The Brobot botnet that devastated banks with DDoS floods in 2013 may be back. And the techniques that built it – exploiting vulnerabilities in the software that powers websites and cloud companies – are all too alive. Get the full details about this cybercrime threat in the Akamai/Prolexic Q1 2014 DDoS attack report, available for a free download at http://bit.ly/1meTkfu
Case Study: Q2 2014 Global DDoS Attack Report | Akamai Document
Q2 2014 DDoS Attack Report: Case Study
Selected excerpts
The Security Engineering and Research Team (PLXsert) at Prolexic (now part of Akamai) recently published the Global DDoS Attack Report for Q2 of 2014, investigating and analyzing the trends and details of DDoS activity over that period. Studied in detail was the rise in botnet building, based on the exploitation of web vulnerabilities, and its implications. The full Global DDoS Attack Report includes mitigation details and a more in-depth look at this material, including a technical analysis of an attack script.
As cybercriminals constantly pursue new ways to achieve their ends, defenders keep thwarting them by hardening workstations and shutting down unnecessary services and protocols on servers. These defensive actions have driven malicious actors to find the remaining vulnerabilities, including those that are exposed on the Internet via web services and web application frameworks.
It is nearly impossible to develop web services and applications with no vulnerabilities, and so these services – especially popular open-source Content Management Systems (CMS) and web server management applications like WordPress, Joomla, Kloxo, Drupal, and others widely used across the web – make prime targets. Most of these are based on the LAMP (Linux, Apache, MySQL, and PHP) stack – the most popular web server configuration on the Internet – providing criminal developers with a common platform to work from and offering a powerful economy of scale.
What makes these web-based botnets so powerful?
These botnets are not particularly difficult to construct. Attackers visit websites that publish vulnerabilities in these open source applications, and then search for servers with such vulnerabilities among servers on the Internet. This can be easily done with open source scanning tools, or even by searching for the affected vulnerable frameworks with a simple Google search.
In some cases, patience, research and advanced planning are not even required for malicious actors to take advantage of web vulnerabilities. Take for example the WordPress XMLRPC pingback DDoS attack, analyzed in the Q1 2014 Global DDoS Attack Report by PLXsert. The malicious actor could simply identify the host, craft the request and direct it to a target.
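The pingback abuse described above leaves two distinct traces in ordinary web server logs: a WordPress site being used as a reflector sees bursts of POST requests to xmlrpc.php, and the flood target sees GET requests arriving from many different WordPress installations, each announcing that it is "verifying pingback from" the same spoofed source address. The following detector is an added example written for this excerpt; it is not code from the PLXsert report. It parses Apache combined-format access logs, and the User-Agent pattern it matches is an assumption modelled on the form WordPress used at the time, so check it against your own logs. The log lines embedded in it are constructed sample data.

```python
"""Flag WordPress XML-RPC pingback reflection activity in Apache combined-format access logs."""
import re
from collections import Counter

# Apache combined log format; the groups we need are client IP, method, path and User-Agent.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" \d{3} \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

# User-Agent WordPress sends while verifying a pingback source. Assumed format, modelled on
# the 2014 pingback floods; adjust to what your own servers actually record.
PINGBACK_UA_RE = re.compile(
    r'^WordPress/[\d.]+; (?P<origin>https?://[^;]+); verifying pingback from (?P<claimed>\S+)$'
)

# Constructed sample log: one client hammering xmlrpc.php (reflector view) and four different
# WordPress sites all "verifying" the same address 198.51.100.7 (target view).
SAMPLE_LOG = "\n".join(
    ['203.0.113.10 - - [12/May/2014:10:01:%02d +0000] "POST /xmlrpc.php HTTP/1.0" 200 412 "-" "Mozilla/5.0"' % s
     for s in range(6)]
    + ['203.0.113.12 - - [12/May/2014:10:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"',
       '203.0.113.13 - - [12/May/2014:10:01:10 +0000] "GET /index.php HTTP/1.1" 200 9021 "-" "Mozilla/5.0"']
    + ['192.0.2.%d - - [12/May/2014:10:02:%02d +0000] "GET /?%d HTTP/1.0" 200 9021 "-" '
       '"WordPress/3.9.1; http://blog-%d.example; verifying pingback from 198.51.100.7"' % (i, i, 4700 + i, i)
       for i in range(1, 5)]
)


def parse_line(line):
    """Return the matched fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def analyze(log_text, xmlrpc_threshold=5, reflector_threshold=3):
    """Count xmlrpc.php POSTs per client and pingback-verification GETs per origin site.

    suspected_reflector_abuse: some single client sent >= xmlrpc_threshold POSTs to xmlrpc.php.
    suspected_target: pingback verifications arrived from >= reflector_threshold distinct sites.
    """
    xmlrpc_posts = Counter()
    reflectors = set()
    claimed_sources = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec['method'] == 'POST' and rec['path'].split('?')[0].endswith('/xmlrpc.php'):
            xmlrpc_posts[rec['ip']] += 1
        ua = PINGBACK_UA_RE.match(rec['ua'])
        if ua:
            reflectors.add(ua.group('origin'))
            claimed_sources[ua.group('claimed')] += 1
    return {
        'xmlrpc_posts_by_ip': xmlrpc_posts,
        'reflectors': reflectors,
        'claimed_sources': claimed_sources,
        'suspected_reflector_abuse': any(n >= xmlrpc_threshold for n in xmlrpc_posts.values()),
        'suspected_target': len(reflectors) >= reflector_threshold,
    }


if __name__ == '__main__':
    result = analyze(SAMPLE_LOG)
    print('xmlrpc.php POSTs by client:', dict(result['xmlrpc_posts_by_ip']))
    print('distinct reflecting sites:', len(result['reflectors']))
    print('addresses the reflectors claim to verify:', dict(result['claimed_sources']))
    print('reflector abuse suspected:', result['suspected_reflector_abuse'])
    print('flood target suspected:', result['suspected_target'])
```

Run on a real log, a hit on the reflector side is a cue to disable or rate-limit the pingback method on that WordPress install and to apply pending CMS updates; a hit on the target side gives a list of reflecting sites whose owners can be notified, and the "verifying pingback from" address is the spoofed victim, not a client to block.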
The proliferation of PaaS, SaaS, and cloud hosting providers has made web vulnerabilities an even more attractive target for malicious actors – and an even greater threat to the hosts of these services. Attackers can embed malware and crimeware into sites hosting web applications, hiding behind the IP reputation of these trusted servers. These sites have a reputation for providing non-malicious traffic, and so automated DDoS mitigation technologies are much less likely to blacklist or block DDoS traffic coming from them.
In recent years, malicious actors have launched effective DDoS attack campaigns with botnets built almost entirely through the exploitation of web vulnerabilities. The most notorious and most studied attack campaign of this type is Operation Ababil, which was based on the Brobot DDoS kit itsoknoproblembro, which spread through exploitation of the Kloxo web administration panel. This campaign, which lasted two years, resulted in more than 249 total hours of downtime for a robust target – major US banks. The publicity and success of these attacks will drive further adoption of such tactics in the future, making cleanup and management of web vulnerabilities imperative.
Researchers in the information security community are leading the effort to discover and disclose these web vulnerabilities. Channels of communication and collaboration among developers, vendors and security researchers will need to be streamlined to promote faster and more efficient mitigation, and regular update and patching procedures will need to be instituted. Many of the vulnerabilities that allowed the Operation Ababil attacks were promptly patched even while the attack campaign was under way, but on the majority of vulnerable hosts the patches went unapplied, enabling further attacks.
Get the full Q2 2014 Global DDoS Attack Report for a full analysis of DDoS trends, statistics, and technical details.
The full report includes:
• Analysis of recent DDoS attack trends
• Breakdown of average Gbps/Mpps statistics
• Year-over-year and quarter-by-quarter analysis
• Types and frequency of application layer attacks
• Types and frequency of infrastructure attacks
• Trends in attack frequency, size and sources
• Where and when DDoSers launch attacks
• Case study on server-side botnet construction based on Web vulnerabilities. Learn why Brobot attacks may resume at any time.
• Spotlight on a May attack campaign involving Domain Name Service (DNS) query floods and a SYN attack
About Prolexic
Prolexic Technologies, now part of Akamai, has successfully stopped DDoS attacks for more than a decade. Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers.
Learn more at http://www.prolexic.com.