Biggest DDoS attack in history hammers Spamhaus
Description: The DDoS attack history
Transcript
Copyright © by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
Anti-spam service Spamhaus has been hit with what several
security firms today described as the largest distributed denial
of service (DDoS) attacks ever seen.
[Diagram: DDoS attack through handlers. Elements: Attacker, Handler (two), Compromised PCs (Zombies), Targeted Server. Steps: 1. Attacker sets up a handler system; 2. Handler infects a large number of computers over the Internet; 3. Zombie systems are instructed to attack a target server.]
[Diagram: Cybercrime-related IT operations (servers, software and services). Elements: Criminal Attackers, Crimeware Toolkit Database, Trojan Command and Control Center, Malicious Affiliation Network, Legitimate Compromised Websites, Victims. The Trojan uploads stolen data to, and receives commands from, the command and control center.]
The latest run of attacks began on 18 March with a 10Gbps packet flood that
saturated Spamhaus' connection to the rest of the Internet and knocked its site
offline.
A massive 300Gbps was thrown against Spamhaus' website but the anti-spam
organisation was able to recover from the attack and get its core services back
up and running.
[Diagram: Botnet-based DDoS. Elements: Attacker, Victim (Bot), Bot Command & Control Center, Zombies, Target Server. Steps: Attacker sets up a bot C&C handler; Attacker infects a machine; Bot looks for other vulnerable systems and infects them to create a botnet; Bots connect to the C&C handler and wait for instructions; Attacker sends commands to the bots through C&C; Bots attack a target server.]
Spamhaus supplies lists of IP addresses for servers and computers
on the net linked to the distribution of spam
The high attack bandwidth is made possible because attackers are using
misconfigured domain-name service (DNS) servers—known as open
recursive resolvers or open recursors—to amplify a much smaller attack
into a larger data flood. Known as DNS reflection, the technique uses
requests for a relatively large zone file that appear to be sent from the
intended victim's network.
[Diagram: DNS reflection, part 1. Elements: Attacker, Server, Victim. Attacker sends a request to the server.]
Because the DNS server is not configured
properly, it will respond to each request by
sending the zone file to the victim's address,
overwhelming the network.
By using DNS reflection, the attacker could
amplify their own bandwidth by about 100-fold,
turning modest resources into a large attack,
Matthew Prince, CEO of CloudFlare, wrote in
an analysis of the attack. For the past week,
CloudFlare has worked with Spamhaus to
mitigate the latest attack.
[Diagram: DNS reflection, part 2. Elements: Attacker, Server, Victim.]
According to CloudFlare, the majority of the attack was traffic sent using
a technique called DNS (domain name system) reflection. Under normal
circumstances, DNS resolvers wait for a user request, such as a lookup for
the IP address for a domain name, then respond accordingly.
[Diagram: Click-fraud botnet. Elements: Attacker, Victim (Bot), Bot Command & Control Center, Zombies, Ad's Webpage, Ad Service Provider (http://adworld.com). Steps: Attacker sets up a bot C&C handler; Attacker infects a machine; Bot infects other systems and creates a botnet; Bots connect to the C&C handler and wait for instructions; Attacker sends commands to the bots through C&C; Bots generate fake customer clicks.]
The largest source of attack traffic against Spamhaus came from DNS
reflection, launched through open DNS resolvers rather than directly
via compromised networks.
The basic technique of a DNS reflection
attack is to send a request for a large DNS
zone file with the source IP address spoofed
to be the intended victim to a large number
of open DNS resolvers. The resolvers then
respond to the request, sending the large
DNS zone answer to the intended victim.
The attackers' requests themselves are only
a fraction of the size of the responses,
meaning the attacker can effectively amplify
their attack to many times the size of the
bandwidth resources they themselves
control.
In the Spamhaus case, the attacker was sending requests for the DNS
zone file for ripe.net to open DNS resolvers. The attacker spoofed the
CloudFlare IPs we'd issued for Spamhaus as the source in their DNS
requests. The open resolvers responded with DNS zone file, generating
collectively approximately 75Gbps of attack traffic. The requests were
likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X
+edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address
of an open DNS resolver) and the response was approximately 3,000
bytes, translating to a 100x amplification factor.
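The two passages above describe the reflection mechanism (spoofed requests for a large zone, resolvers answering the victim) and the sizes behind the amplification factor. The following is an added example, not code from EC-Council or CloudFlare, written from the resolver operator's side: it parses constructed query-log lines, groups them by client address, name and type, computes the observed response-to-request byte ratio, and flags groups that look like reflection abuse. The `reqlen=`/`resplen=` fields are an assumed extension of BIND's query-log format (real BIND query logs do not carry sizes), the log lines and thresholds are constructed, and the helper names are hypothetical. Note that the "client" address in such a group is the spoofed victim, not the attacker, so the useful responses are closing recursion to outsiders and rate-limiting responses, not blocking that address.

```python
"""Spot DNS reflection abuse of a recursive resolver from its query log."""
import re
from collections import defaultdict

# Constructed query-log lines (assumed format: BIND query log plus
# reqlen/resplen fields). 192.0.2.10 plays the spoofed victim address.
SAMPLE_LOG = """\
client 192.0.2.10#53 (ripe.net): query: ripe.net IN ANY +E(0) reqlen=36 resplen=3000
client 192.0.2.10#53 (ripe.net): query: ripe.net IN ANY +E(0) reqlen=36 resplen=3000
client 192.0.2.10#53 (ripe.net): query: ripe.net IN ANY +E(0) reqlen=36 resplen=3000
client 192.0.2.10#53 (ripe.net): query: ripe.net IN ANY +E(0) reqlen=36 resplen=3000
client 192.0.2.10#53 (ripe.net): query: ripe.net IN ANY +E(0) reqlen=36 resplen=3000
client 198.51.100.7#41213 (www.example.com): query: www.example.com IN A + reqlen=45 resplen=61
client 203.0.113.9#55021 (example.net): query: example.net IN MX +E(0) reqlen=40 resplen=120
"""

LINE_RE = re.compile(
    r"client (?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>\S+) \S+ reqlen=(?P<req>\d+) resplen=(?P<resp>\d+)"
)


def amplification_factor(request_bytes, response_bytes):
    """Bytes delivered to the victim per byte the attacker has to send."""
    return response_bytes / request_bytes


def estimated_attack_bps(source_bps, factor):
    """Bandwidth arriving at the victim for a given source bandwidth and factor."""
    return source_bps * factor


def parse_query_log(text):
    """Turn log lines into dicts; lines that do not match the format are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            records.append({
                "ip": m["ip"], "qname": m["qname"], "qtype": m["qtype"],
                "req": int(m["req"]), "resp": int(m["resp"]),
            })
    return records


def find_reflection_suspects(records, min_queries=3, min_factor=10.0):
    """Group by (client, name, type); flag repeated groups with a high byte ratio.

    A single large answer is normal; the same client repeatedly asking the same
    question and receiving answers tens of times larger than its requests is the
    shape a resolver sees when it is being used as a reflector.
    """
    groups = defaultdict(lambda: {"count": 0, "req": 0, "resp": 0})
    for r in records:
        g = groups[(r["ip"], r["qname"], r["qtype"])]
        g["count"] += 1
        g["req"] += r["req"]
        g["resp"] += r["resp"]
    suspects = []
    for (ip, qname, qtype), g in groups.items():
        factor = amplification_factor(g["req"], g["resp"])
        if g["count"] >= min_queries and factor >= min_factor:
            suspects.append({
                "ip": ip, "qname": qname, "qtype": qtype,
                "count": g["count"], "factor": round(factor, 1),
                "bytes_reflected": g["resp"],
            })
    return suspects


if __name__ == "__main__":
    for s in find_reflection_suspects(parse_query_log(SAMPLE_LOG)):
        print("reflection suspect (client address is the likely victim):", s)
    factor = amplification_factor(36, 3000)
    print(f"36-byte request / 3000-byte answer: {factor:.0f}x; "
          f"750 Mbps of source bandwidth -> "
          f"{estimated_attack_bps(750e6, factor) / 1e9:.1f} Gbps at the victim")
```

With the page's own sizes the exact ratio is about 83x, which the analysis rounds to "100x"; either way, the 750Mbps figure quoted later on the page becomes tens of gigabits at the victim. The thresholds (`min_queries`, `min_factor`) are deliberately low for the seven constructed lines; on a production resolver they would be tuned against the normal ratio of ANY and MX traffic.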
Spamhaus's blocklists are distributed via DNS and widely mirrored in order to
ensure that they are resilient to attacks. The website, however, was unreachable and
the blacklists weren't getting updated.
Because the attacker used DNS amplification, they only needed to
control a botnet or cluster of servers able to generate 750Mbps, which is
possible with a small botnet or a handful of AWS instances.
CloudFlare reckons 30,000 unique DNS resolvers have been involved in the attack against Spamhaus
[Diagram: Botnet Ecosystem. Elements: Crimeware Toolkit Database, Trojan Command and Control Center, Zero-Day Market, Malware Market, C&C, Botnet Market, Botnet, Owner, Scan & Intrusion, Client-Side Vulnerability, Malicious Site, Redirect, Phishing, Mass Mailing, Emails, Spam, Data Theft, DDoS, Extortion, Stock Fraud, Scams, Adverts, Financial Diversion, Licenses, MP3, DivX.]
Botnet Trojan: Shark (Command and Control Center)
Poison Ivy: Botnet Command and Control Center
Botnet Trojan: PlugBot
PlugBot is a hardware botnet project: a covert penetration testing device (bot)
designed for use during physical penetration tests.
http://theplugbot.com
Botnet Trojans: Illusion Bot and NetBot