This paper is included in the Proceedings of the 26th usenix security Symposium August 16–18, 2017 • Vancouver, bc, Canada
Yüklə 382,3 Kb. Pdf görüntüsü
|
Figure 8: C2 Cluster Lookup Volume — The DNS lookup volume of C2 DNS clusters in a large U.S. ISP establishes the relative size of the botnet behind each cluster and chronicles its rise and fall. Note, for example, cluster 1 which represents the original botnet in use for the early high profile attacks on Krebs and OVH and the emergence of a myriad of clusters after the public source release. neering efforts. Between November 2, 2016 and February 28, 2017, we observed 48 new sets of usernames and passwords, as well as changes to the IP blacklist. We note that while many actors modified the set of credentials, they often did so in different ways (Figure 9). This is true for other features as well. In one example, a variant evolved to remove U.S. Department of Defense blocks from the initial scanning blacklist. The malware further evolved to use new infection mechanisms. Most notably, in late November 2016, Mirai variants began to scan for TCP/7547 and TCP/5555, two ports commonly associated with CWMP [15, 93]. Additionally, one malware strain began to using domain generation algorithms (DGA) in the place of a hardcoded C2 domain, though this feature was short lived. By November 2016, packed binaries had emerged. Techniques to improve virulence and to aide in relia- bility were not simply limited to the client binaries. We found evidence of operators using DNS to avoid or at- tempt to evade detection as well. Recent work by Lever et al. demonstrated how attackers abuse the residual trust inherited by domains to perform many, seemingly un- connected types of abuse [55]. Mirai was no different from other types of malware — we found evidence that at least 17% of Mirai domains abused residual trust. Specif- ically, these domains expired and were subsequently re- registered before they were used to facilitate connections between bots and C2 servers. This serves as a reminder that although Mirai is unique in many ways, it still shares much in common with the many threats that came before it.
By combining the malware we observed with our DNS data, we can also measure the evolution of the C2 clusters in Table 8. We note that cluster 2 — the third largest by lookup volume — evolved to support many new features, such as scanning new ports TCP/7547 and TCP/5555, adding DGA, and modifying the source code blacklist to exclude Department of Defense (DoD) blocks. This is not to say, however, that evolution guaranteed success. Figure 9: Password Evolution — The lineage of unique pass- word dictionaries, labeled with their associated clusters, depicts many malware strains modifying the default credential list to target additional devices. The node marked (*) indicates the released source code password dictionary and serves as the foundation for the all divergent password variants Cluster 23, which can be seen clearly in Figure 9, evolved very rapidly, adding several new passwords over its active time. Despite this evolution, this cluster was 19th out of 33 clusters in terms of lookup volume over time and was unable to capture much of the vulnerable population. We also note that not all successful clusters evolved either; for example, cluster 6, which showed no evolutionary trend from its binaries, received the highest lookup volume of all the clusters. 6 Mirai’s DDoS Attacks The Mirai botnet and its variants conducted tens of thou- sands of DDoS attacks during our monitoring period. We explore the strategies behind these attacks, characterize their targets, and highlight case studies on high-profile targets Krebs on Security, Dyn, and Liberia’s Lonestar Cell. We find that Mirai bore a resemblance to booter ser- USENIX Association 26th USENIX Security Symposium 1103 Attack Type Attacks
Targets Class
HTTP flood 2,736
1,035 A UDP-PLAIN flood 2,542 1,278
V UDP flood
2,440 1,479
V ACK flood
2,173 875
S SYN flood
1,935 764
S GRE-IP flood 994 587
A ACK-STOMP flood 830 359
S VSE flood
809 550
A DNS flood
417 173
A GRE-ETH flood 318 210
A Table 9: C2 Attack Commands — Mirai launched 15,194 at- tacks between September 27, 2016–February 28, 2017. These include [A]pplication-layer attacks, [V]olumetric attacks, and TCP [S]tate exhaustion, all of which are equally prevalent. vices (which enable customers to pay for DDoS attacks against desired targets), with some Mirai operators target- ing popular gaming platforms such as Steam, Minecraft, and Runescape. 6.1
Types of Attacks Over the course of our five month botnet infiltration, we observed Mirai operators issuing 15,194 DDoS at- tack commands, excluding duplicate attacks (discussed in Section 3). These attacks employed a range of dif- ferent resource exhaustion strategies: 32.8% were vol- umetric, 39.8% were TCP state exhaustion, and 34.5% were application-layer attacks (Table 9). This breakdown differs substantially from the current landscape of DDoS attacks observed by Arbor Networks [7], where 65% of attacks are volumetric, 18% attempt TCP state exhaus- tion, and 18% are higher-level application attacks. While amplification attacks [79] make up 74% of attacks issued by DDoS-for-hire booter services [40], only 2.8% of Mi- rai attack commands relied on bandwidth amplification, despite built-in support in Mirai’s source code. This ab- sence highlights Mirai’s substantial capabilities despite the resource constraints of the devices involved. 6.2 Attack Targets Studying the victims targeted by Mirai sheds light on its operators. We analyzed the attack commands issued by Mirai C2 servers (as detailed in Section 3) to examine who Mirai targeted. In total, we observed 15,194 attacks issued by 484 C2 IPs that overlapped with 24 DNS clusters (Sec- tion 5). The attacks targeted 5,046 victims, comprised of 4,730 (93.7%) individual IPs, 196 (3.9%) subnets, and 120 (2.4%) domain names. These victims ranged from game servers, telecoms, and anti-DDoS providers, to political websites and relatively obscure Russian sites (Table 10). The Mirai source code supports targeting of IPv4 sub- nets, which spreads the botnet’s DDoS firepower across an entire network range. Mirai issued 654 attacks (4.3%) that targeted one or more subnets, with the three most frequently targeted being Psychz Networks (102 attacks, 0.7%), a data center offering dedicated servers and DDoS mitigation services, and two subnets belonging to Lones- tar Cell (65 combined attacks, 0.4%), a Liberian telecom. We also saw evidence of attacks that indiscriminately tar- geted large swathes of the IPv4 address space, including 5 distinct /8 subnets and one attack on /0 subnet — the entire IPv4 space. Each of the /8 and /0 subnets, (with the exception of the local 10.0.0.0/8) contain a large number of distributed network operators and total IP ad- dresses, which drastically exceed the number of Mirai bots. As such, the Mirai attacks against these subnets likely had modest impact. If we exclude targeted subnet (due to their unfocused blanket dispersion across many networks), we find that Mirai victims were distributed across 906 ASes and 85 countries. The targets were heavily concentrated in the U.S. (50.3%), France (6.6%), the U.K. (6.1%), and a long tail of other countries. Network distribution was more evenly spread. The top 3 ASes — OVH (7.8%), Cloud- flare (6.6%) and Comcast (3.6%) — only accounted for 18.0% of victims. The three most frequently targeted victims were Liberia’s Lonestar Cell (4.1%), Sky Network (2.1%), and 1.1.1.1 (1.6%). We examine Lonestar Cell in depth in Section 6.3. Sky Network is a Brazilian company that operates servers for Minecraft (a popular game), which is hosted by Psychz Networks. The attacks against Psychz began on November 15, 2016 and occurred sporadically until January 26, 2017. 1.1.1.1 was likely used for test- ing [95]. Additional game targets in the top 14 victims in- cluded a former game commerce site longqikeji.com, and Runescape, another popular online game. The prevalence of game-related targets along with the broad range of other otherwise unrelated victims shares many characteristics with previously studied DDoS booter services [39]. For volumetric and TCP state exhaustion attacks, Mi- rai optionally specified a target port, which implied the type of service targeted. We find a similar prevalence of game targets — of the 5,450 attacks with a speci- fied port, the most commonly attacked were 80 (HTTP, 37.5%), 53 (DNS, 11.5%), 25565 (commonly Minecraft servers [31,65], 9.2%), 443 (HTTPS, 6.4%), 20000 (often DNP3, 3.4%), and 23594 (Runescape game server, 3.4%). Interestingly, the 7th most common attack target was an IP address hosted by Voxility that was associated with one of the Mirai C2 servers, and we note that 47 of 484 Mirai C2 IPs were themselves the target of a Mirai DDoS attack. By clustering these 484 C2 IPs by attack command, we identified 93 unique clusters, of which 26 (28%) were 1104 26th USENIX Security Symposium USENIX Association Yüklə 382,3 Kb. Dostları ilə paylaş:
|