Tying the Bot: The Marriage of DDoS & Botnets

Presenter: Rakesh Shah, Director of Product Marketing

Upload: arbor-networks

Post on 06-May-2015

DESCRIPTION

View this presentation to learn more about the evolution of DDoS attacks and the impact that botnets -- which have grown in sophistication recently -- have had on the size, scope and scale of DDoS attacks in recent years.

TRANSCRIPT

Page 1: Tying the Bot: The Marriage of DDoS & Botnets

Tying the Bot: The Marriage of DDoS & Botnets

Presenter: Rakesh Shah, Director of Product Marketing

Page 2

Who is Arbor Networks?

A Trusted & Proven Vendor Securing the World's Largest and Most Demanding Networks

• 90%: percentage of the world's Tier 1 service providers who are Arbor customers
• 105: number of countries with Arbor products deployed
• 25 Tbps: amount of global traffic monitored by the ATLAS security intelligence initiative right now
• #1: Arbor's market position in the Carrier, Enterprise and Mobile DDoS equipment markets; more than 450 customers [Infonetics Research, July 2012]
• 12: number of years Arbor has been delivering innovative security and network visibility technologies & products
• $16B: 2011 GAAP revenues (USD) of Danaher, Arbor's parent company, providing deep financial backing

Page 3

Agenda

Distributed Denial of Service (DDoS) Overview

Introduction into Bots and Botnets

How Botnets are Used to Launch DDoS Attacks

Examples of Botnets Used for DDoS Attacks

Arbor’s Solution for Stopping DDoS and Botnets Attacks

Page 4

Agenda (repeat of the Page 3 slide, introducing the section "Distributed Denial of Service (DDoS) Overview")

Page 5

What is a DDoS Attack?

During a Distributed Denial of Service (DDoS) attack, compromised hosts (bots) coming from distributed sources overwhelm the target with illegitimate traffic so that its servers cannot respond to legitimate clients.

Page 6

DDoS Attack Vectors

Volumetric Attacks
– Usually botnets with traffic from spoofed IPs generating high traffic volume
– UDP-based floods from spoofed IPs take advantage of the connectionless UDP protocol
– Take out infrastructure capacity: routers, switches, servers, links

Reflection Flood Attacks
– Use a legitimate resource to amplify an attack to a destination
– Send a request to an IP that will yield a big response, spoofing the source IP address to that of the actual victim
– DNS reflective amplification is a good example of this attack

[Diagram: DNS reflection/amplification. The attacker sends DNS requests to a DNS server with the source address spoofed to the victim; the DNS server responds to the spoofed source, and the DNS response is many times larger than the request. Repeated many times.]

[Diagram: Internet backbone linking broadband, enterprise and provider networks. Endpoints become infected; the bots (B) connect to a C&C to create an overlay network (or botnet); the botmaster (BM) directs the bots to attack.]

Page 7

DDoS Attack Vectors

State-Exhausting Attacks
– Take advantage of the stateful nature of the TCP protocol
– SYN, FIN, RST floods
– TCP connection attacks
– Exhaust resources in servers, load balancers or firewalls

Application-Layer Attacks
– Exploit limitations, scale and functionality of specific applications
– Can be low-and-slow
– HTTP GET & POST floods, SIP INVITE floods
– Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, RefRef, hash collision, etc.
– Tools pictured: HOIC, LOIC

[Diagram: SYN flood. The client sends SYN(C); the listening server replies SYN(S), ACK(C) and stores data (connection state, etc.). Repeated many times, the system runs out of TCP listener sockets or out of memory for the stored state.]
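The three vector families above (volumetric floods, DNS reflection and TCP state exhaustion) leave different fingerprints in flow telemetry. The following is an added example for this page, not Arbor code and not the Peakflow detection logic: a small Python triage function over constructed NetFlow-style records, with assumed thresholds (MIN_SOURCES, VOLUMETRIC_MIN_BPS, REFLECTION_MIN_BYTES_PER_PKT, SYN_FLOOD_MIN_SYN_PER_SEC) chosen for illustration. The reflection rule keys on what the slide's diagram shows, port-53 answers far larger than a query arriving from many resolvers the victim never queried; the SYN rule keys on SYN-only flows that never carry an ACK.

```python
"""Flow-based triage for the vector families on the slide: UDP volumetric floods,
DNS reflection/amplification and TCP state exhaustion (SYN floods).
Added example for this page, not Arbor code.  Records and thresholds are
constructed/assumed for illustration."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str           # "udp" or "tcp"
    sport: int
    dport: int
    packets: int
    octets: int
    tcp_flags: str = ""  # cumulative flags seen in the flow; "S" means SYN only, never ACKed


# Assumed thresholds for a one-second window (illustrative, not product settings).
MIN_SOURCES = 20                     # distinct sources before we call an attack "distributed"
VOLUMETRIC_MIN_BPS = 50_000_000      # 50 Mbit/s of UDP aimed at one host
REFLECTION_MIN_BYTES_PER_PKT = 512   # DNS answers this large are amplification-grade
SYN_FLOOD_MIN_SYN_PER_SEC = 100      # half-open connections per second


def classify(flows: List[Flow], window_seconds: float = 1.0) -> Dict[str, List[dict]]:
    """Group flows by destination and report which vector families hit each host."""
    by_dst: Dict[str, List[Flow]] = defaultdict(list)
    for f in flows:
        by_dst[f.dst].append(f)

    findings: Dict[str, List[dict]] = defaultdict(list)
    for dst, fl in by_dst.items():
        udp = [f for f in fl if f.proto == "udp"]
        udp_bps = sum(f.octets for f in udp) * 8 / window_seconds
        udp_sources = {f.src for f in udp}
        # Volumetric: raw bit rate from many (usually spoofed) sources saturates the link.
        if udp_bps >= VOLUMETRIC_MIN_BPS and len(udp_sources) >= MIN_SOURCES:
            findings[dst].append({"vector": "udp_volumetric",
                                  "mbps": round(udp_bps / 1e6, 1),
                                  "sources": len(udp_sources)})
        # Reflection: large answers from port 53 of many resolvers the victim never queried.
        # A big DNSSEC answer from the victim's own resolver is solicited and must not count.
        queried = {f.dst for f in flows
                   if f.src == dst and f.proto == "udp" and f.dport == 53}
        reflected = [f for f in udp
                     if f.sport == 53 and f.packets
                     and f.octets / f.packets >= REFLECTION_MIN_BYTES_PER_PKT
                     and f.src not in queried]
        reflectors = {f.src for f in reflected}
        if len(reflectors) >= MIN_SOURCES:
            pkts = sum(f.packets for f in reflected)
            findings[dst].append({"vector": "dns_reflection",
                                  "reflectors": len(reflectors),
                                  "avg_bytes_per_pkt": round(sum(f.octets for f in reflected) / pkts, 1)})
        # State exhaustion: SYN-only flows from many sources; the server keeps half-open
        # state (and a listener backlog slot) for each until it times out.
        syn_only = [f for f in fl if f.proto == "tcp" and f.tcp_flags == "S"]
        syn_sources = {f.src for f in syn_only}
        if (len(syn_only) / window_seconds >= SYN_FLOOD_MIN_SYN_PER_SEC
                and len(syn_sources) >= MIN_SOURCES):
            findings[dst].append({"vector": "syn_flood",
                                  "syn_per_sec": round(len(syn_only) / window_seconds),
                                  "sources": len(syn_sources)})
    return dict(findings)


def _constructed_window() -> List[Flow]:
    """One second of made-up flow records (constructed sample, not real telemetry)."""
    flows: List[Flow] = []
    # Victim A: 40 open resolvers answer queries it never sent, ~3000 bytes per answer...
    flows += [Flow(f"198.51.100.{i}", "203.0.113.10", "udp", 53, 40000 + i, 10, 30_000)
              for i in range(1, 41)]
    # ...plus one solicited, DNSSEC-sized answer from the resolver it really asked.
    flows.append(Flow("203.0.113.10", "192.0.2.53", "udp", 40001, 53, 1, 80))
    flows.append(Flow("192.0.2.53", "203.0.113.10", "udp", 53, 40001, 1, 3_500))
    # Victim B: 200 spoofed sources blast 1400-byte UDP packets at port 80.
    flows += [Flow(f"100.64.0.{i}", "203.0.113.20", "udp", 50000, 80, 1_000, 1_400_000)
              for i in range(1, 201)]
    # Victim C: 150 spoofed sources each leave one half-open connection (SYN only)...
    flows += [Flow(f"100.64.1.{i}", "203.0.113.30", "tcp", 1024 + i, 443, 1, 60, "S")
              for i in range(1, 151)]
    # ...while five real clients complete their handshakes ("SA": SYN and ACK both seen).
    flows += [Flow(f"198.18.0.{i}", "203.0.113.30", "tcp", 51000 + i, 443, 12, 9_000, "SA")
              for i in range(1, 6)]
    return flows


SAMPLE_FLOWS = _constructed_window()

if __name__ == "__main__":
    for victim, hits in classify(SAMPLE_FLOWS).items():
        for hit in hits:
            print(victim, hit)
```

The caveat the reflection rule encodes is worth keeping in any real implementation: a single large DNSSEC answer from the victim's own resolver is solicited traffic, so the function first collects the resolvers the victim actually queried in the window and only counts answers from resolvers outside that set. Real reflection floods are also volumetric, so a host will often trip both rules at once; the constructed sample keeps them apart only to show each signature on its own.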

Page 8

Modern DDoS Attacks Are Complex

Today's DDoS attacks can cause (1) saturation upstream, (2) state exhaustion, or (3) application outages; many times one attack can result in all three, and all with the same end result: critical services are no longer available!

[Diagram: The Broad Impact of DDoS Attacks. Attack traffic and good traffic enter the data center together through the load balancer and IPS.]

Page 9

How is DDoS Evolving?

• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.

• Arbor World-Wide Infrastructure Security Survey, 2011
– 7th annual survey
– Concerns, observations and experiences of the security community
– 114 respondents, a broad spread of customers from around the world

• Arbor ATLAS Internet Trends
– 250+ Arbor customers
– Hourly export of anonymized DDoS and traffic statistics

Page 10

Key Findings in the 2011 Survey: Large Attacks are Now Commonplace

• Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators
• 13% of respondents report attacks above 10 Gbps
• 40% of respondents report attacks above 1 Gbps
• Largest pps attack reported is 35 Mpps, keeping pace with 2010

[Chart: Largest Attack in Gbps, by year]
2002: 0.14 | 2003: 1.2 | 2004: 2.5 | 2005: 10 | 2006: 17 | 2007: 24 | 2008: 40 | 2009: 49 | 2010: 100 | 2011: 60

[Chart: Highest BPS DDoS in 2011, share of respondents]
Don't Know: 43% | > 10 Gbps: 13% | 1-10 Gbps: 27% | < 1 Gbps: 17%

Page 11

Key Findings in the 2011 Survey: Application Layer and Multi-Vector Attacks

• A higher percentage of attacks reported on HTTP and IRC relative to 2010: HTTP (87% vs. 84%) and IRC (11% vs. 0%)
• A lower percentage of attacks on DNS, SMTP, HTTPS and VoIP relative to 2010: DNS (67% vs. 76%), SMTP (25% vs. 40%), HTTPS (24% vs. 35%) and VoIP (19% vs. 38%)
• SSL-based attacks reported included TCP and UDP floods against port 443 and Slowloris

[Chart: Services Targeted by Application Layer DDoS Attacks]
HTTP: 87% | DNS: 67% | SMTP: 25% | HTTPS: 24% | SIP/VoIP: 19% | IRC: 11% | Other: 7%

[Chart: Have You Experienced Multi-vector Application / Volumetric DDoS Attacks? Legend: Don't Know, No, Yes; values 27%, 41%, 32%, listed in the same order as the legend on the slide.]

Page 12

Key Findings in the 2011 Survey: Attack Frequencies Increasing

• 91% of respondents see at least 1 DDoS attack per month, up from 76% in 2010
• 44% of respondents see 10 or more attacks per month, up from 35% in 2010

[Chart: Number of DDoS Attacks per Month, share of respondents]
0: 9% | 1-10: 47% | 10-20: 15% | 20-50: 7% | 50-100: 10% | 100-500: 11% | > 500: 1%

Page 13

Agenda (repeat of the Page 3 slide, introducing the section "Introduction into Bots and Botnets")

Page 14

Bots: Putting the '(D)' in (D)DoS

• "Got bot?"
• A bot is a servant process on a compromised system (unbeknownst to the owner), usually installed by a Trojan or worm.
• It communicates with a handler or controller via public IRC servers, social media, or other compromised systems.
• A botmaster or botherder commands the bots to perform any of a number of different functions.
• The system of bots and controller(s) is referred to as a botnet.

Page 15

Botnets: "Black Market Clouds"

• Each botnet represents a 'black market' cloud
• Can be built with 'off the shelf' malware
• Becoming more profitable than spam
• Popular for:
– Competitive advantage
– Extortion
– Hacktivism
– Political
– Ego-driven
– Distraction from other cyber-crimes

Page 16

Botnets: Identity Theft & Fraud

Globally, data breaches are expected to account for $130.1 billion in corporate losses this year, according to the Ponemon Institute. Historically, about 30% of that total cost has been direct losses attributable to the breaches, which would mean about $39 billion will be stolen in 2011.

"full creds"

Page 17

Botnets: Getting More Sophisticated

Key Loggers
– Gotta get those "full creds"

Drop Sites, Click Fraud, Bot Trading & Marketing
– .net - $.05
– .gov - $1.00
– nasa.gov - $.05

"Better Marketing by the Botherders"
– Excellent ping & uptime
– Rotating IP addresses
– Different ISPs
– Intuitive user interface
– SLAs - 100 percent uptime guarantee!

Page 18

Botnets: It's Getting Personal

Phishing Systems
– Command & Control
– Hosting phishing sites
– Lift email addresses
– Spam phishing messages
– Drop Sites
– All bots!

Web server access log excerpt shown on the slide:

[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)"
[19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)"
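Those log lines carry three bot tells a responder can key on: dozens of identical requests within the same second, a bare User-Agent of "Mozilla/4.0 (compatible)", and a "#fragment" in the request line, which real browsers strip before sending. The following is an added example for this page, not Arbor code and not tooling from the slide: it parses combined-format access log lines and flags sources that exceed a per-second request threshold, then reports what the flagged sources share. It assumes the standard combined format with a leading client address, which the slide's excerpt omits, and the sample lines are constructed to mirror the excerpt.

```python
"""Access-log triage for a bot-driven HTTP GET flood like the one on the slide.
Added example for this page (not Arbor code).  Assumes the standard
"combined" log format with a leading client address; sample lines are constructed."""
import re
from collections import Counter, defaultdict
from typing import Dict, Iterable, List, Optional
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def analyze(lines: Iterable[str], rps_threshold: int = 20, ua_share: float = 0.8) -> dict:
    """Flag clients exceeding rps_threshold requests within one second and report
    what the flagged clients have in common.  The timestamp has one-second
    resolution, so (ip, timestamp) buckets are per-second counters."""
    per_ip_second: Counter = Counter()
    ua_by_ip: Dict[str, Counter] = defaultdict(Counter)
    referer_hosts: Counter = Counter()
    fragment_requests = 0   # browsers never send the "#fragment" part of a URL
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        per_ip_second[(rec["ip"], rec["ts"])] += 1
        ua_by_ip[rec["ip"]][rec["ua"]] += 1
        if "#" in rec["path"]:
            fragment_requests += 1
        if rec["referer"] not in ("", "-"):
            # Referer is attacker-controlled text: aggregate by host, never render it unescaped.
            referer_hosts[urlsplit(rec["referer"]).hostname or rec["referer"]] += 1

    flooders: Dict[str, int] = {}
    for (ip, _ts), n in per_ip_second.items():
        if n >= rps_threshold:
            flooders[ip] = max(n, flooders.get(ip, 0))

    # One User-Agent shared by (almost) every flooder is the signature of a single bot family.
    ua_counts: Counter = Counter()
    for ip in flooders:
        ua_counts.update(ua_by_ip[ip])
    shared_ua = None
    if ua_counts:
        ua, n = ua_counts.most_common(1)[0]
        if n / sum(ua_counts.values()) >= ua_share:
            shared_ua = ua

    return {"flooders": flooders, "shared_user_agent": shared_ua,
            "referer_hosts": referer_hosts, "fragment_requests": fragment_requests,
            "unparsed": unparsed}


BOT_UA = "Mozilla/4.0 (compatible)"
TAUNT = "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net"
FRAGMENT_PATH = "/p898068-remove_quot_quot_from_the_domain_name.html#898068"


def _constructed_log() -> List[str]:
    """Constructed sample mirroring the slide's excerpt: three bots, 25 hits each in
    one second, plus one real visitor and one unparseable line."""
    lines = []
    for ip in ("192.0.2.11", "192.0.2.12", "192.0.2.13"):
        for i in range(25):
            path, ref = ("/", TAUNT) if i % 2 == 0 else (FRAGMENT_PATH, "-")
            lines.append(f'{ip} - - [19/Feb/2007:15:10:18 +0000] "GET {path} HTTP/1.1" '
                         f'200 497 "{ref}" "{BOT_UA}"')
    real_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/2.0"
    lines.append(f'198.51.100.7 - - [19/Feb/2007:15:10:18 +0000] "GET /index.html HTTP/1.1" '
                 f'200 5120 "-" "{real_ua}"')
    lines.append(f'198.51.100.7 - - [19/Feb/2007:15:10:19 +0000] "GET /style.css HTTP/1.1" '
                 f'200 812 "http://example.com/index.html" "{real_ua}"')
    lines.append("not a log line")
    return lines


SAMPLE_LOG = _constructed_log()

if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(result["flooders"], result["shared_user_agent"], result["fragment_requests"])
```

Two practical notes. A per-second threshold is deliberately crude; in production the same counters feed a sliding window and are joined with the response size (the slide's lines all return 497 bytes, a static page the bots hammer). And because Referer and User-Agent are attacker-chosen strings, anything that displays them, a dashboard or a ticket, must escape them; the taunts on the slide are harmless text, but the same field can carry markup or script.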

Page 19

Smart Bots: Disable Updates, Speed Tests

• Engineer around current AV DBs
• Disable auto-update functions
• Evaluate connectedness of the asset

Upon compromise, perform browser-esque speed tests to the following sites using the User-Agent "Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar 4.3.1.0":
www.nifty.com, www.d1asia.com, www.st.lib.keio.ac.jp, www.lib.nthu.edu.tw, www.above.net, www.level3.com, nitro.ucsc.edu, www.burst.net, www.cogentco.com, www.rit.edu, www.nocster.com, www.verio.com, www.stanford.edu, www.xo.net, de.yahoo.com, www.belwue.de, www.switch.ch, www.1und1.de, verio.fr, www.utwente.nl, www.schlund.net

Page 20

Smart Botnets: Management & Statistics

• Performance statistics
• Web-based user interfaces

Page 21

Agenda (repeat of the Page 3 slide, introducing the section "How Botnets are Used to Launch DDoS Attacks")

Page 22

Anatomy of a DDoS Attack from a Botnet

[Diagram: Internet backbone connecting enterprises, hosting providers, broadband users and the DDoS target's provider.]
1. Systems become infected
2. Bots connect to a C&C to create an overlay network (botnet)
3. The botmaster connects to the controller (C&C)
4. The botnet master issues the attack command
5. Bots attack the DDoS target

Page 23

Popular Botnets Used for DDoS Attacks

• Mariposa
• Darkness
• Dirt Jumper
• G-Bot
• Cutwail
• Erzengel
• Zemra
• JKDDoS
• YoyoDDoS
• Darkshell
• Avzhan

Page 24

Agenda (repeat of the Page 3 slide, introducing the section "Examples of Botnets Used for DDoS Attacks")

Page 25

Dirt Jumper Botnets Used for DDoS

• 500+ Dirt Jumper family bots analyzed by ASERT
– Each Dirt Jumper botnet can last months and attack hundreds (or more) of victims during its lifecycle
• Features UDP, TCP, HTTP attacks and "anti-DDoS" attacks
– Actively developed, widely used commercially
– The family includes: Dirt Jumper version 3, Dirt Jumper version 5, Pandora, DiBotnet, Khan

Page 26

Dirt Jumper Brings Down Electronic Trading

• The Dirt Jumper DDoS botnet impacted the site for 3-4 days

Page 27

Commercial DDoS Product – Dirt Jumper 3

• Version 3 is quite popular
• "Anti-DDoS" attacks mentioned: designed to bypass anti-DDoS defenses
– A more recent innovation from the attackers

Page 28

Dirt Jumper Botnet Attacks August 2012

• Arbor's Bladerunner project samples the DDoS bot population
• Bladerunner observed approx. 2000 unique DDoS attacks in August 2012 from 68 botnets
• Of these, we analyzed 25 Dirt Jumper botnets to observe 301 unique attacks on a variety of targets
– Some attacks lasted days
• Many website targets with 100+ virtual hosts
• Many attacks on HTTP, but we also saw attacks on HTTPS, SMTP, MySQL

Page 29

Dirt Jumper's Global Presence

• Dirt Jumper Command & Control points (map)

Page 30

Commercial DDoS Product – Dirt Jumper v5

• Dirt Jumper v5 has leaked in the underground

Page 31

Commercial DDoS Services

• No DDoS capabilities in this RAT
• However, this is a good example of password theft

Page 32

Dirt Jumper Botnet Victims August 2012

Page 33

Commercial DDoS Product - Pandora

• View of the control panel used by the botmaster to launch DDoS attacks
• Originally sold for $800; a cracked version for $100; also has been leaked (free)
• Attacks look just like Dirt Jumper 5 and Khan bots
• Appeared early 2012

Page 34

Commercial DDoS Product – Di BoTNet

• Re-uses Dirt Jumper code; adds a "bot killer" feature to eliminate the competition from infected computers
• Early 2012

Page 35

Commercial DDoS Product – Darkness Botnet

• 45,000 bots over the botnet lifetime
• 6900 currently online

Page 36

Bot – "DarkShell"

• In 2010, this bot was seen attacking vendors of industrial food-processing equipment.

Page 37

Commercial DDoS Product – Armageddon

• Very popular bot, an active competitor to other Russian bots
• Involved in politically motivated attacks in Russia
• In addition to HTTP, has attacked remote desktop, FTP, SSH

Page 38

One-Stop Shopping for DDoS Botnets

Page 39

Agenda (repeat of the Page 3 slide, introducing the section "Arbor's Solution for Stopping DDoS and Botnets Attacks")

Page 40

Arbor Products & Services

[Diagram: products for Service Providers (SP, TMS) and Enterprises (NSI, APS), arranged by Visibility and Protection; Services: Research, Support, Security Response.]

Page 41

Arbor's Key Technologies

Visibility

Flow Intelligence: Arbor's products are the premier analyzers of full network flow data, providing holistic traffic & security visibility.

Application Intelligence: Arbor's products offer deep insight into applications and services as more services move to standard ports.

Global Intelligence: Arbor's products leverage the real-time, Internet-wide visibility of the ATLAS initiative to detect and stop active threats.

Protection

Availability Engine: Arbor's core packet analysis & blocking engine can stop, and is also immune to, all threats against availability.

Botnets & Malware: Arbor's Security & Emergency Response Team (ASERT) conducts unique research into botnets and malware.

Cloud Signaling: Arbor's proprietary protocol enables signaling from the enterprise edge to the cloud for complete protection.

Page 42

Peakflow Products

Visibility: Peakflow SP
Models: CP-5500, PI-5500, BI-5500, FS-5500
The Peakflow Service Provider (SP) solution collects and analyzes Flow, BGP, and SNMP data; conducts network anomaly detection for security visibility; provides a user interface for managed services; and offers massive scale to meet the needs of the world's largest service providers and cloud operators.

Protection: Peakflow TMS
Models: TMS-1200, TMS-2500, TMS-3000 Series, TMS-4000 Series
The Peakflow Threat Management System (TMS) is built for high-performance, carrier-class networks and is used for surgical mitigation of DDoS attack traffic with no additional latency for legitimate traffic; it also serves as a protection platform for in-cloud managed security services.

Page 43

Pravail Products

Visibility: Pravail NSI
Models: X-CONT-1, X-COL-8K32/16K, X-COL-AIC, X-VIRTUAL
The Pravail Network Security Intelligence (NSI) system collects and analyzes flow and raw packet data; detects botted users and endpoints; and provides application-level, pervasive security intelligence across the enterprise network.

Protection: Pravail APS
Models: APS-2104, APS-2105, APS-2107, APS-2108
The Pravail Availability Protection System (APS) provides out-of-the-box protection against attacks while being immune to state-exhausting attacks; blocks complex application-layer DDoS; uses a dynamic threat feed from ATLAS to stop botnets; supports inline deployment models; and can send cloud signals upstream.

Page 44

The ATLAS Initiative

The ATLAS initiative is the world's most comprehensive Internet monitoring & security intelligence system.

Services: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), Fingerprint Sharing, Global Threat Analysis Portal

ATLAS intelligence is seamlessly integrated into Arbor products and services, including real-time services, global threat intelligence and insight into key Internet trends.

ASERT, Arbor's Security Engineering and Research Team, also leverages ATLAS to provide expert commentary on security trends and to address significant Internet research questions.

Page 45

Intelligence Feed & Active Threat Feed

Page 46

The Cloud Signaling Coalition

Unite the enterprise & service providers via Arbor's Cloud Signaling Coalition

[Diagram: an Internet Service Provider running an Arbor Peakflow SP / TMS-based DDoS service, with subscriber networks; a data center network with Arbor Pravail APS in front of the firewall / IPS / WAF and the public-facing servers; a Cloud Signaling status indicator.]
1. Service operating normally
2. Attack begins & is blocked by Pravail
3. Attack grows, exceeding bandwidth
4. Cloud signal launched
5. Customer fully protected!

Page 47

Arbor's Threat Ecosystem

The Arbor ecosystem between service providers & enterprise data centers offers unique insight into emerging and active threats.

[Diagram: Service Providers and Enterprise Data Centers.] Enterprise data center services are now fully protected!

Page 48

Thank You