Case Study: Time-line of DDoS campaigns against MIT
Authored by Wilber Mejia, Akamai SIRT
1.0 / OVERVIEW /
This publication details a series of DDoS attack campaigns against the Massachusetts Institute of Technology (MIT) network. So far in 2016, MIT has received more than 35 DDoS campaigns against several different targets, which have been mitigated by at least one of our cloud solutions.
Further investigation by Akamai SIRT revealed that close to 43% of the attack vectors leveraged during these campaigns were DDoS reflection and amplification vectors. The full vector list consisted of ACK, CHARGEN, DNS, GET, ICMP, NTP, NETBIOS, RESERVE protocol, SNMP, SSDP, SYN, TCP anomaly, UDP, and UDP FRAGMENT floods. Attackers targeted multiple destination IPs within the MIT network during the campaigns. Attacks originated from a combination of devices vulnerable to reflection abuse and spoofed IP sources. The full vector distribution breakdown for all attacks is listed in Figure 4.
The analysis is based on fingerprinted signatures collected from attack reports as well as the source IPs observed by our mitigation devices. The largest attack campaign peaked at 295 Gbps and consisted of a single UDP flood attack vector. Prior to that, the largest attack peaked at 89.35 Gbps using a combination of UDP flood, DNS flood, and UDP fragment attack vectors. During that campaign attackers targeted a total of three destination IP addresses. These attack types are commonly included in sites offering so-called booter or stresser services.
UDP and DNS reflection attack vectors generated the majority of attack traffic in the investigated campaigns. However, on May 6th of 2015, MIT experienced a very large DDoS campaign which included a specific padded SYN flood. Additional information surrounding this campaign is described in more detail within the Q3 2015 State of the Internet - Security Report.
2.0 / HIGHLIGHTED ATTACK CAMPAIGN ATTRIBUTES /
Although Xor DDoS botnet attacks were persistent, they did not produce the largest amount of malicious traffic against MIT. As mentioned previously, the largest attack peaked at 295 Gbps | 58.6 Mpps, while the second largest attack peaked at 89.35 Gbps | 8.37 Mpps. The latter attack was launched using attacks and tools commonly offered in booter/stresser suites. The 295 Gbps attack consisted of a specific UDP flood signature which is believed to be part of a malware variant known as STD/Kaiten. An ongoing investigation is being conducted by Akamai SIRT regarding this malware. Listed below are some campaign highlights:
TLP: WHITE
Issue Date: 7.22.2016
LARGEST ATTACK CAMPAIGN
● Event Time Start: Jun 7, 2016 22:48:55 UTC
● Event Time End: Jun 8, 2016 17:04:04 UTC
● Peak bandwidth: 295 Gigabits per second
● Peak packets per second: 58.6 Million Packets per second
● Attack Vector: UDP Flood, UDP Fragment, DNS Flood
● Source port: randomized
● Destination port: 80
UDP Flood:
22:48:55.057813 IP x.x.x.x.48679 > x.x.x.x.80: UDP, length 600
22:48:55.057815 IP x.x.x.x.46076 > x.x.x.x.80: UDP, length 600
22:48:55.057819 IP x.x.x.x.34698 > x.x.x.x.80: UDP, length 600
22:48:55.057848 IP 181.136.97.12.34161 > x.x.x.x.80: UDP, length 600
22:48:55.057853 IP 181.136.97.12.34161 > x.x.x.x.80: UDP, length 600
22:48:55.057863 IP 201.232.6.199.44219 > x.x.x.x.80: UDP, length 600
23:58:08.871990 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.871999 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.872005 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.872011 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.872014 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.875194 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
Figure 1: Largest documented UDP Flood campaign against MIT
SECOND LARGEST ATTACK CAMPAIGN
● Event Time Start: Apr 2, 2016 04:17:00 UTC
● Event Time End: Apr 2, 2016 14:45:11 UTC
● Peak bandwidth: 89.35 Gigabits per second
● Peak packets per second: 8.37 Million Packets per second
● Attack Vector: UDP Flood, UDP Fragment, DNS Flood
● Source port: 53, randomized
● Destination port: randomized
Unlike Xor, these kinds of attacks are accessible to a much larger population of malicious actors. Almost anyone with motivation and enough knowledge to determine the IP of their target can launch these attacks at low cost. A recent look at the pricing of popular sites offering DDoS “stresser” services shows this can be done for as little as 19.99/month.
4.0 / ATTACK CAMPAIGNS IN 2015 /
In 2015, 30 DDoS campaigns were detected and mitigated across our distributed scrubbing centers. One of the largest DDoS attack campaigns occurred on May 5th, 2015 and consisted of an Xor botnet SYN flood.
● Event Time Start: May 5, 2015 00:00:00 UTC
● Event Time End: May 6, 2015 01:16:48 UTC
● Peak bandwidth: 41.5 Gigabits per second
● Peak packets per second: 5.5 Million Packets per second
● Attack Vector: SYN Flood
● Source port: Random
● Destination port: 80
This vector is confirmed to be produced by the Xor DDoS malware. This was the last of a series of 4 attacks from this botnet; a later attack followed in December. The malware is of Chinese origin, and attacks matching this payload have mostly targeted organizations in Asia. The few attacks outside Asia indicated that the botnet was under the control of malicious actors operating out of China. This botnet was believed to have been taken down following reports of arrests made in China regarding the use of the botnet in attacks.
Although attacks did stop shortly after those reports, some attacks using this malware have started to occur again this year, although at much lower bandwidth peaks. Figure 7 provides the bandwidth and timeline of Xor-specific attacks. The botnet attacks consisted of SYN flood traffic.
Fig 7 - Xor attack timeline with peak Gbps and Mpps
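The three signatures highlighted in this advisory share shapes that a defender can recognize from a short capture: the Figure 1 UDP flood (fixed-size payloads from random source ports to port 80), the April 2016 campaign's DNS-sourced traffic (source port 53 toward randomized destination ports), and the 2015 Xor SYN flood (random source ports, SYN-only segments to port 80). The Python below is an added example written for this page; it is not Akamai SIRT tooling or code from the advisory. It parses tcpdump one-liners in the format shown in Figure 1 and tags each (destination, protocol) group by its source-port, destination-port and payload-length distributions. The Figure 1 lines are copied from the advisory; the DNS reflection and SYN flood captures, the TEST-NET addresses, the tag names and the thresholds (MIN_PACKETS, the 50% source-port-53 share, the 90% SYN share, the 80% distinct-source-port ratio) are constructed for the example.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass

# tcpdump one-liner layout as shown in Figure 1 (UDP) and as tcpdump prints TCP. A host is a
# dotted quad (or the advisory's masked x.x.x.x) followed by ".port"; the greedy host match
# backtracks to the last dot before the port.
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>[\w.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\w.]+)\.(?P<dport>\d+): (?P<rest>.*)$"
)
MIN_PACKETS = 5  # constructed threshold; a real detector keys on packets per second, not a count

@dataclass(frozen=True)
class Packet:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str   # "UDP" or "TCP"
    syn: bool    # TCP segment carrying only the SYN flag (Flags [S])
    length: int  # payload length as reported by tcpdump

def parse_line(line):
    """Parse one tcpdump line; return None for malformed or non-UDP/TCP lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest")
    lm = re.search(r"length (\d+)", rest)
    length = int(lm.group(1)) if lm else 0
    if rest.startswith("UDP"):
        proto, syn = "UDP", False
    elif rest.startswith("Flags ["):
        proto, syn = "TCP", rest[len("Flags ["):rest.index("]")] == "S"
    else:
        return None  # ICMP and other protocols are out of scope here
    return Packet(m.group("ts"), m.group("src"), int(m.group("sport")),
                  m.group("dst"), int(m.group("dport")), proto, syn, length)

def classify(lines):
    """Tag each (destination, protocol) group: udp_flood, dns_reflection, syn_flood, unclassified, insufficient."""
    groups = defaultdict(list)
    for line in lines:
        pkt = parse_line(line)
        if pkt is not None:
            groups[(pkt.dst, pkt.proto)].append(pkt)
    verdicts = {}
    for key, pkts in groups.items():
        n = len(pkts)
        if n < MIN_PACKETS:
            verdicts[key] = "insufficient"
            continue
        sports = Counter(p.sport for p in pkts)
        dports = Counter(p.dport for p in pkts)
        lengths = Counter(p.length for p in pkts)
        if key[1] == "TCP":
            # Xor-style SYN flood: >= 90% SYN-only segments and mostly distinct source ports.
            syn_only = sum(p.syn for p in pkts) / n >= 0.9
            verdicts[key] = "syn_flood" if syn_only and len(sports) >= 0.8 * n else "unclassified"
        elif sports[53] / n >= 0.5:
            # Reflected DNS replies: source port 53 dominates, destination ports are random.
            verdicts[key] = "dns_reflection"
        elif len(dports) == 1 and len(lengths) <= 2:
            # Direct UDP flood: one destination port, fixed-size padded payloads (Figure 1: 600 and 1 bytes).
            verdicts[key] = "udp_flood"
        else:
            verdicts[key] = "unclassified"
    return verdicts

# Six lines copied from Figure 1 of the advisory (masked hosts left as x.x.x.x).
FIGURE1_UDP = """\
22:48:55.057813 IP x.x.x.x.48679 > x.x.x.x.80: UDP, length 600
22:48:55.057815 IP x.x.x.x.46076 > x.x.x.x.80: UDP, length 600
22:48:55.057848 IP 181.136.97.12.34161 > x.x.x.x.80: UDP, length 600
22:48:55.057863 IP 201.232.6.199.44219 > x.x.x.x.80: UDP, length 600
23:58:08.871990 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
23:58:08.871999 IP x.x.x.x.4751 > x.x.x.x.80: UDP, length 1
"""
# Constructed (not from the advisory), shaped like the April 2016 campaign: source port 53, random destination ports.
CONSTRUCTED_DNS_REFLECTION = """\
04:17:00.100001 IP 198.51.100.7.53 > 192.0.2.10.41021: UDP, length 1412
04:17:00.100004 IP 198.51.100.9.53 > 192.0.2.10.8899: UDP, length 1380
04:17:00.100009 IP 198.51.100.22.53 > 192.0.2.10.57310: UDP, length 1412
04:17:00.100013 IP 198.51.100.31.53 > 192.0.2.10.2201: UDP, length 1309
04:17:00.100021 IP 198.51.100.5.53 > 192.0.2.10.60001: UDP, length 1412
"""
# Constructed, shaped like the May 2015 Xor SYN flood: random source ports to port 80, SYN-only, no payload.
CONSTRUCTED_SYN_FLOOD = """\
00:00:00.000010 IP 203.0.113.4.51123 > 192.0.2.20.80: Flags [S], seq 100, win 65535, length 0
00:00:00.000012 IP 203.0.113.88.2034 > 192.0.2.20.80: Flags [S], seq 200, win 65535, length 0
00:00:00.000015 IP 203.0.113.41.44881 > 192.0.2.20.80: Flags [S], seq 300, win 65535, length 0
00:00:00.000017 IP 203.0.113.17.1029 > 192.0.2.20.80: Flags [S], seq 400, win 65535, length 0
00:00:00.000020 IP 203.0.113.9.61777 > 192.0.2.20.80: Flags [S], seq 500, win 65535, length 0
"""

if __name__ == "__main__":
    capture = (FIGURE1_UDP + CONSTRUCTED_DNS_REFLECTION + CONSTRUCTED_SYN_FLOOD).splitlines()
    for (dst, proto), tag in sorted(classify(capture).items()):
        print(f"{dst:>14} {proto}: {tag}")
```

The classifier keys on shape, not volume: in production the discriminating signal is rate (the advisory's Gbps and Mpps figures), so a count threshold like MIN_PACKETS stands in for a packets-per-second threshold over a sliding window. The source-port-53 rule is also a reminder that reflected DNS responses arrive from otherwise legitimate resolvers, so mitigation for that vector means rate-limiting or scrubbing the response traffic rather than blocklisting the reflecting hosts.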
5.0 / ATTACK TOOLS - XOR DDOS AND OTHERS /
Akamai SIRT was able to obtain and analyze a sample of the Xor DDoS malware used in the SYN flood attack campaign against MIT. A full copy of the Xor DDoS threat advisory can be found here.