Imagine the following scenario: You’re a hosting company and you receive a call from one of the largest banks in the United States informing you that they are currently experiencing a cyber attack. Why are they calling you? The attack is coming from your servers.
During the recent wave of cyber attacks on US financial institutions, dubbed “Operation Ababil” by the perpetrators, the above scenario was no hypothetical. It was happening in real time. In fact, during the second wave of bank attacks, a large hosting company that had received complaints that several of the web servers in its facility were participating in an attack contacted Radware’s Emergency Response Team (ERT) for assistance.
From Operation Ababil’s inception, the ERT has closely followed the attack campaign’s evolution. For the most part, our efforts were concentrated on assisting targeted banks, and indeed, as we reported in the past, some of our customers’ environments saw massive multi-vector attacks reaching 65 Gbps.
But our examination doesn’t end with an assessment of attack vectors or traffic. While analyzing these attacks, we noticed that most of the attack volume was originating from just a few dozen hosts. These were web servers, compromised and controlled by hackers and herded into powerful botnets. This was the case for the hosting company that called upon the ERT a few weeks back: their servers were generating attack traffic towards one of the banks. Indeed, hosting companies’ servers are sometimes the forgotten victims of these attacks, with the attack consuming a large percentage of the server farm’s outbound bandwidth and computing power.
The Strengths of ‘Server Botnets’
It’s no secret that acquiring a large, home-PC based botnet is an easy task these days. These are available for rent starting from just a few hundred dollars. But generating DDoS attacks using a PC botnet has major drawbacks in bandwidth and availability. This is precisely where a botnet composed of servers has its strengths:
- Bandwidth – While the average US home computer has 600 Kbps upload speed, hosted servers can reach up to 100 Mbps. This means that a couple of attacking servers will generate the same amount of attack traffic as dozens of home PCs.
- Availability – While home users tend to shut down their computers, hosting companies must be available 24×7, enabling hackers to launch an attack using servers that are available all the time.
In order to create a server botnet and benefit from its advantages, the hacker needs to hack and infect the servers. While it is possible to hack vast numbers of home computers using spam, drive-by downloads or BitTorrent/P2P file downloads, taking over servers requires exploitation of server-side vulnerabilities and therefore higher technical skill. Hosting companies also deploy security appliances such as firewalls and IPS in their data centers, and the bandwidth and computing resources of servers are metered for billing purposes, which makes unusual consumption visible.
However, despite these security measures, hackers often manage to overcome these challenges. In the latest attacks they exploited PHP-based vulnerabilities in order to inject their malicious code into the target server. This code was then used to upload and execute DDoS attack scripts on the compromised server.
ERT Best Practice
Hosting companies should ensure their servers comply with basic security guidelines. Having endpoint protection is your first line of defense, but this approach will fail if attackers use obfuscation techniques. The ERT therefore recommends that network administrators at hosting farms closely monitor outbound traffic and look for the following abnormal activities:
- A sudden, long-lasting increase in outbound traffic. Hosting environments see daily increases in outbound bandwidth, but these are gradual and follow times of high demand.
- A high number of outbound TCP connections, especially to ports 80 and 443 (HTTP and HTTPS respectively). This is abnormal for hosting environments, which usually see the vast majority of connection requests inbound. In addition, a high rate of UDP traffic to non-characteristic outbound ports, mainly 80.
Once an anomaly has been detected, try to characterize it, for example by taking a packet capture and analyzing its nature.
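To make the two checks above concrete, here is an added example (not Radware’s or the ERT’s code) that runs them over flow records of the kind a NetFlow/sFlow exporter or a summarized packet capture would give you. It assumes a hosting block of 203.0.113.0/24, five-minute time buckets, and constructed sample flows in which one server starts pushing sustained outbound HTTP and UDP/80 traffic toward a single external address; the thresholds are illustrative and should be tuned to your own baseline.

```python
"""Outbound-anomaly checks for a hosting farm (added example, assumptions labelled)."""
import ipaddress
from collections import defaultdict

# Assumed address block of the hosting farm; anything else is "outside".
LOCAL_NET = ipaddress.ip_network("203.0.113.0/24")

# Constructed flow records: (bucket, src_ip, dst_ip, proto, dst_port, bytes).
# Buckets 0-5 are a quiet baseline: visitors hit .10 on port 80, .10 answers on
# the visitor's ephemeral port, .20 sends a little mail. Buckets 6-8 add one
# server (.10) opening hundreds of connections to a single external host.
FLOWS = []
for b in range(6):
    FLOWS.append((b, "198.51.100.7", "203.0.113.10", "tcp", 80, 40_000))
    FLOWS.append((b, "203.0.113.10", "198.51.100.7", "tcp", 52000, 300_000))
    FLOWS.append((b, "203.0.113.20", "198.51.100.9", "tcp", 25, 20_000))
for b in range(6, 9):
    FLOWS.append((b, "198.51.100.7", "203.0.113.10", "tcp", 80, 40_000))
    FLOWS.append((b, "203.0.113.20", "198.51.100.9", "tcp", 25, 20_000))
    for _ in range(200):  # outbound TCP connections to the target's port 80
        FLOWS.append((b, "203.0.113.10", "192.0.2.5", "tcp", 80, 50_000))
    for _ in range(100):  # outbound UDP datagrams to port 80
        FLOWS.append((b, "203.0.113.10", "192.0.2.5", "udp", 80, 1_400))


def is_outbound(src, dst):
    """True when the flow leaves the hosting block for an external address."""
    return (ipaddress.ip_address(src) in LOCAL_NET
            and ipaddress.ip_address(dst) not in LOCAL_NET)


def outbound_bytes_per_bucket(flows):
    """Total outbound bytes in each time bucket."""
    totals = defaultdict(int)
    for bucket, src, dst, _proto, _dport, nbytes in flows:
        if is_outbound(src, dst):
            totals[bucket] += nbytes
    return dict(totals)


def sustained_increase(totals, baseline_buckets=6, factor=3.0, min_consecutive=3):
    """Check 1: return runs of >= min_consecutive consecutive buckets whose outbound
    volume exceeds factor x the median of the first baseline_buckets buckets.
    A single hot bucket (a gradual daily peak) is not reported."""
    buckets = sorted(totals)
    base = sorted(totals[b] for b in buckets[:baseline_buckets])
    threshold = base[len(base) // 2] * factor
    hot = [b for b in buckets[baseline_buckets:] if totals[b] > threshold]
    runs, run = [], []
    for b in hot:
        if run and b != run[-1] + 1:   # gap: close the current run
            if len(run) >= min_consecutive:
                runs.append(run)
            run = []
        run.append(b)
    if len(run) >= min_consecutive:
        runs.append(run)
    return runs


def outbound_connection_profile(flows, bucket):
    """Check 2 input: per local host, count outbound TCP flows to 80/443 and
    outbound UDP flows to port 80 within one bucket. Replies from a web server
    carry the client's ephemeral port, so normal HTTP serving is not counted."""
    profile = defaultdict(lambda: {"tcp_web": 0, "udp_80": 0})
    for b, src, dst, proto, dport, _nbytes in flows:
        if b != bucket or not is_outbound(src, dst):
            continue
        if proto == "tcp" and dport in (80, 443):
            profile[src]["tcp_web"] += 1
        elif proto == "udp" and dport == 80:
            profile[src]["udp_80"] += 1
    return dict(profile)


def suspicious_hosts(profile, tcp_threshold=50, udp_threshold=20):
    """Check 2: local hosts whose outbound web-port activity exceeds a threshold.
    Thresholds are illustrative; derive real ones from your own baseline."""
    return sorted(host for host, c in profile.items()
                  if c["tcp_web"] >= tcp_threshold or c["udp_80"] >= udp_threshold)


if __name__ == "__main__":
    totals = outbound_bytes_per_bucket(FLOWS)
    for run in sustained_increase(totals):
        print(f"sustained outbound increase in buckets {run[0]}-{run[-1]}")
        for host in suspicious_hosts(outbound_connection_profile(FLOWS, run[0])):
            print(f"  candidate for packet capture: {host}")
```

The hosts the second check names are the ones worth capturing traffic from next; with real exporters you would replace `FLOWS` with parsed flow records and keep the baseline window long enough to cover a normal daily peak.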
For a deeper dive into server-based botnets and other new attack tools, check out the ERT’s Annual Global Application and Network Security Report.