Attack of the Shuriken 2015: Many Hands, Many Weapons
The expected evolution of DDoS attacks continues. Attack sizes increase over time, tools become easier to use, more threat actors are launching attacks, older attack techniques have become commoditized and new attack techniques are added to the mix on a regular basis. Attacks are cheap, easy, and extremely common. The criminal underground continues to provide services and continues to obtain funding for providing those services, which provides further incentive for additional attackers to join the game.
This 2015 version of our “Attack of the Shuriken” series profiles some attack tools and tactics that have not received much or any coverage, or have appeared or become more popular within the last year.
Recently, UDP-based reflection/amplification attacks, despite having been profiled for some time, continue to wreak havoc on systems and networks that remain unprepared for the onslaught. Easy-to-use inexpensive web-based stresser services and booter services provide anyone access to attack infrastructure, and they continue to proliferate, with new services appearing frequently.
These stresser services often pack quite a punch, even if the full impact of attacks is often overstated in underground forums for the sake of financial interests. Truth is a rare commodity on such forums; however, there is still enough of a toxic seed of truth present to bring many networks to their knees if they are not prepared. Miscreants are actively looking for methods to bypass site defenses, with specific techniques being discussed even on “script kiddie” forums. Although “script kiddies” have minimal skill, they can still cause substantial damage in terms of site outages and collateral impact on unrelated properties that share infrastructure. In some cases, even the most unskilled attackers complete their DDoS mission when target sites are null-routed by network and hosting providers in order to protect other customers. This is an unfortunate situation that occurs far too often.
In addition to the material that will be discussed here that profiles both the front-end and back-end resources involved in the underground market of Server Stress Testing (SST), readers should be well aware that older commodity Windows-based DDoS botnets are still highly active, with attacks taking place very frequently and services being sold in the underground. Sites protected with Arbor equipment deployed and used by skilled operators are going to be impervious to all of the attacks profiled here.
The VDos service appears to be or has been operated by “P1st.” (aka “P1st0”) and “Apple J4ck”, with “Red Sox” and “jeremyfgt” apparently joining the team at a later date. As an admin running the service, P1st has performed 1570 boots as of June 23, 2015. While there is an alleged VIP service available that claims to offer higher volume traffic floods for a higher price, the general service has apparently been online for several years and claims to currently only offer layer 4 flooding techniques, although layer 7 techniques have been available at various points. Various graphs and other content supposedly relating to the power of this service are included in a long-running thread on a popular underground forum. Apparently, the source code to this stresser has leaked to the underground on at least two occasions, meaning that the code is likely used by a variety of other services both public and private. On one of those occasions, the source code was downloaded approximately 460 times, based on response to the forum thread where the source was shared.
While this information cannot always be confirmed, graphs show attacks as high as 216 Gbps as of October 1, 2014. At that time, this number was advertised as being their “total network capacity”. Over time, the service reported capabilities of anywhere between 20 Gbps and 282.9 Gbps, with a rough average being around 10-50 Gbps of traffic per attack. Most of the time, this figure was associated with SSDP attacks, although there was an instance of a graph being posted for an NTP amplification attack that showed a peak of 236.7 Gbps/66.7 Mpps (this figure has not been confirmed). The service appears to be operating with anywhere from 5-10 attack servers at any given time.
Attack types come and go, however in June 2015 someone posted a screenshot of the attack options available.
This stresser advertises 10-50 Gbps per boot using SSDP. The bandwidth available for attack is going to depend upon the number of users launching concurrent attacks, the bandwidth of the reflection servers, and how many reflection servers are involved in the attack. Such services often oversell their capability in the interests of making money.
They also advertise and take advantage of the challenges of using spoofed attack sources that complicate traceback and attribution.
An advertisement for the available attack types on an underground forum reveals the following:
One screenshot posted in September 2014 showing a dstat graph claims that seventeen bots were able to launch a 35 Gbps traffic flood which is just a bit more than 2 Gbps per attacking server on average, assuming the bot count is accurate (posted list of attack servers never showed this many; the highest count was ten distinct attack servers). Soon after a reported upgrade to the SSDP server list, another dstat graph was posted showing 40 Gbps of attack traffic, and then another post showing 90.87 Gbps of attack traffic. As always, such numbers are designed to sell the services, and may be accurate, but could also be setup under ideal conditions, exaggerated, or faked.
In this case, however, Arbor’s ATLAS DDoS telemetry shows an attack that may very well be correlated with this particular graph – a 91.69 Gbps/25.17 Mpps NTP amplification/reflection attack aimed at UDP/80 on a destination site in a broadband provider’s network. Considering the very closely matching timestamp with the peak in the dstat graph, the tendency for booter/stresser services to attack broadband gamers, and the very closely matching attack volume, it is likely that the person who generated this graph was not being deceptive; indicators suggest that this attack was real and packs a substantial punch for any unprepared network.
The attackers are bold or foolish enough to post screenshots of actual attacks in progress on underground forums. Here is an example of such an attack, posted by “P1st.” on a forum, and using the logged in name “hax” on the service, and an open browser tab accessing mail for the account office@vdos-s[.]com. ATLAS telemetry confirms several SSDP attacks hitting the destination server that correlate with this screenshot. The IP address hosted a variety of prominent major name websites.
Another example, posted in December of 2014, shows all the attacks taking place concurrently, and the wide geographic properties of the targets. The poster has obscured the usernames requesting the attacks.
Stresser services typically have many users, especially if they are public. In this case, there is (or was) a user named “Msnight1”; in this screenshot we see the site admin scolding that user for apparent account sharing, via a VPN service, of the account used for stressing. The helpful screenshot shows all of the login IP addresses and attacks associated with this user for a certain period of time. SSDP attacks make up the bulk of what is displayed, with HOME being the only other attack type, used twice. VPN services have long been used to hide miscreant activity; the underground forums are filled with ads for VPN services that claim to do no logging and operate in countries that won’t readily cooperate with law enforcement.
Another user on the underground forum posts a message referring to a protected tweet [https://twitter.com/akaInfection/status/547869152795303937?s=09 ] that claims “Apple J4ck” helped the Lizard Squad miscreant group perform a DDoS attack on XBL, which probably refers to Xbox Live. This information was not confirmed.
An amusing comment from one user known to be heavily involved in the booter/stresser community was observed in late May, 2015.
Other than the fact that Arbor does not make firewalls, it is clear that prominent actors on this forum recognize the protective capabilities of Arbor equipment.
This stresser service is growing as members of the team posted a thread that they were seeking to hire members for support roles in early June, 2015. New admins would receive a free lifetime account and perhaps receive other benefits. It is interesting to note that one of the preferred traits for the position is the ability to understand Chinese languages such as Cantonese and Mandarin. This indicates the intent to cater to the large number of people who use the Chinese language.
This stresser service is just one example of many. While most users have some metered attack capability, some admins do not and private booters may have no such restrictions in place.
Alpha Stress Tool
This is a stresser service advertised on a prominent underground forum. They claim to offer 150 Gbps total attack capacity. Often, this number is exaggerated, and since the services want to make money, they may let many users run attacks concurrently, which decreases the output and eventually results in unhappy customers who speak negatively about the service on various underground forums, leading to a loss of business. Finding the right balance seems to be the key to giving underground customers the capability to launch effective attacks against unprepared targets while allowing enough paying customers to make the service worthwhile for the operators. In this case, there appear to be at least two operators of this service.
Operators of stresser services seem to be fond of re-packaging attack scripts and giving them a flashy new name. In some cases, these are adaptations of existing attacks, or some type of meaningful modification. In other cases, it’s just a simple re-naming trick designed to drum up more business.
The person running this service claims to have updated the list of amplification servers several times during the advertising phase for this service, and also claims to have added more attack servers and a feature to scan for fresh SSDP servers that can then be used in attacks.
This stresser offers a variety of options:
- NTP reflection/amplification
- SSYN (often described as “Spoofed SYN”, but frequently just a TCP connection exhaustion attack)
- SSDP reflection/amplification
- SOURCE ENGINE
- Source engine is a 3D gaming engine originally released in 2004 that is associated with a variety of UDP ports (most notably UDP/27015, but also 27020, 27005, 51840 and perhaps others). Exploits have been written in the past to crash Source engine based games, and DDoS attacks using gaming engine UDP ports as amplification/reflection sources have been common as well. Many game servers are vulnerable; one researcher found at least 55,460 Source protocol servers in 2013 that could be leveraged in a DDoS attack with a trivial scan [http://www.slideshare.net/z0mbiehunt3r/ddos-amplification-attacks-with-game-servers].
- Team Speak 3
- This attack type is apparently designed to take down TeamSpeak 3 game servers via UDP reflection/amplification attacks. It most likely just leverages other reflection/amplification attacks aimed at TeamSpeak 3 servers and ports.
- This is likely an attack on Ventrilo servers, most likely implemented in a similar manner to the aforementioned TeamSpeak 3 attack.
- HTTP GET, POST, HEAD
- Typically an array of HTTP-based attacks using the GET, POST, and HEAD verbs.
- Most likely refers to WordPress-based XMLRPC “pingback” attacks where WordPress servers are used as reflectors.
- Typical ICMP flood.
- Insufficient information is currently available about this attack type.
- Host likely designed to drop a home connection. Typically, these are just UDP floods.
- Not listed on the screenshot, but made available (according to advertising) in mid-May 2015
- Not listed, but typically a method using Joomla servers to reflect and amplify HTTP traffic towards a target. These are often application-specific attacks best mitigated at layer 7, although if volumetric floods get high enough a mitigation can take place upstream.
- Often stands for Enhanced Spoofed SYN. This could refer to a variety of attack tactics including TCP connection exhaustion, actual spoofed SYN activity, and spoofed SYN activity with randomized sequence numbers designed to increase the processing load at the target.
- DOMINATE is a newer (since January 2015) layer four flooding technique that has been advertised as a method to attack protected services by sending traffic to the actual IP addresses of those protected servers. Analysis of this attack method in the underground suggests that it is a modified version of a spoofed SYN flooding script (ESSYN) that adds the capability to use different TCP flags. There are indications that this script does not function as advertised, and additional research reveals that a variety of SYN flooding scripts emerge because someone has modified existing source code to change subtle elements in TCP header flags. The attack code is then hyped, and in some cases sold until people realize that the modifications were minor and likely ineffective (against any target that is prepared).
- DNS reflection/amplification attack tactic (not visible in screenshot, but listed in advertising)
- DNS amplification attack
There is a fairly long history of this tool family, with indicators of the early twbooter service being available in 2010. We are aware that Twbooter3 and other versions may also be available, however this analysis focuses on twbooter2. This code leaked to the underground a few years ago, and is still receiving substantial interest, with forum comments on the leaks appearing within the last several weeks as well as active downloads as of June 2015. Numerous instances of booter/stresser code are widely available in the underground, with some source code being private and other source code having been made public, or leaked to the public. Indicators suggest that due to these circumstances, there is a lot of code sharing and overlap taking place that results in many of the same types of attacks being offered by different services.
While screenshots of the back-end aren’t quite as visually interesting as other DDoS bots, make no mistake – this code has been behind many attacks over the last several years and the attack code has been re-used in a variety of forms. These include outright copying of the source code, as well as modification of the source code to change some aspects of the attack behavior.
ASERT researchers built an instance of twbooter2 in an isolated lab environment some time back in order to profile the attack activity generated by the use of this code. Since the code has leaked, it has been widely used. We can see the ease of automation in these screenshots; a variety of attack types are triggered in the lab.
The amp code implements a chargen reflection/amplification attack. It uses a reflection file that contains a list of servers running chargen, and allows the number of threads to be specified, the packets per second to be limited, and an attack timer to be set.
“Usage: %s <target IP> <reflection file> <threads> <pps limiter, -1 for no limit> <time>”
There are a variety of similar scripts freely available that implement an attack like this.
On the leg from the attack source to the reflector/amplifier, this tool generates 43-byte UDP packets from UDP/0 towards UDP/19 (chargen). The chargen payload is a single byte, 0x01. In the capture, 18.104.22.168 is the final victim, and 22.214.171.124 is the reflector IP address.
The destinations of the first leg of the attack will then reflect/amplify the attack “back” to the spoofed target.
Chargen attacks aren’t new or flashy but they can be quite damaging if a network is unprepared. Since May 1 of 2015, Arbor’s ATLAS has logged 1559 chargen-based attacks. The largest volume chargen attack observed during this time was 9.72 Gbps/1.06 Mpps from many different sources destined to a singular destination in Canada.
Underground stresser services feature chargen as a typical attack. One typical advertisement for a stresser service shows the chargen method being selected in a demonstration photo.
As discussed elsewhere, there are a variety of ESSYN attack implementations available. Some are simple TCP connection exhaustion, some send spoofed TCP traffic, some randomize different elements of the attack to more rapidly fill up firewall state tables and to generate more rapid target downtime. In this particular case, the code launches an attack towards the IP address and port specified by the attacker and instantiates a number of threads, also provided on the command line. The source IP address and port of the attack traffic are randomized in this case. A packet capture screenshot provides an example of ESSYN traffic flow, with the IP address 126.96.36.199 as the final target and 188.8.131.52 as the reflector IP address. In addition to the flood towards the target, the victim machine may generate a substantial amount of SYN/ACK “backscatter” traffic back to the spoofed sources, thus generating more traffic load.
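The two traffic patterns described above, the reflection/amplification leg of the chargen (and NTP/SSDP/Source/DNS) attacks and the spoofed-source SYN flood with its randomized sources, both leave a distinctive signature in flow records. The following is an added example written for this post; it is not code from twbooter2, from any stresser service, or from Arbor's products. It runs over a constructed list of NetFlow-style records and flags (a) inbound reflection traffic converging on one host from a well-known amplifier source port, (b) outbound requests to amplifier ports whose source address is not the local network's own (the traffic BCP 38 ingress/egress filtering should drop at a hosting provider), and (c) SYN-only flows from many distinct sources to one destination port. The thresholds and the `Flow` record layout are assumptions for the sample, not tuned values.

```python
"""Flow-record triage for UDP reflection/amplification and spoofed SYN floods.

Added example for this post, not code from twbooter2 or from Arbor's products.
Input is a constructed list of NetFlow-style records; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services commonly abused as reflectors, with the ports named in the post.
REFLECTOR_PORTS = {19: "chargen", 53: "dns", 123: "ntp", 1900: "ssdp", 27015: "source-engine"}

SYN_ONLY = 0x02  # TCP flags field with only SYN set (cumulative flags for the flow)


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str      # "udp" or "tcp"
    packets: int
    bytes: int
    tcp_flags: int = 0


def find_reflection_targets(flows, min_sources=3, min_bytes=10_000):
    """Inbound leg: many reflectors (well-known UDP source port) converging on one host.
    Returns {(dst, service): (distinct_reflectors, total_bytes)} for suspicious targets."""
    by_target = defaultdict(lambda: [set(), 0])
    for f in flows:
        if f.proto != "udp" or f.sport not in REFLECTOR_PORTS:
            continue
        key = (f.dst, REFLECTOR_PORTS[f.sport])
        by_target[key][0].add(f.src)
        by_target[key][1] += f.bytes
    return {k: (len(v[0]), v[1]) for k, v in by_target.items()
            if len(v[0]) >= min_sources and v[1] >= min_bytes}


def find_spoofed_requests(flows, local_prefix):
    """Outbound leg, as seen by the network hosting an attack server: tiny requests
    to a reflector port whose source address is not ours. Returns the matching flows."""
    return [f for f in flows
            if f.proto == "udp" and f.dport in REFLECTOR_PORTS
            and not f.src.startswith(local_prefix)
            and f.bytes / f.packets <= 64]


def find_syn_floods(flows, min_sources=50, max_bytes_per_pkt=80):
    """Spoofed SYN flood: many distinct sources, each a short SYN-only flow, to one
    (dst, dport). Returns {(dst, dport): distinct_sources}."""
    by_target = defaultdict(set)
    for f in flows:
        if f.proto == "tcp" and f.tcp_flags == SYN_ONLY and f.bytes / f.packets <= max_bytes_per_pkt:
            by_target[(f.dst, f.dport)].add(f.src)
    return {k: len(v) for k, v in by_target.items() if len(v) >= min_sources}


def sample_flows():
    """Constructed records (documentation/private address ranges): a chargen
    reflection against 10.0.0.5, the spoofed request leg as seen from a hosting
    network 192.0.2.0/24, a SYN flood against 10.0.0.7:80, and benign traffic."""
    flows = []
    for i in range(4):   # four chargen reflectors answering towards the victim
        flows.append(Flow(f"198.51.100.{i + 1}", 19, "10.0.0.5", 80, "udp", 2000, 2000 * 1024))
    flows.append(Flow("198.51.100.50", 123, "10.0.0.9", 40000, "udp", 1, 90))  # one real NTP reply
    for i in range(3):   # 29-byte requests (IP+UDP+1 byte) with the victim's address forged as source
        flows.append(Flow("10.0.0.5", 0, f"198.51.100.{i + 1}", 19, "udp", 5000, 5000 * 29))
    flows.append(Flow("192.0.2.10", 53001, "198.51.100.200", 53, "udp", 1, 60))  # our own DNS query
    for i in range(60):  # SYN flood: 60 randomized sources, one 40-byte SYN each
        flows.append(Flow(f"203.0.113.{i + 1}", 1024 + i, "10.0.0.7", 80, "tcp", 1, 40, SYN_ONLY))
    flows.append(Flow("203.0.113.250", 51000, "10.0.0.7", 80, "tcp", 10, 1500, 0x1A))  # real handshake
    return flows


if __name__ == "__main__":
    flows = sample_flows()
    print("reflection targets:", find_reflection_targets(flows))
    print("spoofed requests leaving 192.0.2.0/24:", len(find_spoofed_requests(flows, "192.0.2.")))
    print("SYN floods:", find_syn_floods(flows))
```

The amplification factor in the sample is visible directly from the two legs: 29-byte requests against 1,024-byte replies. Reflection on the victim side is best handled upstream once it is volumetric; the `find_spoofed_requests` check is the one a hosting provider can act on, since a source address outside its own allocation leaving its network is exactly what BCP 38 filtering exists to stop.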
GHP provides flooding using HTTP GET, HEAD or POST requests (specified on the command line), with the same proxy capabilities as the slow and RUDY attack code described later. A packet capture of a SOCKS4 GET attack is included herein for reference purposes.
The GHP attack types generated between 31.64 Kbps / 219.77 pps and 196 Kbps / 319 pps of attack traffic, depending upon which options were used.
The lag attack is the same as the UDP flood generated by the amp code, except that it generates traffic at a lower rate. The lower rate is achieved by sleeping for 5 seconds for every 1000 send requests. Because of the delays, attack volume will be somewhat less than what is generated from the amp code.
RUDY is a slow HTTP POST attack targeting Minecraft servers (TCP/25565) or HTTP servers (TCP/80). Attack packets are sent via a list of proxy IPs to the target server. A number of proxy methods are supported (SOCKS4, SOCKS5, TUNNEL, CONNECT). If the proxy method specified is SOCKS4 or SOCKS5, a Minecraft server port is targeted; otherwise, an HTTP port is targeted. Likewise, if SOCKS4 or SOCKS5 is specified, a POST request is used directly in the attack. If the TUNNEL or CONNECT proxy method is specified, the HTTP CONNECT request method is used to create a tunnel between the attacker and victim, which is followed by a POST request.
There is also a command-line option to specify to follow 302-redirects from target HTTP servers.
Most of the headers in the POST request are hard-coded. The User-Agent value is randomly selected from a list of values (again hard-coded).
The RUDY attack is a slow, application layer attack and therefore PPS/BPS measurements are not meaningful and won’t be included herein.
A packet capture from a RUDY attack using the SOCKS4 option with a scraper feature enabled is displayed below. The scraper feature describes the capability for the attack code to crawl a website until an HTTP form is discovered. In the screenshot, 184.108.40.206 is the attacker, 220.127.116.11 is the proxy, and 18.104.22.168 is the victim IP address.
Scloud uses code similar to the other UDP based attacks herein to target a Skype user.
Scloud takes a Skype username (the victim) on the command line and sends this username to a server called speedresolve[.]com in a GET request. speedresolve[.]com resolves the Skype username to an IP address and sends the IP back to the attacker over HTTP. The received IP address is used as the spoofed source IP for 1-byte UDP requests to chargen servers, so the responses from the chargen servers are sent to the user/IP running Skype. As of June 18, 2015, speedresolve[.]com has been used 5,446,109 times, indicating that this is a popular service.
One instance of this attack code generated 35 Mbps / 150 Kpps of traffic.
In this case, slow is a typical Slowloris attack. Similar to a RUDY attack, packets are sent via a list of proxy IPs. The four proxy methods supported in the RUDY attack are supported here as well. Depending on the proxy method, an HTTP request type is selected during the attack. If SOCKS4 or SOCKS5 is specified, the HTTP GET request method is used. If TUNNEL or CONNECT is specified, the HTTP CONNECT request method is used to create a tunnel between the attacker and server, followed by the ‘slow’ GET request.
An example of the network traffic generated by a slow attack using SOCKS4 is displayed herein.
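The RUDY attack above (a declared POST body delivered a few bytes at a time) and the slow attack (a GET whose headers never complete) both work by holding a server's connection slots open rather than by volume, which is why PPS/BPS figures are not meaningful for them and why they are detected on the server rather than in flow data. The following is an added example written for this post, not code from twbooter2 or from any web server. It classifies a constructed snapshot of open connections of the kind a server status page or reverse proxy could export, then aggregates by client address; because these attacks arrive through proxies, the per-client counts land on the proxy addresses. The `Conn` record, the thresholds and `max_workers` are assumptions for the sample.

```python
"""Server-side classification of slow-HTTP connections (Slowloris / RUDY).

Added example for this post, not code from twbooter2 or from any web server.
Input is a constructed snapshot of open connections; thresholds are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Conn:
    client: str          # peer address; with proxied attacks this is the proxy, not the attacker
    age_s: float         # seconds since the connection was accepted
    headers_done: bool   # request line and headers fully received
    content_length: int  # declared Content-Length, 0 if none
    body_bytes: int      # body bytes received so far


HEADER_TIMEOUT_S = 20     # a real client sends its headers in well under this
MIN_BODY_AGE_S = 30       # do not judge a body's rate until it has had this long
MIN_BODY_RATE_BPS = 100   # bytes/second; below this a POST body is a trickle
PER_CLIENT_LIMIT = 5      # slow connections from one address before it is flagged


def classify(conn):
    """Return 'slowloris', 'rudy', or None for a single connection."""
    if not conn.headers_done:
        return "slowloris" if conn.age_s > HEADER_TIMEOUT_S else None
    unfinished_body = 0 < conn.body_bytes < conn.content_length or (conn.content_length > 0 and conn.body_bytes == 0)
    if unfinished_body and conn.age_s >= MIN_BODY_AGE_S and conn.body_bytes / conn.age_s < MIN_BODY_RATE_BPS:
        return "rudy"
    return None


def slow_clients(conns):
    """Group slow connections by client address.
    Returns {client: {kind: count}} for clients at or above PER_CLIENT_LIMIT."""
    per_client = defaultdict(lambda: defaultdict(int))
    for c in conns:
        kind = classify(c)
        if kind:
            per_client[c.client][kind] += 1
    return {ip: dict(kinds) for ip, kinds in per_client.items()
            if sum(kinds.values()) >= PER_CLIENT_LIMIT}


def slot_pressure(conns, max_workers):
    """Fraction of the server's worker/connection slots held by slow connections."""
    slow = sum(1 for c in conns if classify(c) is not None)
    return slow / max_workers


def sample_conns():
    """Constructed snapshot: one proxy holding 8 header-less connections (slow),
    another trickling 6 POST bodies (RUDY), and a few ordinary clients."""
    conns = []
    conns += [Conn("203.0.113.10", 45.0, False, 0, 0) for _ in range(8)]               # slow / Slowloris
    conns += [Conn("203.0.113.11", 120.0, True, 1_000_000, 240) for _ in range(6)]     # RUDY, 2 bytes/s
    conns.append(Conn("198.51.100.1", 1.5, True, 0, 0))                                # normal GET
    conns.append(Conn("198.51.100.2", 60.0, True, 5_000_000, 3_000_000))              # genuine upload, 50 KB/s
    conns.append(Conn("198.51.100.3", 5.0, False, 0, 0))                               # just connected
    return conns


if __name__ == "__main__":
    snapshot = sample_conns()
    print("flagged clients:", slow_clients(snapshot))
    print("slot pressure at 50 workers:", slot_pressure(snapshot, 50))
```

Mature servers enforce the same two limits natively (Apache's mod_reqtimeout `RequestReadTimeout` and nginx's `client_header_timeout` / `client_body_timeout`), so in practice the classifier is useful as an alerting layer over the server's own status output: a single proxy address tying up a noticeable fraction of worker slots is the signal that the timeouts need tightening or the address needs rate-limiting.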
Note that while twbooter2 is older, attackers are still interested in it, and there are many other stresser source code bundles available that implement similar types of attacks. These screenshots are representative of the types of functionality that are present elsewhere, and demonstrate just how easy it is to automate attack functionality behind a web front-end. Note the design that incorporates the use of various types of proxies, and reflection/amplification servers. Such infrastructure further obfuscates the original source addresses of the booter/stresser service itself, although services and proxies that find themselves abused via the TCP protocol may be able to trace attacks back to the original attacking servers.
It is important to remember that there is still underground interest in this leaked source code, and it is likely that multiple booter/stresser services that run this code are still operational. The original booter.tw and twbooter.com sites no longer resolve, but one of the domains associated with the original twbooter – absoboot.com [http://krebsonsecurity.com/2012/08/booter-shells-turn-web-sites-into-weapons/] – does resolve, and redirects users towards a site called Prevail.pw, which is another stresser service. Prevail.pw does not appear to be heavily used, and may be the result of opportunists obtaining the absoboot.com domain who are not related to the original attackers profiled by Brian Krebs. No Google results for the site were found, except for links to the site itself. The terms of service on the Prevail.pw site are dated April 7, 2015, indicating relatively recent activity. The domain itself was registered on April 10, 2015. The terms of service page shows only 406 total attacks, 232 users, and six attack servers. As booter/stresser services go, this is a smaller offering, and its attack capabilities are currently unprofiled.
This version of our “Attack of the Shuriken” blog focuses on a small number of booter/stresser services that are representative of the DDoS offerings that are available commercially. While Windows DDoS bots are still active and are still harmful, the explosion of stresser services combined with their extreme ease of use makes large-scale damaging DDoS attacks very accessible. A variety of stresser engines exist and, with code leaking, are being reused (with and without modifications) by a variety of underground actors typically interested in financial gain. VDos is just one of a great many services that are active and issuing attacks on a near-constant basis, and Alpha Stresser is another. Most booter/stresser services typically leverage a front-end web server designed to register users, handle payment, and order and coordinate attacks. A series of back-end servers contain code, such as the twbooter source code, that receives the requests from the web front-end and performs the necessary steps to trigger attack traffic. For such a service to be successful, it must be maintained by the threat actors who will continue to scan and attempt to innovate attack techniques in order to generate an edge over the competition. In the next few years, all indicators suggest that even more booter/stresser services will arise, making DDoS even easier for anyone to launch an attack at any time.
ASERT Threat Intelligence would like to thank Keshav Prabhakar for insight and information related to the twbooter2 attack code analyzed herein.