A Game of Cat and Mouse: Dynamic IP Address and Cyber Attacks


By VARINDIA - 2017-03-27

In recent years, cyber attackers have adopted a new, more surreptitious operational mandate, one that employs a set of strategies and technologies that dramatically complicate the detection process. At the forefront of these rogue-like tactics is the use of dynamic IP addresses.

 

In general, dynamic IP attacks target Layer 7, the application layer. Using real IP addresses, they establish a three-way TCP handshake and successfully bypass cookie and JavaScript challenges. These attacks are highly disruptive, and it is difficult, if not impossible, for IP-based defense systems to distinguish between legitimate and malicious visitors.

 

To overcome traditional defenses, attackers commonly use headless browser software, such as PhantomJS or a Selenium WebDriver. They also employ multiple evasion tactics. To avoid triggering size- or rate-limiting thresholds, they split the load between dozens of IP addresses and constantly add new IP addresses. Human-like “behaviors” are incorporated—starting at different landing pages and mimicking human-like timings and patterns of movement. They can be especially difficult to detect when attacks are low rate and low volume and are spread over time and across a large pool of changing IP addresses.

 

Types of Dynamic IP Attacks

 

Dynamic IP attacks come in various shapes and colors, but some of the most common scenarios include:

 

• HTTP/S flooding: This technique involves full-page reloads of dynamic content, fetching large elements and bypassing cache. Imagine 100 visitors arriving with what appear to be legitimate IP addresses and client headers. Because each browser cache is empty, every visitor issues a full-page reload that fetches about 50 HTML elements. After a minute, the process repeats with a new group of 100 IP addresses, resulting in 5,000 HTTPS requests per second.

 

• Password brute-force attempts: These often target HTTP, FTP, SQL, SSH and RDP. For example, 100 simultaneous clients, each with a unique IP, issue one request per second. After a minute, every client returns with a new IP address, generating 100 password attempts per second.

 

• Web scraping/data harvesting by gray marketers: This technique can be used to attack online ticketing systems, enabling attackers to buy and sell tickets at a profit. Launching 500 clients with unique IPs, attackers monitor 500 tickets, waiting for a dramatic price drop to make a “bargain” purchase. Every client refreshes the pages every 10 seconds. After a minute, each of the 500 clients returns with a new IP, resulting in 500 bots online, each making 50 requests per second.

 

• Web scraping/data harvesting by competitors: This type of attack is similar to the one described above but is executed to collect competitive pricing and plagiarize content. In this type of dynamic IP attack, 100 clients with unique IPs issue 10 requests per minute, with each client crawling through a different category and clicking on items in random order. After three minutes, each client returns with a new IP. The result is the ability to “scrape” 1,000 items per minute.

 

• Clickjacking: This attack involves click fraud on a competitor’s pay-per-click (PPC) advertisements. A common scenario: An operator remotely controls 1,000 malware-infected PCs. Every day, the malware generates 1,000 faked clicks on a competitor’s PPC affiliate ads, leading to 30,000 monthly clicks. The competitor must then pay the affiliate regardless of whether or not a purchase is made. At one cent per click, the attack drums up $300 for the affiliate.

 

Methods of Execution

 

Attackers commonly use one of four methods to gain access to a large pool of IP addresses: malware botnets, lists of SOCKS proxies, VPN services or cloud services.

 

Malware Botnets

The notorious botnet created by the Linux XOR.DDoS malware has been responsible for thousands of DDoS attacks and hundreds of thousands of SSH brute-force attempts. The vast majority of targets infected by this malware are personal home routers or modems, all of which receive dynamic IPs from their respective Internet service providers.

 

Another example is the recently discovered Linux Ellipses malware, which infects the Linux host. In a sophisticated technique, it installs an anonymous proxy server that carries out future attacks. This malicious behavior further increases the prevalence of dynamic IP attacks.

 

Lists of SOCKS Proxies

 

A huge number of SOCKS proxy lists are floating publicly on various amateur forums. New lists are submitted every day, with numerous offers from sellers of “verified and working” lists. Some sites have transformed this into a business of renting SOCKS servers for a specific duration. Various attack scripts and tools can use lists of SOCKS proxies to generate traffic over thousands of real clients.

 

VPN Services

 

A variety of companies offer virtual private networking (VPN) services, including Hotspot Shield, TunnelBear, Private Internet Access, HideMyAss and CyberGhost, to name just a few. With hundreds of servers spread all over the world, these providers offer a pool of more than 100,000 IP addresses. In mid-2015, the free “Hola VPN” browser extension was used to carry out a DDoS attack against the popular 8chan image board. More than 50 million users around the world use Hola to mask their true locations, bypassing censorship and gaining access to geo-blocked content, such as Netflix and BBC programming.

 

Cloud Services

 

Many cloud providers offer a free tier for developers and users who want to run small-sized servers and applications on cloud infrastructures. Such cloud providers are often the target of hackers, who are continually seeking access to more servers and services for launching malicious activity.

 

In the quest to attract more customers, many cloud providers offer a simple and easy process for creating a new account. This ease of use has a dark side: insufficient security validations that enable hackers to abuse the cloud services and generate massive quantities of fraudulent accounts. Those fraudulent accounts can then be used to launch network attacks. Existing cloud customers also can be the target of hackers, who welcome opportunities to obtain leaked or stolen API keys. Hackers can then use those keys to programmatically manipulate cloud services, such as Google AppEngine and Amazon Web Services (AWS). When such API keys fall into the wrong hands, they can be abused—as evidenced by a web developer who recently lost a reported $6,500 in just a few hours after his Amazon API keys were accidentally leaked on the public Internet.

 

Defending Against Dynamic IP Attacks

 

It is not unusual for dynamic IP attacks to be overlooked. After all, these attacks are challenging to defend against and most defense systems are not capable of acting against attacks that so closely resemble real user patterns. Even so, Radware expects focus and attention on these attacks to grow as organizations become more aware of the risks.

 

If traditional cyber and application protection systems cannot thwart dynamic IP attacks, what can organizations do to protect themselves? The answer lies in advanced defense systems that leverage behavioral-based detection mechanisms. These sophisticated capabilities help in identifying malicious bots, headless browsers and other dynamic IP attacks. Ideally, behavioral-based defense should offer an advanced host fingerprinting mechanism, which goes far beyond IP-based detection to identify—and block—malicious actors in real time.
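The gap between IP-based and fingerprint-based detection can be seen on a small sample. The following is an added example, not code from the article or from any vendor product: it replays a scaled-down version of the password brute-force scenario above and compares a per-IP threshold with a per-fingerprint view. The `fingerprint` field (assumed to be a precomputed hash of client attributes), the thresholds and all log data are constructed for illustration.

```python
from collections import defaultdict

WINDOW = 300         # seconds per analysis window (assumed)
PER_IP_LIMIT = 100   # failed logins per IP per window (assumed threshold)
FP_IP_LIMIT = 20     # distinct IPs per fingerprint per window (assumed)
FP_FAIL_LIMIT = 100  # failed logins per fingerprint per window (assumed)

def build_events():
    """Constructed sample log: (timestamp_sec, ip, fingerprint, outcome)."""
    events = []
    # Scaled-down version of the article's brute-force scenario: 5 clients,
    # one attempt per second each, every client on a new IP each minute.
    for bot in range(5):
        for t in range(300):
            ip = f"198.51.100.{bot * 5 + t // 60 + 1}"
            events.append((t, ip, "fp-headless-01", "fail"))
    # 20 ordinary users: fixed IP, own fingerprint, one typo then success.
    for u in range(20):
        ip, fp = f"203.0.113.{u + 1}", f"fp-user-{u:02d}"
        events += [(u * 10, ip, fp, "fail"), (u * 10 + 5, ip, fp, "ok")]
    return events

def flag_by_ip(events):
    """Classic per-IP threshold: IPs with too many failures in a window."""
    fails = defaultdict(int)
    for ts, ip, _fp, outcome in events:
        if outcome == "fail":
            fails[(ip, ts // WINDOW)] += 1
    return {ip for (ip, _w), n in fails.items() if n > PER_IP_LIMIT}

def flag_by_fingerprint(events):
    """Per-fingerprint view: failures and distinct IPs behind one client."""
    fails, ips = defaultdict(int), defaultdict(set)
    for ts, ip, fp, outcome in events:
        key = (fp, ts // WINDOW)
        ips[key].add(ip)
        if outcome == "fail":
            fails[key] += 1
    # Require both signals so that a popular browser build (many IPs, few
    # failures) is not flagged on its own.
    return {fp: (len(ips[(fp, w)]), n) for (fp, w), n in fails.items()
            if n > FP_FAIL_LIMIT and len(ips[(fp, w)]) > FP_IP_LIMIT}

if __name__ == "__main__":
    log = build_events()
    print("flagged by IP:", flag_by_ip(log))
    print("flagged by fingerprint:", flag_by_fingerprint(log))
```

Each rotating address stays at 60 failures, under the per-IP limit, while the shared fingerprint accumulates all of them across 25 addresses.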

 

Nikhil Taneja
Managing Director - INDIA & SAARC
Radware March 2017
