IP Gang Behavior Analysis (English Version).pdf
Behavior Analysis of IP Chain-Gangs

Hongbo Yang, Xiaobing Sun, Richard Zhao
NSFOCUS, Inc.
December 2018
2018 NSFOCUS

About NSFOCUS

NSFOCUS, Inc., a global network and cyber security leader, protects enterprises and carriers from advanced cyber attacks. The company's Intelligent Hybrid Security strategy utilizes both cloud and on-premises security platforms, built on a foundation of real-time global threat intelligence, to provide multi-layered, unified and dynamic protection against advanced cyber attacks. NSFOCUS works with Fortune Global 500 companies, including four of the world's five largest financial institutions, organizations in the insurance, retail, healthcare and critical infrastructure industries, as well as government agencies. NSFOCUS has technology and channel partners in more than 60 countries, and is a member of the Microsoft Active Protections Program (MAPP) and the Cloud Security Alliance (CSA). A wholly owned subsidiary of NSFOCUS Information Technology Co. Ltd., the company has operations in the Americas, Europe, the Middle East and Asia Pacific.

Special Statement

All data used for analysis is fully anonymized; no customer information is included or disclosed. For any potential concerns or issues, please feel free to contact the authors.

Contents

1 Introduction and Executive Summary
2 Identifying IP Chain-Gangs
3 Statistical Analysis of IP Chain-Gangs
3.1 IP Chain-Gang Size (Member Count)
3.2 Total Attack Volumes
3.3 Total Attack Count
3.4 Number of Gang Victims
3.5 Total Attacking Time
3.6 Comparing Gang Size, Attack Count and Attack Volume
3.7 Attack Types (Methods)
3.7.1 Attack Type vs. Attack Volume
3.7.2 Single-type Attacks vs. Mixed-type Attacks
3.7.3 Reflection Attack Volume vs. Events
3.8 The Peak Rate
3.8.1 All Gangs Peak Rate
3.8.2 Single Gang Attack Peak Rate
3.8.3 Top Ten Gangs
3.9 The Geo-Locations of Attackers and Victims (Excluding China)
3.9.1 Distribution of Attacking Countries
3.9.2 Distribution of Victim Countries
4 IP Chain-Gang Profile Model
4.1 The Largest Gang
4.2 The Most Active Gang
4.3 The Gang with Largest Volume
5 The Future Work
6 References and Acknowledgements
6.1 References
6.2 Acknowledgements

1 Introduction and Executive Summary

In the NSFOCUS 2018 H1 Cybersecurity Insights report [1], we observed that "Recidivists are responsible for 40% of the attacks, most of which are botnet activities and DDoS attacks". Since botnet activities and DDoS attacks are usually launched from multiple sources in a collaborative way, it is not surprising to see that many of these recidivists are working together as a group in these attacks. We call these groups "IP Chain-Gangs".

Throughout this report we try to identify IP Chain-Gangs and then study their behaviors, with the whole gang as the unit, using DDoS attack data collected by NSFOCUS since 2017. The logic behind this approach is that each IP Chain-Gang is presumably controlled by a single threat actor, or a group of related threat actors, and should therefore exhibit similar behaviors across the various attacks conducted by the same gang. By studying the historical behaviors of the gang, we hope to build a gang profile that can help better describe how the threat actor(s) behind it operate, what their preferred attack methodologies and characteristics are, and how to build better defenses against future attacks launched by them.

In this report, we introduce the IP Chain-Gang concept, and then focus on the statistical analysis of gang behaviors. From our analysis, we observed that:

- These gang members, though only a tiny fraction (2%) of all the attackers, are responsible for a much larger portion (20%) of all of the attacks.
- 20% of gangs are responsible for about 80% of all attacks launched by the gangs.
- Reflection attacks are the dominant attack methods favored by the gangs, specifically in high-volume attacks.
- Gangs typically do not operate at their full potential capacities. However, knowing their maximum attacking power is very important in planning the defense against them.

This report is the first in a series on the IP Chain-Gang topic. In future reports, we plan to examine how gang members have evolved and connected, and how to apply that knowledge to build a more effective defense against them.

We believe that this is the first time that DDoS attacks have been studied as coordinated gang activities. As such, from this new viewing angle, we can gain a few unique insights into how DDoS attacks are conducted. In turn, this will help us better detect, mitigate, forensically analyze, and even predict DDoS attacks.

[1] nsfocusglobal/2018-h1-cybersecurity-insights/

2 Identifying IP Chain-Gangs

To identify an IP Chain-Gang, we start by analyzing the DDoS attack data collected by NSFOCUS since 2017 and go through the following steps (for a more detailed discussion of this gang identification algorithm, please refer to the paper Detection of IP Gangs: Strategically Organized Bots [2]):

a. Identify the attackers who participated in one collaborated attack and place them into a group. Here we define a collaborated attack as the individual attacks that are against the same target at roughly the same time. Since these attackers are working together, it is plausible to believe that they are controlled by the same threat actor.

b. If two groups from the previous step overlap or their behaviors are significantly alike, merge them into one bigger group. Repeat this group-merging process until no more significantly overlapping groups exist. A sophisticated machine learning algorithm is used to determine the threshold of "significance".

c. Extract the core members of each attack group by purging "occasional attackers" (those attackers who participated in only a small percentage of the attacks) from the group. These core members of an attacker group become an IP Chain-Gang.

Through this process, we have identified over 80 active IP Chain-Gangs. In this study, we chose rather restrictive parameters in our algorithms. Therefore, all members in these gangs are really serious recidivists: each of them has performed multiple attacks over our study period. Consequently, though the number of these gang members is only about 2% of all the attackers in our dataset, they are responsible for about 20% of all the attacks.

It should be mentioned that the composition of any particular gang is very dynamic, as old members leave (presumably because the owner of the system removed the malware and patched the security hole the threat actor originally used to gain access to the system) and new members join (new systems being infected by malware and becoming part of the botnet) over time. In this report, we study the gang behaviors as if they were static entities over the study period. In future studies, we will take the dynamic nature into consideration.

[2] researchgate/publication/326162077_Detection_of_IP_Gangs_Strategically_Organized_Bots

3 Statistical Analysis of IP Chain-Gangs

After the gangs are identified, we can study per-gang level behavior from several different perspectives. Unless otherwise stated, the numbers reported in this section are cumulative across all the members of the same gang.

3.1 IP Chain-Gang Size (Member Count)

The chart below shows the size distribution of the IP Chain-Gangs. Most of the gangs have fewer than 1000 members, but we also see one gang with more than 26,000 members.
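The three identification steps of Section 2 (group co-attackers, merge overlapping groups, purge occasional attackers), as an added Python example that is not NSFOCUS's code or the algorithm of the referenced paper: the 10-minute co-attack window, the fixed Jaccard merge threshold standing in for the report's machine-learned significance test, the 50% core-membership cutoff and the sample event records are all constructed assumptions. The result is a list of gangs whose lengths are the gang sizes discussed in Section 3.1.

```python
"""Toy version of the report's three IP Chain-Gang identification steps (Section 2).
Added example, not NSFOCUS code: the time window, the Jaccard merge threshold (standing
in for the report's ML-derived one), the core-member cutoff and the records are constructed."""
from itertools import combinations

# Constructed sample DDoS attack records: (attacker_ip, victim, start_minute).
EVENTS = [
    ("10.0.0.1", "victimA", 0), ("10.0.0.2", "victimA", 2), ("10.0.0.3", "victimA", 5),
    ("10.0.0.1", "victimB", 100), ("10.0.0.2", "victimB", 103), ("10.0.0.4", "victimB", 104),
    ("10.0.0.1", "victimC", 200), ("10.0.0.2", "victimC", 201), ("10.0.0.3", "victimC", 205),
    ("10.0.0.9", "victimD", 300),  # lone attacker that never collaborates
]

def collaborated_attacks(events, window=10):
    """Step a: one attacker set per burst of events on the same victim within `window` minutes."""
    bursts = []  # entries: [victim, burst_start, {attacker ips}]
    for ip, victim, t in sorted(events, key=lambda e: (e[1], e[2])):
        if bursts and bursts[-1][0] == victim and t - bursts[-1][1] <= window:
            bursts[-1][2].add(ip)
        else:
            bursts.append([victim, t, {ip}])
    return [ips for _, _, ips in bursts]

def jaccard(a, b):
    return len(a & b) / len(a | b)

def merge_groups(attacks, threshold=0.5):
    """Step b: merge groups whose member sets overlap significantly until none do (cluster = members, source attacks)."""
    clusters = [(set(a), [a]) for a in attacks]
    changed = True
    while changed:
        changed = False
        for i, j in combinations(range(len(clusters)), 2):
            if jaccard(clusters[i][0], clusters[j][0]) >= threshold:
                members_j, attacks_j = clusters.pop(j)
                clusters[i] = (clusters[i][0] | members_j, clusters[i][1] + attacks_j)
                changed = True
                break
    return clusters

def core_members(cluster, min_share=0.5):
    """Step c: purge occasional attackers seen in fewer than `min_share` of the cluster's attacks."""
    members, attacks = cluster
    return {ip for ip in members if sum(ip in a for a in attacks) / len(attacks) >= min_share}

def identify_gangs(events, min_size=2):
    """Steps a-c end to end; a lone attacker is not a gang. Gang size (Section 3.1) is len(gang)."""
    gangs = (core_members(c) for c in merge_groups(collaborated_attacks(events)))
    return sorted((sorted(g) for g in gangs if len(g) >= min_size), key=len, reverse=True)
```

On the constructed records, 10.0.0.4 joins only one of the cluster's three attacks and is purged as an occasional attacker, so the single identified gang has three members.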
Figure 1 IP Chain-Gang Size Distribution [chart: IP Chain-Gang Numbers, bucketed by member count]

The chart below shows the distribution of gang size across all the IP Chain-Gangs we identified, sorted by gang size. One dot in the chart represents one gang, for a total of 82 gangs.

Figure 2 IP Chain-Gang Size (Per-gang Sorted) [chart: IP Chain-Gang Number Distribution]

3.2 Total Attack Volumes

The chart below shows the distribution of the total attacking traffic volume generated by the gangs, accumulated over all the attacks from the members of the same gang. While the attacking volume varies drastically among gangs, the majority of them generated more than 50TB of total traffic over our study period.

Figure 3 Total Attack Volume Distribution [chart: Total Attack Volume, bucketed in TB]

Figure 4 Total Attack Volume (Per-gang Sorted) [chart; Y-axis: Total Attack Volume (GB)]

3.3 Total Attack Count

The chart below shows the number of DDoS attack events each gang launched, sorted by the event count. Unsurprisingly, roughly 20% of the gangs are responsible for 80% of the attacks.

Figure 5 Total Attack Count (Per-gang Sorted) [chart; Y-axis: Attack Event Count]

3.4 Number of Gang Victims

The chart below shows the number of victims each gang attacked, sorted by the victim count. We see that 80% of the gangs have fewer than 1000 victims, while one gang alone is responsible for attacking about 15% of the victims.
Figure 6 Number of Victims (Per-gang Sorted) [chart; Y-axis: Number of Victims]

3.5 Total Attacking Time

The chart below illustrates the distribution of the total accumulated attacking time from all the members of the same gang. While some gangs recorded a total attack time of more than 5000 days, the majority of them recorded less than 1000 days.

Figure 7 Total Attacking Time Length [chart: Gang Attacking Time, bucketed in days]

3.6 Comparing Gang Size, Attack Count and Attack Volume

While it is natural to assume that a bigger gang would launch more attacks with higher volume, that is actually not the case. As shown in the next chart, an IP Chain-Gang with fewer members may end up launching more attacks and sending more attacking traffic than a gang with more members. Taking the top 10 gangs with the highest traffic volume, the chart below shows the IP Chain-Gang size on the X-axis (log scale), the attack count on the Y-axis, and the attack volume as the size of the orange bubble.

Figure 8 Gang Size vs. Attack Count vs. Attack Volume [bubble chart: Top IP Gang Attack Event Number - Attacker Number - Attacker Volume; X-axis: Attacker Number (log); Y-axis: Attack Event; bubble size: Attack Traffic Volume]

As shown in the chart, a bigger bubble does not correspond to a larger attacker number or attack count. We can see a gang with 274 members attacking at an extremely high frequency (50K), which exceeds all others, while the biggest bubble (i.e. the biggest attack volume) has fewer members (256) and a lower attack count (10K). This suggests that the attackers in this particular gang probably have bigger pipes at their disposal.

3.7 Attack Types (Methods)

The attacking method(s) used is another important aspect when studying DDoS attacks.
Different methods have different characteristics, such as the traffic volume generated, ease of implementation and detection, system dependencies, etc.

3.7.1 Attack Type vs. Attack Volume

The next chart shows the composition of the various attack types across different attack volume ranges.

Figure 9 Attack Type vs. Attack Volume [stacked chart: IP Gang Attack-Type Classification against Attack Volume Size; X-axis: attack volume range (TB); Y-axis: Percentage (%); series: SYN FLOOD, ACK FLOOD, UDP FLOOD, DNS REQUEST FLOOD, DNS RESPONSE FLOOD, NTP REFLECTION FLOOD, SSDP REFLECTION FLOOD, SNMP REFLECTION FLOOD]

NTP reflection flood attacks make up most of the volume in the high-volume attacks (due to their great amplification factor), while SYN flood attacks spread across the whole spectrum (most probably due to their simplicity). These two attack types, along with UDP flood and SSDP reflection flood, make up the majority of the attack types across the board.

3.7.2 Single-type Attacks vs. Mixed-type Attacks

Many gangs have their preferred attacking method. This obviously reflects the skills and preferences of the threat actors behind the gang. However, we also see some gangs employ multiple atta