2016 has been an eventful year for denial of service attacks. The industry as a whole has seen the largest attacks ever recorded, along with new attack vectors designed to test and challenge modern-day defenses. Every year Radware’s ERT sees millions of attacks, and our ERT researchers continually review and analyze them to gain further insight into trends and changes in the attack vector landscape.
This year, two of the most common trends among attackers were burst attacks, also known as “hit and run” attacks, and advanced persistent denial of service (ApDoS) campaigns. Throughout the year we observed attackers using short bursts of high-volume attacks at random intervals, as well as campaigns lasting weeks and involving multiple vectors aimed at all network layers simultaneously. Both types tend to cause frequent disruptions to a network server’s SLA and can prevent legitimate users from accessing your services.
Hackers are also searching for new vectors and methods to carry out their network-crippling attacks. This year we saw an explosion in the use of Internet of Things (IoT) devices to build powerful botnets, along with a number of new attack vectors such as BlackNurse, an ICMP-based attack. Most notable was the release of the Mirai botnet source code by a user on HackForum. This botnet used 60+ factory-default credentials found on BusyBox-based IoT devices and created the most powerful botnet seen to date. One of the more interesting aspects of Mirai was its Generic Routing Encapsulation (GRE) attack vector. This relatively new method encapsulates packets carrying large amounts of data in an attempt to exhaust the resources of the receiving network as it de-encapsulates the payload.
Top 5 DDoS vectors from the ERT
This year Radware’s ERT has seen over 385,000 HTTP floods launched against our clients. An HTTP flood is an attack method used by hackers against web servers and applications. It consists of a seemingly legitimate, session-based set of HTTP GET or POST requests sent to a target. Such requests are often sent en masse by a botnet to increase the attack’s overall power, but attacks have also been observed using variants of the DoS tools HULK and SlowLoris. HULK is a simple flood tool that generates a unique HTTP request for every request sent; by doing so it bypasses caching and hits the server directly. During OpIcarus this year attackers were seen using a number of Layer 7 DoS tools such as HULK, SlowLoris, TorsHammer and Slowhttp.
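The two traits of an HTTP flood described above, volume from many bots and HULK-style cache busting through unique requests, can both be measured in ordinary web server access logs. The following is an added example for this post, not Radware’s code or a HULK component: it parses Common Log Format lines, tracks each client’s request rate over a sliding window, and computes the ratio of distinct URIs to total requests per client (a cache-busting client approaches 1.0). The log lines are constructed, and the thresholds are assumptions to be tuned per site.

```python
"""Added example (not Radware's code): flag HTTP-flood sources in access logs.

Indicators, both drawn from the description of HTTP floods and HULK:
  * request rate per client inside a sliding window (botnet volume), and
  * cache busting: every request carries a unique URI so no cache can absorb
    it, so distinct URIs / total requests for that client approaches 1.0.
Log lines are constructed for the example (Common Log Format); thresholds are
assumptions, not Radware's operational values.
"""
from collections import defaultdict, deque
from datetime import datetime
import re

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\d+|-)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return a dict with ip, ts, method and uri, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, method, uri, _status, _size = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, TS_FMT), "method": method, "uri": uri}

def detect_http_flood(lines, window_s=10, rate_limit=50, min_requests=20, unique_ratio=0.9):
    """Return {ip: {"peak_rate", "unique_ratio", "reasons"}} for clients that trip a rule."""
    windows = defaultdict(deque)   # ip -> timestamps currently inside the sliding window
    peak = defaultdict(int)        # ip -> most requests seen inside one window
    uris = defaultdict(set)        # ip -> distinct request URIs
    total = defaultdict(int)       # ip -> total requests
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts = rec["ip"], rec["ts"]
        q = windows[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_s:
            q.popleft()                      # drop timestamps that fell out of the window
        peak[ip] = max(peak[ip], len(q))
        uris[ip].add(rec["uri"])
        total[ip] += 1
    flagged = {}
    for ip in total:
        reasons = []
        ratio = len(uris[ip]) / total[ip]
        if peak[ip] > rate_limit:
            reasons.append("rate")
        if total[ip] >= min_requests and ratio >= unique_ratio:
            reasons.append("cache-busting")
        if reasons:
            flagged[ip] = {"peak_rate": peak[ip], "unique_ratio": round(ratio, 2), "reasons": reasons}
    return flagged

def sample_log():
    """Constructed access-log lines: one HULK-like client, one ordinary visitor."""
    lines = []
    for i in range(60):   # 60 requests in 5 seconds, each with a unique query string
        lines.append('203.0.113.7 - - [10/Dec/2016:12:00:%02d +0000] "GET /?%d HTTP/1.1" 200 512'
                     % (i // 12, 7919 * i))
    for i in range(5):    # a normal visitor fetching the same page a few times
        lines.append('198.51.100.4 - - [10/Dec/2016:12:00:%02d +0000] "GET /index.html HTTP/1.1" 200 4096'
                     % (i * 2))
    return lines

if __name__ == "__main__":
    for ip, info in detect_http_flood(sample_log()).items():
        print(ip, info)
```

The unique-URI ratio is what separates a HULK-style client from a busy but legitimate crawler: a crawler repeats URIs and is absorbed by the cache, while a cache-busting client forces every request through to the origin.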
A DNS flood is an application-specific variant of a UDP flood. Since DNS servers use UDP traffic for name resolution, sending a massive number of DNS requests to a DNS server can consume its resources, resulting in service degradation and slower response times for legitimate requests. DNS amplification attacks are sophisticated denial of service attacks that take advantage of DNS server behavior in order to amplify the attack traffic. Attackers send a high rate of short DNS queries to multiple DNS servers, which send the entire list of DNS records to the victim. The attacker achieves amplification because for each short DNS query it sends, the DNS server replies with a larger response directed at the victim. So far this year our ERT has seen over 130,000 DNS floods targeting AAAA records, including 48 attacks originating from the Mirai botnet.
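Seen from the victim, the amplification mechanism above has a distinctive fingerprint: DNS responses arrive for queries the victim never sent, and each one is many times larger than the query that triggered it. The following is an added example for this post, not Radware’s code: it correlates inbound responses with outstanding queries by resolver, transaction id and question, counts the unsolicited ones per resolver, and computes the amplification factor. The packet records and sizes are constructed for the example, not measurements from any real attack.

```python
"""Added example (not Radware's code): victim-side view of a DNS amplification flood.

Two things a defender can measure from the mechanism described above:
  * amplification factor: response bytes per query byte, and
  * unsolicited responses: inbound DNS answers with no matching outstanding
    query from this host, the fingerprint of a reflection attack.
All records are constructed for the example.
"""
from collections import namedtuple, defaultdict

# direction: "out" = query sent by this host, "in" = response received by it
# peer: the resolver the query went to / the response came from
DnsMsg = namedtuple("DnsMsg", "direction peer txid qname qtype size")

def amplification_factor(query_size, response_size):
    """Bytes delivered to the victim per byte the attacker had to send."""
    return response_size / query_size

def analyze_dns(records):
    """Match responses to outstanding queries on (peer, txid, qname, qtype)."""
    outstanding = set()
    stats = {"solicited": 0, "unsolicited": 0, "unsolicited_bytes": 0,
             "by_resolver": defaultdict(int)}
    for r in records:
        key = (r.peer, r.txid, r.qname.lower(), r.qtype)
        if r.direction == "out":
            outstanding.add(key)
        elif key in outstanding:
            outstanding.remove(key)            # a genuine answer to our own query
            stats["solicited"] += 1
        else:                                  # nobody here asked for this
            stats["unsolicited"] += 1
            stats["unsolicited_bytes"] += r.size
            stats["by_resolver"][r.peer] += 1
    stats["by_resolver"] = dict(stats["by_resolver"])
    inbound = stats["solicited"] + stats["unsolicited"]
    stats["unsolicited_ratio"] = stats["unsolicited"] / inbound if inbound else 0.0
    return stats

def sample_records():
    """Constructed traffic: one legitimate lookup, then 200 reflected answers."""
    recs = [
        DnsMsg("out", "192.0.2.53", 0x1A2B, "example.com", "A", 45),
        DnsMsg("in", "192.0.2.53", 0x1A2B, "example.com", "A", 61),
    ]
    resolvers = ["198.51.100.%d" % i for i in range(1, 6)]
    for i in range(200):   # large answers from five open resolvers, never requested
        recs.append(DnsMsg("in", resolvers[i % 5], (0x4000 + i) & 0xFFFF,
                           "example.net", "ANY", 3000))
    return recs

if __name__ == "__main__":
    print(analyze_dns(sample_records()))
    print("amplification x%.1f" % amplification_factor(64, 3000))
```

A high unsolicited ratio concentrated on a handful of resolvers is the signal that tells a reflection flood apart from a burst of legitimate resolution, and the per-resolver counts are what you would hand to an upstream filter.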
TCP floods are one of the oldest yet still popular denial of service attacks. The most common form of a TCP flood involves sending numerous SYN packets to the victim’s server. The intention of this attack is to overwhelm the session table of the targeted server by abusing the 3-way handshake used for establishing connections. Servers need to open a state entry for each SYN that arrives, and attackers attempt to fill these tables with attack traffic so the server cannot handle legitimate traffic. This year Radware’s ERT has seen a number of TCP attacks such as TCP-SYN (25,081), FIN-ACK (17,264) and SYN-ACK (14,758). We have also seen a method known as TCP STOMP originating from Mirai. This is a classic ACK flood in which Mirai starts the ACK flood only after gaining a legitimate sequence number, thus increasing its odds of bypassing security solutions. During OpOlympicHacking, Anonymous published a GUI tool that allowed members of the operation to launch TCP PSH+ACK floods through Tor against pre-defined targets associated with the games.
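The session-table exhaustion described above is exactly what SYN cookies were designed to defeat: the server encodes the connection identity into the initial sequence number of its SYN-ACK instead of allocating state, and only creates state when the client’s final ACK returns a valid cookie. The following is an added example for this post, not Radware’s code or any operating system’s implementation: a simplified cookie layout (5 bits coarse timestamp, 3 bits MSS index, 24 bits keyed hash, an assumption modelled loosely on the Linux scheme) with the encode and verify steps, so a half-open spoofed SYN costs the server nothing.

```python
"""Added example (not Radware's code): SYN cookies, the stateless defence against
SYN floods that fill a server's session table.

On SYN: answer with SYN-ACK whose ISN is make_cookie(...); allocate nothing.
On ACK: check_cookie(ack - 1, ...); allocate state only if it validates.
Layout is an assumption for illustration: 5-bit time slot | 3-bit MSS index |
24-bit HMAC over the 4-tuple and slot.
"""
import hashlib, hmac, socket, struct

SECRET = b"constructed-example-key"   # constructed; rotate in a real deployment
MSS_TABLE = (536, 1220, 1440, 1460)   # MSS values that fit the 3-bit index
SLOT_S = 64                           # coarse time granularity in seconds

def _hash24(saddr, daddr, sport, dport, slot):
    msg = socket.inet_aton(saddr) + socket.inet_aton(daddr) + struct.pack("!HHI", sport, dport, slot)
    return int.from_bytes(hmac.new(SECRET, msg, hashlib.sha256).digest()[:3], "big")

def make_cookie(saddr, daddr, sport, dport, mss, now):
    """ISN to place in the SYN-ACK; encodes the client's identity instead of storing it."""
    slot = (now // SLOT_S) & 0x1F
    mss_idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    return ((slot << 27) | (mss_idx << 24) | _hash24(saddr, daddr, sport, dport, slot)) & 0xFFFFFFFF

def check_cookie(cookie, saddr, daddr, sport, dport, now, max_age_slots=2):
    """Return the negotiated MSS if the cookie is authentic and fresh, else None."""
    slot = (cookie >> 27) & 0x1F
    cur = (now // SLOT_S) & 0x1F
    if (cur - slot) & 0x1F > max_age_slots:           # too old: replayed or forged
        return None
    if (cookie & 0xFFFFFF) != _hash24(saddr, daddr, sport, dport, slot):
        return None                                   # wrong key or altered 4-tuple
    return MSS_TABLE[(cookie >> 24) & 0x7]

def simulate_handshake(client, server, sport, dport, now, complete=True):
    """Return the number of state entries the server holds after the exchange."""
    state_table = {}
    isn = make_cookie(client, server, sport, dport, 1460, now)   # SYN -> SYN-ACK, no state
    if complete:                                                # spoofed SYNs never reach here
        mss = check_cookie(isn, client, server, sport, dport, now + 1)
        if mss is not None:
            state_table[(client, sport)] = mss                 # ACK validated: allocate now
    return len(state_table)

if __name__ == "__main__":
    print("completed handshake ->", simulate_handshake("203.0.113.9", "198.51.100.10", 40000, 80, 1_000_000))
    print("spoofed SYN only    ->", simulate_handshake("203.0.113.9", "198.51.100.10", 40001, 80, 1_000_000, False))
```

The cost of the scheme is that options not encoded in the cookie (here anything beyond MSS) are lost for cookie-validated connections, which is why real stacks only switch cookies on once the SYN backlog is under pressure.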
A UDP flood is a network flood and still one of the most common floods today. Attackers send UDP packets to a single destination port or to random ports. In most cases the attacker spoofs the source IP, since the UDP protocol is connectionless and has no handshake mechanism or session. The intention of a UDP flood is to saturate the internet pipe with high-volume traffic. Simply put, UDP floods abuse normal behavior at a high enough level to cause congestion and service degradation for targeted networks. This year Radware’s ERT has seen over half a million IPv4 floods, 93,538 UDP fragmentation attacks and 816 IPv6 attacks. During OpIsrael we saw the release of a prepackaged toolkit from Anonymous that included a number of GUI (graphical user interface) tools capable of launching UDP floods, such as BlackOut, Anonymous External Attack, DoSeR 2.0 and LOIC. In addition, we have also seen 2,395 UDP floods coming from the Mirai botnet since its release two months ago.
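The three traits named above, high packet rate toward one destination, random destination ports and spoofed (therefore unusually numerous) source addresses, can all be scored from flow records at the network edge. The following is an added example for this post, not Radware’s code: it bins UDP flows per destination, measures packet rate, the Shannon entropy of the destination-port distribution and the number of distinct sources, and flags bins that exceed all three thresholds. The flow records are constructed with a seeded generator, and the thresholds are assumptions.

```python
"""Added example (not Radware's code): scoring UDP floods from flow records.

Traits from the description above, measured per destination per time bin:
  * packets per second, * destination-port entropy (random ports score high),
  * distinct source addresses (spoofing inflates this far beyond normal).
Flow records are constructed; thresholds are assumptions to tune per network.
"""
from collections import defaultdict
import math, random

UDP = 17

def port_entropy(port_counts):
    """Shannon entropy (bits) of the destination-port distribution."""
    total = sum(port_counts.values())
    return -sum(c / total * math.log2(c / total) for c in port_counts.values())

def detect_udp_flood(flows, bin_s=5, pps_threshold=2000, entropy_threshold=6.0, src_threshold=500):
    """flows: iterable of (ts, src, dst, dport, proto, packets). Returns {(dst, bin): info}."""
    bins = defaultdict(lambda: {"packets": 0, "srcs": set(), "ports": defaultdict(int)})
    for ts, src, dst, dport, proto, pkts in flows:
        if proto != UDP:
            continue
        b = bins[(dst, int(ts // bin_s))]
        b["packets"] += pkts
        b["srcs"].add(src)
        b["ports"][dport] += pkts
    flagged = {}
    for key, b in bins.items():
        pps = b["packets"] / bin_s
        ent = port_entropy(b["ports"])
        if pps >= pps_threshold and ent >= entropy_threshold and len(b["srcs"]) >= src_threshold:
            flagged[key] = {"pps": pps, "port_entropy": round(ent, 2), "sources": len(b["srcs"])}
    return flagged

def sample_flows(seed=1):
    """Constructed flows: a spoofed random-port flood plus ordinary DNS traffic."""
    rng = random.Random(seed)
    flows = []
    for _ in range(20000):   # 20,000 packets in 5 s toward one host, random sources and ports
        src = "10.%d.%d.%d" % (rng.randrange(256), rng.randrange(256), rng.randrange(256))
        flows.append((rng.random() * 5, src, "203.0.113.50", rng.randrange(1, 65536), UDP, 1))
    for i in range(100):     # 20 clients asking a resolver: same port, few sources
        flows.append((rng.random() * 5, "192.0.2.%d" % (i % 20 + 1), "203.0.113.51", 53, UDP, 1))
    flows.append((1.0, "192.0.2.9", "203.0.113.50", 443, 6, 5000))   # TCP, ignored here
    return flows

if __name__ == "__main__":
    for key, info in detect_udp_flood(sample_flows()).items():
        print(key, info)
```

Port entropy is the cheap way to tell "random ports" from a busy but legitimate service on one port, and the source count separates a spoofed flood from a single misbehaving client that a simple per-source rate limit would already catch.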
This year we saw the rise of a new and powerful botnet that incorporated an attack vector utilizing Generic Routing Encapsulation (GRE). In a GRE flood, the attacker encapsulates packets with large amounts of data and routes them to a destination network that de-encapsulates the packet’s payload. By sending GRE packets with large amounts of encapsulated data, the attacker is able to consume and exhaust the network resources working to de-encapsulate the payload. After the release of Mirai, one of our customers reported a GRE flood that fluctuated between 70-180 Gbps. Radware’s DDoS protection was able to successfully mitigate this attack based on the attack pattern of encapsulated UDP packets which contained 512 bytes of random data.
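The mitigation described above keyed on a structural pattern: GRE carrying an inner IPv4/UDP packet whose payload is exactly 512 bytes of random data. The following is an added example for this post, not Radware’s code or signature: it walks the outer IPv4 header, the GRE header (honouring the optional checksum, key and sequence fields), the inner IPv4 and UDP headers, and then checks the payload length and byte entropy against that pattern. The packets are constructed in the block (IP checksums left at zero, since the parser does not verify them), and the entropy threshold is an assumption.

```python
"""Added example (not Radware's code): parse IPv4/GRE/IPv4/UDP and match the
pattern described above, an inner UDP payload of 512 random bytes.

Packets are constructed for the example; the 7.0 bits/byte entropy threshold
is an assumption (random data of 512 bytes scores roughly 7.5).
"""
import math, socket, struct
from collections import Counter

GRE_PROTO, UDP_PROTO, ETH_P_IP = 47, 17, 0x0800

def byte_entropy(data):
    """Shannon entropy in bits per byte."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values()) if n else 0.0

def parse_gre(packet):
    """Return {"gre_proto", "inner_proto", "payload"} or None if the outer packet is not GRE."""
    if len(packet) < 24 or packet[9] != GRE_PROTO:
        return None
    off = (packet[0] & 0x0F) * 4                          # outer IHL
    flags, gre_proto = struct.unpack_from("!HH", packet, off)
    off += 4
    if flags & 0x8000: off += 4                           # checksum + reserved1 present
    if flags & 0x2000: off += 4                           # key present
    if flags & 0x1000: off += 4                           # sequence number present
    info = {"gre_proto": gre_proto, "inner_proto": None, "payload": None}
    if gre_proto != ETH_P_IP:
        return info
    inner = packet[off:]
    ihl = (inner[0] & 0x0F) * 4
    info["inner_proto"] = inner[9]
    if inner[9] != UDP_PROTO:
        return info
    udp_len = struct.unpack_from("!H", inner, ihl + 4)[0]
    info["payload"] = inner[ihl + 8: ihl + udp_len]       # UDP length covers header + data
    return info

def matches_described_pattern(packet, expected_len=512, min_entropy=7.0):
    """True for GRE-encapsulated UDP whose payload is expected_len bytes of random-looking data."""
    info = parse_gre(packet)
    if info is None or info["payload"] is None:
        return False
    p = info["payload"]
    return len(p) == expected_len and byte_entropy(p) >= min_entropy

def ipv4_header(src, dst, proto, total_len):
    """Constructed IPv4 header; checksum left zero because nothing here verifies it."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                       socket.inet_aton(src), socket.inet_aton(dst))

def build_gre_udp_packet(payload, gre_flags=0x0000):
    """Constructed outer IPv4 / GRE / inner IPv4 / UDP frame carrying payload."""
    udp = struct.pack("!HHHH", 40000, 53, 8 + len(payload), 0) + payload
    inner = ipv4_header("10.0.0.1", "10.0.0.2", UDP_PROTO, 28 + len(payload)) + udp
    gre = struct.pack("!HH", gre_flags, ETH_P_IP)
    if gre_flags & 0x2000:
        gre += struct.pack("!I", 0xDEADBEEF)                # key field, only when K is set
    outer = ipv4_header("203.0.113.1", "198.51.100.1", GRE_PROTO, 20 + len(gre) + len(inner))
    return outer + gre + inner

def random_payload(n, seed=7):
    import random
    rng = random.Random(seed)
    return bytes(rng.randrange(256) for _ in range(n))

if __name__ == "__main__":
    print(matches_described_pattern(build_gre_udp_packet(random_payload(512))))   # True
    print(matches_described_pattern(build_gre_udp_packet(bytes(512))))            # False
```

Matching on the decapsulated structure rather than on outer addresses matters because a flood of this kind arrives from many sources; the invariant the attacker cannot easily change without losing the attack’s effect is the fixed-size random payload.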
Moving into 2017, Radware’s ERT expects the denial of service landscape to continue evolving at a rapid rate as 1 Tbps attacks become the new standard. As IoT devices become more widely accepted and deployed over the next year, we expect attackers to find more vulnerable devices, due to their poor security, and to use them in combination with other botnets like Bashlite to achieve record-breaking sizes.
Download Radware’s DDoS Handbook to get expert advice, actionable tools and tips to help detect and stop DDoS attacks.
Daniel Smith is an information security researcher for Radware’s Emergency Response Team. He focuses on security research and risk analysis for network- and application-based vulnerabilities. Daniel’s research focuses on Denial-of-Service attacks and includes analysis of malware and botnets. As a white-hat hacker, his expertise in tools and techniques helps Radware proactively develop signatures and mitigations for its customers.