
Copyright by EC-Council. All Rights Reserved. Reproduction is Strictly Prohibited.

Anti-spam service Spamhaus has been hit with what several security firms today described as the largest distributed denial of service (DDoS) attacks ever seen.
[Figure: DDoS attack through handlers. The attacker sets up a handler system; the handler infects a large number of computers over the Internet; the compromised PCs (zombies) are instructed to attack the targeted server.]


The latest run of attacks began on 18 March with a 10Gbps packet flood that
saturated Spamhaus' connection to the rest of the Internet and knocked its site
offline.

Cybercrime Related IT Operations (Servers, Software, and Services)

[Figure: numbered flow (steps 1-9) between Attackers/Criminal, Crimeware Toolkit Database, Trojan Command and Control Center, Malicious Affiliation Network, Legitimate Compromised Websites and Victims. The Trojan uploads stolen data to, and receives commands from, the command and control center.]


A massive 300Gbps was thrown against Spamhaus' website but the anti-spam
organisation was able to recover from the attack and get its core services back
up and running.


Spamhaus supplies lists of IP addresses for servers and computers on the net linked to the distribution of spam.

[Figure: Botnet-driven DDoS. The attacker infects a machine (victim bot); the bot looks for other vulnerable systems and infects them to create a botnet; the attacker sets up a bot C&C handler; bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through C&C; the bots (zombies) attack the target server.]


The high attack bandwidth is made possible because attackers are using misconfigured domain-name service (DNS) servers, known as open recursive resolvers or open recursors, to amplify a much smaller attack into a larger data flood. Known as DNS reflection, the technique uses requests that provoke a relatively large answer (described in the coverage as a "zone file"; the query in this case was an ANY lookup) and that appear to be sent from the intended victim's network.

[Figure: DNS reflection. The attacker sends a request to the server; parties shown: Attacker, Server, Victim.]

Because the DNS server is not configured properly (it answers recursive queries from any source address), it will respond to each request by sending the large answer (the "zone file") to the victim's address, overwhelming the network.


By using DNS reflection, the attacker could amplify their own bandwidth by about 100-fold, turning modest resources into a large attack, Matthew Prince, CEO of CloudFlare, wrote in an analysis of the attack. For the past week, CloudFlare has worked with Spamhaus to mitigate the latest attack.


According to CloudFlare, the majority of the attack was traffic sent using
a technique called DNS (domain name system) reflection. Under normal
circumstances, DNS resolvers wait for a user request, such as a lookup for
the IP address for a domain name, then respond accordingly.


The largest source of attack traffic against Spamhaus came from DNS reflection, launched through open DNS resolvers rather than directly via compromised networks.
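From the resolver operator's side there are two things to look for in a query log: whether the resolver is answering recursive queries for arbitrary source addresses (which is what makes it an "open resolver") and whether one source is hammering it with ANY queries for a single name. The following is an added example for this page, not code from the slides, from CloudFlare or from Spamhaus. The log lines are constructed (documentation IP ranges) in a simplified format modelled on BIND's query log, the allow-list ALLOWED_NETS is an assumption, and the parser only understands this simplified form.

```python
"""Scan a recursive resolver's query log for (1) recursion granted to clients
outside the networks the resolver is meant to serve and (2) bursts of ANY
queries for one name from one source, the pattern a reflection attack leaves
on the reflector.

Added example for this page; not code from the slides, CloudFlare or Spamhaus.
Log format (constructed, loosely modelled on BIND's query log):

    <date> <time> client <ip>#<port>: query: <qname> IN <qtype> <flags>

A leading '+' in <flags> means the client asked for recursion (RD bit);
'E(0)' means it sent an EDNS0 OPT record.
"""
import ipaddress
import re
from collections import Counter

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): "
    r"query: (?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) (?P<flags>\S+)$"
)

# Networks this resolver is meant to serve (assumed for the example).
ALLOWED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Constructed sample: one internal client, one outside address repeating
# 'ANY ripe.net' (the reflection pattern), one stray outside lookup, and one
# malformed line that the parser must skip.
SAMPLE_LOG = """\
26-Mar-2013 10:15:01.001 client 192.0.2.10#51034: query: www.example.com IN A +E(0)
26-Mar-2013 10:15:01.010 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:01.011 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:01.012 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:01.013 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:01.014 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:01.015 client 198.51.100.7#33001: query: ripe.net IN ANY +E(0)
26-Mar-2013 10:15:02.200 client 203.0.113.9#40211: query: example.org IN A +
26-Mar-2013 10:15:02.300 client 192.0.2.10#51035: query: ripe.net IN ANY +E(0)
garbage line that does not match the format
"""


def parse_line(line: str):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_allowed(ip: str) -> bool:
    """True if ip falls inside one of the networks the resolver should serve."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_NETS)


def find_reflection_abuse(lines, any_threshold: int = 5) -> dict:
    """Flag open-recursion clients and ANY-query bursts.

    Returns {"open_recursion": set of source IPs outside ALLOWED_NETS that
    asked for recursion, "any_bursts": [(ip, qname, count), ...] for sources
    that sent at least any_threshold ANY queries for the same name}.
    """
    open_recursion = set()
    any_counts = Counter()
    for rec in filter(None, map(parse_line, lines)):
        wants_recursion = rec["flags"].startswith("+")
        if wants_recursion and not is_allowed(rec["ip"]):
            open_recursion.add(rec["ip"])
        if rec["qtype"] == "ANY":
            any_counts[(rec["ip"], rec["qname"])] += 1
    bursts = sorted(
        (ip, qname, n) for (ip, qname), n in any_counts.items() if n >= any_threshold
    )
    return {"open_recursion": open_recursion, "any_bursts": bursts}


if __name__ == "__main__":
    for key, value in find_reflection_abuse(SAMPLE_LOG.splitlines()).items():
        print(key, value)
```

One caveat when acting on the output: in a reflection attack the "client" that repeats ANY ripe.net is the spoofed victim, so blocking that address at the resolver only finishes the attacker's job. The fix is to stop recursing for outside addresses and to rate-limit responses, not to block the apparent source.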

[Figure: Click-fraud botnet. The attacker infects a machine (victim bot); the bot infects other systems and creates a botnet; the attacker sets up a bot C&C handler; bots connect to the C&C handler and wait for instructions; the attacker sends commands to the bots through C&C; the bots (zombies) generate fake customer clicks on an ads webpage (http://adworld.com) served by the ad service provider.]


The basic technique of a DNS reflection attack is to send a request for a large DNS zone file, with the source IP address spoofed to be the intended victim, to a large number of open DNS resolvers. The resolvers then respond to the request, sending the large DNS zone answer to the intended victim. The attackers' requests themselves are only a fraction of the size of the responses, meaning the attacker can effectively amplify their attack to many times the size of the bandwidth resources they themselves control.


In the Spamhaus case, the attacker was sending requests for the DNS zone file for ripe.net to open DNS resolvers. The attacker spoofed the CloudFlare IPs we'd issued for Spamhaus as the source in their DNS requests. The open resolvers responded with the DNS zone file, generating collectively approximately 75Gbps of attack traffic. The requests were likely approximately 36 bytes long (e.g. dig ANY ripe.net @X.X.X.X +edns=0 +bufsize=4096, where X.X.X.X is replaced with the IP address of an open DNS resolver) and the response was approximately 3,000 bytes, translating to a 100x amplification factor.
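The request behind the quoted dig command, assembled byte by byte as an added example (this is not CloudFlare's code and it sends nothing on the network). It shows where the "approximately 36 bytes" comes from: a 12-byte header, the question for ripe.net ANY, and the EDNS0 OPT record that advertises a 4,096-byte receive buffer come to 37 bytes of UDP payload. The 3,000-byte response size is taken from the quote above and passed in as a number, not measured; the RFC 1035 and RFC 6891 layouts are standard, everything else (transaction id, the amplification helper) is the example's own.

```python
"""Build a 'dig ANY <name> +edns=0 +bufsize=4096' query on the wire and measure
how small it is next to the answer it provokes.

Added example for this page; not CloudFlare's code, and nothing is sent.
Layout follows RFC 1035 (header, question) and RFC 6891 (EDNS0 OPT record).
"""
import struct

QTYPE_ANY = 255          # 'dig ANY': return every record set at the name
QCLASS_IN = 1
TYPE_OPT = 41            # EDNS0 OPT pseudo-RR
FLAG_RD = 0x0100         # recursion desired
IPV4_UDP_HEADERS = 20 + 8  # per-datagram overhead added on the wire


def encode_name(name: str) -> bytes:
    """Dotted name -> DNS labels: <len><label>... terminated by a zero byte."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 1 <= len(raw) <= 63:
            raise ValueError(f"bad label: {label!r}")
        out.append(len(raw))
        out += raw
    out.append(0)
    return bytes(out)


def build_query(name: str, qtype: int = QTYPE_ANY, txid: int = 0x1234,
                edns_bufsize: int = 4096) -> bytes:
    """UDP payload for '<name> <qtype>' carrying an EDNS0 OPT record.

    The OPT record's CLASS field advertises the UDP payload size the sender
    accepts, so the resolver returns an answer up to edns_bufsize bytes over
    UDP instead of truncating at 512; with a spoofed source address that
    answer is delivered to the victim.
    """
    # id, flags, QDCOUNT=1, ANCOUNT=0, NSCOUNT=0, ARCOUNT=1 (the OPT record)
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT: root name (0x00), TYPE=41, CLASS=payload size,
    # TTL=extended RCODE/version/flags (all zero, EDNS version 0), RDLENGTH=0
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)
    return header + question + opt


def parse_query(packet: bytes) -> dict:
    """Decode qname, qtype, RD bit and advertised EDNS buffer size from a
    query built without name compression (as build_query produces)."""
    _txid, flags, _qd, _an, _ns, arcount = struct.unpack("!HHHHHH", packet[:12])
    pos, labels = 12, []
    while True:
        n = packet[pos]
        pos += 1
        if n == 0:
            break
        labels.append(packet[pos:pos + n].decode("ascii"))
        pos += n
    qtype, _qclass = struct.unpack("!HH", packet[pos:pos + 4])
    pos += 4
    bufsize = 512  # RFC 1035 UDP limit when no OPT record is present
    if arcount and packet[pos] == 0:
        rtype, rclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
        if rtype == TYPE_OPT:
            bufsize = rclass
    return {"qname": ".".join(labels), "qtype": qtype,
            "rd": bool(flags & FLAG_RD), "bufsize": bufsize}


def amplification_factor(query_len: int, response_len: int,
                         on_wire: bool = True) -> float:
    """Bytes delivered to the victim per byte the attacker sends.

    on_wire=True adds the IPv4+UDP headers to both datagrams, which lowers the
    ratio; the page's 100x is a round payload-only figure.
    """
    extra = IPV4_UDP_HEADERS if on_wire else 0
    return (response_len + extra) / (query_len + extra)


if __name__ == "__main__":
    q = build_query("ripe.net")
    print(len(q), "byte query:", parse_query(q))
    print("payload-only amplification for a 3000-byte answer:",
          round(amplification_factor(len(q), 3000, on_wire=False), 1))
```

Run as a script it reports a 37-byte query and a payload-only ratio of about 81 for a 3,000-byte answer; counting the 28 bytes of IPv4 and UDP headers on each datagram brings the on-wire ratio down to roughly 47. That is also why the bufsize advertisement matters to the attacker: a resolver that only answers over UDP up to 512 bytes and sets the truncation bit for anything larger forces a TCP retry, which a spoofed source can never complete.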


Spamhaus's blocklists are distributed via DNS and widely mirrored in order to ensure that they are resilient to attacks. The website, however, was unreachable and the blacklists weren't getting updated.


Because the attacker used DNS amplification, they only needed to control a botnet or cluster of servers able to generate 750Mbps, which is possible with a small botnet or a handful of AWS instances.


CloudFlare reckons 30,000 unique DNS resolvers have been involved in the attack against Spamhaus.

Botnet Ecosystem

[Figure: Botnet ecosystem. Owner; Botnet; C&C (Trojan Command and Control Center); Crimeware Toolkit Database; infection paths: Malicious Site, Scan & Intrusion, Client-Side Vulnerability, Redirect, Emails; markets: Botnet Market, Zero-Day Market, Malware Market; uses: Licenses/MP3/DivX, Financial Diversion, Phishing, Data Theft, Spam/Mass Mailing, DDoS, Extortion, Stock Fraud, Scams, Adverts.]


Botnet Trojan: Shark

[Screenshot: Command Control Center]


Poison Ivy: Botnet Command Control Center


Botnet Trojan: PlugBot

PlugBot is a hardware botnet project. It is a covert penetration testing device (bot) designed for covert use during physical penetration tests.

http://theplugbot.com

Botnet Trojans: Illusion Bot and NetBot

[Screenshot: Attacker]


To know more about these attacks and how to secure your Information Systems, come to CEH Class!
