
Monday, September 3, 2007

Fourmilab: A Botnet Comes Knocking

Here in the Internet slum, you never know who or what's going to be knocking on your door. Starting on September 1st, 2007, a multi-thousand site “botnet” (collection of Microsoft Windows machines infected with software which allows them to be remote-controlled and used to send junk mail or mount distributed denial of service [DDoS] attacks against sites) has sporadically been attacking Fourmilab, to what end I haven't the slightest clue. Each attack begins suddenly, with thousands of IP addresses, distributed around the world, pumping in rapid-fire requests for the site's home page (which is just a Frameset container for the front page). They never request any other page, and the HTTP User-Agent and Referer fields in the Apache Web server log both show up as just “-”. Each individual attack lasts for about fifteen minutes, and ends as abruptly as it began, with a few straggling packets arriving up to a minute later. There have been a total of six of these attacks so far:

Date         Start time   End time
2007-09-01   12:21:09     12:37:59
2007-09-02   00:13:10     00:27:00
2007-09-02   12:38:12     12:53:34
2007-09-02   14:45:11     15:01:36
2007-09-03   00:13:12     00:26:12
2007-09-03   06:18:12     06:22:25

All times in this table are UTC (Greenwich Mean Time). The last attack was shorter in duration and less intense than those which preceded it; I hope that's a sign that whoever's responsible has found something else to amuse their nihilist inner child.

Taking the attack which began at 12:38 UTC on 2007-09-02 as an example, in that 15 minute period a total of 92,001 requests for the home page were received from a total of 3,910 distinct IP addresses. Attack packets were arriving at a rate in excess of 100 per second—had the attack been sustained for an entire day, this would amount to 8.6 million Web requests, as opposed to the average of around 600,000. Of the addresses which were resolvable into fully qualified domain names, the ten top level domains from which packets originated were as given in the table below.

Domain   Sites    Hits
pl        1425   33576
net        608   14399
com        221    4922
de         126    2825
ru         110    2633
tr         100    2323
br          49    1081
au          37     848
fr          35     870
nl          34    1077

I was surprised by the apparently disproportionate representation of Poland, but apparently that country is a hotbed of botnet infection, along with Germany, Turkey, Brazil, and France, which also figure in the top ten. I was surprised not to have received a single packet from a site in Korea, as it is frequently mentioned as botnet heaven, with its ubiquitous broadband and overwhelmingly Windows market penetration, but note that IP addresses which did not resolve (a total of 651) were excluded from this analysis. Almost all resolved IP addresses were typical home user broadband accounts.

After the second attack on September 2nd, I added a signature to Fourmilab's Gardol attack mitigation tool, developed during the first great distributed denial of service attack in January–April 2004. This reduced the impact of the attack on the site's outbound bandwidth (the principal scarce resource) to negligible levels. Once an attacking host has been blocked, packets simply “bounce off” the server farm without ever being processed. Since Fourmilab has a 2 Mbit/sec symmetrical Internet connection on which more than 90% of the traffic is outbound, the inbound attack packets do not measurably degrade response time for legitimate requests.
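As an added example (not Gardol's code, nor anything from Fourmilab's logs), here is the request signature described in the post and the per-attack tally of hits, distinct sources, request rate and top-level domains of resolvable sources, run over a few constructed Apache combined-format log lines. The log regex, the `analyse` function and the stub reverse-DNS table are assumptions of this example.

```python
import re
from collections import Counter
from datetime import datetime

# Apache "combined" log format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                    r'\d{3} \S+ "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None  # not a combined-format line
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    return rec

def is_bot_signature(rec):
    """The pattern described in the post: the home page only, with Referer and
    User-Agent both logged as a bare '-'."""
    return rec["request"].startswith("GET / ") and rec["referer"] == "-" and rec["agent"] == "-"

def analyse(lines, resolver):
    """Count signature hits and distinct sources, estimate the request rate over the
    observed window, and tally top-level domains of sources that resolve (resolver: ip -> name or None)."""
    hits = [r for r in map(parse_line, lines) if r and is_bot_signature(r)]
    ips = {r["ip"] for r in hits}
    span = (hits[-1]["time"] - hits[0]["time"]).total_seconds() if hits else 0.0
    tlds, unresolved = Counter(), 0
    for ip in sorted(ips):
        name = resolver(ip)
        if name:
            tlds[name.rsplit(".", 1)[-1]] += 1
        else:
            unresolved += 1       # excluded from the TLD tally, as in the post
    return {"hits": len(hits), "ips": len(ips), "rate": len(hits) / max(span, 1.0),
            "tlds": tlds, "unresolved": unresolved}

# Constructed sample log (not Fourmilab's): four signature hits from three hosts
# plus one ordinary browser request that must not be counted.
SAMPLE_LOG = """\
192.0.2.10 - - [02/Sep/2007:12:38:12 +0000] "GET / HTTP/1.1" 200 1473 "-" "-"
198.51.100.7 - - [02/Sep/2007:12:38:12 +0000] "GET / HTTP/1.1" 200 1473 "-" "-"
203.0.113.5 - - [02/Sep/2007:12:38:13 +0000] "GET /index.html HTTP/1.1" 200 1473 "http://example.org/" "Mozilla/5.0"
192.0.2.10 - - [02/Sep/2007:12:38:14 +0000] "GET / HTTP/1.1" 200 1473 "-" "-"
203.0.113.9 - - [02/Sep/2007:12:38:16 +0000] "GET / HTTP/1.1" 200 1473 "-" "-"
""".splitlines()
# Constructed stand-in for reverse DNS; real use would call socket.gethostbyaddr.
FAKE_RDNS = {"192.0.2.10": "host10.example.pl", "198.51.100.7": "dsl7.example.net"}
```

Calling `analyse(SAMPLE_LOG, FAKE_RDNS.get)` on the sample reports 4 hits from 3 addresses, two resolving to the .pl and .net domains and one left out of the tally as unresolved.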

Posted at September 3, 2007 20:29