Biggest DDoS Attack in History Hammers Spamhaus

June 12, 2016 | Author: AntonioDelgado | Category: Types, Presentations

Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attack ever seen.

[Figure: DDoS attack architecture. 1. The attacker sets up a handler system. 2. The handler infects a large number of computers over the Internet (compromised PCs, or zombies). 3. The zombie systems are instructed to attack the targeted server.]


The latest run of attacks began on 18 March with a 10Gbps packet flood that saturated Spamhaus' connection to the rest of the Internet and knocked its site offline.

[Figure: Cybercrime-related IT operations (servers, software and services). A criminal and associated attackers run a Trojan command and control center backed by a crimeware toolkit database; a malicious affiliation network and legitimate compromised websites deliver the Trojan to victims; the Trojan uploads stolen data to, and receives commands from, the command and control center.]


A massive 300Gbps flood was thrown against Spamhaus' website, but the anti-spam organisation was able to recover from the attack and get its core services back up and running.


Spamhaus supplies lists of IP addresses of servers and computers on the net linked to the distribution of spam.

[Figure: Botnet formation and DDoS. The attacker infects a machine (the victim becomes a bot) and sets up a bot C&C handler; the bot looks for other vulnerable systems and infects them to create a botnet; the bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the C&C, and the bots attack a target server.]

The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers—known as open recursive resolvers or open recursors—to amplify a much smaller attack into a larger data flood. Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim's network.

[Figure: DNS reflection. The attacker sends a request to the server; the server's reply goes to the victim.]

Because the DNS server is not configured properly, it will respond to each request by sending the zone file to the victim's address, overwhelming the network. By using DNS reflection, the attacker could amplify their own bandwidth by about 100-fold, turning modest resources into a large attack, Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack. For the past week, CloudFlare has worked with Spamhaus to mitigate the latest attack.

According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.


The largest source of attack traffic against Spamhaus came from DNS reflection, launched through open DNS resolvers rather than directly via compromised networks.

[Figure: Click-fraud botnet. The attacker infects a machine (the victim becomes a bot) and sets up a bot C&C handler; the bot infects other systems and creates a botnet; the bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the C&C, and the bots generate fake customer clicks on an ad's webpage (http://adworld.com) served by an ad service provider.]

The basic technique of a DNS reflection attack is to send a request for a large DNS zone file, with the source IP address spoofed to be the intended victim, to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.

In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with the DNS zone file, collectively generating approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.
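The amplification arithmetic above (a ~36-byte ANY query answered by a ~3,000-byte response) and the mitigation an open-resolver operator applies against being used as a reflector, response rate limiting (RRL), as an added example that is not part of the deck or of CloudFlare's analysis. The log records, addresses and thresholds are constructed for illustration.

```python
from collections import defaultdict

# Sizes the deck quotes for the Spamhaus attack: a ~36-byte "ANY ripe.net"
# query (EDNS buffer 4096) answered by a ~3,000-byte response.
REQUEST_BYTES = 36
ANY_RESPONSE_BYTES = 3000

# Constructed sample resolver log (not real traffic):
# (second, response_destination_ip, qname, qtype, response_bytes).
# In a reflection attack the "client" address is the spoofed victim.
SAMPLE_LOG = [
    (0, "203.0.113.5", "ripe.net", "ANY", ANY_RESPONSE_BYTES),
    (0, "203.0.113.5", "ripe.net", "ANY", ANY_RESPONSE_BYTES),
    (0, "203.0.113.5", "ripe.net", "ANY", ANY_RESPONSE_BYTES),
    (0, "203.0.113.5", "ripe.net", "ANY", ANY_RESPONSE_BYTES),
    (1, "203.0.113.5", "ripe.net", "ANY", ANY_RESPONSE_BYTES),
    (0, "198.51.100.7", "example.com", "A", 60),
    (1, "198.51.100.7", "example.com", "AAAA", 72),
]


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker spends."""
    return response_bytes / request_bytes


def rrl_decisions(log, max_per_sec=2, min_ratio=10.0):
    """Per (destination, second): 'answer', 'truncate' or 'drop' each response.

    Only destinations whose answers outweigh their queries by >= min_ratio
    are limited: the first max_per_sec are answered, the next is sent with
    TC=1 (a real client retries over TCP, a spoofer cannot), rest dropped.
    """
    buckets = defaultdict(list)
    for sec, dst, _qname, _qtype, resp_bytes in log:
        buckets[(dst, sec)].append(resp_bytes)
    decisions = {}
    for key, sizes in buckets.items():
        ratio = sum(sizes) / (REQUEST_BYTES * len(sizes))
        if ratio < min_ratio:
            decisions[key] = ["answer"] * len(sizes)
            continue
        verdicts = []
        for i in range(len(sizes)):
            if i < max_per_sec:
                verdicts.append("answer")
            elif i == max_per_sec:
                verdicts.append("truncate")
            else:
                verdicts.append("drop")
        decisions[key] = verdicts
    return decisions
```

Strictly, 3,000/36 is about 83x; the deck and CloudFlare round this to roughly 100x.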

Spamhaus's blocklists are distributed via DNS and widely mirrored in order to ensure that they are resilient to attacks. The website, however, was unreachable and the blacklists weren't getting updated.


Because the attacker used DNS amplification, they only needed to control a botnet or cluster of servers capable of generating 750Mbps, which is possible with a small botnet or a handful of AWS instances.


CloudFlare reckons 30,000 unique DNS resolvers were involved in the attack against Spamhaus.


[Figure: Botnet ecosystem. A botnet owner controls a botnet through a C&C (Trojan command and control center) backed by a crimeware toolkit database, and buys from botnet, zero-day and malware markets. Infection paths: malicious sites, scan & intrusion, client-side vulnerabilities, redirects and emails. Monetisation: phishing, data theft, spam mass mailing, DDoS, extortion, stock fraud, scams, adverts, financial diversion, and pirated licenses, MP3 and DivX.]

Botnet Trojan: Shark (Command Control Center)

Poison Ivy: Botnet Command Control Center


Botnet Trojan: PlugBot

PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests. http://theplugbot.com

Botnet Trojans: Illusion Bot and NetBot Attacker


To know more about these attacks and how to secure your Information Systems come to CEH Class!
