Threat Level: green Handler on Duty: Didier Stevens

SANS ISC: Botnet "attacking" our site but I can't figure out why. - SANS Internet Storm Center SANS ISC InfoSec Forums


Botnet "attacking" our site but I can't figure out why.
We have a botnet sending periodic requests to our site, but it's not frequent enough to be a DOS attack.

Requests are coming from a wide variety of IP addresses from consumer ISPs (Comcast, Sky, Verizon, AT&T U-verse, etc.) from a wide range of locations.

Requests are for the front page of our site and all of the resources (images, scripts, CSS, etc.) linked to in that front page. Sometimes, a GET parameter is included (about a third of requests identified as from the attacker(s)), and it is always one of a few that are constantly re-used, such as "/?siteID=AjPJcvMU9To-kY.4QwPWg3SHQHX.52GHeA". (Quotes are mine; everything within quotes is a typical (and in this case, second most common) GET request.) They do seem to be executing JavaScript, since edge-side includes that give our dynamic content a chance to get past our static caches are being requested...

The one thing that makes these requests unusual is that all of the requests use different user agents. See the bits and pieces of our varnish logs for an example (These requests are from the same host, as evidenced by the IP address in the ReqStart lines):

24 ReqStart c 64.254.188.159 60364 102628328
24 RxURL c /media/wysiwyg/nfl.jpg
24 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
24 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0; FunWebProducts)
14 ReqStart c 64.254.188.159 60361 102628329
14 RxURL c /media/wysiwyg/nhl.jpg
14 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
14 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
24 Interrupted c ReqStart
24 ReqStart c 64.254.188.159 60364 102628330
24 RxURL c /media/wysiwyg/infortis/ultimo/icons/icon_phone.png
24 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
24 RxHeader c User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
14 Interrupted c ReqStart
14 ReqStart c 64.254.188.159 60361 102628331
14 RxURL c /media/wysiwyg/infortis/ultimo/icons/icon_mail.png
14 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
14 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)
24 ReqStart c 64.254.188.159 60364 102628332
24 RxURL c /media/wysiwyg/infortis/ultimo/icons/social_twitter.png
24 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
24 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 5.1) AppleWebKit/535.19 (KHTML, like Gecko) Chrome/18.0.1025.168 Safari/535.19
14 ReqStart c 64.254.188.159 60361 102628333
14 RxURL c /media/wysiwyg/infortis/ultimo/icons/social_pinterest.png
14 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
14 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 6.0; rv:12.0) Gecko/20100101 Firefox/12.0
24 ReqStart c 64.254.188.159 60364 102628334
24 RxURL c /media/wysiwyg/MasterCard.png
24 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
24 RxHeader c User-Agent: Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C)


They only access our front page, and always have different user agents... They aren't coming fast enough to impact our site's performance (the slowness is our own fault, still, I'm sad to report), usually between 20 seconds and 2 minutes apart, but they are very constant.

I am at a complete loss for their motives. They don't seem to be exploiting any vulnerabilities on our site, or really even probing... They aren't exploiting any PPC ads... They're not scraping the site's content... They're not even DOSing for the lulz.

Sorry that I'm not including an Apache log -- since we're using Varnish, Apache logs wouldn't be very useful anyway (they show the IP addresses as all 127.0.0.1).

I'm more than happy to include any relevant additional info.
adama

1 Posts
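The signal in the excerpt above is not the user agents themselves but that one client (same IP, and even the same source port, i.e. the same keep-alive connection) presents a different User-Agent on every request. A real browser fetching a page and its sub-resources sends one UA for all of them. The following is an added example, not code from the original post: it replays varnishlog-style client lines (the first rows are taken from the poster's excerpt, the last three are a constructed well-behaved client at 10.0.0.5 for contrast) and scores each IP and each (IP, port) connection by how many distinct UAs it showed. Thresholds and the sample are assumptions.

```python
"""Flag clients that rotate their User-Agent within one browsing session."""
import re
from collections import defaultdict

# Constructed sample: rows 1-13 are the poster's varnishlog excerpt,
# the 10.0.0.5 rows are invented to show a normal client.
SAMPLE_LOG = """\
24 ReqStart c 64.254.188.159 60364 102628328
24 RxURL c /media/wysiwyg/nfl.jpg
24 RxHeader c Referer: http://www.bedding.com/?siteID=h4XjTP3rQz0-Lp1cISdhmneE0U9uyrcyZw
24 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; WOW64; Trident/5.0; FunWebProducts)
14 ReqStart c 64.254.188.159 60361 102628329
14 RxURL c /media/wysiwyg/nhl.jpg
14 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
24 Interrupted c ReqStart
24 ReqStart c 64.254.188.159 60364 102628330
24 RxURL c /media/wysiwyg/infortis/ultimo/icons/icon_phone.png
24 RxHeader c User-Agent: Mozilla/5.0 (iPad; CPU OS 5_1_1 like Mac OS X) AppleWebKit/534.46 (KHTML, like Gecko) Version/5.1 Mobile/9B206 Safari/7534.48.3
14 ReqStart c 64.254.188.159 60361 102628331
14 RxURL c /media/wysiwyg/infortis/ultimo/icons/icon_mail.png
14 RxHeader c User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.0; Trident/5.0; BOIE9;ENUS)
30 ReqStart c 10.0.0.5 51000 102628400
30 RxURL c /
30 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
30 ReqStart c 10.0.0.5 51000 102628401
30 RxURL c /media/wysiwyg/nfl.jpg
30 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
30 ReqStart c 10.0.0.5 51000 102628402
30 RxURL c /media/wysiwyg/nhl.jpg
30 RxHeader c User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:12.0) Gecko/20100101 Firefox/12.0
"""

# "<fd> <tag> c <value>" as in the excerpt; only client-side (c) lines are read.
LINE_RE = re.compile(r"^(\d+)\s+(\w+)\s+c\s+(.*)$")


def parse_varnishlog(text):
    """Group varnishlog lines by file descriptor into one dict per request.

    A ReqStart on a descriptor that is still mid-request (the 'Interrupted'
    case in the excerpt) closes the earlier request first so its headers
    are not lost.
    """
    in_flight, records = {}, []

    def close(fd):
        rec = in_flight.pop(fd, None)
        if rec is not None:
            records.append(rec)

    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        fd, tag, value = m.groups()
        if tag == "ReqStart":               # value: "<ip> <src_port> <xid>"
            close(fd)
            ip, port = value.split()[:2]
            in_flight[fd] = {"ip": ip, "port": port, "url": None, "headers": {}}
        elif tag == "RxURL" and fd in in_flight:
            in_flight[fd]["url"] = value
        elif tag == "RxHeader" and fd in in_flight:
            name, _, hval = value.partition(":")
            in_flight[fd]["headers"][name.strip().lower()] = hval.strip()
    for fd in list(in_flight):
        close(fd)
    return records


def score_clients(records, min_requests=3):
    """Per IP: request count, distinct User-Agent count and their ratio.
    IPs with fewer than min_requests are skipped; one request cannot rotate."""
    per_ip = defaultdict(list)
    for rec in records:
        per_ip[rec["ip"]].append(rec["headers"].get("user-agent", ""))
    stats = {}
    for ip, uas in per_ip.items():
        if len(uas) < min_requests:
            continue
        distinct = len(set(uas))
        stats[ip] = {"requests": len(uas), "distinct_uas": distinct,
                     "ratio": distinct / len(uas)}
    return stats


def flag_rotating_clients(records, min_requests=3, min_ratio=0.75):
    """IPs whose distinct-UA ratio is at or above min_ratio (assumed threshold)."""
    return {ip for ip, s in score_clients(records, min_requests).items()
            if s["ratio"] >= min_ratio}


def rotating_connections(records):
    """(ip, src_port) pairs that sent more than one UA on one TCP connection.
    This is the sharper test: shared NAT egress can explain many UAs per IP,
    but never two UAs on the same client port."""
    per_conn = defaultdict(set)
    for rec in records:
        per_conn[(rec["ip"], rec["port"])].add(rec["headers"].get("user-agent", ""))
    return {conn for conn, uas in per_conn.items() if len(uas) > 1}


if __name__ == "__main__":
    recs = parse_varnishlog(SAMPLE_LOG)
    for ip, s in sorted(score_clients(recs).items()):
        print(f"{ip:16} requests={s['requests']} distinct_uas={s['distinct_uas']} ratio={s['ratio']:.2f}")
    print("rotating by IP:", sorted(flag_rotating_clients(recs)))
    print("rotating by connection:", sorted(rotating_connections(recs)))
```

This has to run against the Varnish log, not Apache's: as the poster notes, the backend only sees 127.0.0.1 unless Varnish forwards the client address in X-Forwarded-For and Apache is configured to log it. The per-IP ratio will produce false positives for large NAT egress points (a university or mobile carrier), so treat the per-connection check as the confirming signal and the per-IP ratio as a hint.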
I have seen this type of attack before. It seems the rotating user agent aspect may be to try to fool filters. Most of the attacks we have seen are in the blink script based attacks that just repeat over and over, and consume bandwidth and performance, and therein lies the point. We see the same thing with UDP where the packets do nothing more than consume bandwidth. Keep in mind there are people in this world today who hate the west, and impacting our commerce by driving up costs and the like is just another way to go after the west.

We deal with this very easily with MikroTik routers; most of these attacks are preceded by probes for vulnerabilities and the like. We found that when we filtered out these probes and blacklisted the IP addresses that the probes came from (MikroTik filters allow you to do that), so all the attacker got back from probing was a TCP reset, the attacks never got started. Once they start they are hard to get rid of because in most cases they are being executed in a script that just sends the same request over and over.

Hence we have a set of rules in our filters that simply look for the GET strings that are used for most of these probes. We also found that when we blocked access using something as simple as DShield's Top 100 blacklist (MikroTik routers allow you to do that too), it made a huge difference, as much of the probe traffic is from high volume offenders on DShield's blacklist.
MAEDATA

4 Posts
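The reply above describes two things done on the router: loading DShield's block list into a filter, and adding any source that sends a known probe string to a blacklist that then answers with a TCP reset. The following is an added example, not code from the reply or from MikroTik: it parses a constructed block list in the tab-separated layout of DShield's block.txt (Start, End, Netblock, Attacks, Name, Country, email; comment lines start with '#') and prints the RouterOS commands that load it into an address list and the filter rules for probe-based blacklisting. The feed layout, list names, chain, timeouts and the placeholder probe pattern are assumptions; the probe strings a site actually sees must come from its own logs.

```python
"""Emit MikroTik RouterOS firewall commands from a DShield-style block list."""

# Constructed sample in the assumed block.txt layout; documentation ranges only.
SAMPLE_BLOCKLIST = """\
#   DShield-style block list (constructed sample for this example)
#   Start	End	Netblock	Attacks	Name	Country	email
198.51.100.0	198.51.100.255	24	1200	Example Net One	XX	abuse@example.net
203.0.113.0	203.0.113.255	24	900	Example Net Two	XX	abuse@example.org
malformed line without tabs
"""


def parse_blocklist(text):
    """Return [{'cidr': 'start/prefix', 'attacks': n}, ...], skipping comments,
    blank lines and rows that lack the four leading numeric fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        start, _end, netblock, attacks = fields[:4]
        try:
            entries.append({"cidr": f"{start}/{int(netblock)}",
                            "attacks": int(attacks)})
        except ValueError:      # non-numeric prefix length or attack count
            continue
    return entries


def routeros_blocklist_commands(entries, list_name="dshield", timeout="1d"):
    """Address-list entries (with an expiry so a stale feed ages out) plus one
    forward-chain drop rule keyed on that list. Chain 'forward' assumes the
    router sits in front of the web server rather than hosting the site."""
    cmds = [
        f'/ip firewall address-list add list={list_name} address={e["cidr"]} '
        f'timeout={timeout} comment="dshield attacks={e["attacks"]}"'
        for e in entries
    ]
    cmds.append(f'/ip firewall filter add chain=forward src-address-list={list_name} '
                f'action=drop comment="drop DShield-listed sources"')
    return cmds


def probe_blacklist_rules(probe_strings, list_name="probers", timeout="1d",
                          http_port=80):
    """Rules implementing 'probe once, get TCP resets afterwards':
    rule 0 rejects anything already on the list with a TCP RST; the following
    rules match a probe string in the HTTP payload and add the source to the
    list. Order matters: the reject rule must come before the matchers."""
    rules = [
        f'/ip firewall filter add chain=forward src-address-list={list_name} '
        f'protocol=tcp dst-port={http_port} action=reject reject-with=tcp-reset '
        f'comment="reset known probers"'
    ]
    for s in probe_strings:
        rules.append(
            f'/ip firewall filter add chain=forward protocol=tcp dst-port={http_port} '
            f'content="{s}" action=add-src-to-address-list address-list={list_name} '
            f'address-list-timeout={timeout} comment="blacklist probe source"'
        )
    return rules


if __name__ == "__main__":
    for cmd in routeros_blocklist_commands(parse_blocklist(SAMPLE_BLOCKLIST)):
        print(cmd)
    # Placeholder pattern: replace with the GET strings seen in your own logs.
    for rule in probe_blacklist_rules(["GET /probe-placeholder"]):
        print(rule)
```

The `content=` matcher only sees plaintext HTTP, so this does nothing for HTTPS probes, and matching payload on every packet costs router CPU; keep the probe list short and put the reject rule first so repeat offenders are handled by the cheap address-list lookup.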
That's it, thanks.
Anonymous
