This time, however, we would like to describe the DDoS ecosystem from a different vantage point, using the tools of social network analysis (SNA). Our goal is to provide an exploratory overview of the relationships between botnet devices, using real world data collected from attack attempts against our clients.
Exploring these ties is helpful for conceptualizing the activity of bad actors and the resources they employ in different attack scenarios. This information is valuable for network operations and security teams looking to better understand the DDoS threats they might be facing today. It also highlights the importance of IP reputation for DDoS mitigation strategies.
Painting the Image
To map the relationships between botnet devices, we used a sample of 57,034 IPs involved in DDoS attacks against 580 of our clients over a 60-day period, from January 1 to March 1, 2016.
This sample was loaded into Gephi, an open source graph visualization tool commonly used for centrality analysis. Centrality analysis is used, for example, to identify the most influential person(s) in a social group or to evaluate the relationships between nodes in a network.
In our case, we looked for connections between target IPs and the IPs involved in attacking them. After pouring our data into Gephi, we got the following image:
This alien looking “nebula” is actually a snapshot of attacks against our clients. While intriguing from afar, it is much more interesting up close. We urge you to explore its secrets in high resolution.
To help you find your way around, here is what you need to know:
- The red dots are target IPs.
- The blue dots are attacker IPs.
- The purple lines are attack traffic flows.
Additionally, pay attention to the distance between objects, which reflects how similar their behavior is. Because the only edges in this graph are attack flows, two attacking IPs end up close together when they hit the same targets: offending IPs with comparable attack patterns are positioned in close proximity, and the most similar ones form large, tight-knit clusters.
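To make the "distance equals similarity" idea concrete, here is an added example (not code from the original post, and not the analysis pipeline the authors used) that rebuilds the same attacker-to-target graph from a few constructed attack flows, scores how similar two attacking IPs are by the targets they share (Jaccard similarity, the same overlap a force-directed layout renders as proximity), groups attackers into clusters, and emits the Source/Target edge list that Gephi's spreadsheet importer reads. The IP addresses are RFC 5737 documentation addresses, the flows are made up, and the 0.5 clustering threshold is an arbitrary choice for illustration.

```python
"""Rebuild the attacker/target graph from attack flows and measure attacker proximity.

Added example; the flows below are constructed, not real attack data.
"""
from collections import defaultdict
from itertools import combinations

# Constructed sample: one (attacker_ip, target_ip) pair per observed attack flow.
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.1"),
    ("203.0.113.11", "192.0.2.1"),
    ("203.0.113.12", "192.0.2.1"),
    ("203.0.113.10", "192.0.2.2"),
    ("203.0.113.11", "192.0.2.2"),
    ("203.0.113.12", "192.0.2.2"),
    ("203.0.113.50", "192.0.2.2"),  # shares only one target with the trio above
    ("203.0.113.50", "192.0.2.9"),
    ("203.0.113.99", "192.0.2.7"),  # lone attacker against a single target
]


def build_graph(flows):
    """Return (attacker -> set of targets, target -> set of attackers)."""
    by_attacker = defaultdict(set)
    by_target = defaultdict(set)
    for attacker, target in flows:
        by_attacker[attacker].add(target)
        by_target[target].add(attacker)
    return by_attacker, by_target


def jaccard(a, b):
    """Overlap of two target sets: 1.0 means identical attack history, 0.0 none."""
    union = len(a | b)
    return len(a & b) / union if union else 0.0


def attacker_similarity(by_attacker):
    """Pairwise Jaccard similarity of every two attackers' target sets."""
    return {
        (a, b): jaccard(by_attacker[a], by_attacker[b])
        for a, b in combinations(sorted(by_attacker), 2)
    }


def cluster_attackers(by_attacker, threshold=0.5):
    """Union-find over attacker pairs whose similarity reaches `threshold`.

    Returns the clusters as frozensets, largest first. Attackers that share
    no targets with anyone stay in singleton clusters.
    """
    parent = {a: a for a in by_attacker}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for (a, b), sim in attacker_similarity(by_attacker).items():
        if sim >= threshold:
            parent[find(a)] = find(b)

    groups = defaultdict(set)
    for a in by_attacker:
        groups[find(a)].add(a)
    return sorted((frozenset(g) for g in groups.values()), key=len, reverse=True)


def cluster_cohesion(cluster, by_attacker):
    """Mean pairwise similarity inside a cluster: 1.0 is a tight, homogeneous
    group; lower values indicate the looser, partially overlapping behavior
    of a shared botnet."""
    members = sorted(cluster)
    if len(members) < 2:
        return 1.0
    sims = [jaccard(by_attacker[a], by_attacker[b]) for a, b in combinations(members, 2)]
    return sum(sims) / len(sims)


def gephi_edge_csv(flows):
    """Edge list with the Source/Target/Type header Gephi's CSV importer expects."""
    lines = ["Source,Target,Type"]
    lines.extend(f"{a},{t},Directed" for a, t in flows)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    attackers, targets = build_graph(SAMPLE_FLOWS)
    for cluster in cluster_attackers(attackers):
        print(sorted(cluster), "cohesion=%.2f" % cluster_cohesion(cluster, attackers))
    print(gephi_edge_csv(SAMPLE_FLOWS))
```

Running it groups the three IPs that share both targets into one cluster with cohesion 1.0, while the IP that shares only one of those targets and the lone attacker remain apart; the printed CSV can be imported into Gephi (File, Import spreadsheet) and laid out with a force-directed algorithm to reproduce the kind of picture discussed here.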
To demonstrate how this works, let’s zoom in on one of the attack instances:
What you see here are three clusters of compromised devices—A, B and C—converging on a single target. The devices in each are bound by a shared attack history, which strongly suggests that they are part of the same botnet and answer to the same botnet operator(s).
Note that these three clusters are likely to be just two different botnets, as the proximity of A and B indicates that they display similar behavioral patterns. This showcases the way perpetrators use their botnet resources to “multi-task”—launching several attacks at once, knowing that they rarely need to utilize all of the resources at their disposal to bring down a single target.
This time, however, the bad actors have met their match and are throwing in everything but the kitchen sink, albeit to no avail. Even with the extra muscle of the larger C botnet, the target remains online, secured by our mitigation services.
Nearby you can also spot the miniature cluster labeled C2 (a small offshoot of cluster C, not a command-and-control server). These devices behave the same as the neighboring C cluster, but aren’t participating in this specific attack.
Why? Likely because the malware they were hijacked with was removed, either by the device owners or other bad actors who got rid of all previously-existing malware after they installed their own backdoors.
This is the kind of story a close-up of a single attack can tell. And once again, our suggestion is to take some time to explore the image in detail to uncover the stories of the thousands of DDoS attacks inscribed in its pixels.
While you do, we are going to zoom out to observe three distinct types of attack scenarios, each tied to a different bad actor archetype.
1. Botnets-for-hire Swarm in a Hacker’s Cloud
Even at a glance, you can tell that the botnet landscape is extremely chaotic. Zooming in on one of the major hubs of activity reveals a seemingly disorganized environment—very different from the coherent clusters we saw in the example above.
In fact, this pentagrammic eyesore is a visual representation of a massive cluster of compromised devices used by a number of individuals to attack unrelated targets.
The loose grouping of these devices signifies partial dissimilarities in their behavior—something that is also seen when closely observing the overlapping flows of attack traffic. This indicates that several operators are directing the attacks from behind the scenes.
They could either be botnets-for-hire, used by various “subscribers”, or devices hijacked by multiple bad actors, as was the case with all of those compromised CCTV cameras. Most likely, though, it’s a combination of both.
This is what the majority of DDoS landscapes look like: a multi-tenant botnet—a giant hackers’ cloud, comprised of hacked devices that are being exploited by multiple bad actors, while also being resold under the guise of stresser services.
If you look back at the original image, you'll see that these multi-tenant botnets are the backbone of all DDoS activity.
In our latest DDoS Threat Landscape report, we mentioned that over 80 percent of attacks against our clients originate from botnet-for-hire platforms. This image puts these numbers—and the threat they represent—in perspective.
2. DDoS “Pros” Mounting Organized Offensives
But what about the large hubs of activity that exist outside of these hackers’ clouds? Some may also be botnets-for-hire that were only used in a single attack over the sample period. Others, however, are proprietary botnet resources used by professional offenders—attackers who are capable enough to create and sustain their own botnets, which are not shared with anyone else.
See the teardrop shapes above? What you are looking at are very organized botnets, used by similarly organized cyber criminals. Here, the homogeneous behavior patterns of these devices are represented by their closeness, which points to a single hand directing the attack flow.
These are people that DDoS for a living. And when we talk about a living, we don’t mean all of those $250 ransom notes. These are, most likely, the criminals that get hired to take down a competitor in a business feud attack. The attacks they launch are complex, multi-vector APDoS (advanced persistent denial of service) campaigns that can go on for days or weeks at a time, and their targets are some of the largest websites using our service.
3. Script Kiddies that Make it Personal
If you travel to the edges of the original image, you will find that its outskirts are littered with small attack incidents. These incidents often involve a single attacking device going toe-to-toe against its target.
These are, as you may have guessed, individual attackers using DoS attack tools. Most are script kiddies, attacking websites just for kicks. Others are attacks fueled by personal grudges and political agendas.
Often, they are attacks against news media sites, political blogs, human rights organizations and websites belonging to religious institutions.
Whatever the case may be, many of these paired dots hide a lot of drama. It is fascinating how two pixels can represent the catharsis of a heated argument—so heated that one of the parties resorted to using an illegal cyber-attack tool just to silence the other’s rhetoric.
As you can tell by looking at the image, these attacks are very common. So common, that Google recently expanded Project Shield, an initiative meant to protect specifically against these types of attacks—attacks on free speech, and not only attacks on servers.
More than a Pretty Picture
With this analysis, our goal was to illustrate some of the complexities of the DDoS landscape. In our daily jobs, however, observing the relationships between different attacking devices is anything but an aesthetic exercise.
Looking at the image, you can clearly see that the bulk of attack activity originated from a limited number of offending IPs—hijacked devices that are used, time and time again, for malicious activity. Tracking these offending IPs allows us to create adaptive mitigation strategies, with lower levels of tolerance for repeat offenders.
Among other things, such rules are used for early identification of developing DDoS events based on a buildup of traffic from suspicious sources. They also help identify zero-day attack patterns, because traffic from known botnet devices is scrutinized more closely than traffic from sources with no attack history.
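As an added illustration of what "lower tolerance for repeat offenders" and "buildup of traffic from suspicious sources" can mean in code, the following example (written for this page, not the mitigation service's actual rules) keeps a count of how many mitigated attacks each source IP took part in, halves that IP's allowed request rate for every prior offense, and flags a developing event when known-bad sources account for a large share of a traffic window even before any single IP trips its own limit. The attack history, the request counts, the base rate of 200 requests per second and the halving policy are all constructed assumptions chosen for illustration.

```python
"""Reputation-driven, adaptive per-IP thresholds and early buildup detection.

Added example; the attack history and traffic windows below are constructed.
"""
from collections import defaultdict

# Constructed history: the attacker IPs seen in three previously mitigated attacks.
SAMPLE_ATTACKS = [
    ["203.0.113.10", "203.0.113.11", "203.0.113.12"],
    ["203.0.113.10", "203.0.113.11"],
    ["203.0.113.10"],
]


class IPReputation:
    """Counts mitigated attacks per source IP and derives a per-IP tolerance."""

    def __init__(self, base_rps=200, min_rps=10):
        self.base_rps = base_rps  # assumed allowance for an IP with no history
        self.min_rps = min_rps    # floor so a repeat offender is never cut to zero here
        self.offenses = defaultdict(int)

    def record_attack(self, attacker_ips):
        """Call once per mitigated attack with the IPs that took part in it."""
        for ip in set(attacker_ips):
            self.offenses[ip] += 1

    def is_known_bad(self, ip):
        return self.offenses.get(ip, 0) > 0

    def threshold(self, ip):
        """Allowed requests/second: halved for every prior offense, floored at min_rps."""
        prior = self.offenses.get(ip, 0)
        return max(self.min_rps, self.base_rps // (2 ** prior))


def build_sample_reputation():
    rep = IPReputation()
    for attack in SAMPLE_ATTACKS:
        rep.record_attack(attack)
    return rep


def evaluate_window(rep, window_counts, min_sources=3, share=0.5):
    """Assess one traffic window (source IP -> request count).

    Returns which IPs exceeded their own adaptive threshold, and whether the
    window looks like a developing event: at least `min_sources` known-bad IPs
    present and together responsible for at least `share` of the traffic.
    """
    total = sum(window_counts.values())
    bad = {ip: n for ip, n in window_counts.items() if rep.is_known_bad(ip)}
    bad_traffic = sum(bad.values())
    over = sorted(ip for ip, n in window_counts.items() if n > rep.threshold(ip))
    developing = total > 0 and len(bad) >= min_sources and bad_traffic / total >= share
    return {
        "over_threshold": over,
        "known_bad_sources": len(bad),
        "bad_share": bad_traffic / total if total else 0.0,
        "developing": developing,
    }


if __name__ == "__main__":
    rep = build_sample_reputation()
    for ip in ("203.0.113.10", "203.0.113.11", "203.0.113.12", "198.51.100.5"):
        print(ip, "offenses=%d" % rep.offenses.get(ip, 0), "limit=%d rps" % rep.threshold(ip))
    # Constructed window: three known offenders ramping up plus one unknown source.
    window = {"203.0.113.10": 30, "203.0.113.11": 40, "203.0.113.12": 40, "198.51.100.5": 50}
    print(evaluate_window(rep, window))
```

In the constructed window, only the IP seen in all three earlier attacks exceeds its own (now much lower) limit, yet the window is still flagged as a developing event because three known offenders supply most of its traffic; a window made up solely of sources with no history, at the same volume, produces no alert. A real deployment would also age out old offenses and weigh them by attack severity, which this sketch deliberately omits.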
Today, we track hundreds of thousands of malicious IPs at all times and our database keeps growing with each mitigated attack.