DDoS Activity in the Context of Hong Kong’s Pro-democracy Movement

By: Kirk Soluk -

In early August, we examined data demonstrating a striking correlation between real-world and online conflict [1], which ASERT tracks on a continual basis [2-7]. Recent political unrest provides another situation in which strong correlative indicators emerge when conducting time-series analysis of DDoS attack data.

The latest round of pro-democracy protests in Hong Kong began on September 22nd when “. . . Students from 25 schools and universities go ahead with a week-long boycott to protest Beijing’s decision to proceed with indirect elections for Hong Kong’s Chief Executive position.” [8]. The protests ramped up on September 28th when a larger pro-democracy group, Occupy Central with Love and Peace, combined forces with the student demonstrators [8-9]. On October 1st, protesters vowed to increase the level of civil disobedience if Hong Kong’s Chief Executive, Leung Chun-Ying, did not step down [10]. Since that time, tensions have increased, with police crackdowns, tear gas, barricades, skirmishes, shutdowns of government buildings and infrastructure, and heavy use of social media to promote both pro- and anti-protest sentiment. By examining Arbor ATLAS Internet-wide attack visibility data we have identified DDoS attack activity in the APAC region which correlates strongly with the ebb and flow of protest activity in Hong Kong.

Arbor’s ATLAS Initiative

The DDoS information provided in the remainder of this report is derived from Arbor’s ATLAS Initiative. Arbor ATLAS receives anonymized Internet traffic and DDoS event data from over 290 ISPs worldwide which have deployed Arbor’s DDoS Mitigation solutions. While many observed events are symptomatic of attacks during this period, it is important to note that we cannot definitively identify the motivations behind any given event.

Hong Kong as a Target of DDoS Attacks (September-October)

Number of Observed DDoS Attacks

The following graph illustrates that the number of observed DDoS attacks targeting Hong Kong-related online properties more than doubled between September and October, from 1,688 discrete attacks in September to 3,565 attacks in October:

Figure 1: Total Number of Attacks Targeting Hong Kong (September and October, 2014)

Although the sheer number of DDoS attacks increased significantly from September to October, there was not a significant difference with respect to other attack attributes such as size or duration. For example, the following charts break out the percentage of DDoS attacks within a given size range for both September and October, along with the raw number of DDoS attacks in that size range:

Figure 2: Percentage of Attacks within a given Size Range

Overall, the percentage of DDoS attacks within a given size range remained fairly consistent from September to October, with the biggest difference being a relative 4% decrease in the number of DDoS attacks within the 2 Gbps to 5 Gbps range.

In summary, the analysis of the number and size of Hong Kong-related DDoS attacks depicted by Figures 1 and 2 above can be summed up as “October saw more of the same – a lot more!”

Size of Attacks and Related News Events

Figure 3 illustrates the largest DDoS attacks per day, in terms of bandwidth, targeting Hong Kong-related online properties during the month of October:

Figure 3: Peak Attack Sizes per Day (Gbps)

Three large DDoS attacks on October 14th (45.4 Gbps), 17th (38.3 Gbps), and 19th (45.6 Gbps) stand out. The total number of observed DDoS attacks targeting Hong Kong-related online properties (289, 419, and 427 respectively) also peaked on these days. Since the vast majority of DDoS events reported via ATLAS are anonymized, it cannot be definitively determined how these specific DDoS attacks were related to the ongoing protests. However, it appears that these attacks coincide with reports on Twitter and by the Wall Street Journal of anti-protest crowds attempting to physically prevent pro-democracy newspaper publisher Apple Daily from distributing its newspapers. Specifically, the Journal noted that Apple Daily “simultaneously faced a cyberattack that brought down its email system for hours” [11]. On October 14th, Computerworld Hong Kong quoted an employee from Next Media (Apple Daily’s parent company), as follows: “The network was a total failure, affecting not just Apple Daily, but all the publications under Next Media” [12].

What’s Next?

Based on in-region DDoS attack statistics for the first week of November, continued DDoS attacks on Hong Kong-related Internet properties appear to be taking place. The following graph illustrates peak DDoS attack sizes in the 30 Gbps-plus range on four consecutive days (November 3rd – 6th):

Figure 4: Peak Attack Sizes per Day (Gbps) in the first week of November

Conclusion

While establishing definitive causal relationships and attribution is challenging, it is apparent that DDoS attacks have become the ‘new normal’ during periods of political unrest worldwide. In this case, we observed a 111% increase in the number of DDoS attacks targeting Hong Kong-related Internet properties when analyzing the months immediately before and after protester demands, on October 1st, for Hong Kong’s Chief Executive to step down. Additionally, large-scale DDoS attacks were observed targeting Hong Kong-related Internet properties that coincide with reports of debilitating disruptions of online media outlets sympathetic to the protest movement.

References

[1] http://www.arbornetworks.com/asert/2014/08/ddos-and-geopolitics-attack-analysis-in-the-context-of-the-israeli-hamas-conflict/

[2] http://www.arbornetworks.com/asert/2007/12/political-ddos-ukraine-kasparov/

[3] http://www.arbornetworks.com/asert/2013/05/estonia-six-years-later/

[4] ASERT Threat Intelligence Brief 2013-5: Observed Syrian Cyber Adversary Capabilities and Indicators. Available to Arbor customers upon request.

[5] ASERT Threat Intelligence Brief 2013-7: The Impact of Protest Activity on Internet Service in Thailand. Available to Arbor customers upon request.

[6] ASERT Threat Intelligence Brief 2013-4: Potential Targeted Attacks Against Various International Interests. TLP Amber. Available to Arbor customers upon request.

[7] ASERT Threat Intelligence Brief 2014-04: Counter Terrorism Expo and Bulgarian State Agency for National Security Cyber-Threat Alert. TLP Amber. Available to Arbor customers upon request.

[8] http://www.theepochtimes.com/n3/1015132-hong-kong-occupy-central-time-line-of-key-umbrella-movement-events/

[9] http://www.scmp.com/topics/occupy-central

[10] http://www.reuters.com/article/2014/10/01/hongkong-china-idUSL6N0RV5F920141001

[11] http://online.wsj.com/articles/hong-kongs-press-under-siege-1413330960

[12] http://cw.com.hk/news/next-media-under-cyberattack-and-operations-disruption

DDoS and Geopolitics – Attack analysis in the context of the Israeli-Hamas conflict

By: Kirk Soluk -

Since its inception, the ASERT team has been looking into politically motivated DDoS events [1] and continues to do so as the relationship between geopolitics and the threat landscape evolves [2]. In 2013, ASERT published three situational threat briefs related to unrest in Syria [3] and Thailand [4] and threat activity associated with the G20 summit [5]. Recently, other security research teams, security vendors and news agencies have posited connections between “cyber” and geopolitical conflicts in Iraq [6], Iran [7], and Ukraine [8] [9].

Given the increasing connections being made between security incidents and geopolitical events, I checked Arbor’s ATLAS data to look at DDoS activity in the context of the current conflict between Israel and Hamas. Arbor’s ATLAS initiative receives anonymized traffic and DDoS attack data from over 290 ISPs that have deployed Arbor’s Peakflow SP product around the globe. Currently monitoring a peak of about 90 Tbps of IPv4 traffic, ATLAS sees a significant portion of Internet traffic, and we can use that to look at reported DDoS attacks sourced from or targeted at various countries.

Israel as a Target of DDoS Attacks

Frequency

Figure 1 depicts the number of reported DDoS attacks initiated against Israel per day over the period June 1st through August 3rd, 2014:

Figure 1: Number of attacks launched per day where destination country = Israel

We observe that the number of attacks begins to rise in the first week of July, going from an average of 30 attacks initiated per day in June to an average of 150 attacks initiated per day in July, peaking at 429 attacks on July 21st. Event-wise, June 30th is when Israel attributed the deaths of three Israeli teenagers to Hamas [10]; then, on July 7th, it launched Operation Protective Edge, which “its military indicated could be a long-term offensive against the Hamas-ruled Gaza Strip” [11]. The conflict and the number of DDoS attacks initiated per day both intensify until we notice a precipitous drop occurring on July 28th and lasting through August 2nd. This drop in the number of attacks roughly correlates with the ultimately unsuccessful cease-fire talks that began on July 27th:

On July 27th, Reuters reported [13] that the U.N. Security Council agreed on a statement, drafted by Jordan, urging Israel, Palestinians and Islamist Hamas militants to implement a humanitarian truce beyond the Muslim holiday of Eid al-Fitr and that “Gaza Strip residents and Reuters witnesses said Israeli shelling and Hamas missile launches slowly subsided on Sunday, suggesting a de facto truce might be taking shape.”

On July 29th, according to the Jewish Daily Forward [14], “the Palestinian Authority announced that it had brokered a 24-hour humanitarian cease-fire with all Palestinian factions with the possibility of extending it an additional 48 hours.”

On July 31st, diplomats from the United States and United Nations announced that Israel and Hamas agreed to a 72-hour unconditional cease-fire [15].

On August 1st, the 72-hour unconditional cease-fire lasted, depending on various reports, anywhere from 90 minutes to four hours [16].

On August 3rd, we notice that the number of attacks rises again sharply. From July 28th through August 2nd, there were a total of 192 attacks. On August 3rd there were 268.

Size

In addition to the number of DDoS attacks initiated per day, we also notice an increase in the peak size of those attacks. Figure 2 illustrates that in June, no attack exceeded 12 Gbps. In July, seven attacks exceeded 12 Gbps, the largest peaking at 22.56 Gbps on July 12th. On August 3rd, after the cease-fire talks fell apart, the largest attack was observed at 29 Gbps:

Figure 2: Peak attack sizes (Gbps) for attacks launched on a given day

Duration

Not only have the number and size of attacks increased in accordance with the intensity of the conflict, so has the duration. In June, the average duration of attacks was 20 minutes with a peak duration of 24 hours. In July, the average duration was 1 hour and 39 minutes with the July 19th attack still being reported as unmitigated after approximately two weeks:

Figure 3: Peak Duration (in minutes) for attacks launched on a given day

In summary, as the intensity of the Israeli-Hamas conflict has increased, so has the number, size and duration of the DDoS attacks targeting Israel. Additionally, it even appears as if the attackers have made an effort to adhere to the “real world” calls for a cease-fire, resuming their attacks when the cease fire fell through.
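The per-day counts, peak sizes, size-range percentages and durations plotted in Figures 1-3 of this post, and in Figures 1-3 of the Hong Kong post above, all come from the same kind of aggregation over a list of anonymized DDoS event records. The following is an added Python example of that aggregation; it is not ATLAS or Arbor code, and the event records, the size-bucket edges and the function names are constructed for illustration (the three October peak sizes reuse the values quoted in the Hong Kong post).

```python
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample of anonymized DDoS event records (not real ATLAS data).
# Each row: start time, peak bandwidth in Gbps, duration in minutes.
SAMPLE_EVENTS = [
    ("2014-09-10 03:12", 0.8, 15),
    ("2014-09-10 11:40", 2.5, 40),
    ("2014-09-21 08:05", 6.0, 120),
    ("2014-10-14 02:00", 45.4, 90),
    ("2014-10-14 05:30", 1.2, 10),
    ("2014-10-14 20:15", 3.1, 25),
    ("2014-10-17 09:00", 38.3, 200),
    ("2014-10-19 13:45", 45.6, 60),
    ("2014-10-19 22:10", 0.5, 5),
]

# Size ranges (Gbps) for the Figure 2 style breakdown; edges are an assumption.
SIZE_BUCKETS_GBPS = [(0, 1), (1, 2), (2, 5), (5, 10), (10, float("inf"))]


def parse_events(rows):
    """Turn the raw rows into dicts with a real datetime for the start."""
    return [{"start": datetime.strptime(s, "%Y-%m-%d %H:%M"),
             "peak_gbps": g, "duration_min": d} for s, g, d in rows]


def attacks_per_day(events):
    """Number of discrete attacks per calendar day (Figure 1 style)."""
    return Counter(e["start"].date().isoformat() for e in events)


def peak_per_day(events, key="peak_gbps"):
    """Largest value of `key` per day: peak size (Gbps) or peak duration (minutes)."""
    peaks = defaultdict(float)
    for e in events:
        day = e["start"].date().isoformat()
        peaks[day] = max(peaks[day], e[key])
    return dict(peaks)


def size_distribution(events):
    """Per size range: (raw count, percentage of all attacks), as in Figure 2."""
    counts = Counter()
    for e in events:
        for lo, hi in SIZE_BUCKETS_GBPS:
            if lo <= e["peak_gbps"] < hi:
                counts[(lo, hi)] += 1
                break
    total = len(events)
    return {b: (counts[b], round(100.0 * counts[b] / total, 1) if total else 0.0)
            for b in SIZE_BUCKETS_GBPS}


def monthly_counts(events):
    """Attacks per calendar month, the input to the month-over-month comparison."""
    return Counter(e["start"].strftime("%Y-%m") for e in events)


def percent_change(before, after):
    """Relative change between two monthly counts (1688 -> 3565 gives 111.2)."""
    return round(100.0 * (after - before) / before, 1)


if __name__ == "__main__":
    events = parse_events(SAMPLE_EVENTS)
    print("attacks per day:", dict(attacks_per_day(events)))
    print("peak Gbps per day:", peak_per_day(events))
    print("peak minutes per day:", peak_per_day(events, "duration_min"))
    print("size distribution:", size_distribution(events))
    months = monthly_counts(events)
    print("month over month:", percent_change(months["2014-09"], months["2014-10"]), "%")
```

The same functions applied to a June-July split reproduce the Israel comparison in this post; the only thing that changes is the filter on destination country applied before the rows are built.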

Attack Methodologies and Targets

We can also provide some additional detail and insight into the nature of the attacks described above that may be helpful for practitioners. No attempt is made to relate these details to any geopolitical events.

The largest share (47%) of the 5346 attacks summarized above involved the use of IP fragments, suggesting the use of reflection/amplification techniques. In a reflection/amplification attack, improperly configured hosts on improperly configured networks are used to magnify attack traffic. The technique allows the attacker to disguise their presence and generate significant amounts of attack traffic by issuing small queries, with the victim’s address as the spoofed source, to any number of these intermediate hosts, each of which returns a larger (amplified) response to the victim.

DNS and NTP were the most common protocols used to perform the reflection/amplification attacks targeting Israel over this time period. For a thorough treatment of NTP-based reflection amplification attacks, including mitigation strategies, readers are referred to ASERT Threat Intelligence Brief 2014-5: Comprehensive Insight and Mitigation Strategies for NTP Reflection/Amplification Attacks, which is available upon request.
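A defender watching flow records can recognize the reflection/amplification pattern described above without ever seeing the spoofed queries: the victim receives large volumes of UDP traffic sourced from the well-known ports of DNS (53) and NTP (123) on many unrelated hosts, much of it IP-fragmented. The following Python is an added example of that check, not ATLAS or Arbor code; the flow records, the thresholds and the function names are constructed assumptions.

```python
from collections import defaultdict

# UDP source ports of the two services named in the post as the most common reflectors.
REFLECTOR_PORTS = {53: "DNS", 123: "NTP"}

# Constructed flow records (not real ATLAS data), one per flow:
# (src_ip, src_port, dst_ip, dst_port, proto, bytes, packets, fragmented)
SAMPLE_FLOWS = [
    ("198.51.100.10", 53, "203.0.113.5", 40001, "udp", 1200000, 900, True),
    ("198.51.100.11", 53, "203.0.113.5", 40002, "udp", 1100000, 850, True),
    ("198.51.100.12", 123, "203.0.113.5", 40003, "udp", 1500000, 3000, False),
    ("198.51.100.13", 123, "203.0.113.5", 40004, "udp", 1400000, 2900, True),
    ("198.51.100.14", 53, "203.0.113.5", 40005, "udp", 1250000, 950, True),
    ("192.0.2.7", 443, "203.0.113.5", 51000, "tcp", 60000, 80, False),
    ("192.0.2.8", 53, "203.0.113.9", 33000, "udp", 2000, 4, False),  # ordinary DNS reply
    ("192.0.2.9", 443, "203.0.113.9", 52000, "tcp", 500000, 400, False),
]


def summarize_by_destination(flows):
    """Per destination: total bytes, bytes from reflector ports, fragmented bytes,
    and the set of distinct sources that answered from a reflector port."""
    summary = defaultdict(lambda: {"bytes": 0, "reflector_bytes": 0,
                                   "fragment_bytes": 0, "reflectors": set()})
    for src, sport, dst, dport, proto, nbytes, pkts, frag in flows:
        s = summary[dst]
        s["bytes"] += nbytes
        if proto == "udp" and sport in REFLECTOR_PORTS:
            s["reflector_bytes"] += nbytes
            s["reflectors"].add(src)
        if frag:
            s["fragment_bytes"] += nbytes
    return summary


def flag_reflection_victims(flows, min_reflectors=3, min_reflector_share=0.5,
                            min_bytes=1000000):
    """Destinations whose inbound volume is dominated by responses from many
    distinct reflector-port sources. Thresholds are assumptions, not ATLAS values."""
    victims = {}
    for dst, s in summarize_by_destination(flows).items():
        if s["bytes"] < min_bytes:
            continue  # too little traffic to call an attack
        share = s["reflector_bytes"] / s["bytes"]
        if len(s["reflectors"]) >= min_reflectors and share >= min_reflector_share:
            victims[dst] = {
                "reflector_share": round(share, 2),
                "fragment_share": round(s["fragment_bytes"] / s["bytes"], 2),
                "reflectors": len(s["reflectors"]),
            }
    return victims


def amplification_factor(request_bytes, response_bytes):
    """How many bytes a reflector returns per byte the attacker had to send."""
    return round(response_bytes / request_bytes, 1)


if __name__ == "__main__":
    for dst, info in flag_reflection_victims(SAMPLE_FLOWS).items():
        print(dst, info)
    print("example factor:", amplification_factor(64, 4000))
```

The fragment share is reported rather than used as a hard condition because a busy DNS or NTP server can legitimately send large, fragmented replies; it is the combination of many unrelated reflectors, a dominant share of the victim's inbound bytes, and fragmentation that marks the pattern the post describes.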

Other observed attack methodologies include malformed DNS queries against web servers (not DNS servers), layer-7 HTTP and HTTP/S attacks against web-based authentication subsystems and scripts, and repeated page downloads and GETs/POSTs against non-existent URIs. This attack pattern bears a striking resemblance to the Brobot-based attacks used in the Operation Ababil campaign against the US Financial industry in 2013 [17]. On June 30th, Forbes reported that Brobot was back in an article entitled “Bank-Busting Jihadi Botnet Comes Back to Life. But Who is Controlling it this Time?” [18]. We don’t know who is controlling it, but Brobot is being used to attack Israeli civilian governmental agencies, military agencies, financial services and Israel’s cc TLD DNS infrastructure.
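The layer-7 behaviours listed above (repeated hits on an authentication script, GETs and POSTs for URIs that do not exist) leave a characteristic shape in an ordinary web server access log. The following is an added Python example of picking that shape out of Apache combined-format lines; it is not Arbor code or a Brobot signature, and the log lines, thresholds and names are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format access log lines (not from the attacks described
# in the post). 203.0.113.7 hammers the login script, 198.51.100.4 requests URIs that
# do not exist, and 192.0.2.33 browses normally.
SAMPLE_ACCESS_LOG = """\
203.0.113.7 - - [10/Jul/2014:10:00:00 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:00 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:01 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2014:10:00:02 +0000] "POST /login.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:03 +0000] "GET /a1b2c3 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:03 +0000] "GET /d4e5f6 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:04 +0000] "GET /g7h8i9 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:04 +0000] "GET /j0k1l2 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Jul/2014:10:00:05 +0000] "GET /m3n4o5 HTTP/1.1" 404 210 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2014:10:00:10 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2014:10:00:35 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Jul/2014:10:00:50 +0000] "GET /contact HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

# client, ident, user, [timestamp], "METHOD URI PROTO", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_access_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append({
            "ip": m.group("ip"),
            "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
            "method": m.group("method"),
            "uri": m.group("uri"),
            "status": int(m.group("status")),
        })
    return events


def flag_layer7_flooders(events, window_seconds=10, min_requests=5,
                         max_distinct_uris=1, min_not_found_share=0.5):
    """Return {ip: [reasons]} for sources whose requests look like an HTTP flood:
    many requests in a short window that either repeat one request over and over or
    mostly land on non-existent URIs (404s). Thresholds are assumptions."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e["ip"]].append(e)
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort(key=lambda e: e["ts"])
        span = (reqs[-1]["ts"] - reqs[0]["ts"]).total_seconds()
        if len(reqs) < min_requests or span > window_seconds:
            continue  # low volume or spread out: ordinary browsing
        reasons = []
        distinct = {(e["method"], e["uri"]) for e in reqs}
        if len(distinct) <= max_distinct_uris:
            reasons.append("repeated_request")
        not_found = sum(1 for e in reqs if e["status"] == 404) / len(reqs)
        if not_found >= min_not_found_share:
            reasons.append("not_found_share")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    print(flag_layer7_flooders(parse_access_log(SAMPLE_ACCESS_LOG)))
```

In production the per-source window would be a sliding one over a live log stream, and the source key would be the real client address behind any CDN or proxy rather than the first field of the line.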

References

[1] http://www.arbornetworks.com/asert/2007/12/political-ddos-ukraine-kasparov/

[2] http://www.arbornetworks.com/asert/2013/05/estonia-six-years-later/

[3] ASERT Threat Intelligence Brief 2013-5: Observed Syrian Cyber Adversary Capabilities and Indicators. Available to Arbor customers upon request.

[4] ASERT Threat Intelligence Brief 2013-7: The Impact of Protest Activity on Internet Service in Thailand. Available to Arbor customers upon request.

[5] ASERT Threat Intelligence Brief 2013-4: Potential Targeted Attacks Against Various International Interests. TLP Amber. Available to Arbor customers upon request.

[6] http://www.renesys.com/2014/06/amid-raging-violence-iraq-orders-internet-shutdowns/

[7] http://intelcrawler.com/news-20

[8] http://www.fireeye.com/resources/pdfs/fireeye-operation-saffron-rose.pdf

[9] http://www.theregister.co.uk/2014/03/04/ukraine_cyber_conflict/

[10] http://www.fireeye.com/blog/technical/2014/05/strategic-analysis-as-russia-ukraine-conflict-continues-malware-activity-rises.html

[11] http://www.cnn.com/2014/06/30/world/meast/israel-missing-teenagers/index.html

[12] http://www.theguardian.com/world/2014/jul/08/operation-protective-edge-israel-bombs-gaza-in-retaliation-for-rockets

[13] http://www.huffingtonpost.com/2014/07/27/un-security-council-gaza-ceasefire_n_5625621.html

[14] http://forward.com/articles/203020/palestinian-authority-announces–hour-cease-fire/

[15] http://www.cbsnews.com/news/israel-and-hamas-agree-to-72-hour-humanitarian-ceasefire/

[16] http://www.nytimes.com/2014/08/02/world/middleeast/israel-gaza-conflict.html?_r=0

[17] ASERT Threat Intelligence Brief 2013-3: Ongoing Financial Industry Threats include #OpBankster, Operation Ababil, #OpUSA and #OpIsraelReborn. Available to Arbor customers upon request.

[18] http://www.forbes.com/sites/jasperhamill/2014/06/30/bank-busting-jihadi-botnet-comes-back-to-life-but-who-is-controlling-it-this-time/

Healthcare.gov ‘DoS’ Tool

By: Marc Eisenbarth -

The roll out of the Healthcare.gov site in the United States has been met with a significant amount of news coverage.  Reports have indicated that the site has been inaccessible to some people when they have attempted to visit it.  ASERT has no direct knowledge of any significant denial of service attacks directed towards the site.  However, ASERT has recently found one tool that is designed to overload the webpage.

The standalone tool is written in Delphi and performs layer seven requests to get the healthcare.gov webpage.  The tool alternates between requesting the following URLs:

https://www.healthcare.gov
https://www.healthcare.gov/contact-us

A screenshot of the tool follows:

ObamaCare_screenShot

As we see in the call-graph below, the request rate, the non-distributed attack architecture and many other limitations make this tool unlikely to succeed in affecting the availability of the healthcare.gov site. It appears this application is available for download from a few sources and has been mentioned on social media.

Obamacare_IDAScreenShot

ASERT has no information on the active use of this software.  ASERT has seen site specific denial of service tools in the past related to topics of social or political interest.  This application continues a trend ASERT is seeing with denial of service attacks being used as a means of retaliation against a policy, legal rulings or government actions.

Example MD5: eb0b51567b383ac26eaec23861ea5282

Syria taken offline

By: Darren Anstee -

ATLAS is Arbor Networks’ innovative, one-of-a-kind Internet monitoring system. ATLAS is a collaborative effort with 250+ ISPs globally who have agreed to share anonymous traffic data on an hourly basis (leveraging Arbor’s technology that sits on ISP networks), together with data from Arbor dark address monitoring probes, as well as third-party and other data feeds. In total, ATLAS is seeing 42 Tbps of peak IPv4 traffic. With this unique vantage point, Arbor is ideally positioned to deliver intelligence about malware, exploits, phishing and botnets that threaten Internet infrastructure and services. The information is aggregated, analyzed and fed back to our customers via our product deployments.

You can clearly see the traffic we are tracking for Syria drop to virtually 0 at 2000 UTC on the graph. This will be approximately 1 hour after the drop happened in the ‘real’ world, given that ATLAS participants only report hourly.

We’ve seen entire countries in the Mideast taken offline before. Here is a look back to January-February 2011 and Egypt:

Egypt Returns

Lessons learned from the U.S. financial services DDoS attacks

By: Arbor Networks -

By Dan Holden and Curt Wilson of Arbor’s Security Engineering & Response Team (ASERT)

During the months of September and October we witnessed targeted and very serious DDoS attacks against U.S. based financial institutions. They were very much premeditated, focused, advertised before the fact, and executed to the letter.

In the case of the September 2012 DDoS attack series, many compromised PHP Web applications were used as bots in the attacks. Additionally, many WordPress sites, often using the out-of-date TimThumb plugin, were being compromised around the same time. Joomla and other PHP-based applications were also compromised. Unmaintained sites running out-of-date extensions are easy targets and the attackers took full advantage of this to upload various PHP webshells which were then used to further deploy attack tools. Attackers connect to the compromised webservers hosting the tools directly or through intermediate servers/proxies/scripts and issue attack commands. In the September 2012 attacks there were several PHP based tools used, the most prominent of which was “Brobot” along with two other tools, KamiKaze and AMOS which were used a bit less often.  Brobot has also been referred to as “itsoknoproblembro”.

The attack tactics observed were a mix of application layer attacks on HTTP, HTTPS and DNS with volumetric attack traffic on a variety of TCP, UDP, ICMP and other IP protocols. The other obvious and uncommon factor at play was the launch of simultaneous attacks, at high bandwidth, against multiple companies in the same vertical.

On December 10, 2012 the group claiming responsibility for the prior attacks, the Izz ad-Din al-Qassam Cyber Fighters, announced “Phase 2 Operation Ababil”. A new wave of attacks was announced on their Pastebin page, which described their targets as follows:

“Continually, the goals under attacks of this week are including: U.S. Bancorp, JPMorgan Chase&co, Bank of America, PNC Financial Services Group, SunTrust Banks, Inc.”

On December 11, 2012, attacks on several of these victims were observed. Some attacks looked similar in construction to Brobot v1, however there is a newly crafted DNS packet attack and a few other attack changes in Brobot v2.

These attacks have shown why DDoS continues to be such a popular and effective attack vector. Yes, DDoS can take the form of very large attacks. In fact, some of this week’s attacks have been as large as 60Gbps. What makes these attacks so significant is not their size, but the fact that the attacks are quite focused, part of an ongoing campaign, and like most DDoS attacks quite public. These attacks utilize multiple targets, from network infrastructure to Web applications.

Lessons Learned

While there has been much speculation about who is behind these attacks, our focus is less on the who or why, but how we can successfully defend. There are multiple lessons to be learned from these attacks, by everyone involved – the targeted enterprises, their managed security providers, Website and Web application administrators, and the vendor community.

For enterprises, it is clear that typical perimeter defenses such as firewalls and IPS are not effective when dealing with DDoS attacks, as each technology inline to the target is actually a potential bottleneck. These devices can be an important part of a layered defense strategy but they were built for problems far different than today’s complex DDoS threat. Given the complexity of today’s threat landscape, and the nature of application layer attacks, it is increasingly clear that enterprises need better visibility and control over their networks which require a purpose built, on-premise DDoS mitigation solution. This could sound self-serving, however, visibility into a DDoS attack needs to be far better than the first report of your Website or critical business asset going down. Without real-time knowledge of the attack, defense and recovery becomes increasingly difficult.

Providers of managed security services have begun to evaluate their deployments and mitigation capacity. These attacks were unique in that they targeted multiple organizations within the same vertical, putting a strain on the capacity of providers’ cloud-based mitigation services.

What these attacks have continued to demonstrate is that DDoS will continue to be a popular and increasingly complex attack vector. DDoS is no longer simply a network issue, but is increasingly a feature or additional aspect of other threats. The motivation of modern attackers can be singular, but the threat landscape continues to become more complex and mixes various threats to increase the likelihood of success. There have certainly been cases where the MSSP was successful at mitigating against an attack but the target Website still went down due to corruption of the underlying application and data. In order to defend networks today, enterprises need to deploy DDoS security in multiple layers, from the perimeter of their network to the provider cloud, and ensure that on-premise equipment can work in harmony with provider networks for effective and robust attack mitigation.

Snapshot: Syria’s Internet drops, returns

By: Darren Anstee -

The Arbor ATLAS system leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats. Currently 246 of Arbor’s customers are actively participating in the Arbor ATLAS system, and are sharing data on an hourly basis. The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to / from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria; this is simply a snapshot taken from the vantage point of 246 network operators around the world.

As you can see, traffic dropped sharply at around 1730 in the graph below. The low level could indicate either a reduction in traffic to / from Syria or an outage of less than an hour (as the data is at one hour granularity). The actual traffic interruption is likely to have occurred at around 1630; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.

Syria goes dark

By: Darren Anstee -

UPDATE: Syria’s back online

ORIGINAL POST

The ATLAS infrastructure leverages Arbor Networks’ world-wide service provider customer base to gather data about Internet traffic patterns and threats.  Currently 246 of Arbor’s customers are actively participating in the ATLAS program, and are sharing data on an hourly basis.

The data shared includes information on the traffic crossing the boundaries of participating networks, and the kinds of DDoS attacks they are seeing. The graph below shows the cumulative ‘total’ traffic (to / from) Syria across all of these participating networks. This does not show the total traffic into and out of Syria; this is simply a snapshot taken from the vantage point of 246 network operators around the world. As you can see, traffic drops to virtually nothing earlier on today. The actual traffic interruption is likely to have occurred between 1000 and 1100 today; the graphs show the interruption an hour later than this due to the variable, hourly reporting from ATLAS participants to our servers.
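The two observations made in this post and in the earlier Syria snapshot, that a national outage shows up as aggregate traffic falling to almost nothing, and that hourly participant reporting shifts the visible drop about an hour after the real one, can be turned into a simple check over an hourly series. The following Python is an added example, not ATLAS code; the hourly values, the baseline window and the 5% threshold are constructed assumptions, while the one-hour lag is the figure given in the posts.

```python
from datetime import datetime, timedelta
from statistics import median

# Constructed hourly aggregate traffic (Gbps) to/from one country, as an ATLAS-style
# participant feed would report it; not real data.
SAMPLE_HOURLY = [
    ("2012-11-29 00:00", 1.00), ("2012-11-29 01:00", 1.10), ("2012-11-29 02:00", 0.95),
    ("2012-11-29 03:00", 1.05), ("2012-11-29 04:00", 1.00), ("2012-11-29 05:00", 1.02),
    ("2012-11-29 06:00", 0.98), ("2012-11-29 07:00", 0.02), ("2012-11-29 08:00", 0.01),
    ("2012-11-29 09:00", 0.00), ("2012-11-29 10:00", 0.00), ("2012-11-29 11:00", 0.90),
]

FMT = "%Y-%m-%d %H:%M"


def detect_outages(series, baseline_hours=6, drop_threshold=0.05, reporting_lag_hours=1):
    """Flag hours whose traffic is below drop_threshold of the median of the last
    baseline_hours healthy readings. Each outage records when it first became visible,
    the estimated real start (one reporting interval earlier) and when traffic returned."""
    healthy = []          # readings not inside an outage, used for the baseline
    outages = []
    current = None        # the outage being tracked, if any
    for ts_str, gbps in series:
        ts = datetime.strptime(ts_str, FMT)
        if len(healthy) >= baseline_hours:
            baseline = median(healthy[-baseline_hours:])
            if gbps < drop_threshold * baseline:
                if current is None:
                    current = {
                        "first_reported": ts_str,
                        "estimated_actual": (ts - timedelta(hours=reporting_lag_hours)).strftime(FMT),
                        "baseline_gbps": round(baseline, 2),
                        "restored": None,
                    }
                    outages.append(current)
                continue  # outage hours never feed the baseline
        healthy.append(gbps)
        if current is not None:
            current["restored"] = ts_str
            current = None
    return outages


if __name__ == "__main__":
    for o in detect_outages(SAMPLE_HOURLY):
        print(o)
```

Keeping outage hours out of the baseline is what lets the check notice the return of traffic: if the zeros were folded into the median, the restoration hour would look like the anomaly.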

(UPDATED: as of 5:50am ET on 12/1/12)

As a reminder, this is not the first time we have seen a complete cut off of Internet access in the Middle East. You may recall back in January 2011, something similar occurred in Egypt:

DDoS Attacks in Russia Added to Protests

By: Jose -

2011, and now 2012, appear to be years of major populist protests regarding political processes around the world. Russia is no different. News reports of protests in the streets of Moscow have been increasing, with protesters demanding election reforms and fairness. It is in this backdrop that we’re seeing DDoS attacks against some websites.

A recent BBC News story on Russian protests about upcoming elections caused me to go looking in our database for domestic DDoS attacks within Russia on sympathetic sites calling for election changes. We’ve seen this sort of thing in the past, specifically in the 2009 run-up to the elections where opponents to Putin and Medvedev were attacked, so it seems natural to expect it this time.

Inspection of our botnet tracking logs from Project Bladerunner shows multiple sites under attack recently that appear to be politically motivated. Four are news sites (three belong to journalufa). The other is a candidate’s site, and all attacks are ongoing. The botnets here are Dirt Jumper and Black Energy. Despite press that the radio station Echo Moscow is getting political pressure for its pro-change reporting, we haven’t yet seen their properties struck by attacks as we have in the past.

First seen            Last seen             Target Host
2012-02-14 22:57:53   2012-02-15 10:58:01   www.muhamediarov.ru
2012-02-14 06:58:24   2012-02-14 06:58:25   journalufa.livejournal.com
2012-02-14 06:58:22   2012-02-14 06:58:24   journalufa.wordpress.com
2012-02-10 06:58:50   2012-02-15 10:57:59   cik-ufa.ru
2011-09-29 12:28:32   2012-02-15 10:58:01   journalufa.com

As you can see from the following screenshots taken today, two of the sites are accessible, but one of them notes that it’s under attack.

CIK-UFA under attack

Journal UFA under attack

The botnets behind these attacks have been actively involved in many DDoS attacks in recent weeks, some of which are on commercial properties, and some of which are on news sites. These appear to be their most overtly political targets. In short, these do not appear to be purpose built for political attacks.

We’re keeping an eye on this situation, expecting it to continue or get worse as the elections approach on March 4.

Attack of the Shuriken: Many Hands, Many Weapons

By: cwilson -

A visual sample of Distributed Denial of Service (DDoS or DoS) attack tools & services compiled by Curt Wilson – Research Analyst, Arbor Networks ASERT

There are a variety of popular Denial of Service attack tools that have received a fair amount of attention by the security research community, but there are many other attack tools in existence that have been developed in the last few years. A visual review of some of the popular and less popular attack tools will be provided here.

We will cover both simple and complex contemporary and historical threats – showing a sample ranging from single user flooding tools, small host booters, shell booters, Remote Access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots and some commercial DDoS services. Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative.

The DDoS threat to enterprises and network providers is obviously more severe from professionally coded bots with a variety of stealthy attributes and their corresponding commercial flooding services, while the small projects coded by amateurs pose less of a threat. However, even many of the small-time “host booters” profiled here – typically designed to flood a single gaming user’s IP address and knock them out of the game – often have Remote Access Trojan functionality to perform actions such as password theft, download and execute other malware, sniff keystrokes and perform other malicious activities. In addition to the threats to confidentiality, the author has seen these simple flooding tools (such as a host booter) take down enterprise-class firewalls from either side of the firewall due to state table exhaustion. At the other end of the spectrum, the commercial DDoS services are running full-steam, with a variety of service offerings easily available. While there are numerous motives for DDoS such as revenge, extortion, competitive advantage and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor. More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot. Within this diverse landscape, we are aware of many ongoing attacks from large widely distributed DDoS botnets.

We will start with the simpler threats, move through intermediate threats to the more complex and advanced bots and botnets, and finally wrap up with some indicators of various commercial DDoS service offerings.

Fg Power DDOSER

This tool is primarily a “hostbooter” and is aimed at giving unscrupulous gamers an advantage by flooding opponents with traffic. HTTP flooding capabilities may be effective at bringing down unprotected websites as well. A Firefox password stealer is also included, which can be very deadly as people re-use passwords all the time.

Fg Power DDOSER

GB DDoSeR v3

This tool is advertised as a booter and delivers a TCP or UDP stream of characters of the attacker’s choice towards a victim IP/host and port. This simple bot is written in Visual Basic.

GB DDOSER

Silent-DDoSer

This Visual Basic tool offers attack types “UDP”, “SYN” and “HTTP”. All appear to send a basic user-specified flood string. Silent-DDoSer utilizes triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions.

Silent-DDoSer

Silent-DDoSer

Drop-Dead DDoS

This tool is one example of a Runescape booter. While I am not a gamer, the opportunity to make real-world money through the virtual economies of gaming worlds may have helped make such tools popular.

Drop-Dead DDoS

D.NET DDoSeR

This tool is again aimed at the Runescape audience, but also features SYN and HTTP flooding. The floods in this case are just randomly generated, poorly formed garbage characters. This particular screenshot only has one connected bot.

D.NET DDoSeR

Positve’s xDDoSeR

Like anything flooding port 3074, this is an Xbox booter application, designed to boot users off in order to generate an unfair advantage. This particular screenshot shows no connected bots.

Positve’s xDDoSeR

Sniff DDoSer

This one was announced on a forum and appears to be written in .NET. The default operation appears targeted towards Xbox flooding. We can also see some of the typical anti-detection mechanisms at play in the builder screen.

Positve’s xDDoSeR

SniFF DDoS

Darth DDoSeR v2

Another tool aimed at Xbox booting, at least in this screenshot. The flood in this case looks like a “SSYN” type, which is slightly different from many other host booters, which appear to use UDP by default.

Darth DDoSeR

Net-Weave

Net-Weave is one of the many bots that appeared in our malware collection in mid-2011. It is a booter/bot and backdoor written in .NET and features the typical array of malware functionality including download and execute, USB spreading capabilities, TCP connection exhaustion flood, UDP flood, and a crude port 80 flood instantiated with a .NET Socket call.

Net-Weave

Malevolent DDoSeR

The source code for a version of this leaked some time back. The server is written in C++ and the client is written in Visual Basic. It appears to offer only download and execute and UDP flooding attacks. We show a server screenshot, and a developer’s viewpoint screenshot, obtained from various forums.

Malevolent DDoSeR

Malevolent DDoSeR

HypoCrite

HypoCrite is a Visual Basic host booter apparently on version 4 and offers the ability to steal MSN passwords in addition to providing basic flooding capabilities.

HypoCrite

Host Booter v5.7

This booter features several flooding attacks including the popular Slowloris attack style. The features are listed as:

UDP (UDP flood)
Port (Blocks connections on that port)
HTTP (For websites)
Slowloris (For websites)
Bandwidth Drain (Put a direct link for a .exe or any other file)
Send Command To All / Send Stop To All (Execute or End your command)
Ports: 25 / 80 / 445 / 3074 / 27015 (Ports you can choose from, you can use your own)
Sockets: [1-250] (How many sockets you will use)
Seconds: [1-60] (How many seconds you wish your attack to be enabled for)
Minutes: [1-59] (How many minutes you wish your attack to be enabled for)
Size (KB): Packet size for UDP
Delay (MS): Time between sending a packet
Connect (MS): Reconnect sockets
Timeout (MS): Connection timeout

Host Booter

AlbaDDoS

It appears that the author of this DDoS tool is also involved in defacing websites.

AlbaDDoS

Manta d0s v1.0

The author of this tool, Puridee, has also written multiple other tools including the “Good-Bye” DoS tool.

Manta d0s

Good Bye v3.0

The Good-Bye tools appear to be simple HTTP flooding tools that have no DDoS or botnet capability.

Good Bye DoS

Good Bye v5.0

Good Bye

Black Peace Group DDoser

Little additional information was found about this particular tool.

Black Peace Group

Now we’ll look at a couple of “shell booters” that utilize hijacked web applications to perform flooding attacks. These have been well documented in the past: shell booters typically leverage a number of compromised web applications on which an attacker has installed a PHP webshell. Sometimes these webshells exist on high bandwidth networks, which can amplify the force of the attack significantly. Private webshells are worth more, and lists of webshells can be purchased. Some generic webshells are x32, greenshell, PsYChOTiiC, shell, mouss, Supershell, venom, atomic, and many others. There are other shells specifically created for DDoS, such as ddos.php. A webshell can of course be named anything, but these names are common.

PHPDoS

PHPDoS

TWBOOTER

This screenshot shows 235 shells online. An update from about a year ago says “Releasing twBooter Web Version today! Might have slowloris and http tonight, but I’ll be releasing without.” Incidentally, someone using the nick “twbooter” was seen selling flooding services via chat.

TWBooter

Gray Pigeon RAT

This is a screenshot from the Gray Pigeon Remote Access Trojan (RAT). In this screenshot, the attacker appears to have three bots online but has filtered the list to show only bots from Beijing, China. Gray Pigeon is well known for its RAT capabilities, but it also has DDoS features. There are many DDoS bots using Chinese language sets and operating from within the Chinese IP address space. Some of these have been profiled by Jeff Edwards of Arbor Networks ASERT in the past. A great deal of code sharing takes place among the Chinese DDoS bot families that we have analyzed.

Gray Pigeon RAT

DarkComet RAT aka Fynloski

DarkComet is freeware and easily available to anyone. While it features a variety of flooding types, these are an afterthought compared to its main Remote Access Trojan functions, which are significant. The binaries for this threat are often called Fynloski.

DarkComet RAT aka Fynloski

MP-DDoser v 1.3

MP-DDoser is a relatively new threat, coming to our attention in December 2011. It supports UDP, TCP connection flood, and HTTP attacks. Marketing materials and the GUI for this bot claim that it supports a slowloris style attack. Despite these claims, ASERT analysis indicates that the slowloris attack does not function.

MP-DDoser

DarkShell

Darkshell is popular among the Chinese DDoS bot families and features a variety of attack types. Included are three distinct HTTP attacks, two types of TCP flooding attacks, two UDP floods, ICMP flood, SYN flood, TCP connection exhaustion and TCP idle attack types. For extensive details on the Darkshell bot, please see the excellent analysis by ASERT’s Jeff Edwards at /asert/2011/01/darkshell-a-ddos-bot-targetting-vendors-of-industrial-food-processing-equipment/

DarkShell

Warbot

This is the warbot web based control panel. Commands are ddos.http (seen here), ddos.tcp and ddos.udp.

Warbot

Janidos

Without a license key, Janidos runs as a “weak edition”. This version offers the ability to toggle through a variety of User-Agent values during an HTTP DDoS attack. Janidos appears to be of Turkish origin.

Janidos

Aldi Bot

This is an inexpensive bot that showed up late in 2011. It was interesting to see InfinityBot downloaded and executed from one Aldi Bot node that I was analyzing. Some forums suggest that Aldi Bot is not very good quality. For more information about Aldi Bot, please see an analysis and writeup at /asert/2011/10/ddos-aldi-bot/

Aldi Bot

Aldi Bot

Infinity Bot

Infinity Bot was seen being downloaded in the wild by an Aldi Bot instance in September 2011. A demonstration video posted October 4, 2011 on YouTube shows Infinity-Bot being used to DDoS the Pentagon website and shows approximately 15,000 bots on the botnet, with the highest concentration of bots being in Germany, the Netherlands, Austria and Switzerland.

Infinity Bot

Infinity Bot

N0PE

The n0pe bot is written in .NET. Here is a screenshot of the control panel that demonstrates its attack types. N0pe appears to be Russian in origin.

N0PE

Darkness (prior to Darkness X)

This is a banner used to advertise the Russian Darkness bot. Darkness connects to a back-end called Optima. Darkness appears to be popular and used in commercial DDoS services.

Darkness

Darkness X

Darkness X is the 10th version (10a being the latest) of the Darkness bot. The following advertising graphic was used in various forums. Prices have been seen ranging from $499 to $999, depending upon what features are requested. Darkness X includes a newly developed plugin architecture.

Darkness X

Optima – DarknessX control panel

The Optima control panel for DarknessX (aka “Destination Darkness Outcast System & Optima control panel”) has been explored in other forums and looks something like this, as of October 2011.

Optima – DarknessX control panel

Dedal

Dedal has been mentioned in Russian underground forums describing commercial DDoS services. Dedal has been seen to utilize three types of attack – TCP, UDP and HTTP GET. The HTTP GET attack looks very similar to another bot, implying code-sharing or swiping.

Dedal

Russkill

Russkill is another Russian bot that has undergone some evolution and is commonly mentioned in commercial botnet service advertisements. Russkill appears to have evolved into Dirt Jumper.

Russkill

DirtJumper

Dirt Jumper continues its popularity in the underground DDoS service economy. Dirt Jumper attacks have been widespread. See /asert/2011/08/dirt-jumper-caught/ for a full write-up of this version of Dirt Jumper, and also see the excellent blog entry by DeepEnd Research for a writeup of Dirt Jumper version 3, aka “September” at http://www.deependresearch.org/2011/10/dirt-jumper-ddos-bot-new-versions-new.html

DirtJumper

Dirt Jumper v3, aka “September”

Thanks to DeepEnd research for this screenshot

DirtJumper

G-Bot aka Piranha

G-Bot has been mentioned many times in various forums in 2011 and seems to be a popular Russian bot. There are indicators that it is used in the commercial DDoS market. It appears that version 2.0 is probably the newest. Around July of 2011, G-Bot source code and customer lists were apparently sold by “westside” to “night”. Development status is currently unknown. Various versions of the web panel and other artifacts are displayed here. G-Bot is also known as DroopTroop.

G-Bot aka Piranha

G-Bot aka Piranha

G-Bot Builder

G-Bot bot list screenshot

First an older version, then a newer.

G-Bot

The second screenshot appears to be from somewhere around January of 2011 and shows the (obscured) IP addresses of infected hosts, country, and version of G-Bot installed on the host, mostly version 1.4.

G-Bot

G-Bot advertisement for version 2.0

G-Bot Advertisement

A leaked version of G-Bot v1.7 comes with a small .exe encoder and a builder.

Armageddon

The Russian Armageddon bot increased in popularity in mid to late 2011. It has been positioned as a competitor to Dirt Jumper, G-Bot, Darkness/Optima and DeDal. Recent versions of Armageddon allow greater control of attack traffic from within the web panel Command & Control, and also claim to have an “Anti-DDoS” attack style that is said to bypass various Anti-DDoS defenses. Additionally, DoS attacks against specific Apache vulnerabilities have been discussed. Armageddon has been observed performing many attacks, including politically motivated attacks in Russia, attacks towards online betting sites, attacks towards forums advertising competing DDoS bot products and more. While Armageddon is heavily involved in HTTP attacks, it has also been seen targeting other services such as Remote Desktop, FTP and SSH.

Armageddon

Commercial DDoS Services

Unique DDoS Service

Unique DDoS Service

WildDDOS

WildDDOS

Death ddos service

Death DDoS Service

FireDDoS

FireDDoS

DDoS-SeRVIS

DDoS-SeRVIS

Beer DDoS

Beer DDoS

Totoro

Totoro

500 Internal DDoS Service

500 Internal DDoS Service

OXIA DDoS Service

OXIA DDoS Service

504 Gateway DDoS Tools

DDoS4Fun

DDoS4Fun

NoName

NoName

Wotter DDoS Service

IceDDoS

IceDDoS

While we have only reviewed a portion of the threat landscape, it is plain to see that DoS/DDoS tools and services are readily available and will continue to evolve in their complexity and effectiveness.

I would like to thank the Arbor ASERT Team and Deepend Research for assistance in developing this blog post.

Middle East Internet Scorecard (February 12 – 20)

By: Craig Labovitz -

The success of the Tunisian and Egyptian protest movements inspired demonstrations throughout the Middle East last week, including large-scale, social media coordinated protests in Libya, Iran, Bahrain, Algeria, Jordan and Yemen. In several of these countries, governments responded to the calls for reform with arrests and violent suppression of public demonstrations. Increasingly, several Middle Eastern governments also may be disrupting phone and Internet communication to contain the spread of unrest.

These new Internet filtering efforts come a week after Egypt returned to the Internet following an abortive effort to block protests demanding the then president, Hosni Mubarak, resign. While other countries, including Iran and Myanmar, disrupted telecommunication following social unrest in the past, the Egyptian outage represents a new Internet milestone – the first highly connected, telecommunication dependent society to intentionally disconnect from the Internet [1,2].

This analysis uses real-time data from 110 Internet providers around the world to identify possible ongoing Internet traffic manipulation in Middle East countries with active protest movements. More details on our data collection infrastructure and methodology are available in our recent academic paper [3].

Overall, our data shows pronounced changes in Internet traffic levels in two Middle East countries last week: Bahrain and Libya. While network failures and other exogenous events may play a role in decreased traffic volumes, we observe that the changes in Bahrain and Libya are temporally coincident with the onset of recent protests. Several Bahrain telecommunication companies blamed the slowdown on “overloaded circuits” and extremely high usage [4].

We note that many countries in the region maintain some level of permanent Internet limits, including blocks on dissident web sites, social media and adult content [5]. The traffic volumes graphed on the following page represent possible traffic manipulation beyond normal filtering practices.

In the chart below, we show the “normal” traffic in and out of each country, averaged over the preceding three weeks, in green. The dotted red line in each graph shows the traffic over the last seven days. Orange shaded areas indicate periods of statistically abnormal traffic either last week or the week of February 14. Abnormal traffic volumes may reflect network failures or periods of intentional traffic manipulation. Due to the near complete block of all Internet traffic (January 27 – February 2), the Egyptian graph shows orange for most of last week as traffic levels climbed back to normal. Yemen Internet traffic also exhibited brief though unusual dips during the prior week (February 7-11) and also includes an orange period.
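The baseline-and-deviation method described above, as an added example in Python (not the post’s own code and not Arbor’s ATLAS implementation): it averages three prior weeks of hourly country traffic per hour of the week, flags hours of the current week that deviate significantly from that baseline, and collapses the flagged hours into the kind of shaded periods shown in the graphs. The traffic curves and the thresholds z, min_rel and floor are constructed assumptions.

```python
"""Flag statistically abnormal country-level traffic against a 3-week baseline."""
import math

HOURS_PER_WEEK = 24 * 7


def baseline(weeks):
    """Per hour-of-week mean and standard deviation across prior weeks (Gbps)."""
    n = len(weeks)
    means, stds = [], []
    for h in range(HOURS_PER_WEEK):
        vals = [w[h] for w in weeks]
        mu = sum(vals) / n
        means.append(mu)
        stds.append(math.sqrt(sum((v - mu) ** 2 for v in vals) / n))
    return means, stds


def abnormal_hours(weeks, current, z=3.0, min_rel=0.25, floor=0.05):
    """Indices of hours in `current` that are more than z sigmas from the
    baseline mean AND deviate by more than min_rel of the mean. `floor`
    (a fraction of the mean) stops a near-zero sigma from flagging noise."""
    means, stds = baseline(weeks)
    flagged = []
    for h, v in enumerate(current):
        if means[h] == 0:
            continue
        sigma = max(stds[h], floor * means[h])
        dev = abs(v - means[h])
        if dev > z * sigma and dev / means[h] > min_rel:
            flagged.append(h)
    return flagged


def periods(hours):
    """Collapse sorted hour indices into (first, last) runs, like shaded areas."""
    runs = []
    for h in hours:
        if runs and runs[-1][1] == h - 1:
            runs[-1][1] = h
        else:
            runs.append([h, h])
    return [tuple(r) for r in runs]


def synthetic_week(seed):
    """Constructed diurnal curve (6-14 Gbps) with small deterministic jitter."""
    return [10.0 + 4.0 * math.sin(2 * math.pi * (h % 24) / 24)
            + 0.3 * math.sin(0.7 * h + seed) for h in range(HOURS_PER_WEEK)]


PRIOR_WEEKS = [synthetic_week(s) for s in range(3)]   # the "normal" green curve
CURRENT_WEEK = synthetic_week(5)                      # the dotted red curve
for h in range(60, 80):          # constructed outage: ~90% drop for 20 hours
    CURRENT_WEEK[h] *= 0.1

if __name__ == "__main__":
    print("abnormal periods (hour-of-week):", periods(abnormal_hours(PRIOR_WEEKS, CURRENT_WEEK)))
```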

While the Internet has proven a powerful tool for rallying social and political change, governments too have recognized their regulatory and technical capability to disrupt communications. The next few weeks will likely prove a major contest between the continued evolution of the Internet as a vehicle for political change and authoritarian governments’ continued assertion of control.

A PDF version of this analysis is also available.

End Notes

[1] Craig Labovitz, “Egypt Loses the Internet”. Arbor Networks blog post. Available at /asert/2011/01/egypt-loses-the-internet. January 28, 2011.

[2] James Cowie, “Egypt Leaves the Internet”. Renesys blog post. Available at http://www.renesys.com/blog/2011/01/egypt-leaves-the-internet.shtml. January 27, 2011.

[3] Craig Labovitz, Scott Iekel-Johnson, Danny McPherson, Jon Oberheide, and Farnam Jahanian, “Internet Inter-Domain Traffic”. Proceedings of ACM SIGCOMM 2010, New Delhi. August, 2010.

[4] Christopher Rhoads, “Technology Poses Big Test for Regimes”. Wall Street Journal. February 12, 2011.

[5] OpenNet Initiative. Web site at http://opennet.net.
