
The numbers keep growing: a 620 Gbps attack has been recorded



In September of this year, the KrebsOnSecurity.com website was hit by a DDoS attack of unusually large scale and unusual nature. The attack was repelled thanks to the work of the Akamai team, the company that provided protection for the site. According to Akamai, this attack was almost twice as large as the largest attack the company had previously recorded.

The attack began on the morning of September 20 and was initially estimated at 665 Gbps; later analysis showed that the volume was slightly lower, 620 Gbps. That is many times more than is needed to knock most sites on the Internet offline.

How such an attack was carried out: a botnet of IoT devices

According to Akamai, the largest attack the company had previously recorded was 363 Gbps. The fundamental difference between the two attacks lies in the source of the traffic. The previous record attack of 363 Gbps was generated by a rather small botnet using well-known amplification methods, which multiply the traffic reaching the “victim” even though the number of attacking devices is relatively small.

Such attacks use proven techniques such as DNS reflection: by abusing unmanaged DNS servers on the Internet, attackers generate large amounts of traffic.

Ideally, DNS servers would answer queries only from trusted machines. However, the DNS reflection technique relies on millions of home-class routers that also act as DNS servers, are often misconfigured, and accept such queries from anywhere on the Internet. The attackers forge DNS queries to these devices so that the query appears to come from the “victim” of the attack, and the device's response is therefore sent to the “victim's” address.

There is also a well-known method of amplifying such an attack that makes the response sent to the “victim” much larger than the original request. It relies on the DNS protocol extension that allows large DNS messages. The initial request from the attacking system may be as small as 100 bytes, while the response the device sends to the “victim” may be 60-70 times larger.

Since attackers direct this at hundreds of such devices around the world, the victim's network is quickly overwhelmed by the sheer volume of DNS traffic.

In contrast to these amplification and reflection techniques, the September attack was launched from a very large botnet without using them.

A large share of the traffic used older attack methods that require a legitimate connection between the attacking device and the victim, such as SYN, GET and POST floods.

However, there was one important innovation. Most of the traffic was crafted to look like Generic Routing Encapsulation (GRE) packets. GRE is a communication protocol designed to establish direct point-to-point connections between network nodes; it allows two nodes to exchange data between themselves that they could not exchange over the public network.

An attack through GRE is very unusual. The point is that the source of GRE traffic cannot be spoofed as easily as attackers spoof DNS traffic, and the same applies to the older attack methods mentioned above. This suggests that the record-breaking attack was launched from a very large number of compromised systems, in the hundreds of thousands.
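The two traffic patterns described above (unsolicited, oversized DNS responses from many reflectors, and GRE from a wide fan-in of sources that are not configured tunnel peers) can be told apart in flow data. This is an added example, not code from the original article or from Akamai; the flow-record format, thresholds and addresses are constructed, and the victim address is a placeholder.

```python
from collections import defaultdict

# Constructed flow records (not real traffic):
# (src_ip, dst_ip, ip_proto, src_port, dst_port, packets, bytes)
# ip_proto 17 = UDP, 47 = GRE. VICTIM is a placeholder address.
VICTIM = "203.0.113.10"
FLOWS = [
    # large DNS responses from 40 open resolvers the victim never queried
    *[(f"198.51.100.{i}", VICTIM, 17, 53, 40000 + i, 10, 30000) for i in range(1, 41)],
    # the victim's own legitimate DNS exchange with its resolver
    (VICTIM, "192.0.2.53", 17, 45001, 53, 5, 400),
    ("192.0.2.53", VICTIM, 17, 53, 45001, 5, 1200),
    # GRE from 30 distinct sources while no tunnel peer is configured
    *[(f"192.0.2.{i}", VICTIM, 47, 0, 0, 200, 280000) for i in range(1, 31)],
]

def find_dns_reflection(flows, min_sources=20, min_bytes_per_pkt=1000):
    """Return {dst: set(srcs)} for destinations receiving large DNS responses
    (src port 53) from many sources to which no matching query was sent.
    Reflected traffic is unsolicited and, with large messages, far above the
    ~100-byte query size mentioned in the article."""
    queries = {(f[0], f[1]) for f in flows if f[2] == 17 and f[4] == 53}
    suspects = defaultdict(set)
    for src, dst, proto, sport, dport, pkts, nbytes in flows:
        if proto != 17 or sport != 53 or pkts == 0:
            continue
        unsolicited = (dst, src) not in queries
        if unsolicited and nbytes / pkts >= min_bytes_per_pkt:
            suspects[dst].add(src)
    return {d: s for d, s in suspects.items() if len(s) >= min_sources}

def find_gre_flood(flows, known_tunnel_peers=frozenset(), min_sources=10):
    """Return {dst: set(srcs)} for destinations receiving GRE (IP protocol 47)
    from many sources that are not configured tunnel peers. Because GRE sources
    are hard to spoof, a wide fan-in points at many real compromised hosts."""
    per_dst = defaultdict(set)
    for src, dst, proto, *_ in flows:
        if proto == 47 and src not in known_tunnel_peers:
            per_dst[dst].add(src)
    return {d: s for d, s in per_dst.items() if len(s) >= min_sources}

if __name__ == "__main__":
    for dst, srcs in find_dns_reflection(FLOWS).items():
        print(f"possible DNS reflection against {dst}: {len(srcs)} unsolicited resolvers")
    for dst, srcs in find_gre_flood(FLOWS).items():
        print(f"possible GRE flood against {dst}: {len(srcs)} non-peer sources")
```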

Evidently, a botnet of previously inconceivable scale has appeared in the world, and judging by the geography of the requests, it is distributed across the globe.

Some evidence suggests that the attack involved a large number of compromised “Internet of Things” devices: simple routers, IP cameras and digital video recorders that are reachable from the Internet and protected by weak or unchangeable passwords.

As the latest Flashpoint report shows, the threat from IoT botnets comes from a family of malicious programs: Lizkebab, BASHLITE, Torlus, Gafgyt. The source code of this malware became public in 2015 and has since become the “parent” of many subvariants.

Botnets capture new devices by scanning for devices on which malicious code can be installed. There are two main models of such scanning. In the first, the bots themselves scan for telnet ports and try to brute-force a login and password to gain access to the device.

The second model, which is becoming more common, uses external scanning devices; in particular, scanning can be carried out from the servers that control the botnet. This model allows more infection methods to be added, including brute-forcing SSH servers and exploiting known security weaknesses of specific devices.
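On the device side, both recruitment models described above show up as a burst of failed telnet or SSH logins from one source cycling through default usernames. The following is an added example, not code from the article or from any device vendor; the log lines are constructed in a hypothetical telnetd/sshd format and the window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed log lines (hypothetical format; not from a real device).
LOG = """\
2016-09-20T06:01:02 telnetd[211]: login failed for 'root' from 198.51.100.7
2016-09-20T06:01:03 telnetd[211]: login failed for 'admin' from 198.51.100.7
2016-09-20T06:01:04 telnetd[211]: login failed for 'support' from 198.51.100.7
2016-09-20T06:01:05 telnetd[211]: login failed for 'user' from 198.51.100.7
2016-09-20T06:01:06 telnetd[211]: login failed for 'root' from 198.51.100.7
2016-09-20T06:01:07 telnetd[211]: login failed for 'root' from 198.51.100.7
2016-09-20T06:03:00 telnetd[211]: login failed for 'root' from 203.0.113.4
2016-09-20T06:04:00 sshd[318]: Failed password for root from 192.0.2.9 port 51022 ssh2
2016-09-20T06:04:01 sshd[318]: Failed password for root from 192.0.2.9 port 51023 ssh2
2016-09-20T06:04:02 sshd[318]: Failed password for admin from 192.0.2.9 port 51024 ssh2
2016-09-20T06:04:03 sshd[318]: Failed password for root from 192.0.2.9 port 51025 ssh2
2016-09-20T06:04:04 sshd[318]: Failed password for root from 192.0.2.9 port 51026 ssh2
"""

# One pattern covers both the telnetd and the sshd failure line shapes above.
LINE = re.compile(r"^(?P<ts>\S+) (?P<svc>telnetd|sshd)\[\d+\]: "
                  r"(?:login failed for '(?P<u1>[^']+)' from|Failed password for (?P<u2>\S+) from) "
                  r"(?P<src>\d+\.\d+\.\d+\.\d+)")

def parse(log):
    """Yield (timestamp, service, username, source) for each failed-login line."""
    for line in log.splitlines():
        m = LINE.match(line)
        if m:
            yield (datetime.fromisoformat(m["ts"]), m["svc"], m["u1"] or m["u2"], m["src"])

def find_credential_sweeps(log, window_s=60, threshold=5):
    """Return {src: (service, total_attempts, sorted usernames)} for every source
    with at least `threshold` failed logins inside some `window_s`-second window."""
    by_src = defaultdict(list)
    for ts, svc, user, src in parse(log):
        by_src[src].append((ts, svc, user))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i in range(len(events) - threshold + 1):
            if (events[i + threshold - 1][0] - events[i][0]).total_seconds() <= window_s:
                hits[src] = (events[0][1], len(events), sorted({u for _, _, u in events}))
                break
    return hits

if __name__ == "__main__":
    for src, (svc, n, users) in find_credential_sweeps(LOG).items():
        print(f"{src}: {n} failed {svc} logins, usernames tried: {', '.join(users)}")
```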

It is worth noting that KrebsOnSecurity.com appears to have been chosen as the target because of the site owner's involvement in the pursuit of the DDoS-for-hire service vDOS, which led to the arrest of two people believed to be its founders. This conclusion is based on the fact that some of the POST requests in the attack contained the string “freeapplej4ck”, a reference to the nickname of one of vDOS's co-owners.

All this suggests that, over time, attacks on such a giant scale may become the norm.

Source: https://habr.com/ru/post/311782/
