A New Trend of DDoS Attacks: Mobile Devices Are a New Generation of Botnets

Malicious apps turning mobile devices into botnets.

A few months back, the Alibaba Cloud security team observed a new trend of DDoS attacks in which common, everyday mobile apps became DDoS attack tools. Traditional mitigation policies proved ineffective against attacks launched by these mobile botnets.

This article analyzes the characteristic features of a DDoS attack mitigated by the intelligent protection engine of Alibaba Cloud Anti-DDoS Service.

The tracing analysis shows that these DDoS attacks were caused by a large number of users installing malicious apps, disguised as normal applications, on their mobile phones. These malicious apps dynamically initiated attacks against target websites. More than 500,000 mobile devices were seen using these DDoS attack tools in the past few months, giving a single attack the same severity as a PC botnet DDoS attack. This pattern indicates that hackers are upgrading their techniques to deliver higher levels of damage during attacks.

What Are the Features of This Mobile Botnet DDoS Attack

1. Attacking devices spread across both mobile operating systems: about 40 percent of the devices run iOS and 60 percent run Android.

2. Huge attack volume from a large number of mobile devices: in a single attack, the peak number of requests per second (QPS) can reach millions, initiated through more than 500,000 mobile devices, with very little repetition of source IP addresses between attack instances.

3. Geographically distributed attack source IP addresses: attack source IP addresses came from nearly 40 different ISPs in more than 160 countries around the world.

[Figure: Distribution of attack source IP addresses]

4. Cellular base stations contributing most attack source IP addresses: nearly half of the attack source IP addresses were large cellular base station gateway IP addresses, meaning that the same source IP address carries both attack traffic and a large amount of normal user traffic.

5. Irregular attack scheduling: because mobile phones constantly change their network connections and apps start and stop, we observed an unusually high number of attack source IP addresses. More than half of the attack source IP addresses were not persistent attack initiators; the attack duration of each source IP address varied, and the request frequency of any single attack source IP address was not high.

[Figure: Attack duration and number of IP addresses and requests]

Traditional Mitigation Policies Are No Longer Effective

The combination of rate-limiting and blacklisting was an effective mitigation policy in the era of PC botnets. However, mobile devices are far more ubiquitous than PCs, which results in a large number of attacks initiated by malicious apps disguised as normal applications. Even if the request frequency of a single device is low, the aggregated requests from all devices can overwhelm the target site, making it easy for a hacker to attack the target site without triggering any rate-limiting policy.

Most attack sources are large cellular base station gateway IP addresses, which renders traditional defense policies such as blacklisting useless: blacklisting a cellular base station gateway leaves a large number of normal users unable to access the service. New mobile devices join the botnet throughout the attack, so a blacklist mechanism cannot effectively block the attack. The once-effective mitigation policies are ineffective in the face of these new attacks.

How Do Hackers Initiate Attacks With Malicious Apps

1. Hackers embed a WebView into the app, which requests the central control link after the app starts. The page that the link points to loads three JS files, which dynamically fetch JSON instructions via Asynchronous JavaScript and XML (AJAX) requests.

2. When no attack is underway, the received JSON instruction is {"message": "no data", "code": 404}. In that case the JS files, once loaded, enter a continuous loop that periodically re-reads the JSON instruction.

[Figure: Continuous loop]

3. After the hacker issues an attack-type JSON instruction, the JS files exit the loop, parse the instruction, and deliver messages back to the WebView. The JSON instruction specifies the packet content required for the attack, such as the target URL, request method, and headers, as well as scheduling parameters such as attack frequency, conditions for starting the attack, and attack end time, making the attack more complex and flexible.

4. The WebView reads the device information from the User-Agent to determine whether the device runs iOS or Android. It calls a different function for each system to trigger the loading of Java code in the malicious app and makes the device initiate an attack according to the JSON instruction.

Using the methods and techniques above, the attackers turn users who installed this fraudulent app, distributed through black markets, into puppets that successfully launch DDoS attacks against target businesses.

This also reveals a black-market industry. The owners of malicious applications attract users to install and use these apps through various channels with deceptive advertisements. The owners profit from the use of the fraudulent apps and seek further profit by selling DDoS attack services that use the affected user devices as a botnet.

Based on the attack flowchart, hackers can issue JSON instructions to make mobile devices attack a specific target in a specific way for any given purpose.

[Figure: Attack flowchart]

In addition to controlling mobile devices to initiate attacks, fraudulent apps can also implant malicious code that silently sends paid SMS messages, steals user fees through the SMS payment channels of ISPs, and accesses address books, geographical locations, identity cards, bank accounts, and other sensitive information. They can harass users with advertising and telecommunications fraud, or even cause greater losses such as identity theft.

How Can Users Cope With This Type of DDoS Attack

In the era of PC botnets, enterprise Anti-DDoS policies were relatively straightforward:

  1. Detection: request frequency
  2. Action: rate-limiting and blacklisting
  3. Defense logic: apply source rate-limiting or blacklist IP addresses when the request frequency is too high

If mitigation was ineffective, manual packet capture and analysis were required, and protection rules were then configured for the specific attack conditions. This approach responds slowly and leaves the business seriously damaged.

When massive numbers of mobile devices become the new attack sources, attacks can easily bypass the preceding defense logic. Enterprises can no longer rely on rate-limiting and blacklisting, but must adopt more intelligent means of protection:

  1. Extend the dimensions used to identify attack traffic and parse each request in real time into a multi-dimensional detection.
  2. Match protection policies with multi-dimensional identification, implement fine-grained, flexible, and rich access control, and combine the dimensions to filter out attack traffic layer by layer.
  3. Replace manual troubleshooting with machine intelligence to improve response speed and reduce business interruption time.
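As an added illustration (not code from the article or from Alibaba Cloud), the following Python compares the legacy per-IP rate limit with a multi-dimensional check over constructed sample traffic: every bot sends the request shape fixed by the C2 JSON instruction (method, target URL, headers), so that shape, not the source IP, is the dimension that separates attack traffic from a gateway's normal users. The log format, thresholds and addresses are assumptions.

```python
import re
from collections import Counter, defaultdict
# Constructed sample traffic, not from the article. Line format: ip "METHOD path" "user-agent".
GATEWAY = "198.51.100.1"   # one cellular base station gateway IP carrying mixed traffic
BOT_FP = ("POST", "/api/order", "Mozilla/5.0 (Linux; Android 8.0) AppShell/1.0")
NORMAL_FPS = [("GET", "/", "Mozilla/5.0 (iPhone; CPU iPhone OS 12_0 like Mac OS X)"),
              ("GET", "/search?q=shoes", "Mozilla/5.0 (Linux; Android 9; SM-G960F)"),
              ("GET", "/cart", "Mozilla/5.0 (iPhone; CPU iPhone OS 11_4 like Mac OS X)")]

def build_sample_log():
    """Gateway: 6 normal + 3 bot requests. 200 other devices: 2 bot requests each."""
    lines = ['%s "%s %s" "%s"' % (GATEWAY, *fp) for fp in NORMAL_FPS * 2 + [BOT_FP] * 3]
    for i in range(200):
        lines += ['192.0.2.%d "%s %s" "%s"' % (i + 1, *BOT_FP)] * 2
    return lines

LINE_RE = re.compile(r'^(\S+) "(\S+) (\S+)" "([^"]*)"$')

def parse(line):
    """Return (source_ip, fingerprint); the fingerprint is the request shape the
    C2 instruction fixes for every bot: method, target path and User-Agent."""
    ip, method, path, ua = LINE_RE.match(line).groups()
    return ip, (method, path, ua)

def per_ip_rate_limit(events, threshold=10):
    """Legacy logic: a source is blocked only once its own request count is too high."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > threshold}

def fingerprint_clusters(events, min_ips=50, min_share=0.5):
    """Multi-dimensional logic: flag a request shape that arrives from many distinct
    IPs and dominates traffic, even though no single IP exceeds any rate."""
    ips, total = defaultdict(set), Counter()
    for ip, fp in events:
        ips[fp].add(ip)
        total[fp] += 1
    return {fp for fp in total
            if len(ips[fp]) >= min_ips and total[fp] / len(events) >= min_share}

def filter_log(lines, bad_fps):
    """Drop only requests matching a flagged shape; the gateway's normal users stay."""
    return [line for line in lines if parse(line)[1] not in bad_fps]

if __name__ == "__main__":
    log = build_sample_log()
    events = [parse(line) for line in log]
    print("per-IP rate limit blocks:", per_ip_rate_limit(events))       # set(): nobody
    bad = fingerprint_clusters(events)                                   # {BOT_FP}
    print("requests kept:", len(filter_log(log, bad)), "of", len(log))  # 6 of 409
```

Because the gateway IP stays under the per-IP threshold, the legacy check blocks nothing at all; the shape-based check removes the 403 bot requests while keeping all six normal requests from the same gateway IP.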

Although hackers have only upgraded their attack sources, enterprises face heavy security defense workloads and must act as early as possible to be well prepared. Alternatively, enterprises can purchase Alibaba Cloud Security Anti-DDoS products for professional, intelligent protection against both volumetric DDoS attacks and application-layer DDoS attacks.

If you are an individual user, the Alibaba Cloud security team recommends installing approved apps from authorized channels to protect device security and data privacy and to avoid turning your mobile phone into a DDoS attack tool. When installing an app, always inspect the permissions it requests. If an app requests high-risk permissions that do not match its functions, such as accessing your address book or sending SMS messages, exercise caution, because it may put you at risk.


Published at DZone with permission of Leona Zhang. See the original article here.
