Recently, there was a GET Flooding Attacktype DDoS attack case on a web services company for about 20 hours. Various attack traffic was detected on the login page, which caused a serious load on the server and ultimately paralyzed the entire login function. The CIP Team was provided with data from the attack with the cooperation of the company and analyzed the attack data with Criminal IP. (The company will remain nameless, but all data is real.)

Some of the received data from a web services company

Some of the received data from a web services company

More than Half of IP Addresses Identified as Malicious

Following a thorough analysis of the DDoS attack case, our findings indicate that out of the 6,972 IP addresses used, a staggering 63% (4,402) were categorized as Dangerous or Critical.For reference, Criminal IP (https://www.criminalip.io) defines any inbound IP addresses detected as Dangerous or Critical to be blocked.

ScoreCount
Safe1,060
Low621
Moderate889
Dangerous303
Critical4,099
Criminal IP Score result of 6,972 IP addresses used in the DDoS attack

Criminal IP Score result of 6,972 IP addresses used in the DDoS attack

SMB Worm Infected IP Addresses Used in the Attack

What we first noticed from this DDoS attack case is that the vast majority of the IP addresses were classified as Scanner. As shown in the image, SMB negotiation was requested from this IP address on June 21, 2022 at 3:35 pm and again on July 8, 2022 at 8:52 pm. These requests indicate that the IP address was infected with an SMB worm and was periodically performing SMB scanning. SMB is a file/printer sharing protocol, which allows computers with assigned network names and IP addresses to communicate via NetBIOS running over NBT protocol. Once hackers identify that SMB ports are open and successfully negotiate with the target system, they may attempt to use brute force attacks to obtain personal information from the PC and access the server IP. That’s why hackers are frequently scanning open SMB ports worldwide.

Because these IP addresses are infected by malicious codes, they can initiate other cyber attacks under the command of other than SMB Worm like C2 servers. The corresponding IP address’ various malicious traces were found as it was categorized into KISA’s DDoS IP, Fail2ban’s Brute force IP, and even spam mail in the IP Address Category section.

Search result of an IP address categorized as "Scanner" among those used in DDoS attacks.

Search result of an IP address categorized as “Scanner” among those used in DDoS attacks.

IP Address Category that displays the malicious history of an IP address from the DDoS attack case.

IP Address Category that displays the malicious history of an IP address from the DDoS attack case.

Conducting DDoS Attack Through Remote Control IP Address

IP addresses that were classified as Remote on Criminal IP (https://www.criminalip.io) are those with open ports 22 (SSH) and 3389 (RDP). Once a hacker infects a server, the hacker controls the server’s IP address with commands to run C2 malicious codes or remote control protocols. For example, the IP address 180.xxx.xxx.194 is running an OpenSSH protocol on port 22, but it has known security vulnerabilities, including CVE-2021-41617 and CVE-2021-36368. In fact, a total of 12 vulnerabilities have been mapped to this version of OpenSSH.The hacker might have installed OpenSSH after infecting the IP address, as well. Alternatively, the hacker might have exploited OpenSSH vulnerabilities already exposed to the attack surface to penetrate and dominate the server. With various methods available to the attackers, they can control this IP address by issuing different commands through OpenSSH. In addition, myriads of IP addresses with exposed ports 23 (telnet) and 3389 (RDP) were also identified.

An IP address with open port 22 (SSH) and 3389 (RDP), classified as a remote host

An IP address with open port 22 (SSH) and 3389 (RDP), classified as a remote host

OpenSSH protocol vulnerability found on IP addresses used for DDoS attacks. Mapped to 12 vulnerabilities including CVE-2021-41617 and CVE-2021-36368.

OpenSSH protocol vulnerability found on IP addresses used for DDoS attacks. Mapped to 12 vulnerabilities including CVE-2021-41617 and CVE-2021-36368.

Automated Password Attack with Bypassed (VPN, Tor, Proxy) and Server’s IP Address

Many of the IP addresses from the DDoS attack case were associated with Hosting, VPN, Tor, and Proxy. It can be assumed that the attacker utilized technology to hide and bypass the actual IP address. In recent days, especially, there have been numerous patterns in which attackers use VPN to hide IP addresses in an attempt for login attacks or Fraud. It wouldn’t be surprising to see them using Proxy or Tor IP for bypassing purposes as well.

It is worth taking closer eyes on IP addresses used for hosting as well. Normally, the IP address used to log in is either a mobile, home, or office IP address. If login or sign up was done through hosting servers like AWS, Azure, or Tencent Cloud, it can be considered as a part of an automated attack. Therefore, it is necessary to examine whether the incoming IP is a hosting address when analyzing Brute Force Attack or Get Flooding Attack.

The following is a statistic that categorizes the IP addresses used in this DDoS attack by whether they are Remote, VPN, Proxy, Tor, and Hosting IP addresses, on Criminal IP. Despite the remote IP address taking up the most, we can see that VPN, Proxy, Tor and Hosting IP addresses account considerably as well.

* Dirty Count = Number of IPs scored more than or equal to Dangerous / De-Duplication for the Total number

IP CategoryCountDirty Count
Hosting518169
VPN2,0191,485
Tor518517
Proxy2,1201,338
Remote6,9664,398
Total-4,402
A pie chart of Remote, VPN, Proxy, Tor, and Hosting IP addresses from the DDoS attack case.

A pie chart of Remote, VPN, Proxy, Tor, and Hosting IP addresses from the DDoS attack case.

Details on Nation and Hosting Server

Looking at where these IP addresses came from, most came from Indonesia, with a total of 773 IP addresses, followed by the United States, China, and Russia.  According to the ISP’s statistics by country, the majority of the companies listed in the Top 10 are Chinese companies. For the United States, the ISP ranking was lower compared to the number of IP addresses they have as the ISP is dispersed to various companies. A key finding from this analysis is that hosting servers provided by Hangzhou Alibaba, which is ranked 4th in the list, are infamous for being used as malicious servers in China. 

Top 10 Country

No.CountyCount
1ID773
2US655
3CN520
4RU412
5DE190
6TH185
7AR153
8PL91
9IR87
10MX81

Top 10 ISP

No.ISPCountCountry
1PT Telkom Indonesia192Indonesia
2China Telecom166China
3Tencent cloud computing157China
4Hangzhou Alibaba Advertising Co.,Ltd.124China
5TOT88Thailand
6China Unicom49China
7Chunghwa Telecom18Taiwan
8LG DACOM Corporation16South Korea
9Hipernet Indodata14Indonesia
10Cyberindo Aditama8Indonesia

Detecting 99% of DDoS Attack Cases with IP Intelligence

Simply looking at the scoring on detected IP addresses on Criminal IP, 4,402 IP addresses, which amounts to 63.1% of the used addresses, were identified as Critical and Dangerous. Even if the address was diagnosed as Low or Moderate, 36.6% of them were VPN, Proxy, or Tor IP addresses that are likely to bypass, or hosting server IP addresses expected to be automated attacks. In other words, if IP addresses are filtered out by Critical, Dangerous, VPN, Proxy, Tor and Hosting, 99.7% of them are determined to be risky addresses in terms of IP Intelligence.

Malicious diagnostic statistics on IP addresses used in DDoS Attack, classified through IP intelligence

Malicious diagnostic statistics on IP addresses used in DDoS Attack, classified through IP intelligence

We can’t conclude that any IP addresses categorized into the likes of VPN and Proxy are 100% malice. However, there are many signs of vulnerability or usage in attacks among IP addresses in the category. Therefore, it is necessary to check the behavior of the bypass IP addresses as well. For more effective detection of all kinds of brute force attack, we suggest examining which type of IP addresses are logging in or signing up (whether they use VPN, Tor, or Proxy, or are from a hosting server) rather than merely responding to IP addresses with malicious history.

We have previously published a report on analyzing attack patterns and IP addresses with Log4j attack traffic data from Criminal IP Honeypot when the Log4j zero-day vulnerability was released, so make sure to check it out.

Source : Criminal IP (https://www.criminalip.io)

Related Article :