Quantcast
Channel: CodeSection,代码区,网络安全 - CodeSec
Viewing all articles
Browse latest Browse all 12749

IoT Home Router Botnet Leveraged in Large DDoS Attack

$
0
0

We have been monitoring a large-scale Layer 7 HTTPS flood attack (i.e., application level DDoS) against a customer over the past few weeks. It is being distributed across 47,000 IP addresses and has been pushing over 120,000 HTTPS requests per second (RPS) to the website.

Unlike volumetric attacks that target the network link (measured in bits per second), application-based attacks are designed to target the application and web server resources (measured in requests per second).


IoT Home Router Botnet Leveraged in Large DDoS Attack
Beginning of large-scale Layer-7 DDoS

This customer came to us after trying to mitigate the DDoS attack using Amazon (AWS), Google (GCE), and other cloud-based auto-scaling solutions. At this scale, most load balancers and VPS cloud instances cannot sustain this level of traffic.

For this website owner, the attack was big enough to disable multiple web servers and quickly exhaust their available bandwidth. This was further exasperated through the use of HTTPS requests , which is more CPU intensive because of the TLS/SSL handshake.

DDoS Botnets

An application-level DDoS attack is not the most interesting aspect of this story.

We recently shared a post on aCCTV-based botnet used to initiate large-scale application-level DDoS attacks against websites. We also shared insights into how unsuspecting WordPress sites can form a malicious botnet to perform DDoS attacks via the XMLRPC feature . In both cases, attackers gain enough computing and networking power to send more requests than victim sites can handle. This forces the victim to add more computing and networking power to fight off attacks, which is highly unrealistic for most website owners.

This website owner tried several options to combat the DDoS attack. They tried the AWS auto-scaling service but reached a point where the cost was too great. They were paying large sums of money as the attack grew. For the attacker, using a botnet means they pay nothing to succeed. The victim has to pay for additional servers and bandwidth, while attackers get it for free using their malicious botnets.

That resource and cost imbalance makes DDoS mitigation tricky for most website owners.

Analyzing the 120K Layer 7 DDoS Attack

If you recall our CCTV-based botnet, the attackers had compromised 25,000 different IoT CCTV devices for their DDoS campaign. They were also generating an excess of 35,000 HTTP RPS against the site. In contrast, the attack we are analyzing today is four times (x4) the size of the CCTV-based attack. How did they achieve this?

In this case, attackers were making use of multiple botnets. They either rent or trade with other attackers distributed across 47,071 + IP addresses. By fingerprinting the IPs, we were able to profile 3 different botnets:

IoT CCTV Botnet ( same as previously disclosed ) IoT Home Routers Botnet (new) Compromised web servers coming from data centers (very common)

This new distribution allowed the attacker to generate a massive number of requests per second without affecting the operation of the infected devices. Under this configuration, the devices would only need to generate a few requests per second well within their means.

IoT Home Router Botnet

Perhaps the most interesting bit of data for us (being that we’re very familiar with CCTV and compromised web server botnets) was the introduction of the home router botnet. While we have seen routers being used maliciously in the past, we have never seen them used at this scale.

In this case, home routers made up 25% of the IP addresses, resulting in about 11,767 compromised routers . We were able to fingerprint the makeup of the home routers and it came down to eight major router brands being used in the campaign.

Routers being targeted by attackers is nothing new. Over the years there has been a lot of discussion in the community over the inherent risks they introduce to networks, along with other “plug-and-forget” devices (ex. WAPs, modems). Most notably, routers have been used for things like DNS hijacking , distribution of malware, and even vigilante malware (e.g., linux.Wifatch ).

While it has always been a possibility, seeing a DDoS rolled into one large-scale home router botnet was new to us.

Huawei Routers

The largest number of routers being exploited came from Huawei-based routers . They varied between versions: HG8245H, HG658d, HG531, etc.

We identified at least 6,015 compromised devices (51%). It’s difficult to know exactly how they were exploited, but a good place to start is with the brand’s security advisory page .


IoT Home Router Botnet Leveraged in Large DDoS Attack
HG531 router RouterOS login page
IoT Home Router Botnet Leveraged in Large DDoS Attack
HG658d router RouterOS login page
IoT Home Router Botnet Leveraged in Large DDoS Attack
HG8245H router RouterOS login page RouterOS Devices

Mikro RouterOS was the second most popular router behind this attack with 2,119 devices (18%).


IoT Home Router Botnet Leveraged in Large DDoS Attack
RouterOS login page AirOS Routers

Third place goes to AirOS, a Ubiquiti Networks device with 245 home routers.


IoT Home Router Botnet Leveraged in Large DDoS Attack
RouterOS login page Others

These were not the only routers being used. The rest were distributed across a number of different providers including NuCom 11N Wireless Routers, Dell SonicWalls , VodaFone, Netgear , and Cisco-IOS routers.


IoT Home Router Botnet Leveraged in Large DDoS Attack
Dell SonicWALL router login page IoT Home Router Botnet Diversity A

Viewing all articles
Browse latest Browse all 12749

Trending Articles