Tying the Bot: The Marriage of DDoS & Botnets


Published on

View this presentation to learn more about the evolution of DDoS attacks and the impact that botnets -- which have grown in sophistication recently -- have had on the size, scope and scale of DDoS attacks in recent years.

Published in: Technology
1 Comment
No Downloads
Total Views
On Slideshare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Tying the Bot: The Marriage of DDoS & Botnets

  1. Tying the Bot: The Marriage of DDoS & Botnets Presenter: Rakesh Shah, Director of Product Marketing
  2. Who is Arbor Networks?A Trusted & Proven Vendor Securing the World‟s Largest and Most Demanding Networks Percentage of world‟s Tier 1 service providers who are Arbor customers 90% Number of countries with Arbor products deployed 105 Amount of global traffic monitored by the ATLAS security intelligence 25 Tbps initiative right now Arbor market position in Carrier, Enterprise and Mobile DDoS equipment #1 markets – more than 450 customers [Infonetics Research July 2012] Number of years Arbor has been delivering innovative security and 12 network visibility technologies & products 2011 GAAP revenues [USD] of Danaher – Arbor‟s parent company $16B providing deep financial backing2
  3. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  4. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  5. What is a DDoS Attack? During a Distributed Denial of Service (DDoS) attack, compromised hosts or bots coming from distributed sourcesoverwhelm the target with illegitimate traffic so that the servers can not respond to legitimate clients.
  6. DDoS Attack Vectors Bots connect to a C&C to create an Volumetric Attacks Broadband overlay network (or botnet) Provider Corporation – Usually botnets with traffic from B BB C&C spoofed IPs generating high traffic B volume Endpoints become Internet Bots Attack – UDP based floods from spoofed IP infected Backbone take advantage of connection less B BM B UDP protocol B B – Take out the infrastructure capacity – B B routers, switches, servers, links Enterprise Broadband Attacker Server  Reflection Flood Attacks DNS Server responds to – Use a legitimate resource to amplify DNS RequestV request from an attack to a destination spoofed source. – Send a request to an IP that will yield Repeated many times a big response, spoof the source IP DNS Response is many times address to that of the actual victim larger than request. – DNS reflective amplification is a good DNS ResponseV attack example Victim
  7. DDoS Attack Vectors State Exhausting Attacks Client Server SYNC Listening… – Take advantage of stateful nature of TCP protocol Store data (connection – SYN, FIN, RST Floods SYNS, ACKC state, etc.) – TCP connection attacks Repeated many times System runs – Exhaust resources in servers, out of TCP load balancers or firewalls. listener sockets or out memory for stored stateHOIC  Application Layer Attacks – Exploit limitations, scale and functionality of specific applications – Can be low-and-slowLOIC – HTTP GET & POST, SIP INVITE floods – Can be more sophisticated: ApacheKiller, Slowloris, SlowPOST, RUDY, refref, hash collision etc..
  8. Modern DDoS Attacks Are Complex The Broad Impact of DDoS Attacks IPS Load Balancer DATA CENTER Attack Traffic Good Traffic Today‟s DDoS attacks can cause (1) saturation upstream, (2)state exhaustion, or (3) application outages – many times oneattack can result in all three – and all with the same end result: critical services are no longer available!
  9. How is DDoS Evolving?• In order to understand the DDoS threat (and how to protect ourselves) we need to know what is going on out there.• Arbor World-Wide Infrastructure Security Survey, 2011 – 7th Annual Survey – Concerns, observation and experiences of the security community – 114 respondents, broad spread of customers from around the world• Arbor ATLAS Internet Trends – 250+ Arbor customers – Hourly export of anonymized DDoS and traffic statistics
  10. Key Findings in the 2011 SurveyLarge Attacks are Now Commonplace Largest Attack in Gbps Highest BPS DDoS in 2011 120 100 100 17% 80 43% 60 Dont Know 60 49 27% > 10Gbps 40 40 24 1 - 10 Gbps 17 13% 20 10 < 1Gbps 0.14 1.2 2.5 0 2002 2003 2004 2005 2006 2007 2008 2009 2010 2011 • Aggregate attack sizes have leveled off but remain at levels capable of overwhelming most Internet operators • 13% of respondents report attacks above 10 Gbps • 40% of respondents report attacks above 1 Gbps • Largest pps attack reported is 35 Mpps keeping pace with 2010
  11. Key Findings in the 2011 SurveyApplication Layer and Multi-Vector Attacks Services Targeted by Application Have You Experienced Multi-vector Layer DDoS Attacks Application / Volumetric DDoS Attacks Other 7% IRC 11% 27% 32% SIP/VOIP 19% HTTPS 24% Dont Know SMTP 25% No DNS 67% Yes 41% HTTP 87% 0% 20% 40% 60% 80% 100%• A higher percentage of attacks reported on HTTP and IRC relative to 2010 – HTTP (87% vs. 84%) and on IRC (11% vs. 0%) relative to 2010• Lower percent of attacks on DNS, SMTP, HTTPS and VOIP – DNS (67% vs. 76%), SMTP (25% vs. 40%), HTTPS (24% vs. 35%) and VOIP (19% vs. 38%)• SSL based attacks reported included TCP and UDP floods against port 443 and Slowloris
  12. Key Findings in the 2011 SurveyAttack Frequencies Increasing Number of DDoS Attacks per Month 50% 47% 45% 40% 35% 30% 25% 20% 15% 15% 9% 10% 11% 10% 7% 5% 1% 0% 0 1 - 10 10 - 20 20 - 50 50 - 100 100 - 500 > 500 • 91% of respondents see at least 1 DDoS attack per month up from 76% in 2010 • 44% of respondents see 10 or more attacks per month up from 35% in 2010
  13. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  14. Bots: Putting the „(D)‟ in (D)DoS• “Got bot?” • A bot is a servant process on a compromised system (unbeknownst by owner) usually installed by a Trojan or Worm. • Communicates with a handler or controller via public IRC servers, social media, or other compromised systems. • A botmaster or botherder commands bots to perform any of an number of different functions. • System of bots and controller(s) is referred to as a botnet network.
  15. Botnets: “Black Market Clouds”• Each botnet represents a „black market‟ cloud• Can be built with „off the shelf‟ malware• Becoming more profitable than SPAM• Popular for: – Competitive advantage – Extortion – Hacktivism – Political – Ego-driven – Distraction from other cyber-crimes
  16. Botnets: Identity Theft & FraudGlobally, data breaches are expected to account for$130.1 billion in corporate losses this year, according “full creds”to the Ponemon Institute. Historically, about 30% ofthat total cost has been direct losses attributable tothe breaches, which would mean about $39 billionwill stolen in 2011.
  17. Botnets: Getting More Sophisticated Key Loggers – Gotta get those “full creds” Drop Sites Click Fraud Bot Trading & Marketing – .net - .$.05 – .gov - $1.00 – nasa.gov - $.05 “Better Marketing by the Botherders” – Excellent ping & uptime – Rotating IP addresses – Different ISPs – Intuitive User Interface – SLAs - 100 percent uptime guarantee!
  18. Botnets: It‟s Getting Personal Phishing Systems – Command & Control – Hosting phishing sites – Lift email addresses – Spam phishing messages – Drop Sites – All bots! [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)” [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://you.shut.us.down.we.shut.you.down.is.it.a.trade.or.not.net" "Mozilla/4.0 (compatible)” [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.0" 200 497 "-" "Mozilla/4.0 (compatible)” [19/Feb/2007:15:10:18 +0000] "GET /p898068-remove_quot_quot_from_the_domain_name.html#898068 HTTP/1.1" 200 497 "-" "Mozilla/4.0 (compatible)” [19/Feb/2007:15:10:18 +0000] "GET / HTTP/1.1" 200 497 "http://even.prolexic.cant.protect.you.net.wanna.try.akamai.ill.drop.them.too" "Mozilla/4.0 (compatible)”
  19. Smart Bots: Disable Updates, Speed Tests• Engineer around current AV DBs• Disable auto-update functions• Evaluate connectedness of asset Upon compromise, perform browser-esque speed tests to the following sites using Mozilla/4.0 (compatible; MSIE 6.0; WIN NT 5.1; Hotbar : www.nifty.com www.d1asia.com www.st.lib.keio.ac.jp www.lib.nthu.edu.tw www.above.net www.level3.com nitro.ucsc.edu www.burst.net www.cogentco.com www.rit.edu www.nocster.com www.verio.com www.stanford.edu www.xo.net de.yahoo.com www.belwue.de www.switch.ch www.1und1.de verio.fr www.utwente.nl www.schlund.net
  20. Smart Botnets: Management & Statistics• Performance statistics• Web-based user interfaces
  21. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  22. Anatomy of a DDoS Attack from a Botnet Bots connect to a C&C to create an overlay network Enterprises (botnet) DDoS Target Provider C&C Systems Become Internet Infected Backbone Bots attack Bot Master Hosting Providers Botnet master Controller Issues attack Connects Broadband Users Command
  23. Popular Botnets Used for DDoS Attacks Cutwail Zemra JKDDoS Darkness Mariposa Darkshell YoyoDDoS Dirt Jumper Erzengel Avzhan G-Bot
  24. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  25. Dirt Jumper Botnets Used for DDoS• 500+ Dirt Jumper family bots analyzed by ASERT – Each Dirt Jumper botnet can last months and attack hundreds (or more) of victims during their lifecycle• Features UDP, TCP, HTTP attacks, “anti-ddos” attacks – Actively developed, widely used commercially – Includes: • Dirt Jumper version 3 • Dirt Jumper version 5 • Pandora • DiBotnet • Khan
  26. Dirt Jumper Brings Down Electronic Trading• DirtJumper DDoS botnet impacted site 3-4 days
  27. Commercial DDoS Product – Dirt Jumper 3• Version 3 is quite popular• Anti-DDoS attacks mentioned – designed to bypass anti-DDoS defenses – A more recent innovation from the attackers
  28. Dirt Jumper Botnet Attacks August 2012• Arbor‟s Bladerunner project samples the DDoS bot population• Bladerunner observed approx. 2000 unique DDoS attacks in August 2012 from 68 botnets• Of these, we analyzed 25 Dirt Jumper botnets to observe 301 unique attacks to a variety of targets – Some attacks lasted days• Many website targets with 100+ virtual hosts• Many attacks on HTTP but we also saw attacks on HTTPS, SMTP, MySQL
  29. Dirt Jumper‟s Global Presence• Dirt Jumper Command & Control Points
  30. Commercial DDoS Product – Dirt Jumper v5• Dirt Jumper v5 has leaked in the underground
  31. Commercial DDoS Services• No DDoS capabilities in this RAT• However this is a good example of password theft
  32. Dirt Jumper Botnet Victims August 2012
  33. Commercial DDoS Product - Pandora• View of control panel – used by the botmaster to launch DDoS attacks• Originally sold for $800, cracked version for $100, also have been leaked (free)• Attacks look just like Dirt Jumper 5 and Khan bots• Appeared early 2012
  34. Commercial DDoS Product – Di BoTNet• Re-uses Dirt Jumper code, adds “bot killer” feature to eliminate the competition from infected computers• Early 2012
  35. Commercial DDoS Product – Darkness Botnet• 45,000 bots over the botnet lifetime• 6900 currently online
  36. Bot – “DarkShell”• In 2010, this bot was seen to attack industrial food processor equipment vendors.
  37. Commercial DDoS Product – Armageddon• Very popular bot, active competitor to other Russian bots• Involved in politically motivated attacks in Russia• In addition to HTTP, has attacked remote desktop, FTP, SSH
  38. One-Stop Shopping for DDoS Botnets
  39. AgendaDistributed Denial of Service (DDoS)Overview Introduction into Bots and Botnets How Botnets are Used to Launch DDoS Attacks Examples of Botnets Used for DDoS Attacks Arbor’s Solution for Stopping DDoS and Botnets Attacks
  40. Arbor Products & Services Enterprises Security Response APS NSIProtection Visibility Research Support TMS SP Service Providers Products Services40
  41. Arbor‟s Key Technologies Visibility Protection Flow Application Global Availability Botnets & CloudIntelligence Intelligence Intelligence Engine Malware Signaling Arbor‟s Arbor‟s Arbor‟s Arbor‟s Arbor‟s core Arbor‟s Security products are products proprietary products offer packet analysis & Emergency the premier leverage the protocol deep insight & blocking Response analyzers of real- enables into engine can Team (ASERT) full network time, Internet- signaling from applications stop and is conducts flow data wide visibility the enterprise and services as also immune to unique providing of the ATLAS edge to the more services all threats research intoholistic traffic & initiative to cloud for move to against botnets and security detect and stop complete standard ports. availability. malware. visibility. active threats. protection. 41
  42. Peakflow Products Visibility Protection Peakflow SP Peakflow TMSModels: CP-5500, PI-5500, BI- Models: TMS-1200, TMS-2500, TMS-5500, FS-5500 3000 Series, TMS-4000 SeriesThe Peakflow Service Provider (SP) The Peakflow Threat Managementsolution collects and analyzes System (TMS) is built for high-Flow, BGP, and SNMP data; conducts performance, carrier-class networksnetwork anomaly detection for and used for surgical mitigation ofsecurity visibility; provides user DDoS attack traffic with no additionalinterface for managed services; and latency for legitimate traffic; andmassive scale to meet the needs of serves as a protection platform for in-the world‟s largest service providers cloud managed security services.and cloud operators. 42
  43. Pravail Products Visibility Protection Pravail NSI Pravail APSModels: X-CONT-1, X-COL- Models: APS-2104, APS-2105, APS-8K32/16K, X-COL-AIC, X-VIRTUAL 2107, APS-2108The Pravail Network Security The Pravail Availability ProtectionIntelligence (NSI) collects and System (APS) provides out-of-boxanalyzes flow and raw packet data; protection for attacks while beingdetected botted users and endpoints; immune to state-exhausting attacks;and provides application-level and blocks complex application-layerpervasive security intelligence DDoS; supports a dynamic threadacross the enterprise network. from ATLAS to stop botnets; supports inline deployment models; and ability to send cloud signals upstream. 43
  44. The ATLAS Initiative The ATLAS initiative is the world‟s most comprehensive Internet monitoring & security intelligence systemServices: ATLAS Intelligence Feed (AIF), Active Threat Feed (ATF), FingerprintSharing, Global Threat Analysis PortalATLAS intelligence is seamlesslyintegrated into Arbor products and servicesincluding real-time services, global threatintelligence and insight into key Internettrends.ASERT, Arbor‟s Security Engineering andResearch Team, also leverages ATLAS toprovide expert commentary on securitytrends and to address significant Internet Active Threat Feed (ATF)research questions. 44
  45. Intelligence Feed & Active Threat Feed
  46. The Cloud Signaling CoalitionUnite the enterprise& service providers Subscriber Network Subscriber Network via Arbor‟s Cloud Internet Service Provider 1. Service OperatingSignaling Coalition Arbor Peakflow SP / TMS-based Normally DDoS Service 2. Attack Begins & Blocked by Pravail 3. Attack Grows Exceeding Bandwidth 4. Cloud Signal Arbor Pravail APS Launched Data Center Network 5. Customer Fully Firewall / IPS / WAF Protected! Cloud Signaling Status Public Facing Servers 46
  47. Arbor‟s Threat EcosystemThe Arbor ecosystem between service providers & enterprise data centers offers unique insight into emerging and active threats Service Providers Enterprise Data Centers Enterprise data center services are now fully protected!47
  48. Thank You
  1. A particular slide catching your eye?

    Clipping is a handy way to collect important slides you want to go back to later.