Biggest DDoS Attack in History Hammers Spamhaus
Short description: The DDoS attack history...
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen.
[Figure: DDoS through a handler and compromised PCs (zombies): (1) the attacker sets up a handler system; (2) the handler infects a large number of computers over the Internet; (3) the zombie systems are instructed to attack the targeted server.]
The latest run of attacks began on 18 March with a 10Gbps packet flood that saturated Spamhaus' connection to the rest of the Internet and knocked its site offline.
[Figure: Cybercrime-related IT operations (servers, software, and services): attackers and the criminal operate a Trojan command and control center backed by a crimeware toolkit database; a malicious affiliation network and legitimate compromised websites deliver the Trojan to victims; the Trojan uploads stolen data to, and receives commands from, the command and control center.]
A massive 300Gbps flood was thrown against Spamhaus' website, but the anti-spam organisation was able to recover from the attack and get its core services back up and running.
Spamhaus supplies lists of IP addresses for servers and computers on the net linked to the distribution of spam.
[Figure: Building a botnet and using it for DDoS: the attacker sets up a bot C&C handler and infects a machine (the victim bot); the bot looks for other vulnerable systems and infects them to create the botnet; the bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the C&C; the bots (zombies) attack the target server.]
The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers—known as open recursive resolvers or open recursors—to amplify a much smaller attack into a larger data flood. Known as DNS reflection, the technique uses requests for a relatively large zone file that appear to be sent from the intended victim's network.
[Figure: DNS reflection: the attacker sends a request to the server with the victim's address as the source, and the server's reply goes to the victim.]
Because the DNS server is not configured properly, it will respond to each request by sending the zone file to the victim's address, overwhelming the network. By using DNS reflection, the attacker could amplify their own bandwidth by about 100-fold, turning modest resources into a large attack, Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack. For the past week, CloudFlare has worked with Spamhaus to mitigate the latest attack.
According to CloudFlare, the majority of the attack was traffic sent using a technique called DNS (domain name system) reflection. Under normal circumstances, DNS resolvers wait for a user request, such as a lookup for the IP address for a domain name, then respond accordingly.
The largest source of attack traffic against Spamhaus came from DNS reflection, launched through open DNS resolvers rather than directly via compromised networks.
[Figure: A botnet used for click fraud: the attacker sets up a bot C&C handler and infects a machine (the victim bot); the bot infects other systems and creates the botnet; the bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through the C&C; the bots (zombies) generate fake customer clicks on the ad's webpage (http://adworld.com) served by the ad service provider.]
The basic technique of a DNS reflection attack is to send a request for a large DNS zone file, with the source IP address spoofed to be the intended victim, to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.
In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with the DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.
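As an added example (not from the original slides or from CloudFlare), the following Python computes the amplification described above from the approximate 36-byte request and 3,000-byte response (about 83x, which the analysis rounds to roughly 100x) and flags the pattern a defender would look for in flow records: one destination receiving large DNS answers from many distinct resolvers. The flow records, addresses and the `qtype` field are constructed assumptions, not data from the page.

```python
# Added example (not from the original slides): estimate DNS reflection
# amplification and flag reflected DNS responses in flow records.
from collections import defaultdict

REQUEST_BYTES = 36     # approximate size of the ANY query cited in the article
RESPONSE_BYTES = 3000  # approximate size of the ripe.net ANY response cited

def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker actually sends."""
    return response_bytes / request_bytes

def attack_bandwidth_mbps(attacker_mbps, request_bytes, response_bytes):
    """Traffic arriving at the victim for a given attacker send rate (Mbps)."""
    return attacker_mbps * amplification_factor(request_bytes, response_bytes)

def find_reflection_targets(flows, min_resolvers=3, min_bytes=1000):
    """Group large DNS answers (sport 53) by destination; a host receiving big
    answers from many distinct resolvers is a likely reflection victim.
    Returns {dst: (distinct_resolvers, total_bytes, any_responses)}."""
    by_dst = defaultdict(lambda: {"resolvers": set(), "bytes": 0, "any": 0})
    for f in flows:
        if f["sport"] != 53 or f["bytes"] < min_bytes:
            continue  # not a large DNS answer; ignore
        rec = by_dst[f["dst"]]
        rec["resolvers"].add(f["src"])
        rec["bytes"] += f["bytes"]
        if f["qtype"] == "ANY":
            rec["any"] += 1
    return {dst: (len(r["resolvers"]), r["bytes"], r["any"])
            for dst, r in by_dst.items()
            if len(r["resolvers"]) >= min_resolvers}

# Constructed flow records (hypothetical addresses): three open resolvers answer
# ANY queries toward one host; the last record is a normal small A answer.
SAMPLE_FLOWS = [
    {"src": "198.51.100.10", "dst": "203.0.113.5", "sport": 53, "dport": 43211, "bytes": 3000, "qtype": "ANY"},
    {"src": "198.51.100.11", "dst": "203.0.113.5", "sport": 53, "dport": 43212, "bytes": 2900, "qtype": "ANY"},
    {"src": "198.51.100.12", "dst": "203.0.113.5", "sport": 53, "dport": 43213, "bytes": 3100, "qtype": "ANY"},
    {"src": "198.51.100.10", "dst": "192.0.2.7", "sport": 53, "dport": 51000, "bytes": 120, "qtype": "A"},
]

if __name__ == "__main__":
    factor = amplification_factor(REQUEST_BYTES, RESPONSE_BYTES)
    print(f"amplification ~{factor:.0f}x; 750 Mbps in -> "
          f"{attack_bandwidth_mbps(750, REQUEST_BYTES, RESPONSE_BYTES) / 1000:.1f} Gbps out")
    for dst, (n, total, n_any) in find_reflection_targets(SAMPLE_FLOWS).items():
        print(f"{dst}: {n} resolvers, {total} bytes, {n_any} ANY answers")
```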
Spamhaus's blocklists are distributed via DNS and widely mirrored in order to ensure that they are resilient to attacks. The website, however, was unreachable and the blacklists weren't getting updated.
Because the attacker used DNS amplification, they only needed to control a botnet or cluster of servers able to generate 750Mbps, which is possible with a small-sized botnet or a handful of AWS instances.
CloudFlare reckons 30,000 unique DNS resolvers were involved in the attack against Spamhaus.
[Figure: Botnet ecosystem: the botnet owner runs the C&C (Trojan command and control center) and a crimeware toolkit database; bots are acquired through a malicious site, scan & intrusion, the botnet market, the zero-day market, the malware market, client-side vulnerabilities and redirects; the botnet is monetised through licenses (MP3, DivX), financial diversion, phishing, data theft, emails, spam mass mailing, DDoS, extortion, stock fraud, scams and adverts.]
Botnet Trojan: Shark (command control center screenshot)
Poison Ivy: Botnet Command Control Center
Botnet Trojan: PlugBot
PlugBot is a hardware botnet project. It is a covert penetration-testing device (bot) designed for use during physical penetration tests. http://theplugbot.com
Botnet Trojans: Illusion Bot and NetBot Attacker
To know more about these attacks and how to secure your information systems, come to the CEH class!