These days you have to be browsing from under a rock to not be concerned about your online footprint and Internet privacy. For better or worse, we all know that we are being watched; our IPs are recorded, our cookies are traced and our movements are monitored, both by businesses and by our governments.

For many this is just the price of doing business. Still, not everyone is willing to pick up the bill. This is where anonymizers (a.k.a. anonymous proxies) come in.

Offering what could be described as Anonymity-as-a-Service, these help mask your online identity by having you browse through a proxy server that obfuscates your origin IP and your HTTP footprint.

Similar to the topic of Internet privacy, the subject of Internet anonymity is also a focal point of much controversy. Specifically, anonymizers are often accused of enabling cybercriminal activity and even turning on their users.

In the following post we discuss yet another threat enabled by anonymous proxy, explain how hackers are leveraging their innate scrambling capabilities to execute low-effort ”and yet extremely efficient” DDoS attacks.

Incapsula’s IP Reputation Project

This study was enabled by a project we launched nearly two years ago, with the goal of leveraging Incapsula’s network presence to create a worldwide map of hacker-controlled resources.

To achieve this, the team developed a system to monitor IP addresses ‘caught’ in the act of attempting malicious activity against protected domains within the network.

Today, Incapsula’s IP database holds records of the most up-to-date malicious activity from more than 4.2 million IP addresses across the globe.

While the focus of our IP reputation project was not on anonymizers per se, it did provide us with a way of tracing malicious activity originating from anonymous proxies.

More importantly, with a steady stream of fresh IP information we were able to keep pace with the shifty anonymizers landscape, where new servers are regularly introduced and old ones are taken out of circulation.

Anonymous Proxies in Shotgun DDoS Attacks

Observing DDoS traffic emerging from public proxies provided interesting insight into the way perpetrators are now abusing anonymizers for what we have come to call a ‘Shotgun’ DDoS attack.

The idea behind these attacks is to leverage a large number of open proxies to turn a single-source DoS attack into a distributed one (DDoS), making it much harder to mitigate.

In such attacks, the perpetrator’s first step is to harvest a list of publicly available proxy servers, using a DYI script of one of many list or tools available online.

Next, using a modified version of DoS toolkit (or homebrew DoS script) the perpetrator sends out a slew of malicious request through each of the harvested IPs.

Sieving the DoS traffic through a large number of proxies produces a scattering effect, similar to what you get with numerous smaller pellets shooting out of a single shotgun shell.

Yet, where the real shotguns shots would disperse, the DoS requests always zero-in on the same target; hitting it from multiple directions in what now, in fact, is a DDoS attack.

Figure 1: The methodology of a Shotgun DDoS attacks. ( The methodology of a Shotgun DDoS attacks. ( click to enlarge

From the perpetrator’s point-of-view, this tactic offers several key advantages:

1. Ease of Execution

Using this attack method perpetrators can execute multi-source DDoS attack using nothing but a personal home computer, a simple proxy harvesting script and one of the publicly available DoS toolkits.

2. IP Masking

Routing malicious requests through a network of proxy servers has the obvious benefit of hiding the perpetrator’s origin IPs or, more likely, the origin IPs of the hijacked device(s) used to execute the attack.

The fact that the owners of open proxy are unlikely to expose the perpetrator’s details, even if subpoenaed to do so, also plays into perpetrators’ favor.

ViaProxy IPProxy IPNot determined

Regular/Transparent Anonymous High Anonymous Source IP Proxy IP Proxy IP Proxy IP X-Forwarded-For OriginIP Proxy IP Not determined

Figure 2: Level of anonymity provided by different types of proxies.

3. Avoiding ACL Solutions

By routing malicious traffic through multiple proxy servers, the perpetrator is effectively transforming a single source DoS (Denial of Service) attack into a multi-source DDoS (Distributed Denial of Services) attack.

Doing so helps bypassing ACL security solutions, which could be easily used to stop a single-source DoS attack but are ineffective in a scenario where traffic is emerging from numerous IPs, that display no predictable pattern, and the number of which can easy scale up into thousands.

4. Avoiding Geo-Blacklisting

Many organizations use geo-blacklisting to completely block traffic from countries, from which they don’t expect any significant number of legitimate visitors.

With anonymous proxies the attack can not only spread across multiple IPs but also across multiple geo-locations, rendering geo-blacklisting ineffective.

Figure 3: Geo-distribution: Shotgun DDoS vs typical similarly sized attack. ( Geo-distribution: Shotgun DDoS vs typical similarly sized attack. ( click to enlarge

5. Low rate per source

By distributing the overall attack volume across multiple proxies, the perpetrator minimizes the individual payload, delivered by each single attack source. Doing so helps circumvent rate-limiting security mechanisms, often used to deflect DDoS traffic.

6. Header obfuscation

Routing HTTP traffic through a proxy has the side effect of introducing slight modifications to the HTTP headers. In the case of DDoS attacks, this plays to the perpetrator’s advantage, offering the ability to mass-scramble the HTTP headers of otherwise uniform DoS and DDoS bots.

Equipped with such scrambled headers, malicious bots have a better chance of circumventing signature-based security tools, since these solutions rely on detection of specific HTTP signatures, or common patterns in HTTP headers, in order to identify and block malicious bots.

Before: GET / HTTP/1.1 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Encoding: gzip, deflate Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 Host: www.mydomain.com User-Agent: Mozilla/4.0 Connection: Keep-Alive ——————————————————————- After: GET / HTTP/1.1 Host: www.mydomain.com User-Agent: Mozilla/4.0 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 Accept-Language: it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3 X-Forwarded-For: 1.1.1.1, 1.1.1.2, 1.1.1.3 Accept-Encoding: gzip, deflate Connection: keep-alive

Figure 4: Example of a HTTP header being modified while going through proxy.

Shotgun DDoS by Numbers

Combining a high rate of effectiveness with ease of execution, Shotgun DDoS attacks are becoming very common.

In the 31-day period from January 6 to February 7, 2015, DDoS attacks from anonymous proxies accounted for nearly 20% of all application layer DDoS attacks mitigated by Incapsula during that period.

The Tor Factor

Nearly 45% of all Shotgun DDoS attacks originated from IPs on the Tor network. Out of these, 60% were performed via the Tor’s Hammer DoS tool used to execute low-and-slow POST attacks.

Consequently, DDoS attacks originating from the Tor network area ”on average” smaller in spread and in volume.

Our data sample shows that, on average, perpetrators were directing traffic from 1,800 different IPs. The maximum number of IPs we recorded in a single attack was 4,387.

In terms of attack size, DDoS attacks from anonymous proxies averaged 540,000 requests per attack. The largest anonymous proxy attack in that 31-day period weighed in at over 5,000,000 requests.

Figure 5: Map of all IPs used for Shotgun DDoS attacks, during a 31-day period.

To avoid underplaying the threat posed by anonymous proxy attacks, it should be mentioned that when discussing application layer DDoS threats, the importance of an attack’s volume is secondary to its ability to circumvent security measures.

In application layer DDoS attacks (e.g., HTTP GET/POST flood) the goal is not to cause network saturation but to exhaust the server’s computing resources by initiating resource intensive processes.

If not blocked, an attack of 50-100 requests per seconds would suffice to take down a typical SME website running on a dedicated hosting server.

Protecting Our Clients

Our security research over the past two years has consistently pointed to the increased sophistication of application layer DDoS attacks. The practice of obfuscating DDoS bot HTTP fingerprint and IP of origin clearly reflects that trend and illustrates in-depth understanding of security measures and their creativity in finding ways to get around them.

To protect clients from these attacks, Incapsula employs a combination of behavior and reputation-based security techniques; the latter being enabled by the above-mentioned IP database.

Thus, by spotting abnormal traffic patterns, and by tracing traffic from potentially compromised devices, Incapsula security researchers can identify obfuscated DDoS traffic emerging from anonymous proxies.

Figure 6: Mitigating a DDoS attack emerging from Tor proxy servers.

Once identified, these bots are blocked either by default security heuristics or, in the case of new variants, by custom security rules deployed with the help of IncapRules engine.

Finally, our security’s team is also constantly expanding its signature pool to cover a wide variety of possible header variants like those created by obfuscation via proxies.