Recently, there was a GET Flooding Attack–type DDoS attack case on a web services company for about 20 hours. Various attack traffics were detected on the login page which caused serious load on the server and ended up paralyzing the entire login function. The CIP team was provided with data at the time of the DDoS attack case with the cooperation of the company, and analyzed the attack data on Criminal IP. (though we disclosed the company as anonymity, we assure you all referred data are real.)
Some of the received data from a web services company
More than Half of IP Addresses Identified as Malicious
After in-depth analysis of this DDoS attack case, we found out that a total of 6,972 IP addresses were used and 4,402 of them, which amounts to 63%, were detected as Dangerous and Critical. For reference, Criminal IP (https://www.criminalip.io) defines any inbound IP addresses detected as Dangerous or Critical to be blocked.
| Score | Count |
|---|---|
| Safe | 1,060 |
| Low | 621 |
| Moderate | 889 |
| Dangerous | 303 |
| Critical | 4,099 |
Criminal IP Score result of 6,972 IP addresses used in the DDoS attack
SMB Worm Infected IP Addresses Used in the Attack
What we first noticed from this DDoS attack case is that the vast majority of the IP addresses were classified as Scanner. As the following image shows, SMB negotiation was requested from this IP address around June 21, 2022 at 3:35 pm and July 8, 2022 at 8:52 pm, meaning it was infected by SMB Worm and performed SMB scanning periodically. SMB is a file/printer sharing protocol, which allows computers with assigned network names and IP addresses to communicate via NetBIOS running over NBT protocol. Once hackers confirm that the SMB ports are open and successfully negotiate, they use brute force attack to obtain personal information from the PC and access the server IP. That’s why hackers are frequently scanning open SMB ports worldwide.
Because these IP addresses are infected by malicious codes, they can initiate other cyber attacks under the command of other than SMB Worm like C2 servers. The corresponding IP address’ various malicious traces were found as it was categorized into KISA’s DDoS IP, Fail2ban’s Brute force IP, and even spam mail in the IP Address Category section.
Search result of an IP address categorized as “Scanner” among those used in DDoS attacks.
IP Address Category that displays the malicious history of an IP address from the DDoS attack case.
Conducting DDoS Attack Through Remote Control IP Address
IP addresses that were classified as Remote on Criminal IP (https://www.criminalip.io) are those with open port 22 (SSH) and 3389 (RDP). Once a hacker infects a server, the hacker controls the server’s IP address with commands to run C2 malicious codes or remote control protocols. 180.xxx.xxx194 IP address, for example, is running an OpenSSH protocol on port 22, but this OpenSSH has security vulnerabilities, which are mapped to a total of 12 vulnerabilities which include CVE-2021-41617 and CVE-2021-36368.
The hacker might have installed OpenSSH after infecting the IP address, as well. Alternatively, the hacker might have exploited OpenSSH vulnerabilities already exposed to the attack surface to penetrate and dominate the server. With various methods available to the attackers, they can control this IP address by issuing different commands through OpenSSH. In addition, myriads of IP addresses with exposed port 23 (telnet) and 3389 (RDP) were also identified.
An IP address with open port 22 (SSH) and 3389 (RDP), classified as a remote host
OpenSSH protocol vulnerability found on IP addresses used for DDoS attacks. Mapped to 12 vulnerabilities including CVE-2021-41617 and CVE-2021-36368.
Automated Password Attack with Bypassed (VPN, Tor, Proxy) and Server’s IP Address
Many of the IP addresses from the DDoS attack case were associated with Hosting, VPN, Tor, and Proxy. It can be assumed that the attacker utilized technology to hide and bypass the actual IP address. In recent days, especially, there have been numerous patterns in which attackers use VPN to hide IP addresses in an attempt for login attacks or Fraud. It wouldn’t be surprising to see them using Proxy or Tor IP for bypassing purposes as well.
It is worth taking closer eyes on IP addresses used for hosting as well. Normally, the IP address used to log in is either a mobile, home, or office IP address. If login or sign up was done through hosting servers like AWS, Azure, or Tencent Cloud, it can be considered as a part of an automated attack. Therefore, it is necessary to examine whether the incoming IP is a hosting address when analyzing Brute Force Attack or Get Flooding Attack.
The following is a statistic that categorizes the IP addresses used in this DDoS attack by whether they are Remote, VPN, Proxy, Tor, and Hosting IP addresses, on Criminal IP. Despite the remote IP address taking up the most, we can see that VPN, Proxy, Tor and Hosting IP addresses account considerably as well.
* Dirty Count = Number of IPs scored more than or equal to Dangerous / De-Duplication for the Total number
| IP Category | Count | Dirty Count |
|---|---|---|
| Hosting | 518 | 169 |
| VPN | 2,019 | 1,485 |
| Tor | 518 | 517 |
| Proxy | 2,120 | 1,338 |
| Remote | 6,966 | 4,398 |
| Total | - | 4,402 |
A pie chart of Remote, VPN, Proxy, Tor, and Hosting IP addresses from the DDoS attack case.
Details on Nation and Hosting Server
Looking at where these IP addresses came from, the most came from Indonesia with a total of 773 IP addresses, followed by the United States, China, and Russia. According to the ISP’s statistics by country, the majority of the companies listed in the Top 10 are Chinese companies. For the United States, the ISP ranking was lower compared to the number of IP addresses they have as the ISP is dispersed to various companies. A key finding from this analysis is that hosting servers provided by Hangzhou Alibaba, which is ranked 4th in the list, are infamous for being used as malicious servers in China.
Top 10 Country
| No. | County | Count |
|---|---|---|
| 1 | ID | 773 |
| 2 | US | 655 |
| 3 | CN | 520 |
| 4 | RU | 412 |
| 5 | DE | 190 |
| 6 | TH | 185 |
| 7 | AR | 153 |
| 8 | PL | 91 |
| 9 | IR | 87 |
| 10 | MX | 81 |
Top 10 ISP
| No. | ISP | Count | Country |
|---|---|---|---|
| 1 | PT Telkom Indonesia | 192 | Indonesia |
| 2 | China Telecom | 166 | China |
| 3 | Tencent cloud computing | 157 | China |
| 4 | Hangzhou Alibaba Advertising Co.,Ltd. | 124 | China |
| 5 | TOT | 88 | Thailand |
| 6 | China Unicom | 49 | China |
| 7 | Chunghwa Telecom | 18 | Taiwan |
| 8 | LG DACOM Corporation | 16 | South Korea |
| 9 | Hipernet Indodata | 14 | Indonesia |
| 10 | Cyberindo Aditama | 8 | Indonesia |
Detecting 99% of DDoS Attack Cases with IP Intelligence
Simply looking at the scoring on detected IP addresses on Criminal IP, 4,402 IP addresses, which amounts to 63.1% of the used addresses, were identified as Critical and Dangerous. Even if the address was diagnosed as Low or Moderate, 36.6% of them were VPN, Proxy, or Tor IP addresses that are likely to bypass, or hosting server IP addresses expected to be automated attacks. In other words, if IP addresses are filtered out by Critical, Dangerous, VPN, Proxy, Tor and Hosting, 99.7% of them are determined to be risky addresses in terms of IP Intelligence.
Malicious diagnostic statistics on IP addresses used in DDoS Attack, classified through IP intelligence
We can’t conclude that any IP addresses categorized into the likes of VPN and Proxy are 100% malice. However, there are many signs of vulnerability or usage in attacks among IP addresses in the category. Therefore, it is necessary to check the behavior of the bypass IP addresses as well. For more effective detection of all kinds of brute force attack, we suggest examining which type of IP addresses are logging in or signing up (whether they use VPN, Tor, or Proxy, or are from a hosting server) rather than merely responding to IP addresses with malicious history.
We have previously published a report on analyzing attack patternsn and IP addresses with Log4j attack traffic data from Criminal IP Honeypot when the Log4j zero-day vulnerability was released, so make sure to check it out.
Source : Criminal IP (https://www.criminalip.io)
Related Article :
[…] to check for suspicious links and items, and for malicious domains as well. Refer to our DDOS attack case study to know more about responding to such […]