Time line-of-ddos-campaigns-against-mit-threat-advisory

1
Case Study: Time-line of DDoS campaigns against MIT
Authored by Wilber Mejia, Akamai SIRT
1.0 / OVERVIEW / THIS publication details a series of DDoS attack campaigns against the
Massachusetts Institute of Technology (MIT) network. So far in 2016, MIT has received more than 35
DDoS campaigns against several different targets which have been mitigated by at least one of our
cloud solutions.
Further investigation by Akamai SIRT revealed that close to 43% of attack vectors leveraged during these
campaigns included DDoS reflection and amplification attack vectors. The full vector list consisted of
ACK , CHARGEN, DNS, GET, ICMP, NTP, NETBIOS, RESERVE protocol, SNMP, SSDP, SYN, TCP anomaly,
UDP, and UDP FRAGMENT floods. Attackers targeted multiple destination IPs within the MIT network
during the campaigns. Attacks originated from a combination of devices vulnerable to reflection abuse
and spoofed IP sources. The full vector distribution breakdown for all attacks is listed in Figure 4.
The analysis is based on fingerprinted signatures collected from attack reports as well as the source IPs
from our mitigation devices. The largest attack campaign peaked at 295 Gbps consisting of only a UDP
flood attack vector. Prior to that, the largest attack peaked at 89.35 using a combination of UDP flood,
DNS flood, and UDP fragment attack vectors. During this campaign attackers targeted a total of three
destination IP addresses. These attack types have commonly been included in sites offering so called
booter or stresser services.
UDP and DNS reflections attack vectors generated the majority of attack traffic from the investigated
campaigns. However, on May 6th of 2015, MIT experienced a very large DDoS campaign which included
a specific padded SYN flood. Additional information surrounding this campaign is described in more
detail within the Q3 2015 State of the Internet - Security Report.
2.0 / HIGHLIGHTED ATTACK CAMPAIGN ATTRIBUTES / Although Xor DDoS BOTNET attacks were
persistent, they did not produce the largest amount of malicious traffic against MIT. As mentioned
previously, the largest attack peaked at 295 Gbps | 58.6 Mpps while the second largest attack peaked at
89.35 Gbps | 8.37 Mpps. The latter attack was launched using attacks and tools commonly offered in
booter/stresser suites. The 295 Gbps attack was comprised of a specific UDP flood signature which is
believed to be part of a malware variant known as STD/Kaiten. An ongoing investigation is being
conducted by Akamai SIRT regarding this malware. Listed below are some campaign highlights:
TLP: WHITE
Issue Date: 7.22.2016

2
LARGEST ATTACK CAMPAIGN
● Event Time Start: Jun 7, 2016 22:48:55 UTC
● Event Time End: Jun 8, 2016 17:04:04 UTC
● Peak bandwidth: 295 Gigabits per second
● Peak packets per second: 58.6 Million Packets per second
● Attack Vector: UDP Flood, UDP Fragment, DNS Flood
● Source port: randomized
● Destination port: 80
UDP Flood:
22:48:55.057813 IP x.x.x.x.48679 > x.x.x.x.80: UDP, length 600
22:48:55.057848 IP 181.136.97.12.34161 > x.x.x.x.80: UDP, length 600
Figure 1: Largest documented UDP Flood campaign against MIT
SECOND LARGEST ATTACK CAMPAIGN
● Event Time Start: Apr 2, 2016 04:17:00 UTC
● Event Time End: Apr 2, 2016 14:45:11 UTC
● Peak bandwidth: 89.35 Gigabits per second
● Attack Vector: UDP Flood, UDP Fragment, DNS Flood
● Source port: 53, randomized
● Destination port: randomized
Unlike Xor, these kinds of attacks are more accessible to a much larger population of malicious actors.
The fact is almost anyone with motivation and enough knowledge to determine the IP of their target can
launch these attacks at low cost. A recent look at a pricing of popular sites offering DDoS “stresser”
services show this can be performed for as little as 19.99/month.

3
Figure 2: Example booter site pricing plans
Figure 3 contains all the attack signatures used in the specified DDoS attack. In particular the signature
reveals the domains abused for amplificaiton of attack reponses included cpsc.gov and isc.org. In
addition, these domains make use of DNSSEC. A recent Akamai SIRT advisory details the increases in use
of DNSSEC powered reflection attacks. These DNS attacks have been widespread across multiple
industries including gaming and financial services. The domain owners themselves are not at fault and
don't feel the effects of these attacks. Attackers abuse open resolvers by sending a barrage of spoofed
DNS queries where the IP source is set to be the MIT target IP. Most of these servers will cache the
initial response so multiple queries are not made to the authoritative name servers.
DNS reflection flood
04:17:11.736254 IP x.x.x.x.53 > x.x.x.x6007: 45488| 22/0/0 DNSKEY, AAAA 2600:803:240::2, A 63.74.109.2, TXT "v=spf1
ip4:63.74.109.6 ip4:x.x.x.x ip4:x.x.x.x mx a: REDACTED
04:17:11.736257 IP x.x.x.x.53 > x.x.x.x.30267: 4354 2/2/0 NS REDACTED. (105)
04:17:11.736276 IP x.x.x.x.53 > x.x.x.x7519: 45488| 22/0/0 Type51, RRSIG, DNSKEY, DNSKEY, DNSKEY, DNSKEY[|domain]
04:17:11.736287 IP x.x.x.x.53 > x.x.x.x.44609: 4354| 22/0/0 RRSIG, A 63.74.109.2, TXT "v=spf1
04:20:08.919421 IP x.x.x.x.53 > x.x.x.x.51286: 52156 13/4/2 SPF, DNSKEY, DNSKEY, NAPTR, TXT "v=spf1 a mx ip4:x.x.x.x/21
ip4:x.x.x.x/16 ip6:2001:04F8::0/32 ip6:xxx:xxx:xx::xx/128 ~all", REDACTED
04:20:08.920044 IP x.x.x.x.53 > x.x.x.x.15097: 64812 13/4/2 MX) REDACTED
UDP fragment flood
04:17:11.736255 IP x.x.x.x > x.x.x.x: udp
04:17:11.736279 IP x.x.x.x > x.x.x.x: udp
04:32:25.135792 IP x.x.x.x > x.x.x.x: udp
04:32:25.135794 IP x.x.x.x > x.x.x.x: udp
Figure 3: Second Largest documented DNS reflection campaign against MIT
All three identified signatures are related to the use of DNS reflection and amplification. The largest
response size of domains used in the attack are larger than 4,000 bytes. This causes fragmented UDP
responses due to surpassing the MTU size limit. In addition, the open resolvers at some point responded

4
on random source ports creating what appeared to be a UDP flood. This flood contained parts of the
DNS responses as well.
3.0 / SAMPLE SIGNATURES FROM ALL ATTACK CAMPAIGNS / In Figure 4 we have included attack
signatures from other DDoS attack campaigns launched against MIT. Some of these are attributed to
specific attack tools or malware as noted within the associated heading. All of the reflection attacks
included typically have known attack scripts named after the protocol being abused for reflection.
Akamai SIRT has identified several based on active reflected DDoS campaigns mitigated throughout the
years.
tcp anomaly (no flag flood)
06:16:47.376148 IP x.x.x.x.14009 > x.x.x.x.63774: Flags [], win 16384, length 0
06:16:47.376167 IP x.x.x.x.42368 > x.x.x.x.14547: Flags [], win 16384, length 0
udp flood
udp flood - Valve Source Engine server attack
.e..E(.5......7F.,1...4Z*..P.!......TSource Engine Query.
.e..E(.5/.............4Z...P.!......TSource Engine Query.
udp flood - Kaiten IRC bot
....E..NkI@.=...mW....4d.I.P.:..std.PRIVMSG %s :[STD]Done hitting %s!
..PRIVMSG %s
....E..N..@.:.&.[..k..4d...P.:.gstd.PRIVMSG %s :[STD]Done hitting %s!
..PRIVMSG %s
reserved protocol flood
09:05:17.104369 IP x.x.x.x > x.x.x.x: ip-proto-255 40
09:05:17.104391 IP x.x.x.x > x.x.x.x: ip-proto-255 40
icmp flood
05:56:30.132249 IP x.x.x.x > x.x.x.x: ICMP echo request, id 0, seq 0, length 1052
ack flood
21:26:26.747124 IP x.x.x.x.1313 > x.x.x.x.64: . ack 1599122023 win 65535
21:26:26.747126 IP x.x.x.x.1299 > x.x.x.x.54: . ack 2431016982 win 65535
syn flood
19:41:27.945435 IP x.x.x.x.30739 > x.x.x.x.80: Flags [S], seq 3212705792, win 0, length 0

5
syn flood - dominate attack script
22:46:18.939811 IP x.x.x.x.50991 > x.x.x.x.80: Flags [SEW], seq 2223243264, win 65535, length 0
22:46:18.939817 IP x.x.x.x.5076 > x.x.x.x.80: Flags [SEW], seq 3714842624, win 65535, length 0
Reflection based attacks (not including DNS)
ntp flood
03:10:07.762377 IP x.x.x.x.123 > x.x.x.x.59007: NTPv2, Reserved, length 440
03:10:07.762520 IP x.x.x.x.123 > x.x.x.x.3955: NTPv2, Reserved, length 440
ssdp flood
snmp flood
00:37:05.109903 IP x.x.x.x.161 > x.x.x.x.80: [len1468 x.x.x.x.80: [len1468.U.....P ...0. ......public..
...S.........0. .0-..+........!EdgeOS v1.7.0.4783374.150622.15340...+........
..+.......C..0........C.SD.h0...+........."snmp@domain.com"0...+.........router-sflanxxxx...+........
chargen flood
16:11:12.127001 IP x.x.x.x > x.x.x.x: udp
....E....9..v.P@..L...4_STUVWX
pqrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXY
qrstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ
rstuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[
stuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[
tuvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]
uvwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^
vwxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_
wxyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`
xyz{|} !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`a
netbios flood
15:41:44.528687 IP x.x.x.x.137 > x.x.x.x.80: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE;
UNICAST
15:41:44.528706 IP x.x.x.x.137 > x.x.x.x.80: NBT UDP PACKET(137): QUERY; POSITIVE; RESPONSE;
UNICAST
Figure 4: Attack signature samples for campaigns launched against MIT
Between the time frame of August 2013 - April 2016 , MIT has received a total of 74 DDoS campaigns
with a combination of 121 attack vectors. In Figure 5 we see the breakdown of all the vectors
leveraged.

6
Figure 5: Attack vector percentage breakdown
A good portion of these attacks used reflection based attack vectors. These reflectors are not necessarily
owned or acquired by the malicious actors rather they are abused for use in these attacks. For attacks
against MIT, the reflector population was mostly concentrated in China. In Figure 6 the distribution
shown is based on 18,825 unique sources of reflectors observed during MIT attacks and their country of
origin. China alone had the highest number of reflectors per a single country in relation to all other
countries where reflectors were sourcing from.
Figure 6: Distribution of reflectors which totaled 18,825 unique sources

7
4.0 / ATTACK CAMPAIGNS IN 2015 / In 2015, 30 DDoS campaigns were detected and mitigated over our
distributed scrubbing centers. One of the largest DDoS attack campaigns occurred on May 5th 2015
consisting of an Xor botnet SYN Flood.
● Event Time Start: May 5, 2015 00:00:00 UTC
● Event Time End: May 6, 2015 01:16:48 UTC
● Peak bandwidth: 41.5 Gigabits per second
● Attack Vector: SYN Flood
● Source port: Random
● Destination port: 80
This vector is confirmed to be produced by the Xor DDoS malware. This was the last of a series of 4
attacks from this botnet. A later attack followed in December. In particular the malware is of Chinese
origin. Attacks matching this payload have mostly targeted organizations in Asia. The few cases of
attacks out of Asia indicate the botnet was under control by malicious actors operating out of China.
This botnet was believed to have been taken down following reports of arrests made in China regarding
the use of the botnet in attacks.
Although attacks did stop shortly after those reports, some attacks using this malware are starting to
occur again this year, although at a much lower bandwidth peaks. Figure 7 provides bandwidth and
timeline of xor specific attacks. The botnet attacks consisted of SYN flood traffic.
Fig 7 - xor attack timeline with peak Gbps and Mpps
5.0 / ATTACK TOOLS - XOR DDOS AND OTHERS / Akamai SIRT was able to obtain and analyze a
sample of the Xor DDoS malware sample used in the SYN flood attack campaign against MIT. A full
copy of the Xor DDoS threat advisory can be found here.

8
The following represents a packet sample as seen in the wireshark protocol analysis tool.
The characteristics observed matched exactly with the Xor payload attacks.
Figure 8: Xor packet sample with 3 flags set.
XOR SYN Flood
07:43:00.790843 IP x.x.x.x.29868 > x.x.x.x.80: Flags [S], seq 1957463376:1957464272, win 65535, length 896
07:43:00.847579 IP x.x.x.x.36150 > x.x.x.x.80: Flags [SE], seq 2369138793:2369139689, win 65535, length 896
07:43:00.847581 IP x.x.x.x.18694 > x.x.x.x.80: Flags [SE], seq 1225191529:1225192425, win 65535, length 896
07:43:00.847581 IP x.x.x.x.45937 > x.x.x.x.80: Flags [SW], seq 3010528554:3010529450, win 65535, length 896
07:43:00.847582 IP x.x.x.x.20853 > x.x.x.x.80: Flags [SEW], seq 1366671372:1366672268, win 65535, length 896
07:43:00.847582 IP x.x.x.x.7638 > x.x.x.x.80: Flags [SEW], seq 500597574:500598470, win 65535, length 896
Fig 9 - Attack payload traffic samples - Xor SYN flood
The intention of the malware creator was to create a padded SYN flood. In some cases various other
flags are applied to the TCP header. The extra flags that occur are due to errors in the construction of
the TCP header. The TCP header options are always static but are sometimes placed in the wrong
locations due to header size calculation errors.
Aside from the Xor malware, most of the attack scripts available are written in the C programming
language. The various SYN flood attack scripts seem to be based on or share the same code. These are
the types of attacks typically available on booter/stresser sites. Common SYN flood scripts include ESYN,
XSYN, and DOMINATE. One obvious example of shared or reused code is observed in a comment within
the DOMINATE script. Figure 10 contains the comment found in one of the scripts indicating how similar
these are.

9
/* "DOMINATE" Attack Script, this script was so difficult to make, it required taking the very public ESSYN
attack script, and replacing "tcph->res2 = 1;" to "tcph->res2 = 3;" in the "setup_tcp_header" function.
Anybody who purchased this script for $300 BTC, yup, it's literally changing a 1 to a 3.
Leaked / Made by Andy Quez, A real mexian hero.
*/
Figure 10: DOMINATE attack script comment indicating code re-use.
In addition all scripts randomly generate spoofed source addresses and in most cases randomize source
ports.
For UDP based reflection attacks. The various attack script code also borrows from other reflection
attack scripts. For example, in the next figure the most common change is the request payload and
destination port.
SSDP attack script query:
udph->dest = htons(1900);
udph->check = 0;
strcpy((void *)udph + sizeof(struct udphdr), "M-SEARCH *
HTTP/1.1rnHost:239.255.255.250:1900rnST:ssdp:allrnMan:"ssdp:discover"rnMX:3rnrn");
Netbios attack script query:
udph->dest = htons(137);
udph->check = 0;
memcpy((void *)udph + sizeof(struct udphdr),
"xe5xd8x00x00x00x01x00x00x00x00x00x00x20x43x4bx41x41x41x41x41x41x41x41x41x4
1x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x41x00x00x21x00x
01", 50);
Figure 11: SSDP and Netbios reflection script payload sections.
6.0 / CONCLUSION / While analyzing attacks, it is usually very difficult to obtain attribution. In the case
of Xor it's possible that this botnet was under the control of a group in China as per the arrests in this
report. No attacks from Xor were observed during a period of time following this news. Other attack
methods, mostly available in booter sites, add a larger pool of potential actors. As more data is collected
from attacks, it may be possible to narrow it down further by booter site. Akamai SIRT will provide
updates as available.
Customers who believe they are at risk and need additional direction can contact Akamai directly
through CCare at 1- 877-4-AKATEC (US And Canada) or 617-444-4699 (International), they're
Engagement Manager, or their account team.
To access other white papers, threat advisories and security research publications, please visit our
Security Research and Intelligence section on Akamai Community.

10
About Akamai Security Intelligence Response Team (SIRT) Focuses on mitigating malicious global cyber threats and vulnerabilities, the Akamai Security Intelligence
Response Team (SIRT) conducts and shares digital forensics and post-event analysis with the security community to proactively protect against threats and attacks.
As part of its mission, the Akamai SIRT maintains close contact with peer organizations around the world and trains Akamai’s Professional Services and Customer
Care tram to both recognize and counter attacks from a wide range of adversies. The research performed by the Akamai SIRTis intended to help ensure Akamai’s
cloud security products are best of breed and can protect against any of the latest threats impacting the industry.
About Akamai
As the global leader in Content Delivery Network (CDN) services, Akamai makes the Internet fast, reliable and secure for its customers. The company's advanced
web performance, mobile performance, cloud security and media delivery solutions are revolutionizing how businesses optimize consumer, enterprise and
entertainment experiences for any device, anywhere. To learn how Akamai solutions and its team of Internet experts are helping businesses move faster forward,
please visit www.akamai.com or blogs.akamai.com, and follow @Akamai on Twitter.
Akamai is headquarted in Cambridge, Massachusetts in the United Stats with operations in more than 40 offices around the world. Our services and renowened
customer care enable businesses to provide an unparalleled Internet experience for their customers worldwide. Addresses, phone numbers and contact information
for all locations are listed on www.akamai.com/locations
©2016 Akamai Technologies, Inc. All Rights Reserved. Reproduction in whole or in part in any form or medium without express written permission is prohibited.
Akamai and the Akamai wave logo are registered trademarks. Other trademarks contained herein are the property of their respective owners. Akamai believes that
the information in this publication is accurate of it’s publication date; such information is subject to change without notice. Published 07/16

Time line-of-ddos-campaigns-against-mit-threat-advisory

Recommended

Recommended

More Related Content

What's hot

What's hot (17)

Similar to Time line-of-ddos-campaigns-against-mit-threat-advisory

Similar to Time line-of-ddos-campaigns-against-mit-threat-advisory (20)

More from Andrey Apuhtin

More from Andrey Apuhtin (20)

Recently uploaded

Recently uploaded (20)

Time line-of-ddos-campaigns-against-mit-threat-advisory