The Rising of GET Style HTTP DDos Attacks and Why (article)
------------------------------------------------------------------------------------------------------
The Rising of GET Style HTTP DDos Attacks and Why
In the last year or so since there are less vulnerable home computers on the net due to Vista and new XP service packs, gathering and building large botnets has became harder for your average run of the mill bot kiddie. Most are now resorting to installing bots through vulnerable php and cgi applications. This usually makes for a harder hitting bot but it is simply too difficult to build up such a net and by the time they have somewhat of a decent net made the sysadmins of the hacked servers catch on to them usually from seeing super high loads caused by these processes running constantly. I have yet to see one of these php bots not hog resources enough to raise a red flag to the most ignorant and lazy of admins.
So needless to say these “RFI-nets” as they are usually called are a full time job for the bot kiddy to keep going and even then he may only average around 200-300 bots if he is good and has plenty of unpublished exploits. The bot kids who do this with known published exploits have an even harder time and are lucky to get a net of 50 and even when they do most likely those same servers are also hacked and in use by other bot kids as well. Unless this is the bot kid’s full time job chances are he is not going to be able to build up such a huge botnet as was possible in years past. These type of bot kids here usually use their botnets to attack people on the net they are in e-wars with or perhaps sites that they are in competition with. Or if their attack proves to be very effective which in most cases it is they will extort the victim for large sums of money only to start again asking for more money – a never ending cycle in which a webmaster should never do in the first place.
The other kind of small botnets I have seen lately as well are usually ranges from third world countries who most likely use extremely outdated windows versions like 95, 98, me and 2000. I’m no windows expert so I will just say people using end of life windows or pirated windows that are still susceptible to remote exploits. Most smart bot kids are able to keep these zombie computers without others installing their malware on the machines using their installed malware to prevent such occurrences. These botted computers are usually on dial up or lower speed dsl with overall bad connectivity with the rest of the world. So the chance of a net of these zombies sending huge bandwidth attacks are very slim unless they have a great number of them.
So this brings us to why HTTP GET style attacks are becoming more prevalent. First off nearly all sites now are mysql/php dynamic sites and very few html sites. With static sites these type of attacks have no more effect then draining some bandwidth. With the dynamic sites these attacks can be devastating because it performs legit browser requests with legit user agents. The variety of user agents makes me belive that somehow the bot is using the zombie pcs browser in the background somehow if possible. If not then they randomize known and accepted user agents that do not look out of place.
Each bot will make the same request around 1-2 times per second or even less. Enough to where it causes resource exhaustion but not enough to where it will accumulate massive connections which is another method usually used to ban attacking bots. The syn/ack patterns of the bots are also legit and throttled enough to where it again evades most common protections related to that. So overall this attack gets right by nearly all network and server level protection as it just seems like the site is under super busy load. Each bot will usually only sustain 1-5 connections to the server at all times and all packets seem legit.
I had not seen many attacks like this until the last 2 years as bot makers had most likely caught on to the most common protection methods which include blocking ips for massive connections, bad packets, aggressive syn, etc. Even using litespeed and all the server level protections I have the only sure fire way to stop these attacks was using a click to enter page on router level that our network offers on the more expensive advanced secureport protection. The network owner assured me many times before that their protection blocks on repetitive gets but I have yet to see it. I am sure someone out there has a system that can detect and block these.
For now after 2 years of soliciting developers, paying for non working scripts and finding no solution I finally got someone at WHT to code for me the basis for BARF. Although this is a great script and does the job you still have to specify the attacked domain and the request that is being repeated. Eventually with enough help from various perl developers and contributors we will be able to have something that will detect any repetitive get but the problem there lies in domain logs. Unless you are using one access log it would have to tail and parse all domain logs – something that would nearly require a selenate box under full load at all times to do.
Anyway no matter what if you are doing ddos protection via server level or network level you will still have to do some manual work. Maybe some day we will have some awesome automated script for this but for now we have BARF which just requires a screen and a few minutes of the admins time to initially tail the log to find the repeating GET and then put in script parameter. It is also possible bot herders will change this request fro time to time as they catch on but being vigilant and checking every our or so any admin should be able to work with it.
As far as being less bots and zombie pcs for bot herders to use, I am not saying this it in call cases but very much so for entry level and non-full time bot kids. Once everyone starts migrating to windows 7 I expect even less. But there will still be the third world countries with the prevalence of end of life and illegal windows copies which will carry bots. There are still of course millions of infected computers out there used for ddos purposes. But I just don’t think it is easy anymore as scanning ranges for vuln pcs and infecting them. Usually anymore it seems the user has to download and install the malware themselves somehow through browser exploits and other means.
And I guess that is all I can say about this. I think it is only gonna get more prevalent, these attack methods that evade common filtering because they are in fact legit connections and requests. When protection updates and more people start using it the bot herders and makers will adapt and try to stay ahead of us. Also why would a botmaster user 10k bots to take down a target when he only has to use around 1k or less to take it down via get attack and resource exhaustion? It is also working too, many sites are falling victim to this. I first seen this come from mostly Russian bot herders but now am seeing it from bot kids of all nations.
It is a war people, just like the war on spam which we are in no doubt losing that one. But we can win this one and make the bot kids lives harder by being vigilant, trying new scripts and ideas as well as rolling up your sleeves and getting in your box to fight them head on. If you can login your box, if they have not consumed your port, there is no reason you cannot find a way to stop them.
