A few months back, the Alibaba Cloud security team observed a new trend in DDoS attacks where common, everyday mobile apps are becoming DDoS attack tools, and the traditional mitigation policies are no longer effective against attacks launched by mobile botnets. This article further analyzes the characteristic features of the DDoS attack mitigated by the intelligent protection engine of Alibaba Cloud Anti-DDoS Service.

Tracing analysis shows that these DDoS attacks were caused by a large number of users installing malicious apps, disguised as normal applications, on their mobile phones. These malicious apps initiate attacks against target websites chosen dynamically by the attacker. More than 500,000 mobile devices were seen using these DDoS attack tools in the past few months, giving a single attack the same severity as a PC botnet DDoS attack. It is clear that malicious apps disguised as common applications have turned a massive number of mobile devices into a new generation of botnets. This pattern indicates that hackers are upgrading their techniques to deliver more severe impact.

What Are the Features of This Mobile Botnet DDoS Attack?

1. Evenly distributed mobile device operating systems affected
About 40% are iOS devices and 60% are Android devices.

2. Huge attack with a large number of mobile devices
In a single attack, the peak number of requests per second (QPS) can reach millions, initiated through more than 500,000 mobile devices, with very few repeated source IP addresses in each attack instance.

3. Geographically distributed attack source IP addresses
Attack source IP addresses came from nearly 40 different ISPs in more than 160 countries around the world.

Figure: Distribution of attack source IP addresses

4. Cellular base stations contributing most attack source IP addresses
Due to the way mobile phones constantly change their network connections and the way apps start and stop, we observed an unusually high number of attack source IP addresses. Nearly half of the attack source IP addresses were large cellular base station gateway IP addresses, meaning that the same source IP address carries both attack traffic and a large amount of normal user traffic. More than half of the attack source IP addresses were not attack initiations; the attack duration of each source IP address varies, and the request frequency of a single attack source IP address is not high.

Figure: Number of IP addresses with different attack durations and the number of their requests in an attack

Traditional Mitigation Policies Are No Longer Effective

The combination of rate limiting and blacklisting was an effective mitigation policy in the era of PC botnets. However, mobile devices are far more ubiquitous than PCs, resulting in a large quantity of attacks initiated by malicious apps disguised as normal applications, even though the apps themselves may be obscure. Even if the request frequency of a single device is low, the aggregated number of requests from all devices can overwhelm the target site, making it easy for a hacker to attack the target site without triggering any rate limiting policy. In addition, the majority of the attack sources are large cellular base station gateway IP addresses, rendering traditional defense policies such as blacklisting useless, as blacklisting a cellular base station would leave a large number of normal users unable to access the cellular services. New mobile devices of the botnet were constantly added during the attack, so a blacklist mechanism may not be enough to block the attack effectively. The once-effective mitigation policies are now ineffective in the face of these new attacks.
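The two failure modes described above (a per-source rate limit that nothing trips, and a blacklist that hits shared cellular gateway addresses) can be measured on a traffic sample. The script below is an added illustration, not Alibaba Cloud code: it builds a constructed minute of traffic in which hundreds of bot devices each send one request per second from their own address while two gateway addresses carry a few bots mixed with more normal users, then evaluates both policies against it. The addresses, the thresholds (`PER_IP_QPS_LIMIT`, `SITE_CAPACITY_QPS`) and the "attack"/"normal" ground-truth labels are all assumptions made for the example; a real defender only has the unlabeled request stream.

```python
"""Why per-source rate limiting and IP blacklisting fail against a mobile
botnet: a constructed traffic sample evaluated under both policies.
Added illustration, not Alibaba Cloud code; every address, threshold and
traffic volume here is constructed for the example."""
from collections import Counter, defaultdict

PER_IP_QPS_LIMIT = 10    # assumed per-source rate limit of the protected site
SITE_CAPACITY_QPS = 150  # assumed request rate the protected site can absorb


def build_sample():
    """Return constructed events as (second, source_ip, label). The label is
    ground truth ("attack" or "normal") that a real defender would not have."""
    events = []
    # 400 bot devices on distinct addresses, each sending 1 request/second for
    # 20 seconds from a device-specific offset (devices join and leave).
    for dev in range(400):
        ip = f"10.{dev // 256}.{dev % 256}.1"   # placeholder private addresses
        start = dev % 40
        events.extend((t, ip, "attack") for t in range(start, start + 20))
    # Two cellular gateway addresses (placeholder CGNAT range), each carrying
    # 3 bots and 6 normal users, all at 1 request/second for the whole minute.
    for gw in ("100.64.0.1", "100.64.0.2"):
        for t in range(60):
            events.extend((t, gw, "attack") for _ in range(3))
            events.extend((t, gw, "normal") for _ in range(6))
    return events


def per_ip_profile(events):
    """Per source IP: peak QPS, active duration in seconds, total requests,
    and how many of those requests were really normal user traffic."""
    per_sec = defaultdict(Counter)   # ip -> Counter(second -> requests)
    normal = Counter()
    for t, ip, label in events:
        per_sec[ip][t] += 1
        if label == "normal":
            normal[ip] += 1
    profile = {}
    for ip, secs in per_sec.items():
        profile[ip] = {
            "peak_qps": max(secs.values()),
            "duration": max(secs) - min(secs) + 1,
            "requests": sum(secs.values()),
            "normal_requests": normal[ip],
        }
    return profile


def aggregate_peak_qps(events, blocked=frozenset()):
    """Peak requests/second reaching the site once `blocked` IPs are dropped."""
    per_sec = Counter(t for t, ip, _ in events if ip not in blocked)
    return max(per_sec.values())


def rate_limit_blocks(profile, limit=PER_IP_QPS_LIMIT):
    """IPs a per-source rate limit would act on; empty when every device is slow."""
    return {ip for ip, p in profile.items() if p["peak_qps"] > limit}


def blacklist_top_talkers(profile, n=2):
    """Naive blacklist: the n source IPs with the most requests."""
    ranked = sorted(profile.items(), key=lambda kv: -kv[1]["requests"])
    return {ip for ip, _ in ranked[:n]}


def evaluate():
    """Run both policies over the sample and report what each achieves."""
    events = build_sample()
    profile = per_ip_profile(events)
    limited = rate_limit_blocks(profile)
    blacklist = blacklist_top_talkers(profile)
    return {
        "source_ips": len(profile),
        "site_capacity_qps": SITE_CAPACITY_QPS,
        "peak_qps_no_mitigation": aggregate_peak_qps(events),
        "ips_hit_by_rate_limit": len(limited),
        "peak_qps_after_rate_limit": aggregate_peak_qps(events, limited),
        "blacklisted": sorted(blacklist),
        "normal_requests_lost_to_blacklist": sum(
            profile[ip]["normal_requests"] for ip in blacklist),
        "peak_qps_after_blacklist": aggregate_peak_qps(events, blacklist),
    }


if __name__ == "__main__":
    for key, value in evaluate().items():
        print(f"{key}: {value}")
```

On this sample no source exceeds the per-IP limit, so rate limiting leaves the aggregate peak untouched and well above the assumed site capacity; the top-talker blacklist picks exactly the two gateway addresses, discards their normal users' requests, and still leaves the 400 single-device bots driving the peak. The same profiling (per-IP peak rate, active duration, request count) is what the attack-duration figure in the article summarizes, and it is the evidence a defender needs before deciding that per-IP controls are the wrong tool.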