Tying the Bot: The Marriage of DDoS & Botnets
DESCRIPTION
View this presentation to learn more about the evolution of DDoS attacks and the impact that botnets, which have grown in sophistication recently, have had on the size, scope and scale of DDoS attacks in recent years.
TRANSCRIPT
Tying the Bot: The Marriage of DDoS & Botnets
Presenter: Rakesh Shah, Director of Product Marketing
Who is Arbor Networks?
A Trusted & Proven Vendor Securing the World’s Largest and Most Demanding Networks
90% – Percentage of the world’s Tier 1 service providers who are Arbor customers
105 – Number of countries with Arbor products deployed
25 Tbps – Amount of global traffic monitored by the ATLAS security intelligence initiative right now
#1 – Arbor market position in Carrier, Enterprise and Mobile DDoS equipment markets – more than 450 customers [Infonetics Research July 2012]
12 – Number of years Arbor has been delivering innovative security and network visibility technologies & products
$16B – 2011 GAAP revenues [USD] of Danaher – Arbor’s parent company providing deep financial backing
Agenda
Distributed Denial of Service (DDoS) Overview
Introduction into Bots and Botnets
How Botnets are Used to Launch DDoS Attacks
Examples of Botnets Used for DDoS Attacks
Arbor’s Solution for Stopping DDoS and Botnets Attacks
Agenda: Distributed Denial of Service (DDoS) Overview
What is a DDoS Attack?
During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sources overwhelm the target with illegitimate traffic so that the servers cannot respond to legitimate clients.
DDoS Attack Vectors
Volumetric Attacks
– Usually botnets with traffic from spoofed IPs generating high traffic volume
– UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
– Take out the infrastructure capacity – routers, switches, servers, links
Reflection Flood Attacks
– Use a legitimate resource to amplify an attack to a destination
– Send a request to an IP that will yield a big response, spoofing the source IP address to that of the actual victim
– DNS reflective amplification is a good attack example
[Figure: DNS reflection – the attacker sends a DNS request whose source address is spoofed to the victim; the DNS server responds to the request from the spoofed source; the DNS response is many times larger than the request; repeated many times.]
[Figure: Botnet overlay across the Internet backbone – endpoints in broadband, enterprise, corporation and provider networks become infected (B = bot); bots connect to a C&C to create an overlay network (or botnet); the botmaster (BM) commands the bots and the bots attack.]
DDoS Attack Vectors
State Exhausting Attacks – Take advantage of the stateful nature of the TCP protocol
– SYN, FIN, RST Floods
– TCP connection attacks
– Exhaust resources in servers, load balancers or firewalls
Application Layer Attacks – Exploit limitations, scale and functionality of specific applications
– Can be low-and-slow
– HTTP GET & POST, SIP INVITE floods
– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc.
[Figure: TCP SYN flood – the client sends SYN(C); the server replies SYN(S), ACK(C), keeps listening and stores data (connection state, etc.); repeated many times until the system runs out of TCP listener sockets or out of memory for stored state.]
Modern DDoS Attacks Are Complex
Today’s DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) application outages – many times one attack can result in all three – and all with the same end result: critical services are no longer available!
[Figure: The Broad Impact of DDoS Attacks – attack traffic (from tools such as HOIC and LOIC) mixed with good traffic, passing through the IPS and load balancer into the data center.]
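The vectors above (volumetric, DNS reflection, state exhaustion, application layer) each leave a different footprint in flow telemetry, which is how a network operator tells them apart before choosing a mitigation. The following Python script is an added example, not part of the presentation and not Arbor code: it takes one export window of NetFlow/IPFIX-style records and labels each destination with the vectors it shows signs of. The Flow fields, the thresholds, and the sample addresses (RFC 5737 ranges) are assumptions for illustration; in a real deployment the thresholds come from a baseline of normal traffic.

```python
"""Label each destination in a window of flow records with the DDoS vectors it
shows signs of. Added example: the records below are constructed, and the
thresholds are illustrative defaults rather than tuned values."""
from collections import defaultdict
from dataclasses import dataclass

WINDOW_SECONDS = 10.0  # all records below fall in one 10-second export window


@dataclass(frozen=True)
class Flow:
    """One aggregated flow record (NetFlow/IPFIX-style fields, constructed)."""
    src: str
    sport: int
    dst: str
    dport: int
    proto: str              # "tcp" or "udp"
    nbytes: int             # bytes carried by the flow
    tcp_flags: str = ""     # cumulative TCP flags: "S" = SYN only, "PA" = data seen
    http_requests: int = 0  # requests counted by an L7-aware exporter, if any


def classify_destinations(flows, *, volumetric_mbps=100.0, min_syn_only=50,
                          syn_only_ratio=0.8, app_rps=50.0):
    """Return {dst: [labels]} for every destination seen in the window."""
    by_dst = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)
    # Every (client, resolver) pair for which an outbound DNS query was seen.
    # A DNS answer with no matching query is unsolicited, i.e. reflected.
    dns_queries = {(f.src, f.dst) for f in flows if f.proto == "udp" and f.dport == 53}

    labels = {}
    for dst, fl in by_dst.items():
        found = []
        # 1. Volumetric: raw bit rate toward the destination.
        mbps = sum(f.nbytes for f in fl) * 8 / WINDOW_SECONDS / 1e6
        if mbps >= volumetric_mbps:
            found.append("volumetric")
        # 1b. Reflection: DNS answers (source port 53) the destination never asked for.
        if any(f.proto == "udp" and f.sport == 53 and (dst, f.src) not in dns_queries
               for f in fl):
            found.append("dns-reflection")
        # 2. State exhaustion: TCP flows that stay SYN-only (handshake never completes).
        tcp = [f for f in fl if f.proto == "tcp"]
        syn_only = [f for f in tcp if f.tcp_flags == "S"]
        if (tcp and len(syn_only) >= min_syn_only
                and len(syn_only) / len(tcp) >= syn_only_ratio):
            found.append("state-exhaustion")
        # 3. Application layer: request rate, independent of byte volume.
        if sum(f.http_requests for f in fl) / WINDOW_SECONDS >= app_rps:
            found.append("application-layer")
        labels[dst] = found
    return labels


def sample_flows():
    """Constructed window: one victim hit by every vector, one quiet web server."""
    victim, web = "203.0.113.10", "203.0.113.20"
    flows = []
    # Reflected DNS answers: 20 open resolvers each deliver 25 MB the victim never requested.
    for i in range(20):
        flows.append(Flow(f"198.51.100.{i + 1}", 53, victim, 4567, "udp", 25_000_000))
    # SYN flood: 200 spoofed sources, each flow only ever carries a SYN.
    for i in range(200):
        flows.append(Flow(f"192.0.2.{i + 1}", 40000 + i, victim, 80, "tcp", 60, "S"))
    # HTTP GET flood: 10 bots, 100 requests each, on completed connections.
    for i in range(10):
        flows.append(Flow(f"192.0.2.{i + 1}", 50000 + i, victim, 80, "tcp", 120_000, "PA", 100))
    # Normal traffic to the web server: completed connections with a few requests,
    # plus a legitimate DNS exchange (query first, then the matching answer).
    for i in range(30):
        flows.append(Flow(f"192.0.2.{201 + i}", 51000 + i, web, 443, "tcp", 8_000, "PA", 3))
    flows.append(Flow(web, 33000, "198.51.100.1", 53, "udp", 80))
    flows.append(Flow("198.51.100.1", 53, web, 33000, "udp", 300))
    return flows


if __name__ == "__main__":
    for dst, found in classify_destinations(sample_flows()).items():
        print(dst, ", ".join(found) or "no DDoS indicators")
```

The reflection check is the one worth noting: rather than keying on size alone, it pairs each inbound DNS answer with an outbound query from the same client, so the web server's own resolver exchange is left alone while the victim's unsolicited 25 MB answers are flagged.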
How is DDoS Evolving?
• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.
• Arbor World-Wide Infrastructure Security Survey, 2011
– 7th Annual Survey
– Concerns, observations and experiences of the security community
– 114 respondents, broad spread of customers from around the world
• Arbor ATLAS Internet Trends
– 250+ Arbor customers
– Hourly export of anonymized DDoS and traffic statistics
Large Attacks are Now Commonplace
• Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
• 13% of respondents report attacks above 10 Gbps
• 40% of respondents report attacks above 1 Gbps
• Largest pps attack reported is 35 Mpps, keeping pace with 2010
[Figure: Largest Attack in Gbps, by year]
Year  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011
Gbps  0.14  1.2   2.5   10    17    24    40    49    100   60
[Figure: Highest BPS DDoS in 2011 (pie chart) – > 10 Gbps 13%, 1–10 Gbps 27%; the remaining two slices, < 1 Gbps and Don't Know, are 43% and 17%.]
Key Findings in the 2011 Survey
• A higher percentage of attacks reported on HTTP and IRC relative to 2010 – HTTP (87% vs. 84%) and IRC (11% vs. 0%)
• Lower percentage of attacks on DNS, SMTP, HTTPS and VOIP – DNS (67% vs. 76%), SMTP (25% vs. 40%), HTTPS (24% vs. 35%) and VOIP (19% vs. 38%)
• SSL-based attacks reported included TCP and UDP floods against port 443 and Slowloris
Application Layer and Multi-Vector Attacks
Services Targeted by Application Layer DDoS Attacks (share of respondents):
HTTP 87%
DNS 67%
SMTP 25%
HTTPS 24%
SIP/VOIP 19%
IRC 11%
Other 7%
[Figure: pie chart – Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? Legend: Don't Know, No, Yes; slice values 27%, 41%, 32%.]
Key Findings in the 2011 Survey – Attack Frequencies Increasing
• 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
• 44% of respondents see 10 or more attacks per month, up from 35% in 2010
Number of DDoS Attacks per Month (share of respondents):
0: 9%
1 - 10: 47%
10 - 20: 15%
20 - 50: 7%
50 - 100: 10%
100 - 500: 11%
> 500: 1%
Agenda: Introduction into Bots and Botnets
Bots: Putting the ‘(D)’ in (D)DoS
• “Got bot?”
• A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or Worm.
• Communicates with a handler or controller via public IRC servers, social media, or other compromised systems.
• A botmaster or botherder commands bots to perform any of a number of different functions.
• The system of bots and controller(s) is referred to as a botnet.
Botnets: “Black Market Clouds”
• Each botnet represents a ‘black market’ cloud
• Can be built with ‘off the shelf’ malware
• Becoming more profitable than SPAM
• Popular for:
– Competitive advantage
– Extortion
– Hacktivism
– Political
– Ego-driven
– Distraction from other cyber-crimes
Botnets: Identity Theft & Fraud
Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will be stolen in 2011.
“full creds”
Botnets: Getting More Sophisticated
Key Loggers – Gotta get those “full creds”
Drop Sites
Click Fraud
Bot Trading & Marketing
– .net – $.05
– .gov – $1.00
– nasa.gov – $.05
“Better Marketing by the Botherders”
– Excellent ping & uptime
– Rotating IP addresses
– Different ISPs
– Intuitive User Interface
– SLAs – 100 percent uptime guarantee!
Botnets: It’s Getting Personal
Phishing Systems
– Command & Control
– Hosting phishing sites
– Lift email addresses
– Spam phishing messages
– Drop Sites
– All bots!
Web server log entries (note the referer strings):
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)"
Smart Bots: Disable Updates, Speed Tests
• Engineer around current AV DBs
• Disable auto-update functions
• Evaluate connectedness of asset
Upon compromise, perform browser-esque speed tests to the following sites using Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar 4.3.1.0):
www.nifty.com, www.d1asia.com, www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.above.net, www.level3.com, nitro.ucsc.edu, www.burst.net, www.cogentco.com, www.rit.edu, www.nocster.com, www.verio.com, www.stanford.edu, www.xo.net, de.yahoo.com, www.belwue.de, www.switch.ch, www.1und1.de, verio.fr, www.utwente.nl, www.schlund.net
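The log entries above are what a web server sees from an HTTP GET flood: many identical requests in the same second, a bare “Mozilla/4.0 (compatible)” User-Agent that a real browser never sends on its own, and referer headers used to taunt the victim. The following Python script is an added example, not part of the presentation: it parses combined-format access log lines, counts requests per client per second, measures the share of requests carrying the bare User-Agent, and lists the referer hosts, so the output can feed a rate limit or block list. The log lines it analyzes are constructed (RFC 5737 addresses, example.net and example.com hosts) in the same shape as the entries above, and the thresholds are illustrative.

```python
"""Spot an HTTP GET flood in web server access logs. Added example; the log
lines in sample_log() are constructed, not taken from a real server."""
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/nginx "combined" format: ip ident user [time] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The truncated client string seen in the bot traffic; real browsers send a much
# longer User-Agent, so a site where most hits carry exactly this is a flood signal.
BARE_UA = "Mozilla/4.0 (compatible)"


def parse_line(line):
    """Return a dict of the fields, or None when the line is not combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["second"] = rec["ts"].split(" ")[0]  # drop the timezone, keep 1 s resolution
    return rec


def analyze(lines, rps_threshold=20, bare_ua_share=0.5):
    """Summarize flood indicators across a batch of log lines."""
    records = [r for r in map(parse_line, lines) if r]
    # Requests per (client, second); a client above the threshold is flagged with
    # its busiest second.
    per_ip_second = Counter((r["ip"], r["second"]) for r in records)
    flagged = {}
    for (ip, _sec), n in per_ip_second.items():
        if n >= rps_threshold:
            flagged[ip] = max(n, flagged.get(ip, 0))
    bare = sum(1 for r in records if r["ua"] == BARE_UA)
    share = bare / len(records) if records else 0.0
    hosts = set()
    for r in records:
        host = urlsplit(r["referer"]).hostname if r["referer"] != "-" else None
        if host:
            hosts.add(host)
    return {
        "parsed": len(records),
        "flagged_ips": flagged,
        "bare_ua_share": round(share, 3),
        "bare_ua_flood": share >= bare_ua_share,
        "referer_hosts": sorted(hosts),
    }


def sample_log():
    """Constructed lines: three bots hammering / in one second, five normal visitors."""
    lines = []
    for ip in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        for _ in range(40):
            lines.append(f'{ip} - - [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 '
                         f'"http://taunt.example.net" "{BARE_UA}"')
    browser_ua = "Mozilla/5.0 (Windows NT 5.1; rv:1.8) Gecko/20070101 Firefox/2.0"
    for i in range(5):
        lines.append(f'198.51.100.{i + 1} - - [19/Feb/2007:15:10:{15 + i} +0000] '
                     f'"GET /page{i}.html HTTP/1.1" 200 5123 "http://www.example.com/" "{browser_ua}"')
    lines.append("this line is malformed and must be skipped, not crash the parser")
    return lines


if __name__ == "__main__":
    for key, value in analyze(sample_log()).items():
        print(f"{key}: {value}")
```

Per-client rate is the per-source signal and the bare User-Agent share is the whole-site signal; a flood from many low-rate bots can stay under the first while still dominating the second, which is why both are reported.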
Smart Botnets: Management & Statistics
• Performance statistics
• Web-based user interfaces
Agenda: How Botnets are Used to Launch DDoS Attacks
Anatomy of a DDoS Attack from a Botnet
[Figure: Internet backbone connecting enterprises, hosting providers, broadband users and the DDoS target’s provider – systems become infected; bots connect to a C&C to create an overlay network (botnet); the controller connects and the botnet master issues the attack command; bots attack.]
Popular Botnets Used for DDoS Attacks
Mariposa
Darkness
Dirt Jumper
G-Bot
Cutwail
Erzengel
Zemra
JKDDoS
YoyoDDoS
Darkshell
Avzhan
Agenda: Examples of Botnets Used for DDoS Attacks
Dirt Jumper Botnets Used for DDoS
• 500+ Dirt Jumper family bots analyzed by ASERT
– Each Dirt Jumper botnet can last months and attack hundreds (or more) of victims during its lifecycle
• Features UDP, TCP, HTTP attacks, “anti-ddos” attacks
– Actively developed, widely used commercially
– Includes: Dirt Jumper version 3, Dirt Jumper version 5, Pandora, DiBotnet, Khan
Dirt Jumper Brings Down Electronic Trading
• DirtJumper DDoS botnet impacted the site for 3-4 days
Commercial DDoS Product – Dirt Jumper 3
• Version 3 is quite popular
• Anti-DDoS attacks mentioned – designed to bypass anti-DDoS defenses
– A more recent innovation from the attackers
Dirt Jumper Botnet Attacks August 2012
• Arbor’s Bladerunner project samples the DDoS bot population
• Bladerunner observed approx. 2000 unique DDoS attacks in August 2012 from 68 botnets
• Of these, we analyzed 25 Dirt Jumper botnets to observe 301 unique attacks on a variety of targets
– Some attacks lasted days
• Many website targets with 100+ virtual hosts
• Many attacks on HTTP, but we also saw attacks on HTTPS, SMTP, MySQL
Dirt Jumper’s Global Presence
• Dirt Jumper Command & Control Points
Commercial DDoS Product – Dirt Jumper v5
• Dirt Jumper v5 has leaked in the underground
Commercial DDoS Services
• No DDoS capabilities in this RAT
• However, this is a good example of password theft
Dirt Jumper Botnet Victims August 2012
Commercial DDoS Product – Pandora
• View of control panel – used by the botmaster to launch DDoS attacks
• Originally sold for $800, cracked version for $100, also has been leaked (free)
• Attacks look just like Dirt Jumper 5 and Khan bots
• Appeared early 2012
Commercial DDoS Product – Di BoTNet
• Re-uses Dirt Jumper code, adds a “bot killer” feature to eliminate the competition from infected computers
• Early 2012
Commercial DDoS Product – Darkness Botnet
• 45,000 bots over the botnet lifetime
• 6900 currently online
Bot – “DarkShell”
• In 2010, this bot was seen to attack industrial food processor equipment vendors.
Commercial DDoS Product – Armageddon
• Very popular bot, active competitor to other Russian bots
• Involved in politically motivated attacks in Russia
• In addition to HTTP, has attacked remote desktop, FTP, SSH
One-Stop Shopping for DDoS Botnets
Agenda: Arbor’s Solution for Stopping DDoS and Botnets Attacks
Arbor Products & Services
[Figure: Peakflow SP and TMS for Service Providers, Pravail NSI and APS for Enterprises, spanning Visibility and Protection; Products and Services include Research, Support and Security Response.]
Arbor’s Key Technologies
Visibility
Flow Intelligence – Arbor’s products are the premier analyzers of full network flow data, providing holistic traffic & security visibility.
Application Intelligence – Arbor’s products offer deep insight into applications and services as more services move to standard ports.
Global Intelligence – Arbor’s products leverage the real-time, Internet-wide visibility of the ATLAS initiative to detect and stop active threats.
Protection
Availability Engine – Arbor’s core packet analysis & blocking engine can stop, and is also immune to, all threats against availability.
Botnets & Malware – Arbor’s Security & Emergency Response Team (ASERT) conducts unique research into botnets and malware.
Cloud Signaling – Arbor’s proprietary protocol enables signaling from the enterprise edge to the cloud for complete protection.
Peakflow Products
Peakflow SP (Visibility) – Models: CP-5500, PI-5500, BI-5500, FS-5500
The Peakflow Service Provider (SP) solution collects and analyzes Flow, BGP, and SNMP data; conducts network anomaly detection for security visibility; provides a user interface for managed services; and offers massive scale to meet the needs of the world’s largest service providers and cloud operators.
Peakflow TMS (Protection) – Models: TMS-1200, TMS-2500, TMS-3000 Series, TMS-4000 Series
The Peakflow Threat Management System (TMS) is built for high-performance, carrier-class networks and used for surgical mitigation of DDoS attack traffic with no additional latency for legitimate traffic; it also serves as a protection platform for in-cloud managed security services.
Pravail Products
Pravail NSI (Visibility) – Models: X-CONT-1, X-COL-8K32/16K, X-COL-AIC, X-VIRTUAL
The Pravail Network Security Intelligence (NSI) collects and analyzes flow and raw packet data; detects botted users and endpoints; and provides application-level and pervasive security intelligence across the enterprise network.
Pravail APS (Protection) – Models: APS-2104, APS-2105, APS-2107, APS-2108
The Pravail Availability Protection System (APS) provides out-of-the-box protection from attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; supports a dynamic threat feed from ATLAS to stop botnets; supports inline deployment models; and can send cloud signals upstream.
The ATLAS Initiative
The ATLAS initiative is the world’s most comprehensive Internet monitoring & security intelligence system.
Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal
ATLAS intelligence is seamlessly integrated into Arbor products and services including real-time services, global threat intelligence and insight into key Internet trends.
ASERT, Arbor’s Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.
[Figure: ATLAS Intelligence Feed & Active Threat Feed (ATF).]
The Cloud Signaling Coalition
[Figure: an Internet Service Provider running an Arbor Peakflow SP / TMS-based DDoS service in front of its subscriber networks, and an enterprise data center network with Arbor Pravail APS ahead of the Firewall / IPS / WAF and the public-facing servers.]
1. Service Operating Normally
2. Attack Begins & Blocked by Pravail
3. Attack Grows Exceeding Bandwidth
4. Cloud Signal Launched
5. Customer Fully Protected!
Cloud Signaling Status
Unite the enterprise & service providers via Arbor’s Cloud Signaling Coalition
Arbor’s Threat Ecosystem
The Arbor ecosystem between service providers & enterprise data centers offers unique insight into emerging and active threats.
[Figure: Service Providers and Enterprise Data Centers.]
Enterprise data center services are now fully protected!
Thank You