d2jsp
d2jsp Forums > Off-Topic > Computers & IT > Hacking The Gibson > Hacker News
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 24 2013 12:28pm
Quote (Neutral @ Apr 24 2013 02:24pm)
you didn't even post about the latest cyber threat, where people are still buying apple shit on the daily


cyber threat -> buying apples?

wut
Member
Posts: 5,105
Joined: Apr 10 2008
Gold: 1,680.00
Apr 24 2013 02:45pm
Quote (AbDuCt @ Apr 24 2013 02:19pm)
1. wut
2. wut
3. wut
4. wut
5. wut

this thread is just my collection of news posts about cyber threats and incidents that go around on the web.


This.

I hope you were being sarcastic with a few of those Ghot.

This post was edited by VxDoomxV on Apr 24 2013 02:46pm
Member
Posts: 105,129
Joined: Apr 25 2006
Gold: 10,475.00
Apr 24 2013 04:18pm
Quote (AbDuCt @ Apr 24 2013 02:19pm)
1. wut
2. wut
3. wut
4. wut
5. wut

this thread is just my collection of news posts about cyber threats and incidents that go around on the web.


I was answering noob-whacker

1. Compliment
2. Just an off the wall fact...it's a drink too.
3. Joke
4. Complimenting you on your skills, but reminding you to consider your audience :)
5. Actual answer :)
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 27 2013 01:17pm
Who Needs a Botnet when you have a 4 Gbps DDoS Cannon?

In recent months the DDoS world has shifted from complex small scale Botnet attacks to much larger network based DDoS attacks, perpetrated largely by hijacked web servers. How many of these hijacked servers are out there remains to be seen. However, we recently got a very good idea of just how large these DDoS cannons are getting.

Last Saturday we mitigated a rather small, 4Gbps DDoS attack, but this time it had a different pattern that attracted our attention.

At first sight the attack seemed rather simple, generating 8 million DNS queries per second, to many domains, from spoofed IP addresses (using real domain name servers' IPs). But this time it included a hint about where it was coming from: all that traffic was coming from the same source, probably on the same network, maybe even the same device.
Tracing it to a single Source - TTL Giveaway

We were able to trace the attack to a single source because this time the attackers slipped up and did not randomize the requests' TTLs, making all the traffic arrive with the same IP TTL.

The TTL parameter is part of the Internet Protocol. It's a field that designates how many routers a packet is allowed to pass before it expires. Every router along the way decrements the counter until it expires (many diagnostic tools, like traceroute, use this attribute). Of course, like many other fields, its value can be spoofed and randomized, but it is almost impossible to make millions of packets from many sources have the same TTL when they reach their destination. And this is exactly what we saw.
DDoS Traceroute - The TTL Giveaway
Are Authoritative Name Servers next on the exploit list?

Another interesting point we saw is that the spoofed addresses belonged to DNS servers, but not all were open DNS resolvers. In fact, many of these IPs were those of authoritative name servers.

The reason for the non-random selection of IPs was to avoid blacklisting mechanisms. But it means that hackers are also collecting information about authoritative name servers. Using these in reflection attacks is a bit more complicated (it means building a database of domains with large DNS responses), with much smaller amplification factor, but they are much more difficult to lock down than open DNS resolvers.
So... what does this mean?

This means that the stakes just got higher. Just for comparison, at the rate of this attack, if it had used DNS amplification, with an average amplification factor of 50 - it would have generated a 200+ Gbps DDoS attack, all from a single source/computer!

What do we know about this source?

It is either custom hardware, or a cluster of machines sharing the same network. It is (almost) impossible for a single machine to generate this kind of traffic.
It could utilize 4Gbps of upstream bandwidth, without anyone noticing.

These days it doesn't take a Botnet to launch massive DDoS attacks. It doesn't even take hundreds of servers, from multiple hosting providers. Today, that kind of massive firepower can be obtained from a single DDoS Cannon, from a single location and perhaps even one single server.

Google bans Facebook and other self updating Android apps

Google just released a new Play Store version, 4.0.27, that contains only very minor tweaks, and Google has changed the rules of its Google Play Store to put an end to the practice of developers updating their apps through their own means rather than the official Google Play channel.

Shortly before the Facebook Home launch, some users noticed a new version of Facebook was available on their device, but it wasn't through the Play Store. Instead, the update came directly through the app, bypassing the Store altogether.

Under the "Dangerous Products" section of the Google Play developer policies, Google now states that "an app downloaded from Google Play may not modify, replace or update its own APK binary code using any method other than Google Play's update mechanism."

Essentially this means that once an app is downloaded by an Android user it cannot contact home base and auto-update its own operating code. Instead, it has to use the official Google approved channel.

Google says that its Play Store is a "trusted source for Android application downloads" and that it is "committed to providing a secure and consistent experience." Allowing apps to update themselves could possibly lead to some less-than-secure scenarios, as the initial download from Google Play would be safe while the in-app updater installs malware.
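The TTL clustering that the DDoS write-up above relies on, as an added example that is not part of the original post and not the mitigation vendor's code: the check below takes per-packet (source IP, IP TTL) records, measures how concentrated the TTL distribution is, and flags the contradiction of thousands of claimed source addresses all arriving with one TTL. The record format, the function names, the thresholds and both sample floods are my own assumptions and constructions, not captured traffic.

```python
"""TTL-clustering check for a spoofed-source flood.

Added example, not code from the original post or from the mitigation
vendor it quotes. Assumption: each packet is summarised as a
(source_ip, ip_ttl) tuple, as you would pull from a pcap or flow export.
The two sample floods below are constructed, not captured traffic.
"""
from collections import Counter
import math
import random


def ttl_histogram(packets):
    """Count how many packets arrived with each IP TTL value."""
    return Counter(ttl for _, ttl in packets)


def ttl_entropy(hist):
    """Shannon entropy (bits) of the TTL distribution.

    0.0 means every packet arrived with exactly the same TTL, which is
    what the post describes. Traffic that really originates from many
    networks spreads over many TTL values instead.
    """
    total = sum(hist.values())
    ent = -sum((n / total) * math.log2(n / total) for n in hist.values())
    return max(0.0, ent)  # avoid returning -0.0 for a single bucket


def likely_hops(observed_ttl, initials=(64, 128, 255), max_hops=40):
    """Candidate (initial TTL, hop count) pairs for an observed TTL.

    Common OS defaults are 64, 128 and 255; a candidate is kept only if
    the implied path length is plausible (<= max_hops).
    """
    return [(init, init - observed_ttl)
            for init in initials
            if 0 <= init - observed_ttl <= max_hops]


def classify(packets, min_sources=1000, dominant_share=0.95):
    """Flag a flood that claims many source IPs but shows one TTL.

    Returns (verdict, dominant_ttl, share_of_packets_with_that_ttl).
    Caveat: an attacker who randomises TTLs defeats this, and a handful
    of real sources behind one path also cluster; treat the verdict as
    a triage hint, not proof.
    """
    hist = ttl_histogram(packets)
    dominant_ttl, count = hist.most_common(1)[0]
    share = count / len(packets)
    sources = len({src for src, _ in packets})
    if sources >= min_sources and share >= dominant_share:
        return ("single_source_spoofed", dominant_ttl, share)
    return ("distributed_or_inconclusive", dominant_ttl, share)


def make_spoofed_flood(n, ttl=53):
    """Constructed sample: n packets, n distinct forged source IPs, one
    TTL (the attacker forgot to randomise it)."""
    return [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", ttl)
            for i in range(n)]


def make_distributed_flood(n, seed=7):
    """Constructed sample: n packets from n distinct sources with mixed
    OS defaults and path lengths, so the TTLs are spread out."""
    rng = random.Random(seed)
    return [(f"172.{16 + ((i >> 16) & 15)}.{(i >> 8) & 255}.{i & 255}",
             rng.choice((64, 128, 255)) - rng.randint(8, 25))
            for i in range(n)]


if __name__ == "__main__":
    for name, flood in (("spoofed", make_spoofed_flood(5000)),
                        ("distributed", make_distributed_flood(5000))):
        verdict, ttl, share = classify(flood)
        ent = ttl_entropy(ttl_histogram(flood))
        print(f"{name:12s} verdict={verdict} dominant_ttl={ttl} "
              f"share={share:.3f} entropy={ent:.2f} hops={likely_hops(ttl)}")
```

Run it as a script to see the two verdicts side by side; in practice you would feed it the (source, TTL) pairs from a capture taken at the edge of the target network. The hop estimate from `likely_hops` is only as good as the initial-TTL guess, and a spoofer who also randomises the TTL field leaves nothing for this check to find, which is why the write-up calls the fixed TTL a slip-up rather than a reliable signature.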
Member
Posts: 13,425
Joined: Sep 29 2007
Gold: 0.00
Warn: 20%
Apr 27 2013 07:09pm
Malware overwrites fan profiles, many gpus left dead!



A Russian hacker that goes by the handle ZeroCool hand crafted a malicious image file that, once opened, searches for fan profiles created by various vendors and deliberately sets them all to turn off.

This widespread image appears to be that of a cat, but ESET has determined there have been at least four different variants spotted in the wild. Eugene Belford from ESET claims, "this is the most technologically advanced malware we have seen in quite a while", and further expressed that "to make matters worse it is highly destructive in nature and could cause billions in damage."

The way the malware works is that once opened, it searches your RAM for one or two bits of data relating to fan speeds and overwrites them with predetermined values to cause total bearing failure, although in newer variants it simply turns the fan completely off.

The only sure way to stay protected from this malware is to go to https://www.grc.com/x/ne.dll?bh0bkyd2 and run a test to make sure you are invisible on the internet. Another way to stay protected is to make sure that you do not copy malicious-looking code into your computer's clipboard in case it automatically runs through the embedded Windows clipboard service; always copy-paste into a text file instead.
Member
Posts: 20,978
Joined: Apr 19 2006
Gold: 85.00
Apr 27 2013 07:14pm
Quote (AbDuCt @ Apr 27 2013 08:09pm)
Malware overwrites fan profiles, many gpus left dead!

http://i.imgur.com/T2DOJFH.png

A Russian hacker that goes by the handle ZeroCool hand crafted a malicious image file that, once opened, searches for fan profiles created by various vendors and deliberately sets them all to turn off.

This widespread image appears to be that of a cat, but ESET has determined there have been at least four different variants spotted in the wild. Eugene Belford from ESET claims, "this is the most technologically advanced malware we have seen in quite a while", and further expressed that "to make matters worse it is highly destructive in nature and could cause billions in damage."

The way the malware works is that once opened, it searches your RAM for one or two bits of data relating to fan speeds and overwrites them with predetermined values to cause total bearing failure, although in newer variants it simply turns the fan completely off.

The only sure way to stay protected from this malware is to go to https://www.grc.com/x/ne.dll?bh0bkyd2 and run a test to make sure you are invisible on the internet. Another way to stay protected is to make sure that you do not copy malicious-looking code into your computer's clipboard in case it automatically runs through the embedded Windows clipboard service; always copy-paste into a text file instead.


nice
Member
Posts: 5,105
Joined: Apr 10 2008
Gold: 1,680.00
Apr 28 2013 07:51pm
Quote (AbDuCt @ Apr 27 2013 09:09pm)
Malware overwrites fan profiles, many gpus left dead!

http://i.imgur.com/T2DOJFH.png

A Russian hacker that goes by the handle ZeroCool hand crafted a malicious image file that, once opened, searches for fan profiles created by various vendors and deliberately sets them all to turn off.

This widespread image appears to be that of a cat, but ESET has determined there have been at least four different variants spotted in the wild. Eugene Belford from ESET claims, "this is the most technologically advanced malware we have seen in quite a while", and further expressed that "to make matters worse it is highly destructive in nature and could cause billions in damage."

The way the malware works is that once opened, it searches your RAM for one or two bits of data relating to fan speeds and overwrites them with predetermined values to cause total bearing failure, although in newer variants it simply turns the fan completely off.

The only sure way to stay protected from this malware is to go to https://www.grc.com/x/ne.dll?bh0bkyd2 and run a test to make sure you are invisible on the internet. Another way to stay protected is to make sure that you do not copy malicious-looking code into your computer's clipboard in case it automatically runs through the embedded Windows clipboard service; always copy-paste into a text file instead.

ZeroCool is from that movie where they press like 5 keys and have root privys on mainframes, isn't it?
Member
Posts: 16,450
Joined: Mar 25 2012
Gold: 158.71
Apr 28 2013 08:01pm
Quote (VxDoomxV @ Apr 28 2013 09:51pm)
ZeroCool is from that movie where they press like 5 keys and have root privys on mainframes isn't it?


http://www.imdb.com/title/tt0113243/
Member
Posts: 5,105
Joined: Apr 10 2008
Gold: 1,680.00
Apr 28 2013 08:03pm
Quote (dolarsignzeroxeighty @ Apr 28 2013 10:01pm)


Lol.

Angelina Jolie?!?!?!?!?! :baby:

This post was edited by VxDoomxV on Apr 28 2013 08:04pm
Member
Posts: 16,450
Joined: Mar 25 2012
Gold: 158.71
Apr 28 2013 08:06pm
Quote (VxDoomxV @ Apr 28 2013 10:03pm)
Lol.


movie is actually better than some TV shows atm :/
my time spent on runescape training would be much more fun.

/e she's pretty :3

This post was edited by dolarsignzeroxeighty on Apr 28 2013 08:07pm