Earlier today, I was “given” some toyz from China.
Some people look at network attackers and think that they’re just here to take, take, take… however, if you look at things from a different perspective (and you’ve got a convincing enough SSH honeypot) you may find that they’re actually very giving people.
For example, this morning some folks sourcing from Jiangsu, Nanjing China were nice enough to stop by one of my honeypots and download a “gift” for me. (謝謝 - Which Google Translate claims is “Thank you” in traditional Chinese).
First off, some background: The attackers hit the site and logged right in with the correct password for “root” - so obviously, they’ve knocked on the site’s SSH “door” with a brute force login attack sometime in the past (from a different IP). They kicked off an SSH channel session (I think that’s likely a method of weeding out honeypots… unfortunately - for them - my honeypot handles SSH channels quite nicely) and proceeded to:
So… what is this “s25” program? Well, it turns out to be a variant of the “Bill Gates DDoS tool” (described by the fine folks at Kaspersky here - tl;dr: It’s a combo backdoor/DDoS tool that’s increasingly been making the rounds of late). What’s interesting about this “tool” is that it has the built-in ability to perform DNS amplification attacks.
DNS amplification attacks?
Let’s say that you’re an enterprising young hacker/botnet herder who has managed to take over a stable of systems that can generate around 200 Mbps of traffic. While that might be enough bandwidth to knock your skeevy hacker buddiez off the ‘net for lulz, in the world of DDoS attacks, it isn’t really going to raise any eyebrows. While you could, potentially, wrangle more systems to increase your bandwidth, that takes… like, you know… work… and could seriously cut into your Call of Duty: Black Ops III time… What to do, what to do?
Back in the day (i.e., the early ‘90s), you used to be able to send an ICMP echo request from a spoofed address to the broadcast address of a netblock, confident that the router would happily forward it to every system in that block. Each of those devices would then respond to the spoofed address, and voila… you’ve suddenly created a metric crap-tonne of traffic directed at your target (i.e. the address you spoofed). For some unknown reason, this was called a SMURF attack, and it demonstrates the hallmarks of any good amplification attack:
SMURF attacks have, happily, gone the way of cargo pants and slap bracelets, but amplification attacks live on in a different form. DNS fits both of our “amplification criteria” very well: requests are sent over UDP, and you can get a pretty decent “amplification” from a simple request:
In this instance, the DNS query was 36 bytes and the response was 743 bytes, an amplification factor of 20.64 times, which could be used to turn a paltry 200 Mbps trickle into a mighty 4 Gbps torrent. Spoofing the source IP address of your victim is easy, so all you need is a bunch o' compliant DNS servers willing to play along… (The more, the merrier… it spreads the love…)
I did a little digging in the innards of the “gift” I received and uncovered a listing of 197 different IP addresses that turned out to point to some very “compliant” DNS servers… Here’s a sample:
The problem is that people running DNS servers leave them open to the world, willing to resolve names for anyone who queries them, which is known as “running an open recursive resolver.” Now, were I a betting man, I wouldn’t put a dime on the likelihood of getting the recursive resolvers on my list to clean up their acts, but that doesn’t mean that something can’t be done. If your organization is running a recursive resolver (and you can test if you are, right here), shut off recursion to the outside world NOW, configuring the server to answer recursive queries only from IPs in your own netblock. For BIND, the configuration options look like this:
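As an added example (my own code, not the post’s or the tool’s), here is a small Python check for a resolver you operate: it builds a plain DNS query with the RD bit set, reads the RA bit and RCODE out of the reply to decide whether the server recursed for an outside client, and computes the response/query byte ratio that gives the amplification factor discussed above. The embedded reply is constructed for the offline run; `probe()` sends the same query to a server address you supply.

```python
import socket
import struct

RA_BIT = 0x0080      # "recursion available" header flag
RCODE_MASK = 0x000F  # low four bits: 0 = NOERROR, 5 = REFUSED

def encode_name(name: str) -> bytes:
    """Encode "example.com" as DNS labels: \\x07example\\x03com\\x00."""
    labels = [l.encode() for l in name.strip(".").split(".")]
    return b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"

def build_query(name: str, qtype: int = 1, qid: int = 0x1234) -> bytes:
    """Minimal query with RD (recursion desired, 0x0100) set, one question, no EDNS0."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack(">HH", qtype, 1)

def parse_header(resp: bytes) -> dict:
    """Pull the fields an open-resolver check needs out of the 12-byte header."""
    qid, flags, _qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    return {"id": qid, "ra": bool(flags & RA_BIT), "rcode": flags & RCODE_MASK,
            "answers": an, "authority": ns, "additional": ar}

def amplification_factor(query: bytes, response: bytes) -> float:
    """Bytes returned per byte sent; the post's 743/36 gives about 20.64."""
    return len(response) / len(query)

def amplified_mbps(attack_mbps: float, factor: float) -> float:
    """Traffic hitting the spoofed victim when attack_mbps of queries are reflected."""
    return attack_mbps * factor

def is_open_resolver(response: bytes) -> bool:
    """A server that recursed for us sets RA and answers NOERROR with records;
    one with recursion disabled typically returns REFUSED with RA clear."""
    h = parse_header(response)
    return h["ra"] and h["rcode"] == 0 and h["answers"] > 0

def probe(server: str, name: str = "example.com", timeout: float = 2.0):
    """Send one query to a resolver you operate; returns (query, response) bytes."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        return q, s.recv(4096)

# Constructed reply for the offline check: flags QR|RD|RA, NOERROR, one A record
# (owner name compressed as a pointer to offset 12, TTL 300, RDATA 192.0.2.1).
SAMPLE_QUERY = build_query("example.com")
SAMPLE_RESPONSE = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                   + encode_name("example.com") + struct.pack(">HH", 1, 1)
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1]))
```

Run `probe()` from an address outside your netblock: after recursion is restricted, the reply should have RA clear and RCODE REFUSED, so `is_open_resolver` returns False.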
Fun, fun, fun…