Anonymous proxies now used in a fifth of DDOS attacks

The number of distributed denial of service attacks using anonymous proxies has increased dramatically over the past year, according to a new research report, as attackers use these proxies to create an instant pseudo-botnet.

Ofer Gayer, security researcher at Redwood Shores, CA-based Incapsula Inc., said he first spotted the trend about a year ago.

Incapsula was working on creating a database of IP addresses spotted attempting malicious activity, and discovered that attackers were abusing anonymous proxies to turn a regular single-origin denial of service attack into a distributed denial of service attack with traffic flowing through thousands — or tens of thousands — different IP addresses.

A year ago, fewer than 5 percent of DDOS attacks came through anonymous proxies. Today, the number is close to 20 percent, Gayer said.

“The trend intensified over the past two months,” Gayer said. “Currently, 20 percent of all application-layer attacks are originating from these proxy servers.”

Of those, nearly 45 percent came from the TOR network of anonymous routers, and, of those, 60 percent used the TOR Hammer DoS tool.

On average, a single attacker would direct traffic from 1,800 different IP addresses, with 540,000 requests per instance.

According to Incapsula product evangelist Igal Zeifman, what this means is that an attacker could be sitting at home, on a single computer, and route traffic to a list of anonymous proxies to create an instant botnet-style attack.

All it takes is a proxy harvesting script and a publicly-available DOS toolkit.

Anonymous proxies, or anonymizers, can serve a useful purpose, preventing identity theft, protecting search histories, avoiding geographical marketing and access restrictions, and allowing activists to bypass Internet censorship of repressive regimes.

They also offer several benefits to DDOS attackers.

First, they mask the source of an attack and help the attackers evade security measures based on access control lists. They also help the attacker avoid geo-blacklisting, since the attack can be spread among proxies in many different countries.

Second, since each proxy is only passing along a small number of messages, it helps the attackers avoid counter-measures based on limiting the number of messages from a single source.

Finally, proxies make slight changes to message headers. That helps the attackers avoid signature-based defenses.

“You can Google to find several options to generate lists of these servers,” said Zeifman. “And these servers accept requests from anyone.”

Each of the anonymous proxies can be used to forward a small amount of traffic, that, together, add up to enough to take down an application.

“It’s like a thousand needles, stinging all at the same time,” said Zeifman.

Since the attackers are going after application, not much traffic is required.

“Very few server operators think about over-provisioning their CPUs,” he said. “Even a small overhead of 100 requests per second is enough to take down a dedicated server environment.”