10 July 2018
DDoS against websites critical of the Vietnam cybersecurity law
Denial of service attacks against luatkhoa.org and thevietnamese.org started on 11 June 2018 at 21:00, just a few hours before Vietnam passed its cybersecurity law despite privacy concerns. The graph shows the bandwidth that hit the website and how traffic still leaked into the backend after Cloudflare was set up on 14 June. Traffic still reaching the origin after a CDN is put in front of it usually means the origin IP is still reachable directly, so the origin firewall should accept HTTP(S) only from the CDN's published address ranges.
The 11 June attacks, which originally lasted a few hours, continued during the whole week. The application layer attacks consisted of thousands of GET and POST web requests coming from a botnet.
A large botnet composed of infected computers
To avoid detection and blocking, the botnet constantly rotates its source IP addresses, and a single IP address does not present many different "User-Agents". A sample of the access log (source addresses masked):
175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)"
175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
175.144.28.x "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"
105.184.235.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
113.210.34.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
117.221.254.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
122.164.100.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
190.147.205.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
41.251.231.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
52.201.253.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10"
The botnet uses many different User-Agents without a distinctive pattern.
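The two signals described above (one User-Agent shared by many unrelated consumer IPs, and a single IP cycling through a few User-Agents) can be pulled out of an access log mechanically. The following is an added example written for this page, not code from the original post; it parses lines in the `IP "-" "User-Agent"` shape shown above and builds both per-User-Agent and per-IP profiles. The log lines embedded in it are constructed for the example from the masked sample above; the `min_ips` and `min_uas` thresholds are assumptions to be tuned against normal traffic.

```python
"""Profile access-log lines for the user-agent rotation pattern of a GET/POST flood.

Added example (not from the original post). Input lines have the shape
    IP "-" "User-Agent"
as in the masked sample in the post. The constructed SAMPLE_LOG below reuses
those masked addresses; it is illustrative data, not the original logs.
"""
import re
from collections import defaultdict

# Source address, a literal "-" field, then the quoted User-Agent.
LINE_RE = re.compile(r'^(?P<ip>\S+)\s+"-"\s+"(?P<ua>[^"]*)"')

# Constructed sample: one IP presenting three UAs, one UA shared by three IPs.
SAMPLE_LOG = """\
175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)"
175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
175.144.28.x "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"
105.184.235.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
113.210.34.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
117.221.254.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
52.201.253.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10"
"""

SHARED_UA = ("Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) "
             "Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8")


def parse(lines):
    """Yield (ip, user_agent) for every line that matches the expected shape;
    lines that do not match (truncated, different format) are skipped."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            yield m.group("ip"), m.group("ua")


def profile(log_text):
    """Return (ips_per_ua, uas_per_ip): distinct IPs seen per User-Agent and
    distinct User-Agents seen per IP."""
    ips_per_ua = defaultdict(set)
    uas_per_ip = defaultdict(set)
    for ip, ua in parse(log_text.splitlines()):
        ips_per_ua[ua].add(ip)
        uas_per_ip[ip].add(ua)
    return ips_per_ua, uas_per_ip


def shared_user_agents(log_text, min_ips=3):
    """User-Agents presented by at least `min_ips` distinct sources.

    A UA string shared across many unrelated consumer addresses is the
    fingerprint of a distributed client. It is a lead, not proof: combine it
    with request rate per source before turning it into a block rule."""
    ips_per_ua, _ = profile(log_text)
    return {ua: len(ips) for ua, ips in ips_per_ua.items() if len(ips) >= min_ips}


def rotating_sources(log_text, min_uas=2):
    """Sources that presented at least `min_uas` different User-Agents."""
    _, uas_per_ip = profile(log_text)
    return {ip: len(uas) for ip, uas in uas_per_ip.items() if len(uas) >= min_uas}


if __name__ == "__main__":
    for ua, n in shared_user_agents(SAMPLE_LOG).items():
        print(f"{n} sources share UA: {ua}")
    for ip, n in rotating_sources(SAMPLE_LOG).items():
        print(f"{ip} presented {n} different UAs")
```

On real logs, feed `shared_user_agents` a window of a few minutes rather than the whole day: a UA shared by hundreds of fresh IPs inside one window is the pattern to act on, whereas a popular browser UA is shared by many IPs all day and is not a signal.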
The 30 most common User-Agents in the botnet's GET flood are:
Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98
Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:53.0) Gecko/20100101
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.24
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Linux; U; Android 6.0; en-US; GIONEE P7 Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.2.8.945 U3/0.8.0 Mobile
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721
Mozilla/5.0 (Linux; Android 4.2.1; en-us; Nexus 5 Build/JOP40D) AppleWebKit/535.19 (KHTML, like Gecko; googleweblight) Chrome/38.0.1025.166 Mobile
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95
The POST flood used the following User-Agents:
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; de-de) AppleWebKit/523.10.3 (KHTML, like Gecko) Version/3.0.4
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1
Mozilla/5.0 (Linux; Android 5.1.1; SM-G925F Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.6.01001)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
Botnet Geolocation
The botnet is also widely geo-located, with bots even hosted inside Vietnam. Some of the bots sit in locations like Guadalupe, Kenya or El Salvador. The recorded IP addresses indicate that the infected machines are on consumer connections behind ADSL lines. Country, ASN and network operator of the observed sources:
AE AS5384 Emirates Telecommunications Corporation
AL AS29170 Kujtesa Net Sh.p.k.
AR AS10318 CABLEVISION S.A.
BD AS38203 ADN Telecom Ltd.
BG AS34368 Natskovi & Sie Ltd.
BR AS28210 VM OPENLINK COMUNICAÇÃO MULTIMIDIA E INFORMÁTICA L
BR AS52794 Net Flex Ltda ME
CO AS10620 Telmex Colombia S.A.
CY AS6866 Cyprus Telecommunications Authority
EG AS8452 TE-AS
GR AS25472 Wind Hellas Telecommunications SA
GR AS6866 Cyprus Telecommunications Authority
ID AS17974 PT Telekomunikasi Indonesia
IN AS18002 AS Number for Interdomain Routing
IN AS24560 Bharti Airtel Ltd.
IN AS45194 Syscon Infoway Pvt. Ltd.
IN AS45271 Idea Cellular Limited
IN AS9829 National Internet Backbone
IT AS3269 Telecom Italia
KE AS15399 WANANCHI-
LA AS131267 PO box T511 Phonexay road - Xaysettha district
LA AS9873 Lao Telecom Communication
MY AS4788 TM Net
PH AS132199 Globe Telecom Inc.
PH AS17639 Converge ICT Solutions Inc.
PL AS41676 JMDI Jacek Maleszko
PL AS5617 Orange Polska Spolka Akcyjna
PS AS51737 Super Link Communications Co. Ltd
QA AS42298 Ooredoo Q.S.C.
RO AS8953 Orange Romania S.A.
SA AS39891 Saudi Telecom Company JSC
SV AS14754 Telgua
VN AS18403 The Corporation for Financing & Promoting Technology
VN AS24086 Viettel Corporation
Conclusions
One month after the denial of service attacks (10 July 2018), we have not yet identified which botnet was used for the attacks. If you have any hints, please reach out!