DDOS against luatkhoa.org and thevietnamese.org


DDOS against websites critical of the Vietnam cybersecurity law.

Denial of service attacks started on the 11th of June 2018 at 21:00 against luatkhoa.org and thevietnamese.org. The attacks began just a few hours before Vietnam passed the cybersecurity law despite privacy concerns. The graph shows the bandwidth that hit the websites and how traffic still leaked through to the backend after Cloudflare was set up on the 14th of June.

The attacks of the 11th of June, which originally lasted a few hours, continued throughout the whole week. The application-layer attacks consisted of thousands of GET and POST web requests coming from a botnet.


A large botnet composed of infected computers

In order to avoid detection and blocking, the botnet constantly rotates IP addresses, and a single IP address uses only a few User-Agents.

175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)"
175.144.28.x "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
175.144.28.x "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"


105.184.235.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
113.210.34.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
117.221.254.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
122.164.100.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
190.147.205.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
41.251.231.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
52.201.253.x "-" "Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.2.10) Gecko/20100915 Ubuntu/10.04 (lucid) Firefox/3.6.10"


Botnet uses many different User-Agents without a distinctive pattern

The 30 most common User-Agents used by the botnet GET flood are:

Opera/9.80 (Windows NT 5.1; U; en) Presto/2.10.289 Version/12.01
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:11.0) Gecko/20100101 Firefox/11.0
Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98
Mozilla/5.0 (Windows NT 6.1; rv:34.0) Gecko/20100101
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81
Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/28.0.1500.72
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133
Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:53.0) Gecko/20100101
Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US) AppleWebKit/532.0 (KHTML, like Gecko) Chrome/3.0.195.24
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 5.1; rv:5.0.1) Gecko/20100101 Firefox/5.0.1
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.0; .NET CLR 1.0.3705)
Mozilla/5.0 (Windows NT 6.0) AppleWebKit/535.1 (KHTML, like Gecko) Chrome/13.0.782.112 Safari/535.1
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Linux; U; Android 6.0; en-US; GIONEE P7 Build/MRA58K) AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 UCBrowser/11.2.8.945 U3/0.8.0 Mobile
Mozilla/5.0 (Windows NT 6.2; WOW64; rv:12.0) Gecko/20100101
Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.8) Gecko/20100721
Mozilla/5.0 (Linux; Android 4.2.1; en-us; Nexus 5 Build/JOP40D) AppleWebKit/535.19 (KHTML, like Gecko; googleweblight) Chrome/38.0.1025.166 Mobile
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.98
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_10_0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/39.0.2171.95

A POST attack used the following User-Agents:

Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:36.0) Gecko/20100101
Mozilla/5.0 (Windows NT 6.1; WOW64; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02
Mozilla/5.0 (Windows NT 5.1; rv:13.0) Gecko/20100101 Firefox/13.0.1
Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.81
Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Mozilla/5.0 (Windows NT 10.0) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/56.0.2924.87
Mozilla/5.0 (Macintosh; U; Intel Mac OS X; de-de) AppleWebKit/523.10.3 (KHTML, like Gecko) Version/3.0.4
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_1) AppleWebKit/602.2.14 (KHTML, like Gecko) Version/10.0.1
Mozilla/5.0 (Linux; Android 5.1.1; SM-G925F Build/LMY47X) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/45.0.2454.94 Mobile
Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; WOW64; Trident/5.0)
Mozilla/5.0 (compatible; Baiduspider/2.0; +http://www.baidu.com/search/spider.html)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.6.01001)
Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)
Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.0) Opera 7.02 Bork-edition [en]
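As an added example (not code from the original post), the following Python script runs the kind of log analysis behind the excerpts above: it parses lines in the same `ip "referer" "user-agent"` shape, counts hits per source, ranks the most common User-Agents (the view behind the 30-most-common list), finds User-Agent strings shared across many distinct source addresses, and flags sources that present several distinct User-Agents. The sample lines are constructed, the addresses come from the RFC 5737 documentation ranges rather than the real botnet, and the thresholds (`min_ips`, `max_uas`) are assumed values, not figures from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in the same shape as the excerpts in the post:
# client IP, referer ("-"), quoted User-Agent. Addresses are from the
# RFC 5737 documentation ranges, not the real botnet addresses.
SAMPLE_LOG = """\
192.0.2.10 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.5.01003)"
192.0.2.10 "-" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; FSL 7.0.7.01001)"
192.0.2.10 "-" "Mozilla/5.0 (Windows NT 6.1; rv:5.0) Gecko/20100101 Firefox/5.02"
198.51.100.7 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
198.51.100.8 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
203.0.113.21 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
203.0.113.22 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
203.0.113.23 "-" "Mozilla/5.0 (X11; U; Linux x86_64; de; rv:1.9.2.8) Gecko/20100723 Ubuntu/10.04 (lucid) Firefox/3.6.8"
203.0.113.24 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
203.0.113.24 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
203.0.113.24 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.116 Safari/537.36"
"""

# One line: source address, quoted referer, quoted User-Agent.
LINE_RE = re.compile(r'^(\S+)\s+"([^"]*)"\s+"([^"]*)"$')


def parse_lines(text):
    """Yield (ip, referer, user_agent) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def summarize(text):
    """Return (hits per IP, distinct UAs per IP, distinct IPs per UA, UA totals)."""
    hits = Counter()
    uas_per_ip = defaultdict(set)
    ips_per_ua = defaultdict(set)
    ua_total = Counter()
    for ip, _referer, ua in parse_lines(text):
        hits[ip] += 1
        uas_per_ip[ip].add(ua)
        ips_per_ua[ua].add(ip)
        ua_total[ua] += 1
    return hits, uas_per_ip, ips_per_ua, ua_total


def top_user_agents(text, n=30):
    """Most common User-Agents, the same view as the '30 most common' list."""
    *_, ua_total = summarize(text)
    return ua_total.most_common(n)


def shared_user_agents(text, min_ips=3):
    """UAs seen from at least `min_ips` distinct sources (assumed threshold).
    One identical string across unrelated client addresses is a stronger bot
    indicator than any single address's request rate, which IP rotation hides."""
    _, _, ips_per_ua, _ = summarize(text)
    return {ua: len(ips) for ua, ips in ips_per_ua.items() if len(ips) >= min_ips}


def anomalous_sources(text, max_uas=2):
    """IPs presenting more than `max_uas` distinct User-Agents (assumed threshold),
    like 175.144.28.x in the excerpt, which sends three different strings."""
    _, uas_per_ip, _, _ = summarize(text)
    return {ip: sorted(uas) for ip, uas in uas_per_ip.items() if len(uas) > max_uas}


if __name__ == "__main__":
    for ua, count in top_user_agents(SAMPLE_LOG, 5):
        print(f"{count:4d}  {ua}")
    print("shared across sources:", shared_user_agents(SAMPLE_LOG))
    print("multi-UA sources:", list(anomalous_sources(SAMPLE_LOG)))
```

Because the botnet rotates addresses, per-IP rate limits alone miss most of it; the shared-User-Agent view is what lets a defender build a temporary challenge or block rule at the edge (for example in Cloudflare's firewall rules) while the flood is running, and the multi-UA view catches the hosts that cycle several strings from one address.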


Botnet Geolocation

The botnet is also widely geo-distributed, with bots even hosted inside Vietnam. Some of the bots are located in places like Guadalupe, Kenya or Salvador. The recorded IP addresses indicate that the malware is running on consumer connections behind ADSL lines.

AE AS5384 Emirates Telecommunications Corporation
AL AS29170 Kujtesa Net Sh.p.k.
AR AS10318 CABLEVISION S.A.
BD AS38203 ADN Telecom Ltd.
BG AS34368 Natskovi & Sie Ltd.
BR AS28210 VM OPENLINK COMUNICAÇÃO MULTIMIDIA E INFORMÁTICA L
BR AS52794 Net Flex Ltda ME
CO AS10620 Telmex Colombia S.A.
CY AS6866 Cyprus Telecommunications Authority
EG AS8452 TE-AS
GR AS25472 Wind Hellas Telecommunications SA
GR AS6866 Cyprus Telecommunications Authority
ID AS17974 PT Telekomunikasi Indonesia
IN AS18002 AS Number for Interdomain Routing
IN AS24560 Bharti Airtel Ltd.
IN AS45194 Syscon Infoway Pvt. Ltd.
IN AS45271 Idea Cellular Limited
IN AS9829 National Internet Backbone
IT AS3269 Telecom Italia
KE AS15399 WANANCHI-
LA AS131267 PO box T511 Phonexay road - Xaysettha district
LA AS9873 Lao Telecom Communication
MY AS4788 TM Net
PH AS132199 Globe Telecom Inc.
PH AS17639 Converge ICT Solutions Inc.
PL AS41676 JMDI Jacek Maleszko
PL AS5617 Orange Polska Spolka Akcyjna
PS AS51737 Super Link Communications Co. Ltd
QA AS42298 Ooredoo Q.S.C.
RO AS8953 Orange Romania S.A.
SA AS39891 Saudi Telecom Company JSC
SV AS14754 Telgua
VN AS18403 The Corporation for Financing & Promoting Technology
VN AS24086 Viettel Corporation

Conclusions

One month after the denial of service attacks (10th July 2017), we have not yet identified which botnet was used for the attacks. If you have any hints, please reach out!