Shellshock and more: Case studies on DDoS attacks and mitigation strategies in Asia Pacific & Japan (APJ)
Ashvini Singhal, Security Practice Manager
Clark Shishido, Security Researcher (CSIRT)
©2014 AKAMAI | FASTER FORWARDTM
Agenda
• Global Threat Landscape and Insights
• Security incidents in Q3
  • ShellShock
  • IptabLes
  • Large-scale DDoS
• Case Studies
• APJ DDoS Trends Late 2014
• Q&A
Global View: Nature of DDOS Attacks
Types of DDoS attacks and their relative distribution. Infrastructure layer: 89.29% (SYN 25.73%, UDP Fragment 13.41%, UDP Floods 11.24%, DNS 8.11%, NTP 7.35%)
Source: PLXsert (Q2-2014)
Protocols Targeted
Source: Akamai State of the Internet Report (Q2-2014)
Top 5: WWW (HTTP), Microsoft DNS, Telnet, SSL (HTTPS), Microsoft SQL Server
DDOS Attacks by Geography and Sectors
Source: Akamai State of the Internet Report (Q2 2014)
By region: Americas 57%, Asia Pacific & Japan 25%, EMEA 18%
By industry: Enterprise 30%, Commerce 29%, High Tech 15%, Media & Entertainment 15%, Public sector 11%
Attack Sources
Source: Akamai State of the Internet Report (Q2 2014)
1. China
2. Indonesia
3. United States
4. Taiwan
5. India
6. Russia
7. Brazil
8. South Korea
9. Turkey
10. Romania
Incidents observed in Q3
• ShellShock
• Iptables
• Large-scale DDoS
• Numerous application layer attacks on a daily basis (XSS, RFI, SQL Injection etc.)
ShellShock
• ShellShock: a collection of vulnerabilities in Bash (the Bourne-again shell). Shellshock exists in a feature of bash called "function importing".
• Started with one (CVE-2014-6271), grew to six in a week.
• Attack payloads:
  () {
  () { :; }; /bin/ping
  () { :;} ; echo shellshock" `which bash`
  () { :;}; /bin/bash -c "cat /etc/shadow" NULL NULL
  () { :;}; /usr/bin/wget
• Attack tools became famous overnight: https://shellshock.detectify.com, http://shellshock.brandonpotter.com
ShellShock
• Mitigations:
  WAFs can block '() {' – effective against the import of functions.
  Staying up to date on patches.
  Switching to an alternate shell.
  For SSH servers: removing non-administrative users until the systems are patched.
  For web applications: CGI functionality that makes calls to a shell can be disabled entirely (short-term measure).
• Akamai customer mitigations:
  Custom WAF rule.
  Customers using KRS are protected against some attacks by the Command Injection risk group.
  SiteShield – against direct-to-origin attacks.
  The Akamai platform protects against some attacks using HTTP normalization by default.
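As an added example (not from the slides and not Akamai's rule set), a WAF-style check for the function-import prefix in request headers, with the normalization step that defeats URL-encoded variants; the regex, header names and sample requests are constructed for this example:

```python
import re
from urllib.parse import unquote

# Bash's function-import prefix "() {", allowing whitespace variants.  Constructed
# for this example; it matches anywhere in the value, as the slide's WAF rule does.
FUNCTION_IMPORT = re.compile(r"\(\s*\)\s*\{")

def normalize(value: str) -> str:
    """Undo encodings that defeat a literal match (the HTTP-normalization step)."""
    decoded = unquote(unquote(value))          # second pass catches double encoding
    return re.sub(r"\s+", " ", decoded)

def is_shellshock_probe(value: str) -> bool:
    return bool(FUNCTION_IMPORT.search(normalize(value)))

def scan_request_headers(headers: dict) -> list:
    """Names of headers whose values carry a function-import prefix.

    CGI exports every request header as an environment variable
    (HTTP_USER_AGENT, HTTP_COOKIE, ...), so any header can be the carrier."""
    return [name for name, value in headers.items() if is_shellshock_probe(value)]

# Constructed sample requests: benign, payload in User-Agent (as on the slide),
# and the same prefix URL-encoded in a custom header.
BENIGN = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64)", "Accept": "*/*"}
PROBE_UA = {"User-Agent": "() { :; }; /bin/ping -c 1 192.0.2.10", "Accept": "*/*"}
PROBE_ENCODED = {"Cookie": "id=abc", "X-Probe": "%28%29%20%7B%20%3A%3B%7D%3B%20echo%20shellshock"}

if __name__ == "__main__":
    for req in (BENIGN, PROBE_UA, PROBE_ENCODED):
        print(scan_request_headers(req))
```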
IptabLes/IptabLex
• A new botnet surfaced with command and control in Asia, linked to two hardcoded IP addresses in China.
• Causes volumetric DDoS attacks by executing DNS and SYN flood attacks.
• Spreads by compromising Linux-based web servers, using exploits of Apache Struts, Tomcat and Elasticsearch vulnerabilities.
• Indicators:
  • Slow network.
  • Presence of a Linux ELF binary that creates a copy of itself named .IptabLes or .IptabLex.
  • /boot/.IptabLes and /boot/.IptabLex
• Infecting popular Linux distributions such as Debian, Ubuntu, CentOS and RedHat.
• Mitigation – server hardening, anti-virus, rate control.
• Akamai mitigation – Akamai PLXsert has created a YARA rule to detect the infection and a Bash command to clean it.
Large Scale DDoS
• APJ is becoming the biggest target for the largest-scale DDoS attacks.
• Volume:
  • 2012 – a 25 Gbps attack was not very common.
  • 2014 – a 350 Gbps attack is common and fatal to any organization.
• Attacks are heavily distributed in nature, making it difficult to block specific sources.
• More than 40 percent of all Q2 2014 DDoS attacks were initiated from Asia-Pacific countries.
• Cloud platforms such as Akamai are effective at blocking such large-scale attacks.
Large Scale DDoS (Case Study 1 – Major Stock Exchange in APJ)
• Attack continued for 4 full days in August 2014.
• The stock exchange's main domain was targeted with 21 billion requests and a cumulative bandwidth of ~19 TB.
• Distributed, with attack traffic originating from over 50 countries.
• Full attack blocked by rate controls and a bot rule group blocking curl/wget requests.
Case Study 1 – Technical Details
Multiple attack vectors
• SYN flood against ports 80 & 443
• Cache busting: www.$CUST.com/$staticstring/search.jsp?q=a
• User-Agents:
  User-Agent: Wget/1.12 (linux-gnu)
  User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
Case Study 1 – Security Monitor
Case Study 1 – Geographic Distribution
Attack Origins
USA, Germany, France, Italy, Netherlands, United Kingdom, Canada, China, Poland, Romania,
Spain, Brazil, Japan, Sweden, Turkey, Finland, Belgium, Czech Republic, Hungary, Portugal,
Costa Rica, Russian Federation, Greece, India, Lithuania, Slovenia, Nicaragua, Austria, Azerbaijan, Thailand,
Australia, Ghana, Hong Kong, Switzerland, Latvia, Norway, Serbia, Bulgaria, Croatia, Denmark,
Iran, Ukraine, Kyrgyzstan, Argentina, Kenya, Trinidad and Tobago, Algeria, Ireland, Singapore
Case Study 1 – Attack Profile
Profile
• Attack spanning 4 days: 18–22 August 2014
• The domain was targeted with ~21 billion requests
• Edge bandwidth utilization during these 4 days reached ~17.5 TB
• Highly distributed, with requests originating from over 50 countries
• Blocked by rate controls and an application-layer rule to detect wget/curl requests
Large Scale DDoS (Case Study 2 – Gaming customer in APJ)
• Attack targeted one of China's gaming websites.
• Attackers persisted for over 2 weeks and attempted a DDoS every second day.
• Over 19 billion hits, with cumulative bandwidth utilization of ~20 TB.
• 99% of attack traffic originated from Asia.
• Attack patterns: specific User-Agents (bots, older browsers); attacking base pages with randomized query-string parameters.
• Mitigation: rate controls, IP blocks, custom rules for specific signatures, WAF application-layer rules.
• Attack traffic by origin: China 89%, Vietnam 3%, Taiwan 2%, South Korea 2%, Hong Kong 1%, Malaysia 1%, Morocco <1%.
Case Study 2 – Gaming Microtransactions
Multiple attack vectors
• Flood of empty DNS requests
• SYN attacks to ports 80/443
• Cache busting: GET requests for / and /images/bg.gif?=<query>
• Spoofed User-Agents:
  User-Agent: Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)
  User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1)
  User-Agent: Mozilla/4.0
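Both case studies were stopped by the same three controls: rate limiting, a User-Agent rule for command-line tools, and recognition of cache-busting (one path hit with ever-changing query strings). As an added example that is not part of the slides or any Akamai product, the logic below runs those three checks over access-log lines; the log format, thresholds and all sample traffic (documentation IP ranges) are constructed for this example:

```python
import bisect
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>[^ ?]+)'
                    r'(?:\?(?P<query>\S*))? \S+" \d+ \d+ "[^"]*" "(?P<ua>[^"]*)"')
TOOL_UA = re.compile(r"^(Wget|curl)/")  # the curl/wget bot rule from case study 1

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return {"ip": m["ip"], "path": m["path"], "query": m["query"] or "", "ua": m["ua"], "ts": ts}

def analyse(lines, window_s=10, max_rps=5, min_distinct_queries=8):
    """Per-client verdicts: tool_ua, cache_busting (many distinct query strings for one
    path) and rate (over max_rps*window_s requests in any window_s s).  Thresholds are illustrative."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec["ip"]].append(rec)
    verdicts = {}
    for ip, recs in by_ip.items():
        flags = set()
        if any(TOOL_UA.match(r["ua"]) for r in recs):
            flags.add("tool_ua")
        per_path = defaultdict(set)
        for r in recs:
            per_path[r["path"]].add(r["query"])
        if any(len(q) >= min_distinct_queries for q in per_path.values()):
            flags.add("cache_busting")
        times = sorted(r["ts"] for r in recs)   # sliding-window request count
        if any(bisect.bisect_right(times, t + window_s) - i > max_rps * window_s
               for i, t in enumerate(times)):
            flags.add("rate")
        verdicts[ip] = sorted(flags)
    return verdicts

# Constructed sample traffic (documentation IP ranges) shaped like the two attacks.
_BASE = datetime(2014, 8, 18, 10, 0, tzinfo=timezone.utc)
def _line(ip, sec, path, query, ua):
    ts = (_BASE + timedelta(seconds=sec)).strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{ts}] "GET {path}{"?" + query if query else ""} HTTP/1.1" 200 512 "-" "{ua}"'

SAMPLE_LINES = (
    [_line("198.51.100.7", i // 10, "/search.jsp", f"q=a&_={i}", "Wget/1.12 (linux-gnu)") for i in range(60)]
    + [_line("203.0.113.5", i * 5, "/images/bg.gif", f"={i:04d}",
             "Mozilla/5.0 (compatible; Baiduspider/2.0; http://www.baidu.com/search/spider.html)") for i in range(12)]
    + [_line("192.0.2.20", i * 20, p, "", "Mozilla/5.0 (X11; Linux x86_64)") for i, p in enumerate(["/", "/images/bg.gif"])]
)
```

The spoofed Baiduspider client trips only the cache-busting check: its request rate is low and its User-Agent looks like a legitimate crawler, which is why a signature on the randomized query string was needed in case study 2.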
Case Study 2 – DNS Traffic Spike
Case Study 2 – PCAP sample
14:42:24.220078 IP xx.xx.xx.xx.63266 > xxx.xxx.xx.xx.80: Flags [S], seq 1874991005:1874992216, win 61045, length 1211
0x0000: 0065 0800 4500 04e3 9d17 4000 f606 c5a6 .e..E.....@.....
0x0010: 175c 4b5d 728d 4810 f722 0050 6fc2 179d .\K]r.H..".Po...
0x0020: 0000 0000 5002 ee75 2089 0000 0000 0000 ....P..u........
0x0030: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0040: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0050: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0060: 0000 0000 0000 0000 0000 0000 0000 0000 ................
0x0070: 0000 0000 0000 0000 0000 0000 0000 0000 ................
Case Study 3 - DDoS in APJ
Attack profile
• Deny access to a political website with a DNS flood
• Brute force
• No spoofing
• Waves of attacks
Case Study 3 – Geographic Distribution
Locations as listed on the slide, in order:
CN BEIJING, US ASHBURN, US CHICAGO, DE FRANKFURT, CN LHASA, CN GUANGZHOU, CN BEIJING, CN SHANGHAI, HK HONGKONG, CN HANGZHOU,
CN GUANGZHOU, NL AMSTERDAM, CN GUANGZHOU, NL AMSTERDAM, FR TOULOUSE, NL AMSTERDAM, US SCOTTSDALE, RU MOSCOW, GB LONDON, CN SHANGHAI,
CN SHANGHAI, US ASHBURN, DE FRANKFURT, US SANJOSE, US DALLAS, JP OSAKA, US MIAMI, DE FRANKFURT
Case Study 3 – PCAP Sample
15:46:43.702607 IP 67.xxx.xxx.xx8 > 184.yy.yyy.yy: ip-proto-255 1052
0x0000: 4500 0430 056d 0000 7aff 89f2 43c6 b812 E..0.m..z...C...
0x0010: b855 f841 4500 041c 0000 0000 8011 0000 .U.AE...........
0x0020: 386b 2335 b855 f841 1fab 0050 0408 0000 8k#5.U.A...P....
0x0030: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0040: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
0x0050: 4141 4141 4141 4141 4141 4141 4141 4141 AAAAAAAAAAAAAAAA
... (more of the same. 1052 bytes of IP payload)
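The two captures above share anomalies a packet filter can key on: case study 2 shows a TCP SYN carrying 1211 bytes of payload, and case study 3 a datagram using IP protocol 255. As an added example (not from the slides), a minimal IPv4/TCP header parser that flags both; the packets are constructed with 192.0.2.0/24 addresses and zero checksums, mirroring the captures' lengths and flags rather than their real bytes:

```python
import struct

def parse_ipv4(pkt):
    """Decode the fixed IPv4 header; the payload is sliced by IHL and total length."""
    ver_ihl, _tos, total_len, _id, _frag, ttl, proto, _cs, src, dst = struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"version": ver_ihl >> 4, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)), "payload": pkt[ihl:total_len]}

def parse_tcp(seg):
    sport, dport, seq, _ack, off_flags, win = struct.unpack("!HHIIHH", seg[:16])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "flags": off_flags & 0x1FF, "win": win, "data": seg[doff:]}

def classify(pkt):
    """Anomaly labels for one packet; an empty list means it looks ordinary."""
    ip = parse_ipv4(pkt)
    issues = []
    if ip["proto"] >= 143:   # IANA: 143-252 unassigned, 253-254 experimental, 255 reserved
        issues.append(f"unexpected ip-proto {ip['proto']} with {len(ip['payload'])} bytes payload")
    if ip["proto"] == 6:
        tcp = parse_tcp(ip["payload"])
        syn_only = (tcp["flags"] & 0x17) == 0x02   # SYN set; FIN, RST and ACK clear
        if syn_only and tcp["data"]:               # a bare SYN normally carries no data
            issues.append(f"SYN to port {tcp['dport']} carrying {len(tcp['data'])} bytes payload")
    return issues

# Constructed packets (192.0.2.0/24 addresses, checksums left at zero).
def _ipv4(proto, payload, src=b"\xc0\x00\x02\x0a", dst=b"\xc0\x00\x02\x50"):
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x9D17, 0x4000, 122, proto, 0, src, dst) + payload

def _tcp(sport, dport, flags, data=b""):
    return struct.pack("!HHIIHHHH", sport, dport, 1874991005, 0, (5 << 12) | flags, 61045, 0, 0) + data

SYN_WITH_PAYLOAD = _ipv4(6, _tcp(63266, 80, 0x02, b"\x00" * 1211))   # case study 2 shape
PROTO_255_FLOOD = _ipv4(255, b"A" * 1052)                            # case study 3 shape
NORMAL_SYN = _ipv4(6, _tcp(40000, 443, 0x02))                        # control: nothing to flag
```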
APJ DDoS Trends Late 2014
Changes from 2014 Q1–Q2 to 2014 Q2–Q3:
• Brute-force attacks (more in APJ)
• Less spoofing
• Multiple attack vectors
• Managed botnets
• Multiple waves
• Changing tactics