
Did Shellshock Hit One Billion Servers?

It’s been nearly a week since the discovery of what has become known as Shellshock. Incapsula Labs has been tracking the vulnerability and its variants from almost the beginning.

The impact is big. The question I keep getting asked is, How big? There are two ways of looking at the magnitude of the attack: 1) the number of sites attacked, and 2) the damage it has caused to each site.

We’ll dig into both, as well as what we see as a potential aftershock caused by malware and exploits planted on vulnerable machines.

As of this blog post, Incapsula has stopped 310,928 exploit attempts. That’s an average of 1,860 attacks per hour.

We saw some spikes over the weekend (Sept. 27 – 28); we believe these to be a combination of organizations checking their vulnerabilities in the immediate period after disclosure as well as attackers moving quickly.

The exploit traffic then began to steadily increase on Monday, tapering off on Tuesday. The graph below shows traffic for the full week since the announcement. As I’ve alluded to above and will discuss below, the tapering off may just be a lull.

[Graph: Shellshock attack attempts over the week since the announcement]

What are the attackers trying to do?

An analysis by the Incapsula research staff reveals that only about 6% of the traffic appeared to be legitimate security scans, run by organizations assessing their own exposure. The remainder — an overwhelming 94% — was some form of attack.

Specifically, these were scans by the bad guys, server hijack attempts, and DDoS malware seeding.

The hijack attempts were the most immediately troubling, comprising about 20% of the total. Scans and DDoS malware seeding made up the remaining 70% or so. To answer the question of how dangerous the vulnerability is, my experience leads me to believe that this may well be the calm before the storm. It appears that a lot of criminals are setting the stage for future attacks.

Others are warning of this, too. From an article in ArsTechnica:

“On Monday, the SANS Technology Institute’s Internet Storm Center (ISC) elevated its INFOcon threat level — a measure of the danger level of current Internet “worms” and other threats based on Internet traffic — to Yellow.”

ArsTechnica

And from PC World:

“The number of Cisco products vulnerable to Shellshock and related bugs far exceeds the 38 confirmed not to be vulnerable. The company is reviewing an additional 168 products and hosted services, so the list of vulnerable products is likely to increase…

An additional 42 products use Bash in at least one of their versions and are likely to be vulnerable to Shellshock, Oracle has found. No patches are currently available for those products.”

PC World

How big is Shellshock?

The numbers in this study come from a sample of 100,000 websites on the Incapsula network. There are over 1 billion websites worldwide, according to Netcraft.

To be conservative, let’s just look at the potential during the peak period of Saturday, Sunday, and Monday.

By doing some quick math we can extrapolate the total impacted:

1,000,000,000+ websites worldwide.
100,000 websites in the Incapsula sample.

1,000,000,000 / 100,000 (Incapsula sample) = 10,000, so the sample covers one out of every ten thousand sites.

If there were 1,860 attacks per hour, then the total potential exposure was 1,860 * 10,000 * 72 (hours) = 1,339,200,000 attacks in those three days.

Is this the actual number? I can’t say for certain.

Could it be? Yes.

Incapsula monitors websites ranging from a blog managed by one person to Fortune 50 brands. We don’t have concentrations by industry, but certainly have customers in regions that tend to be attacked most — the U.S. and Western Europe.

Why is this important?

The sheer volume of attacks and the types of planning Incapsula is seeing — scans, backdoor insertions, and DDoS groundwork — on such a large scale means that companies need to work now to fix their vulnerabilities.

Ducking for cover is the wrong metaphor. The real fallout may still be to come from all of the machines which may have been compromised.

Your company needs to stay on the alert, patch its systems, and not assume that the danger is over since the shelling has apparently stopped.
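As a concrete version of the "patch its systems" advice, here is an added self-check script (not part of the original Incapsula post) that a defender can run on a host to confirm that the local bash no longer executes code appended to a function definition imported from the environment, which is the behaviour the original Shellshock bug exposed. It assumes a bash binary on PATH (override with the BASH_BIN environment variable or a path argument); the probe variable name and the echoed marker are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the Incapsula post): local Shellshock self-check.
# Assumes a bash binary on PATH; override with BASH_BIN or pass a path.

BASH_BIN="${BASH_BIN:-bash}"

# bash_imports_trailing_code [path-to-bash]
# Returns 0 if the given bash still runs code appended to a function
# definition passed through the environment (unpatched behaviour),
# 1 if it does not (patched), 2 if the binary could not be found.
bash_imports_trailing_code() {
    bin="${1:-$BASH_BIN}"
    command -v "$bin" >/dev/null 2>&1 || return 2
    # The trailing code is a harmless echo of a constructed marker. A patched
    # bash either ignores a plain variable that looks like a function or
    # stops at the end of the function body, so the marker never appears.
    out=$(env shellshock_probe='() { :; }; echo PROBE_EXECUTED' \
          "$bin" -c 'echo probe-done' 2>/dev/null)
    case "$out" in
        *PROBE_EXECUTED*) return 0 ;;
        *) return 1 ;;
    esac
}

# report [path-to-bash]
# Prints a one-line verdict; exit status 0 = patched, 1 = vulnerable,
# 2 = bash not found, so it can be wired into a fleet-wide check.
report() {
    bash_imports_trailing_code "$1"
    case $? in
        0) echo "VULNERABLE: ${1:-$BASH_BIN} executes trailing code from environment function definitions"; return 1 ;;
        1) echo "OK: ${1:-$BASH_BIN} does not execute trailing code"; return 0 ;;
        *) echo "SKIP: ${1:-$BASH_BIN} not found"; return 2 ;;
    esac
}

report "$@"
```

Run it as `sh shellshock_check.sh` or `sh shellshock_check.sh /usr/local/bin/bash` on each host; a non-zero exit status from `report` marks a machine that still needs patching or that has no bash to check. The probe only echoes a marker inside the host's own shell, so it is safe to run on production systems.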