Technique requires limited resources, has notable impact

Mar 31, 2015 13:00 GMT  ·  By
IPs observed by Incapsula to be used for Shotgun DDoS during the study period

Services providing anonymity online are abused by cybercriminals in distributed denial-of-service (DDoS) attacks that require limited resources but have a significant impact on the target.

The technique involving anonymous proxies has been dubbed “Shotgun DDoS” because, at its core, it involves a single machine that delivers the fake requests to the target through multiple online anonymization services.

As such, what starts as a regular DoS attack quickly turns into a distributed activity involving a larger number of IP addresses sending out the requests to the target.

Layer 7 DDoS spawns from anonymization services

Achieving this requires few resources from the attacker since the services used are free and the requests are managed through a DoS toolkit, which is neither expensive nor difficult to come by.

During a one-month study between January 6 and February 7, 2015, DDoS mitigation experts from Incapsula observed that 20% of all application layer (Layer 7) DDoS incidents were carried out via anonymous proxies.

In contrast to network layer denial of service, which aims at exhausting the bandwidth of the target, Layer 7 attacks focus on the computing resources of the server, making it falter under heavy processing requests.

Shotgun DDoS attacks bypass several mitigation tactics

By relying on anonymization services, the perpetrators keep the origin of the attack private and also avoid defenses based on access control lists (ACL) that can mitigate a single-source DoS incident.

Geo-blacklisting, a tactic used by many organizations to block unwanted traffic directed to their systems, is also ineffective because the requests originate from multiple regions of the globe.

“With anonymous proxies, the attack can not only spread across multiple IPs, but also across multiple geo-locations, thereby rendering geo-blacklisting ineffective,” Incapsula said in a blog post on Tuesday.

Since multiple attack sources are used, the threat actor can distribute a smaller number of payloads to each source, thus circumventing rate-limiting security mechanisms.

Plenty of attack IPs hide behind Tor

The largest number of IP addresses employed in a Shotgun DDoS attack observed by Incapsula in the 31-day period of the research was 4,387, while the average was calculated at 1,800.

As far as the number of requests is concerned, the experts saw more than 5 million in an attack.

Almost half (45%) of the DDoS incidents originated from addresses in the Tor anonymity network and most of them (60%) used Tor’s Hammer DoS tool that carries out low-and-slow POST attacks, which are smaller in spread and volume.

A solution against this type of attack relies on detection of abnormal traffic patterns and tracing the devices that may have been compromised, Incapsula says. This, combined with effective heuristics and reputation-based services, should help deflect the malicious requests.
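As an added illustration of the two points above (per-source rate limiting being sidestepped, and detection of abnormal traffic patterns as the counter), the following Python sketch is not from Incapsula's post; it runs over constructed access-log entries, and the thresholds and window size are assumptions.

```python
"""Why a per-IP rate limit misses a 'Shotgun' Layer 7 pattern, and how
aggregating by endpoint and counting distinct sources exposes it.
Added example on constructed data; thresholds are assumptions."""
from collections import Counter, defaultdict

# Constructed log entries: (source_ip, method, path, seconds_into_window).
# 40 distinct proxy-exit IPs each send 3 POSTs to /login within 60 s;
# two ordinary clients browse a few pages in the same window.
LOG = [(f"198.51.100.{i + 1}", "POST", "/login", t)
       for i in range(40) for t in (i, i + 10, i + 20)]
LOG += [("192.0.2.10", "GET", "/", 5), ("192.0.2.10", "GET", "/about", 9),
        ("192.0.2.11", "GET", "/", 12), ("192.0.2.11", "POST", "/login", 30)]

WINDOW = 60              # assumed analysis window in seconds
PER_IP_LIMIT = 10        # assumed per-source limit (requests per window)
AGG_LIMIT = 50           # assumed per-endpoint aggregate limit per window
MIN_DISTINCT_IPS = 20    # spread a single-source DoS would not show

def per_ip_rate_limit(log, limit=PER_IP_LIMIT):
    """Classic per-IP rate limiting: return the IPs exceeding the limit."""
    per_ip = Counter(ip for ip, _, _, t in log if t < WINDOW)
    return [ip for ip, n in per_ip.items() if n > limit]

def shotgun_detect(log, agg_limit=AGG_LIMIT, min_ips=MIN_DISTINCT_IPS):
    """Flag (method, path) pairs whose total volume exceeds agg_limit while
    being spread over at least min_ips sources: high aggregate load with
    each source individually quiet, the shape per-IP limits cannot see."""
    hits = defaultdict(list)
    for ip, method, path, t in log:
        if t < WINDOW:
            hits[(method, path)].append(ip)
    flagged = {}
    for key, ips in hits.items():
        distinct = len(set(ips))
        if len(ips) > agg_limit and distinct >= min_ips:
            flagged[key] = {"requests": len(ips), "sources": distinct,
                            "per_source_avg": round(len(ips) / distinct, 2)}
    return flagged

if __name__ == "__main__":
    print("per-IP limit catches:", per_ip_rate_limit(LOG))
    print("aggregate detector flags:", shotgun_detect(LOG))
```

The per-IP check returns nothing because no source exceeds ten requests, while the endpoint aggregate shows 121 requests to POST /login from 41 distinct sources, which is the signal to feed into heuristics or reputation lookups.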