Nexusguard Blog

Nexusguard Research
June 23, 2017

New attack vector found in Hidden Cobra

DDoS

A Joint Technical Alert (TA17-164A) entitled “HIDDEN COBRA – North Korea’s DDoS Botnet Infrastructure” was issued by US-CERT on 13 June 2017. It was the product of joint analysis by the Department of Homeland Security (DHS) and the Federal Bureau of Investigation (FBI), and it lists IP addresses linked to systems infected with DeltaCharlie, a malware variant used to manage North Korea’s distributed denial-of-service (DDoS) botnet infrastructure.

Figure 1. Contribution of Scanning Activities due to IP Addresses from TA17-164A

Scanning Activities from DeltaCharlie

Between 16 September and 14 October 2016, the Nexusguard honeypot recorded scanning activity for NTP, CHARGEN, DNS and SSDP, part of it originating from the IP addresses listed by US-CERT. In the IP list built from our own continuous scanning, SSDP was the predominant service, accounting for 36.4%. SSDP was a vector not mentioned in the US-CERT alert.

Figure 2. Flow of Recording Data for DeltaCharlie by Honeypot

Nothing to be hidden by Honeypot

DNS, NTP, CHARGEN and SSDP services are susceptible to abuse in distributed reflected denial-of-service (DrDoS) attacks: the attacker sends requests to a large number of computers and devices, which reply to those requests and thereby amplify the volume of the attack.

In general, recording attack details and tracing attack sources is difficult, because the IPs recorded are those of the amplifiers (vulnerable publicly reachable servers such as DNS and NTP) rather than those of the bots. Although the bots generate the attacks, they use spoofed source IPs, except in SSDP attacks.

 

To handle this, we adopted honeypots. The honeypots were disguised as open, vulnerable servers offering NTP, DNS, CHARGEN and SSDP. Attackers first scanned for open services capable of forwarding amplified traffic, then commanded DeltaCharlie to send attack queries to the honeypots. The honeypots recorded and dropped those attack queries.

Attack traffic is characterised by source IPs that have been rewritten to the target’s IP. The maximum attack frequency our honeypot recorded was 245 requests per second, and the maximum attack duration was 1.5 days.

DrDoS Activities   Scanning IPs   Attacking IPs
NTP                     200,351          66,167
CHARGEN                  57,505          32,368
DNS                       2,280          13,730
SSDP                     12,848           4,074

Table 1. IPs of DrDoS Activities Found
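As an added illustration of the honeypot workflow described above and of the breakdown in Table 1 (example code written for this edit, not Nexusguard’s honeypot software), the following Python script parses a constructed honeypot log in an assumed one-line-per-request format, groups requests by source IP and impersonated service, and separates scans from reflection attack traffic using an assumed per-source rate threshold: a source whose peak one-second request rate reaches the threshold is reported as attack traffic (its source IP is the spoofed target), otherwise as a scanner. It also reports the peak rate and the longest attack duration, the two figures quoted above. The log format, the threshold and the RFC 5737 documentation addresses are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# UDP ports of the amplification services the honeypot impersonates.
SERVICE_BY_PORT = {123: "NTP", 19: "CHARGEN", 53: "DNS", 1900: "SSDP"}

# Assumed threshold (not from the post): a source whose peak one-second request
# rate reaches this value is treated as reflection attack traffic, not a scan.
ATTACK_PPS_THRESHOLD = 10

# Assumed one-line-per-request log format written by the honeypot:
# <ISO timestamp> udp <src_ip>:<src_port> -> <honeypot_ip>:<dst_port> len=<bytes>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) udp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<port>\d+) len=(?P<len>\d+)$"
)


def parse_line(line):
    """Return (timestamp, src_ip, dst_port, payload_len), or None if the line is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], int(m["port"]), int(m["len"])


def build_sample_log():
    """Constructed honeypot log using RFC 5737 documentation addresses (not real data)."""
    t0 = datetime(2016, 9, 16, 10, 0, 0)
    hp = "203.0.113.5"  # the honeypot's own address
    lines = []
    # Scanner 1 probes every impersonated service once, one probe per second;
    # its source IP is its real address, which is what a scan reveals.
    for i, port in enumerate(SERVICE_BY_PORT):
        ts = t0 + timedelta(seconds=i)
        lines.append(f"{ts.isoformat()} udp 198.51.100.7:40001 -> {hp}:{port} len=48")
    # Scanner 2 probes only NTP and SSDP.
    lines.append(f"{(t0 + timedelta(seconds=5)).isoformat()} udp 198.51.100.8:40002 -> {hp}:123 len=48")
    lines.append(f"{(t0 + timedelta(seconds=6)).isoformat()} udp 198.51.100.8:40002 -> {hp}:1900 len=90")
    # Reflection attack via NTP: 25 queries per second for 3 seconds. The
    # "source" 192.0.2.10 is the spoofed victim, which the replies would hit.
    for s in range(3):
        for k in range(25):
            ts = t0 + timedelta(seconds=s, milliseconds=40 * k)
            lines.append(f"{ts.isoformat()} udp 192.0.2.10:123 -> {hp}:123 len=8")
    # Reflection attack via DNS: 12 queries per second for 2 seconds.
    for s in range(2):
        for k in range(12):
            ts = t0 + timedelta(minutes=1, seconds=s, milliseconds=80 * k)
            lines.append(f"{ts.isoformat()} udp 192.0.2.20:53 -> {hp}:53 len=64")
    return lines


def classify(lines, pps_threshold=ATTACK_PPS_THRESHOLD):
    """
    Group requests by (source IP, service) and label each stream.

    Returns (report, max_pps, max_duration): report maps each service to the
    sets of scanning and attacking source IPs; max_pps and max_duration are
    the peak one-second rate and the longest span seen across attack streams.
    """
    streams = defaultdict(list)  # (src_ip, service) -> list of timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines instead of aborting the analysis
        ts, src, port, _ = rec
        service = SERVICE_BY_PORT.get(port)
        if service is None:
            continue  # traffic to a port the honeypot does not impersonate
        streams[(src, service)].append(ts)

    report = {svc: {"scanning_ips": set(), "attacking_ips": set()}
              for svc in SERVICE_BY_PORT.values()}
    max_pps, max_duration = 0, timedelta(0)
    for (src, service), stamps in streams.items():
        stamps.sort()
        per_second = defaultdict(int)  # requests bucketed by wall-clock second
        for ts in stamps:
            per_second[ts.replace(microsecond=0)] += 1
        peak = max(per_second.values())
        if peak >= pps_threshold:
            report[service]["attacking_ips"].add(src)
            max_pps = max(max_pps, peak)
            max_duration = max(max_duration, stamps[-1] - stamps[0])
        else:
            report[service]["scanning_ips"].add(src)
    return report, max_pps, max_duration


def table_rows(report):
    """Rows in the shape of Table 1: (service, scanning IP count, attacking IP count)."""
    return [(svc, len(v["scanning_ips"]), len(v["attacking_ips"])) for svc, v in report.items()]


if __name__ == "__main__":
    report, pps, dur = classify(build_sample_log())
    for svc, n_scan, n_attack in table_rows(report):
        print(f"{svc:8s} scanning={n_scan:3d} attacking={n_attack:3d}")
    print(f"peak rate {pps}/s, longest attack {dur.total_seconds():.2f}s")
```

On the constructed log this yields two scanning IPs and one attacking IP for NTP, one scanning IP each for CHARGEN and DNS (with one attacking IP for DNS), two scanning IPs for SSDP, a peak of 25 requests per second and a longest attack of 2.96 seconds. A rate threshold is only a first-cut discriminator: a slow, distributed reflection attack would fall below it and be misfiled as scanning, which is why the post pairs the counts with further analysis of scanning behaviour and attack patterns.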

Conclusion

During the attack, the source IP was crafted to be that of the target, so the attacking IPs recorded were those of amplifiers and spoofed addresses. Our further study will identify whether these IPs are spoofed or not.

During the scan, the source IPs were those of the actual attack sources, such as bots, validation servers and C&C servers. Attackers were seeking any available open services, and so checked the status of amplifiers in order not to waste query traffic.

To identify whether the recorded IPs were used by Hidden Cobra, further study will also be conducted into data such as scanning behaviours and attack patterns.

Figure 3. Scanning Activities in Three Consecutive Quarters

Detection and Mitigation

DNS, NTP, CHARGEN and SSDP services are susceptible to abuse in distributed reflected denial-of-service (DrDoS) attacks. The best way to handle a DrDoS attack is by leveraging Anycast technology. Our solution load-balances across our high-performance, global DDoS Mitigation Network. Nexusguard Protection secures all backend network elements, including the application origin, the network infrastructure, and the backend IPs typically associated with proxy solutions. It is well suited to organisations that cannot afford any downtime of assets running on their own network.

NTP and DNS attacks are launched with spoofed IP addresses. We thoroughly understand their attack patterns, and our total active mitigation capacity of 1.44 Tbps enables us to mitigate attack traffic up to that size.