have been associated with the Drive DDoS malware kit.

Analysis of associated malware

The POST flood Layer 7 attacks witnessed during this campaign all seem to match those generated by the Dirt Jumper Drive malware. A Drive binary potentially associated with the attack was analyzed by PLXsert and is shown in Figure 16.
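The two reflection signatures shown in Figures 13 to 15 can be picked out of packet-capture summaries mechanically. The Python below is an added example, not code from the report or from Prolexic: it scans constructed tcpdump-style lines (documentation-range addresses, not captured traffic) for NTP mode-7 replies from UDP/123 and oversized DNS responses from UDP/53, tallies packets, bytes and distinct reflectors per target, and computes the ANY amplification factor against the 4,112-byte response. The request-size arithmetic assumes a plain query with an optional 11-byte EDNS0 OPT record; the thresholds are assumptions, not values from the report.

```python
"""Flag NTP monlist and DNS ANY reflection traffic in tcpdump-style lines.

Added example: the sample lines are constructed to mirror the shape of the
report's Figures 14 and 15; they are not captured traffic.
"""
import re
from collections import defaultdict

# Constructed lines. 203.0.113.5 stands in for the attacked host (x.x.x.x in
# the report); 192.0.2.0/24 and 198.51.100.0/24 are documentation ranges.
SAMPLE_LINES = """\
13:52:10.000001 IP 198.51.100.7.123 > 203.0.113.5.19276: NTPv2, Reserved, length 440
13:52:10.000002 IP 198.51.100.8.123 > 203.0.113.5.13520: NTPv2, Reserved, length 440
13:52:10.000003 IP 198.51.100.9.123 > 203.0.113.5.13520: NTPv2, Reserved, length 440
13:52:10.000004 IP 192.0.2.20.123 > 203.0.113.5.54159: NTPv2, Reserved, length 440
13:52:10.000005 IP 192.0.2.53.53 > 203.0.113.5.53: 4711 255/0/1 A 192.0.2.1, A 192.0.2.2 (4112)
13:52:10.000006 IP 192.0.2.54.53 > 203.0.113.5.53: 4712 255/0/1 A 192.0.2.1, A 192.0.2.2 (4112)
13:52:11.000007 IP 192.0.2.53.53 > 203.0.113.5.40003: 4714 1/0/0 A 192.0.2.1 (46)
13:52:11.000008 IP 198.51.100.7.123 > 203.0.113.5.123: NTPv4, Client, length 48
"""

# tcpdump prints NTP mode 7 (private/control) packets as "Reserved"; a monlist
# reply is 440 bytes, the size seen in Figure 15.
MONLIST_REPLY_BYTES = 440
NTP_RE = re.compile(
    r"^\S+ IP (\S+)\.123 > (\S+)\.(\d+): NTPv\d, Reserved, length (\d+)$")

# DNS replies from UDP/53: "<id><flags> <ancount>/<nscount>/<arcount> ... (<bytes>)".
# A normal A-record answer is well under 512 bytes; the ANY reply in Figure 13
# carried 255 answers in 4,112 bytes. Thresholds are assumptions.
DNS_MIN_ANSWERS = 100
DNS_MIN_BYTES = 1024
DNS_RE = re.compile(
    r"^\S+ IP (\S+)\.53 > (\S+)\.(\d+): \d+[*$|-]* (\d+)/\d+/\d+ .*\((\d+)\)$")


def parse_line(line):
    """Return {"vector", "src", "dst", "bytes"} for a reflection packet, else None."""
    m = NTP_RE.match(line)
    if m:
        src, dst, _port, length = m.groups()
        if int(length) == MONLIST_REPLY_BYTES:
            return {"vector": "ntp_monlist", "src": src, "dst": dst, "bytes": int(length)}
        return None
    m = DNS_RE.match(line)
    if m:
        src, dst, _port, ancount, length = m.groups()
        if int(ancount) >= DNS_MIN_ANSWERS or int(length) >= DNS_MIN_BYTES:
            return {"vector": "dns_reflection", "src": src, "dst": dst, "bytes": int(length)}
    return None


def summarize(lines):
    """Per target and vector: packet count, byte count and number of distinct reflectors."""
    acc = defaultdict(lambda: defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()}))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        slot = acc[rec["dst"]][rec["vector"]]
        slot["packets"] += 1
        slot["bytes"] += rec["bytes"]
        slot["reflectors"].add(rec["src"])
    return {dst: {vec: {"packets": s["packets"], "bytes": s["bytes"],
                        "reflectors": len(s["reflectors"])}
                  for vec, s in vecs.items()}
            for dst, vecs in acc.items()}


def dns_any_request_bytes(qname, edns=False):
    """UDP payload of an ANY query: 12-byte header + wire-encoded name + QTYPE/QCLASS.

    A reply larger than 512 bytes only fits in UDP when the query carries an
    EDNS0 OPT record (11 bytes); the "Truncated, retrying in TCP mode" line in
    Figure 13 is what a plain query gets instead.
    """
    name = sum(len(label) + 1 for label in qname.rstrip(".").split(".")) + 1
    return 12 + name + 4 + (11 if edns else 0)


def amplification_factor(request_bytes, response_bytes):
    """Bytes that reach the target per byte of spoofed request."""
    return round(response_bytes / request_bytes, 2)


if __name__ == "__main__":
    for dst, vectors in summarize(SAMPLE_LINES.splitlines()).items():
        for vec, s in vectors.items():
            print(f"{dst} {vec}: {s['packets']} pkts, {s['bytes']} bytes, "
                  f"{s['reflectors']} reflectors")
    req = dns_any_request_bytes("example.test", edns=True)
    print(f"ANY amplification for a {req}-byte query: {amplification_factor(req, 4112)}x")
```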

d1e499f1f8253af19b (Dirt Jumper Drive)

Figure 16: The MD5 of the Drive binary variant

The Dirt Jumper Drive malware has undergone several iterations since its inception in the underground. Some of the features added to later editions include a -smart command and, more recently, a revamped authentication parameter and command and control (CC or C2) architecture. The binary associated with this campaign, however, included none of the additions of the newer variants. This leads PLXsert to conclude that the first iterations of the toolkit are still being used for large-scale attacks, such as the one highlighted here.

The behavior of the Drive binary, which is common to all its known variants, is to drop a payload to the Windows system directory and execute it as a Windows Service process. Once a successful connection with the C2 has been established, the malware awaits commands from the C2. The variant associated with this campaign supports the following nine attack vectors:

- GET
- POST1
- POST2
- IP
- IP2
- UDP
- request
- timeout
- thread

During this campaign, the POST flood attacks may have been the only commands issued to the infected hosts. The POST floods used a hardcoded string that is populated by the malware at runtime to flood its target. The signature of the POST flood can be seen inside the malware toolkit, as shown in Figure 17:

login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]

Figure 17: A POST flood signature observed in this campaign

The Drive DDoS malware toolkit uses randomization features when creating its user agent headers in order to make DDoS mitigation more difficult. In this particular binary, PLXsert identified five different user agents being used, with other randomized components added dynamically to the string (Figure 18):

ASCII Mozilla/5.0 (Windows NT ASCII.1 ASCII ; rv: ASCII.0) Gecko/ Firefox/ ASCII.0
ASCII Opera/9.80 (Windows NT ASCII.1 ASCII ; U; Edition ASCII Local; ru) Presto/ Version/ ASCII.0
ASCII Mozilla/4.0 (compatible; MSIE 8.0; Windows NT ASCII.1 ASCII ; Trident/4.0; SLCC2;.NET CLR 2.0. ASCII ;.NET CLR 3.5. ASCII ;.NET CLR 3.0.

Figure 18: Example user agents identified during this campaign

Random country strings may also be added to the user agent header. Those shown in Figure 19 were extracted from the malware toolkit's memory.

ASCII Bangladesh
ASCII Russia
ASCII United Kingdom
ASCII Egypt
ASCII China
ASCII Iran
ASCII Mongolia
ASCII India
ASCII Grenada
ASCII Thailand
ASCII Romania
ASCII Germany
ASCII France
ASCII Ukraine
ASCII United States

Figure 19: Country string options

A full dump of the network traffic is shown in Figure 20 to illustrate the connection process between the bot and C2. Once an attack command is received, the bot commences the POST flood, as shown in Figure 21. The k parameter is an identifier of the Drive toolkit making connection attempts to its C2. This parameter identifies the bot to the C2 during authentication.

CONNECT TO C2

POST /drv/ HTTP/1.1
Host: xxxxxxx.com
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0; SLCC2;.NET CLR ;.NET CLR ;.NET CLR
Accept: text/html
Connection: Keep-Alive
Content-Length: 17
Content-Type: application/x-www-form-urlencoded

k=kpy3er8zr51ov04    <- k parameter necessary for bot identification in Dirt Jumper Drive

ATTACK

POST HTTP/1.1
Host: xxxx
User-Agent: Opera/9.80 (Windows NT 5.1; WOW64; U; Edition Thailand Local; ru) Presto/ Version/10.05
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

Figure 20: C2 instructions to infected bots, including the k parameter common to the Drive DDoS toolkit

...5..p]...b...p...xh..post HTTP/1.1
Host: /victim
User-Agent: Opera/9.80 (Windows NT 5.1; U; Edition Germany Local; ru) Presto/ Version/5.03
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443

.e..E...@.2....dd.P...H.`.....~..Q..POST HTTP/1.1
Host: victim
User-Agent: Opera/9.80 (Windows NT 6.1; U; Edition United States Local; ru) Presto/ Version/7.08
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443

HTTP/1.1
Host: victim
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2;.NET CLR ;.NET CLR ;.NET CLR
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443

percent.z p.- {o...}f.post HTTP/1.1
Host: victim
User-Agent: Mozilla/5.0 (Windows NT 5.1; WOW64; rv:12.0) Gecko/ Firefox/12.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443
Content-Type:

{o...}b.post HTTP/1.1
Host: victim
User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; WOW64; Trident/4.0; SLCC2;.NET CLR ;.NET CLR ;.NET CLR
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Encoding: gzip,deflate
Accept-Language: ru-ru,ru;q=0.8,en-us;q=0.5,en;q=0.3
Connection: Keep-Alive
Referer:
Content-Length: 2443
Content-Type: application/x-www-form-urlencoded

Figure 21: POST flood attack signatures observed in this campaign

The YARA rule shown in Figure 22 was written by PLXsert in order to identify the Dirt Jumper Drive toolkit used during this campaign. YARA is an open source tool for identifying malware by pattern matching. Running the rule against a potential attack binary returns a hit for dirtjumper_drive_variant when the rule's condition is met: at least four of the command strings and all three of the payload strings (the POST flood body and the two fixed request headers) are found in the executable.

rule dirtjumper_drive_variant
{
    strings:
        $cmd1 = "-get" fullword
        $cmd2 = "-post1" fullword
        $cmd3 = "-post2" fullword
        $cmd4 = "-ip" fullword
        $cmd5 = "-ip2" fullword
        $cmd6 = "udp" fullword
        $cmd7 = "-request" fullword
        $cmd8 = "-timeout" fullword
        $cmd9 = "-thread" fullword
        $str1 = "login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]"
        $str2 = "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8"
        $str3 = "Accept-Encoding: gzip,deflate"
    condition:
        4 of ($cmd*) and all of ($str*)
}

Figure 22: YARA rule for the detection of the Drive toolkit

An example run of YARA 2.0 would return the result shown in Figure 23:

yara -g ~/Desktop/dirtjumper_drive_variant.yar ~/samples/
dirtjumper_drive_variant [] /samples//drive.exe
dirtjumper_drive_variant [] /samples//764436a7759df842cc660a726db74323c4c27a c502ada a ad9

Figure 23: The result from an example run of the YARA rule

Visualization of sourced traffic

The following graphics display visualizations by attack vector. As stated before, the main attack vectors for this campaign were NTP and DNS reflection and amplification, as well as an application layer attack in the form of POST request floods (identified as signatures of Drive). The top source countries for each attack type are shown below.

Source countries of the DNS reflection attacks

The majority of DNS reflectors were from the United States, followed by Russia and Brazil, as shown in Figure 24. The next countries in the top ten sources of the DNS attack were Indonesia, Turkey, China, the Netherlands, Australia, Canada and Germany.
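To see exactly what the condition in Figure 22 accepts and rejects, here is the same logic re-implemented in Python as an added example (not PLXsert's code and not a substitute for running YARA itself). The command and payload strings are copied from the rule above; the `fullword` modifier is reproduced so that "-ip" does not count when it only occurs inside "-ip2". The byte buffers it is run against are constructed stand-ins for extracted binaries, not the samples from Figure 23.

```python
import re

# Strings copied from the rule in Figure 22. The nine "$cmd" strings are the
# toolkit's command verbs; the three "$str" strings are the POST flood body
# and the two fixed request headers.
CMD_STRINGS = [b"-get", b"-post1", b"-post2", b"-ip", b"-ip2", b"udp",
               b"-request", b"-timeout", b"-thread"]
PAYLOAD_STRINGS = [
    b"login=[1000]&pass=[1000]&password=[50]&log=[50]&passwrd=[50]&user=[50]"
    b"&username=[50]&vb_login_username=[50]&vb_login_md5password=[50]",
    b"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
    b"Accept-Encoding: gzip,deflate",
]
MIN_COMMANDS = 4   # "4 of ($cmd*)"


def fullword_present(data, needle):
    """YARA 'fullword' semantics: the match may not be preceded or followed by
    an alphanumeric character, so "-ip" does not match inside "-ip2"."""
    pattern = rb"(?<![A-Za-z0-9])" + re.escape(needle) + rb"(?![A-Za-z0-9])"
    return re.search(pattern, data) is not None


def matched_commands(data):
    """Which command strings occur as full words in the buffer."""
    return [c for c in CMD_STRINGS if fullword_present(data, c)]


def is_drive_variant(data):
    """Evaluate the condition '4 of ($cmd*) and all of ($str*)'."""
    commands_ok = len(matched_commands(data)) >= MIN_COMMANDS
    payload_ok = all(s in data for s in PAYLOAD_STRINGS)
    return commands_ok and payload_ok


# Constructed buffers standing in for extracted binaries (not real samples).
# NUL separators mimic how C strings sit in a binary's data section.
SAMPLE_HIT = (b"\x00-get\x00-post1\x00-post2\x00-ip\x00-request\x00"
              + b"\x00".join(PAYLOAD_STRINGS) + b"\x00")
# Only two real command verbs: "-ipx" and "-getx" fail the fullword test.
SAMPLE_TOO_FEW_COMMANDS = (b"\x00-get\x00-post1\x00-ipx\x00-getx\x00"
                           + b"\x00".join(PAYLOAD_STRINGS))
# Enough commands, but the two header strings are absent.
SAMPLE_MISSING_HEADER = b"\x00-get\x00-post1\x00-post2\x00-ip\x00" + PAYLOAD_STRINGS[0]

if __name__ == "__main__":
    for name, buf in [("hit", SAMPLE_HIT),
                      ("too few commands", SAMPLE_TOO_FEW_COMMANDS),
                      ("missing header", SAMPLE_MISSING_HEADER)]:
        print(f"{name}: {is_drive_variant(buf)} (commands: {matched_commands(buf)})")
```

Requiring all three payload strings is what keeps the rule from firing on unrelated binaries that happen to contain a few short command-line tokens such as "-get" or "udp"; the two header strings alone are ordinary browser headers, so neither half of the condition is a reliable indicator on its own.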

Figure 24: Top three source countries of the DNS reflection activity, based on a 12,718-source IP sample set

Source countries for the NTP reflection attacks

The NTP reflection sources originated from several countries. The three source countries with the largest number of reflector servers used within this DDoS attack were South Korea, Russia and Ukraine, as shown in Figure 25. The rest of the top countries represented were the United States, China, Japan, Romania, Germany, the Netherlands and Great Britain.

Figure 25: Top three source countries of NTP reflection, based on a 5,175-source IP sample set

Source countries for POST attacks from the Drive toolkit

The principal sources of the application layer attack type within this campaign were identified as Turkey, Iran and Argentina, as shown in Figure 26. The remaining top ten countries were identified as Brazil, Mexico, Venezuela, Russia, Spain, India and Poland.

Figure 26: Top three source countries of Layer 7 POST attacks, based on a 5,922-source IP sample set

PLXsert was able to verify that the majority of sources from these countries match CPE device signatures. This suggests the source of the Dirt Jumper Drive attack traffic was compromised Microsoft Windows-based computers behind home cable/DSL connections.

Case study: A reflected application DDoS attack

Overview

The Prolexic Security Engineering and Response Team (PLXsert) has observed the abuse of the WordPress pingback function in recent DDoS attack campaigns. One of the attacks highlighted in this case study targeted an Internet media firm that is a customer of Prolexic (now part of Akamai).

This reflected application attack vector exploits a vulnerability in the WordPress pingback function, identified by Common Vulnerabilities and Exposures (CVE) [identifier and year not shown]. The pingback functionality, which has been available since WordPress version 2.1.3, is enabled by default in recent versions (3.5 and higher). WordPress applied fixes to validate source Uniform Resource Identifiers (URIs). However, this attempt to prevent potential DDoS attacks still allows attackers to abuse the pingback functionality by using reflection techniques.

Characteristics of the WordPress DDoS pingback application reflection attack

Pingback is an automated function that notifies website administrators when their posts or documents are linked by other websites, so they can track and manage references to their material. Attackers abuse this feature by crafting pingback requests that redirect the responses to the target of the malicious actor, overwhelming the target site with a flood of GET requests. The pingback functionality is important for those sites that depend upon syndication and content distribution. For those sites, turning this feature off is not usually an option.

The main source of this vulnerability is found in the WordPress XML-RPC (XML remote procedure call) file: xmlrpc.php. XML-RPC is a set of specifications used to execute remote procedure calls transported via HTTP and encoded in XML. This allows the transmission and processing of data between disparate operating systems over the Internet.
During these pingback DDoS attacks, malicious actors craft POST requests to an intermediary (victim) WordPress site. These POST requests are spoofed so that they appear to come from the target site. The pingback response is then reflected to the target site. During an attack, hundreds of thousands of victim WordPress sites could be abused to generate pingback requests to the target site. (Learn more about reflection attacks in our DrDoS white paper series at [URL not shown].)

Figure 27 shows the attack signature recorded from the targeted site. The signature has some specific items, such as the User-Agent: WordPress(version) and the specification of the target domain in the Host: parameter.

:11: IP x.x.x.x > x.x.x.x.80: Flags [P.], seq 1:111, ack 1, win 229, options [nop,nop,ts val ecr ], length 110
d.*^f1!...p..v.w..u....jv{,o..get / HTTP/1.0
User-Agent: WordPress/3.8.1;
Host: targetdomain
Accept: */*

Figure 27: WordPress pingback attack signature, as seen by the target

Figure 28 shows the POST request, crafted in curl. This illustrates how the pingback attack is executed. A series of parameters had to be specified to generate the pingback response from the victim to the target.

$ curl -D - -H 'Content-type: text/xml' -d '<methodCall>
  <methodName>pingback.ping</methodName>
  <params>
    <param><value><string> </string></value></param>
    <param><value><string> </string></value></param>
  </params>
</methodCall>'

Figure 28: POST request sent to the victim to generate the pingback response to the target

These XML-RPC elements include methodCall, methodName, params, param, value and string. After this request is crafted and executed, the victim server produces an HTTP 200 OK response, indicating the request was executed successfully (see Figure 29).

HTTP/ OK
Date: Thu, 13 Mar :11:48 GMT
Server: Apache/ (CentOS)
X-Powered-By: PHP/5.3.3
Connection: close
Content-Length: 370
Content-Type: text/xml; charset=utf-8

<?xml version="1.0" encoding="UTF-8"?>
<methodResponse>
  <fault>
    <value>
      <struct>
        <member>
          <name>faultCode</name>
          <value><int>0</int></value>
        </member>
        <member>
          <name>faultString</name>
          <value><string></string></value>
        </member>
      </struct>
    </value>
  </fault>
</methodResponse>

Figure 29: The HTTP 200 OK response indicates a successful request

The effectiveness of this attack lies in leveraging victim WordPress websites that have pingback functionality enabled. This attack vector typically succeeds by exhausting the number of connections to the target site, rather than by overwhelming the target with bandwidth floods.

Highlighted campaigns

During Q1 2014, PLXsert observed two campaigns where the WordPress pingback attack was identified as the main attack vector. One of the campaigns was against an Internet media site and the second campaign was against a Prolexic/Akamai website.

Campaign A (Internet media company)

The first campaign peaked at approximately 50,000 connections per second and lasted nearly nine hours. The attack was based solely on the WordPress pingback attack vector. Through traffic inspection, we identified thousands of victim sites sending pingback responses to the targeted site.

Attack Types: GET Flood
Target Port: 80
Event Time Start: Mar 12, :50:00 UTC
Event Time End: Mar 13, :48:15 UTC

                                San Jose     London       Hong Kong    Washington, DC
Peak bits per second (bps)      8.82 Mbps    7.81 Mbps    1.89 Mbps         Mbps
Peak packets per second (pps)   1.36 Kpps    2.50 Kpps    0.60 Kpps    4.89 Kpps
Peak connections                8.61 Kcon         Kcon    4.05 Kcon         Kcon

Figure 30: Campaign A attack traffic distribution by data center

Figure 31: Global distribution of Campaign A connections

Figure 32: Aggregated view of DDoS campaign over time

When the targeted site is not powered by WordPress, DDoS mitigation is simpler. The WordPress pingback has a specific signature, which is highlighted in Campaign B.
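Because the pingback verification fetch identifies itself with a User-Agent beginning "WordPress/" (Figure 27), the target side can spot a reflection campaign in its own access logs without any packet capture: a single such GET is a legitimate blog verifying a link, but many distinct WordPress installs fetching the same site within one minute is the Campaign A pattern. The following is an added detection example, not code from the report or from PLXsert. It runs over constructed Apache combined-format log lines (invented blog URLs and documentation-range addresses), buckets WordPress-originated GETs by minute, and raises an alert for any minute that reaches an assumed threshold of three distinct reflecting sources.

```python
import re
from collections import defaultdict

# Constructed Apache combined-format lines for the target site. The user agent
# mirrors the "WordPress/<version>;" signature in Figure 27; the reflecting
# blog URLs and addresses are invented documentation values, not real sites.
SAMPLE_LOG = [
    '198.51.100.10 - - [13/Mar/2014:00:11:48 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"',
    '198.51.100.11 - - [13/Mar/2014:00:11:48 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-b.example"',
    '198.51.100.12 - - [13/Mar/2014:00:11:49 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.7.1; http://blog-c.example"',
    '198.51.100.13 - - [13/Mar/2014:00:11:50 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-d.example"',
    '198.51.100.10 - - [13/Mar/2014:00:11:51 +0000] "GET / HTTP/1.0" 200 5120 "-" "WordPress/3.8.1; http://blog-a.example"',
    # A lone WordPress fetch a minute later: a legitimate pingback verification.
    '198.51.100.50 - - [13/Mar/2014:00:12:03 +0000] "GET /post/42 HTTP/1.0" 200 8000 "-" "WordPress/3.8.1; http://blog-e.example"',
    # Ordinary browser traffic that must not count.
    '192.0.2.77 - - [13/Mar/2014:00:11:49 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/27.0"',
]

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
MIN_DISTINCT_SOURCES = 3   # assumed alert threshold for this example


def parse_log_line(line):
    """Split one combined-format line into its fields, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_pingback_fetch(rec):
    """The reflected request: a GET whose User-Agent announces a WordPress install."""
    return rec["req"].startswith("GET ") and rec["ua"].startswith("WordPress/")


def minute_bucket(ts):
    """'13/Mar/2014:00:11:48 +0000' -> '13/Mar/2014:00:11'."""
    return ts[:17]


def pingback_sources_per_minute(lines):
    """Map each minute to the sorted list of distinct WordPress source addresses."""
    per_minute = defaultdict(set)
    for line in lines:
        rec = parse_log_line(line)
        if rec and is_pingback_fetch(rec):
            per_minute[minute_bucket(rec["ts"])].add(rec["src"])
    return {minute: sorted(srcs) for minute, srcs in per_minute.items()}


def reflection_alerts(lines, min_sources=MIN_DISTINCT_SOURCES):
    """Minutes in which at least min_sources distinct WordPress installs hit the site."""
    return {m: len(s) for m, s in pingback_sources_per_minute(lines).items()
            if len(s) >= min_sources}


if __name__ == "__main__":
    for minute, count in sorted(reflection_alerts(SAMPLE_LOG).items()):
        print(f"{minute}: {count} distinct WordPress reflectors")
```

Counting distinct sources rather than requests is deliberate: a single chatty blog retrying a verification should not trip the alert, while thousands of distinct installs each sending one request, as observed in Campaign A, will. On the WordPress side of the reflection, an operator who cannot disable pingbacks outright can still unregister the pingback.ping method through the xmlrpc_methods filter, which removes that site from the pool of usable reflectors without affecting its other XML-RPC functions.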


ADC Survey GLOBAL FINDINGS

ADC Survey GLOBAL FINDINGS ADC Survey GLOBAL FINDINGS CONTENTS Executive Summary...4 Methodology....8 Finding 1: Attacks Getting More Difficult to Defend... 10 Finding 2: Attacks Driving High Costs to Organizations.... 14 Finding

More information

Load Balancing Security Gateways WHITE PAPER

Load Balancing Security Gateways WHITE PAPER Load Balancing Security Gateways WHITE PAPER Table of Contents Acceleration and Optimization... 4 High Performance DDoS Protection... 4 Web Application Firewall... 5 DNS Application Firewall... 5 SSL Insight...

More information

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks

How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks How valuable DDoS mitigation hardware is for Layer 7 Sophisticated attacks Stop DDoS before they stop you! James Braunegg (Micron 21) What Is Distributed Denial of Service A Denial of Service attack (DoS)

More information

Characterization and Analysis of NTP Amplification Based DDoS Attacks

Characterization and Analysis of NTP Amplification Based DDoS Attacks Characterization and Analysis of NTP Amplification Based DDoS Attacks L. Rudman Department of Computer Science Rhodes University Grahamstown g11r0252@campus.ru.ac.za B. Irwin Department of Computer Science

More information

How To Protect A Dns Authority Server From A Flood Attack

How To Protect A Dns Authority Server From A Flood Attack the Availability Digest @availabilitydig Surviving DNS DDoS Attacks November 2013 DDoS attacks are on the rise. A DDoS attack launches a massive amount of traffic to a website to overwhelm it to the point

More information

www.prolexic.com Stop DDoS Attacks in Minutes

www.prolexic.com Stop DDoS Attacks in Minutes www.prolexic.com Stop DDoS Attacks in Minutes Prolexic gives us the strong insurance policy against DDoS attacks that we were looking for. Mark Johnson, Chief Financial Officer, RealVision You ve seen

More information

CS 356 Lecture 16 Denial of Service. Spring 2013

CS 356 Lecture 16 Denial of Service. Spring 2013 CS 356 Lecture 16 Denial of Service Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access Control Lists Chapter

More information

Security Business Review

Security Business Review Security Business Review Security Business Review Q4: 2014 2 By Bitdefender Labs Security Business Review Botnet Anonymization Raises New Security Concerns Executive Overview While botnets, which are large

More information

The Advanced Cyber Attack Landscape

The Advanced Cyber Attack Landscape The Advanced Cyber Attack Landscape FireEye, Inc. The Advanced Cyber Attack Landscape 1 Contents Executive Summary 3 Introduction 4 The Data Source for this Report 5 Finding 1 5 Malware has become a multinational

More information

IptabLes/IptabLex DDoS Bots

IptabLes/IptabLex DDoS Bots IptabLes/IptabLex DDoS Bots TLP - GREEN GSI ID: 1077 Risk Factor - High OVERVIEW During Q2 2014, Akamai s Prolexic Security Engineering and Research Team (PLXsert) detected and measured distributed denial

More information

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer

2012 Infrastructure Security Report. 8th Annual Edition Kleber Carriello Consulting Engineer 2012 Infrastructure Security Report 8th Annual Edition Kleber Carriello Consulting Engineer Key Findings in the Survey* Advanced Persistent Threats (APT) a top concern for service providers and enterprises

More information

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014

DRDoS Attacks: Latest Threats and Countermeasures. Larry J. Blunk Spring 2014 MJTS 4/1/2014 DRDoS Attacks: Latest Threats and Countermeasures Larry J. Blunk Spring 2014 MJTS 4/1/2014 Outline Evolution and history of DDoS attacks Overview of DRDoS attacks Ongoing DNS based attacks Recent NTP monlist

More information

(U) Financial Sector Cyber Security

(U) Financial Sector Cyber Security (U) Financial Sector Cyber Security UNCLASSIFED//FOUO (U) Cyber Event: (U) 15 August Foreign cyber actors targeted a foreign oil company in a large-scale coordinated cyber attack, incidentally attacking

More information

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014

VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014 VERISIGN DISTRIBUTED DENIAL OF SERVICE TRENDS REPORT ISSUE 2 2ND QUARTER 2014 CONTENTS EXECUTIVE SUMMARY 3 VERISIGN-OBSERVED DDOS TRENDS FROM THE SECOND QUARTER OF 2014 4 Attack Stats 4 Mitigations by

More information

DDoS Mitigation Solutions

DDoS Mitigation Solutions DDoS Mitigation Solutions The Real Cost of DDOS Attacks Hosting, including colocation at datacenters, dedicated servers, cloud hosting, shared hosting, and infrastructure as a service (IaaS) supports

More information

[ X OR DDoS T h r e a t A d v i sory] akamai.com

[ X OR DDoS T h r e a t A d v i sory] akamai.com [ X OR DDoS T h r e a t A d v i sory] akamai.com What is the XOR DDoS threat The XOR DDoS botnet has produced DDoS attacks from a few Gbps to 150+ Gbps The gaming sector has been the primary target, followed

More information

Information Technology Solutions

Information Technology Solutions THE THREAT Organizations are making large investment in cyber defense, but are still in the dark in terms of how they would fare up against one of the simplest attacks that Cyber-criminals use to take

More information

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION

DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION DDoS ATTACKS: MOTIVES, MECHANISMS AND MITIGATION Stephen Gates Chief Security Evangelist Corero Network Security Session ID: SEC-W04 Session Classification: Intermediate Recent Headlines Are Denial of

More information

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY

QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY QUARTERLY REPORT 2015 INFOBLOX DNS THREAT INDEX POWERED BY EXPLOIT KITS UP 75 PERCENT The Infoblox DNS Threat Index, powered by IID, stood at 122 in the third quarter of 2015, with exploit kits up 75 percent

More information

Automated Mitigation of the Largest and Smartest DDoS Attacks

Automated Mitigation of the Largest and Smartest DDoS Attacks Datasheet Protection Automated Mitigation of the Largest and Smartest Attacks Incapsula secures websites against the largest and smartest types of attacks - including network, protocol and application

More information

FortiDDos Size isn t everything

FortiDDos Size isn t everything FortiDDos Size isn t everything Martijn Duijm Director Sales Engineering April - 2015 Copyright Fortinet Inc. All rights reserved. Agenda 1. DDoS In The News 2. Drawing the Demarcation Line - Does One

More information

1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS

1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS 1 2013 Infoblox Inc. All Rights Reserved. Securing the critical service - DNS Dominic Stahl Systems Engineer Central Europe 11.3.2014 Agenda Preface Advanced DNS Protection DDOS DNS Firewall dynamic Blacklisting

More information

Application DDoS Mitigation

Application DDoS Mitigation Application DDoS Mitigation Revision A 2014, Palo Alto Networks, Inc. www.paloaltonetworks.com Contents Overview... 3 Volumetric vs. Application Denial of Service Attacks... 3 Volumetric DoS Mitigation...

More information

Radware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid

Radware Security Research. Reverse Engineering a Sophisticated DDoS Attack Bot. Author: Zeev Ravid Reverse Engineering a Sophisticated DDoS Attack Bot Author: Zeev Ravid July 2015 Introduction In July 2015, Radware s Emergency Response Team (ERT) noticed a significant increased usage of the Tsunami

More information

How to Evaluate DDoS Mitigation Providers:

How to Evaluate DDoS Mitigation Providers: Akamai White Paper How to Evaluate DDoS Mitigation Providers: Four Critical Criteria How to Evaluate DDoS Mitigation Providers 2 TABLE OF CONTENTS INTRODUCTION 3 CRITERIA #1: THREAT INTELLIGENCE 3 CRITERIA

More information

DDoS Protection on the Security Gateway

DDoS Protection on the Security Gateway DDoS Protection on the Security Gateway Best Practices 24 August 2014 Protected 2014 Check Point Software Technologies Ltd. All rights reserved. This product and related documentation are protected by

More information

The Top 10 DDoS Attack Trends

The Top 10 DDoS Attack Trends WHITE PAPER The Top 10 DDoS Attack Trends Discover the Latest DDoS Attacks and Their Introduction The volume, size and sophistication of distributed denial of service (DDoS) attacks are increasing rapidly,

More information

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks

[state of the internet] / SEO Attacks. Threat Advisory: Continuous Uptick in SEO Attacks TLP: GREEN Issue Date: 1.12.16 Threat Advisory: Continuous Uptick in SEO Attacks Risk Factor High The Akamai Threat Research Team has identified a highly sophisticated Search Engine Optimization (SEO)

More information

Protection against DDoS and WEB attacks. Michael Soukonnik Radware Ltd michaels@radware.com

Protection against DDoS and WEB attacks. Michael Soukonnik Radware Ltd michaels@radware.com Protection against DDoS and WEB attacks Michael Soukonnik Radware Ltd michaels@radware.com Landscape Ponemon Research 2012: Cyber security threats Cyber security threats according to risk mitigation priority

More information

Email Threat Trend Report Second Quarter 2007

Email Threat Trend Report Second Quarter 2007 Email Threat Trend Report Second Quarter 2007, Ltd. 2550 SW Grapevine Parkway, Suite 150 Grapevine, Texas 76051 Phone: (817) 601-3222 Fax: (817) 601-3223 http://www.altn.com/ 2007 Contents Emerging Email

More information

SECURING APACHE : DOS & DDOS ATTACKS - I

SECURING APACHE : DOS & DDOS ATTACKS - I SECURING APACHE : DOS & DDOS ATTACKS - I In this part of the series, we focus on DoS/DDoS attacks, which have been among the major threats to Web servers since the beginning of the Web 2.0 era. Denial

More information

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015

Network Security. Dr. Ihsan Ullah. Department of Computer Science & IT University of Balochistan, Quetta Pakistan. April 23, 2015 Network Security Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan April 23, 2015 1 / 24 Secure networks Before the advent of modern telecommunication network,

More information

INSIGHTS FROM OPERA MEDIAWORKS

INSIGHTS FROM OPERA MEDIAWORKS INSIGHTS FROM OPERA MEDIAWORKS 9 of the top AD AGE GLOBAL ADVERTISERS OVER 800M UNIQUE USERS OVER 18,000 SITES AND APPLICATIONS Year closes out with Apple No. 1 for revenue, Android leading in traffic

More information

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks

Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection. Oğuz YILMAZ CTO Labris Networks Real Life DoS/DDOS Threats and Benefits of Deep DDOS Inspection Oğuz YILMAZ CTO Labris Networks 1 Today Labris Networks L7 Attacks L7 HTTP DDoS Detection Problems Case Study: Deep DDOS Inspection (DDI

More information

/ Staminus Communications

/ Staminus Communications / Staminus Communications Global DDoS Mitigation and Technology Provider Whitepaper Series True Cost of DDoS Attacks for Hosting Companies The most advanced and experienced DDoS mitigation provider in

More information

Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks.

Distributed Denial of Service (DDoS) attacks. Imminent danger for financial systems. Tata Communications Arbor Networks. Distributed Denial of Service (DDoS) attacks Imminent danger for financial systems Presented by Tata Communications Arbor Networks 1 Agenda Importance of DDoS for BFSI DDoS Industry Trends DDoS Technology

More information

Q4 [2014 Report] Volume 1 Number 2. akamai s [state of the internet] / security

Q4 [2014 Report] Volume 1 Number 2. akamai s [state of the internet] / security Q4 [2014 Report] Volume 1 Number 2 akamai s [state of the internet] / security TABLE OF CONTENTS 2 [SECTION] 1 = ANALYSIS + EMERGING TRENDS 3 At a glance 9 1.1 / Attack vectors 11 1.1A / Infrastructure

More information

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014

Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014 SESSION ID: SPO2-W04 Rise of the Machines: An Internet-Wide Analysis of Web Bots in 2014 John Summers VP, Security Products Akamai #RSAC The Akamai Intelligent Platform The Platform 167,000+ Servers 2,300+

More information

SecurityDAM On-demand, Cloud-based DDoS Mitigation

SecurityDAM On-demand, Cloud-based DDoS Mitigation SecurityDAM On-demand, Cloud-based DDoS Mitigation Table of contents Introduction... 3 Why premise-based DDoS solutions are lacking... 3 The problem with ISP-based DDoS solutions... 4 On-demand cloud DDoS

More information

Technical Series. A Prolexic White Paper. 12 Questions to Ask a DDoS Mitigation Provider

Technical Series. A Prolexic White Paper. 12 Questions to Ask a DDoS Mitigation Provider A Prolexic White Paper 12 Questions to Ask a DDoS Mitigation Provider Introduction Distributed Denial of Service (DDoS) attacks continue to make global headlines, but an important facet of each incident

More information

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall

Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall Protecting against DoS/DDoS Attacks with FortiWeb Web Application Firewall A FORTINET WHITE PAPER www.fortinet.com Introduction Denial of Service attacks are rapidly becoming a popular attack vector used

More information

Four Steps to Defeat a DDoS Attack

Four Steps to Defeat a DDoS Attack hite Paper Four Steps to Defeat a DDoS Attack Millions of computers around the world are controlled by cybercriminals. These computers have been infected with software robots, or bots, that automatically

More information

Four Steps to Defeat a DDoS Attack

Four Steps to Defeat a DDoS Attack WHITE PAPER Four Steps to Defeat a DDoS Attack Millions of computers around the world are controlled by cybercriminals. These computers, infected with bot malware, automatically connect to command and

More information

Distributed Denial of Service protection

Distributed Denial of Service protection Distributed Denial of Service protection The cost in terms of lost business caused by a successful DDoS attacks can be significant. Our solution recognises when a DDoS attack is happening and identifies

More information

Security Solutions for the New Threads

Security Solutions for the New Threads Security Solutions for the New Threads We see things others can t Pablo Grande Sales Director, SOLA pgrande@arbor.net What a CISO Is Looking For Show Progress on Response Time Measurably improve our incident

More information

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT

HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT HOW TO PREVENT DDOS ATTACKS IN A SERVICE PROVIDER ENVIRONMENT The frequency and sophistication of Distributed Denial of Service attacks (DDoS) on the Internet are rapidly increasing. Most of the earliest

More information