[Figure: DDoS architecture. The attacker sets up a handler system; each handler controls a group of compromised PCs (zombies) that flood the targeted server.]
The latest run of attacks began on 18 March with a 10Gbps packet flood that
saturated Spamhaus' connection to the rest of the Internet and knocked its site
offline.
[Figure: crimeware ecosystem. Attackers and a criminal operator run a Trojan command and control center backed by a crimeware toolkit database; a malicious affiliation network and legitimate compromised websites lead victims to the infrastructure. The original diagram numbers the steps 1 to 9.]
A massive 300Gbps was thrown against Spamhaus' website but the anti-spam
organisation was able to recover from the attack and get its core services back
up and running.
[Figure: botnet formation. The attacker infects a machine (the victim becomes a bot) and sets a bot C&C handler; the bot looks for other vulnerable systems and infects them to create the botnet; the zombies then attack a target server.]
The high attack bandwidth is made possible because attackers are using
misconfigured domain-name service (DNS) servers, known as open
recursive resolvers or open recursors, to amplify a much smaller attack
into a larger data flood. Known as DNS reflection, the technique uses
requests for a relatively large zone file that appear to be sent from the
intended victim's network.
[Figure: DNS reflection. The attacker sends a request to the server with the victim's address as the source; the server's response goes to the victim.]
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.
According to CloudFlare, the majority of the attack was traffic sent using
a technique called DNS (domain name system) reflection. Under normal
circumstances, DNS resolvers wait for a user request, such as a lookup for
the IP address for a domain name, then respond accordingly.
The largest source of attack traffic against Spamhaus came from DNS
reflection, launched through Open DNS resolvers rather than directly
via compromised networks.
[Figure: click-fraud botnet. The attacker infects a machine (victim bot) and sends commands to the bots through C&C; the zombies generate fake customer clicks against an ads webpage (http://adworld.com) served by an ad service provider.]
In the Spamhaus case, the attacker was sending requests for the DNS
zone file for ripe.net to open DNS resolvers. The attacker spoofed the
CloudFlare IPs we'd issued for Spamhaus as the source in their DNS
requests. The open resolvers responded with the DNS zone file, generating
collectively approximately 75Gbps of attack traffic. The requests were
likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X
+edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address
of an open DNS resolver) and the response was approximately 3,000
bytes, translating to a 100x amplification factor.
Spamhaus's blocklists are distributed via DNS and widely mirrored in order to
ensure that they are resilient to attacks. The website, however, was unreachable and
the blacklists weren't getting updated.
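The two passages above (open recursors as amplifiers, and the 36-byte query versus 3,000-byte answer arithmetic) describe what reflection traffic looks like at the victim: large DNS answers, often to ANY questions, arriving from resolvers the victim never queried. The following Python is an added example, not code from the EC-Council material or from CloudFlare or Spamhaus; it runs the defender's version of that observation over constructed flow records (all addresses are RFC 5737 documentation ranges), attributing unsolicited answers to each reflecting resolver and estimating the amplification. The 36-byte query size is assumed from the text because the spoofed queries are never seen at the victim.

```python
"""Added example (not from the EC-Council slides): spotting DNS reflection
traffic in flow records and attributing it to the open resolvers involved.
All addresses are constructed documentation ranges (RFC 5737)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One observed UDP datagram, as a border flow sensor might record it."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload_bytes: int
    qtype: str = ""  # DNS question type parsed from the payload, "" if not parsed


def unsolicited_dns_answers(flows):
    """Answers (source port 53) delivered to hosts that never queried that resolver.

    Reflection works because the attacker spoofs the victim as the query source,
    so the victim sees responses to questions it never asked. A resolver counts
    as 'asked' if the same host sent anything to port 53 of that resolver.
    """
    asked = {(f.src_ip, f.dst_ip) for f in flows if f.dst_port == 53}
    return [f for f in flows
            if f.src_port == 53 and (f.dst_ip, f.src_ip) not in asked]


def reflector_summary(flows):
    """Per (victim, resolver) totals for unsolicited answers: count, bytes, ANY count."""
    summary = defaultdict(lambda: {"answers": 0, "bytes": 0, "any": 0})
    for f in unsolicited_dns_answers(flows):
        entry = summary[(f.dst_ip, f.src_ip)]
        entry["answers"] += 1
        entry["bytes"] += f.payload_bytes
        if f.qtype.upper() == "ANY":
            entry["any"] += 1
    return dict(summary)


def top_reflectors(flows, victim, n=5):
    """Resolvers sending the most unsolicited bytes to `victim`, largest first."""
    per_resolver = defaultdict(int)
    for f in unsolicited_dns_answers(flows):
        if f.dst_ip == victim:
            per_resolver[f.src_ip] += f.payload_bytes
    return sorted(per_resolver.items(), key=lambda kv: (-kv[1], kv[0]))[:n]


def estimated_amplification(flows, victim, query_bytes=36):
    """Unsolicited answer bytes per assumed spoofed-query byte.

    The spoofed queries are not visible at the victim, so their size is an
    assumption; 36 bytes is the figure the text gives for the ANY query.
    """
    answers = [f for f in unsolicited_dns_answers(flows) if f.dst_ip == victim]
    if not answers:
        return 0.0
    return sum(f.payload_bytes for f in answers) / (len(answers) * query_bytes)


VICTIM = "203.0.113.10"  # constructed stand-in for the targeted address

# Constructed sample: one lookup the victim really made (and its answer), plus
# unsolicited 3,000-byte ANY answers from three open resolvers it never contacted.
SAMPLE_FLOWS = [
    Flow(VICTIM, 41000, "198.51.100.5", 53, 36, "A"),
    Flow("198.51.100.5", 53, VICTIM, 41000, 120, "A"),
    *[Flow("192.0.2.11", 53, VICTIM, 53, 3000, "ANY") for _ in range(4)],
    *[Flow("192.0.2.12", 53, VICTIM, 53, 3000, "ANY") for _ in range(3)],
    Flow("192.0.2.13", 53, VICTIM, 53, 3000, "ANY"),
]

if __name__ == "__main__":
    for (victim, resolver), totals in sorted(reflector_summary(SAMPLE_FLOWS).items()):
        print(f"{resolver} -> {victim}: {totals}")
    print(f"top reflectors: {top_reflectors(SAMPLE_FLOWS, VICTIM)}")
    print(f"estimated amplification: {estimated_amplification(SAMPLE_FLOWS, VICTIM):.1f}x")
```

The legitimate answer from 198.51.100.5 is excluded because the victim's own query to it is in the flow set; only the three resolvers that were never queried are reported. The `top_reflectors` list is what a victim would hand to upstream providers for filtering, and on the resolver side the same ANY-heavy, single-destination pattern is the signature that restricting recursion to known clients and enabling response rate limiting are meant to remove.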
[Figure: Botnet Ecosystem (source: http://theplugbot.com). The diagram links an owner, a crimeware toolkit database and a Trojan command and control center (C&C) with: scan & intrusion, malicious site, client-side vulnerability, redirect, botnet market, zero-day market, botnet licenses, malware market, phishing, data theft, emails, spam, mass mailing, DDoS, extortion, stock fraud, scams, adverts, MP3/DivX, and financial diversion.]