In recent years, cyber attackers have adopted a new, more surreptitious operational mandate; one that employs a set of strategies and technologies that dramatically complicate the detection process. At the forefront of these rogues like tactics are serving up dynamic IP addresses.
To overcome traditional defenses, attackers commonly use headless browser software, such as PhantomJS or a Selenium WebDriver. They also employ multiple evasion tactics. To avoid triggering size- or rate-limiting thresholds, they split the load between dozens of IP addresses and constantly add new IP addresses. Human-like “behaviors” are incorporated—starting at different landing pages and mimicking human-like timings and patterns of movement. They can be especially difficult to detect when attacks are low rate and low volume and are spread over time and across a large pool of changing IP addresses.
Types of Dynamic IP Attacks
Dynamic IP attacks come in various shapes and colors, but some of the most common scenarios include:
- HTTP/S flooding: This technique involves full-page reloads of dynamic content, fetching
large elements and bypassing cache. Imagine 100 visitors arriving from what appear to be legitimate IP addresses and client headers. The empty browser cache issues a full-page reload that fetches about 50 HTML elements. After a minute, the process repeats with a new group of 100 IP addresses—resulting in 5,000 HTTPS requests per second.
- Password brute-force attempts: These often target HTTP, FTP, SQL, SSH and RDP. For example, 100 simultaneous clients, each with a unique IP, issue one request per second. After a minute, every client returns with a new IP address, generating 100 password attempts per second.
- Web scraping/data harvesting by gray marketers: This technique can be used to attack online ticketing systems, enabling attackers to buy and sell tickets at a profit. Launching 500 clients with unique IPs, attackers monitor 500 tickets, waiting for a dramatic price drop to make a “bargain” purchase. Every client refreshes the pages every 10 seconds. After a minute, each of the 500 clients returns with a new IP— resulting in 500 bots online, each making 50 requests per second.
- Web scraping/data harvesting by competitors: This type of attack is similar to the one described above but is executed to collect competitive pricing and plagiarize content. In this type of dynamic IP attack, 100 clients with unique IPs issue 10 requests per minute, with each client crawling through a different category and clicking on items in random order. After three minutes, each client returns with a new IP. The result is the ability to “scrape” 1,000 items per minute.
- Clickjacking: This attack involves click fraud on a competitor’s pay-per-click (PPC) advertisements. A common scenario: An operator remotely controls 1,000 malware-infected PCs. Every day, the malware generates 1,000 faked clicks on a competitor’s PPC affiliate ads, leading to 30,000 monthly clicks. The competitor must then pay the affiliate regardless of whether or not a purchase is made. At one cent per click, the attack drums up $300 for the affiliate.
Methods of Execution
Attackers commonly use one of four methods to gain access to a large pool of IP addresses: malware botnets, lists of SOCK proxies, VPN services or cloud services.
Malware Botnets: The notorious botnet created by the Linux XOR. DDOS malware has been responsible for thousands of DDoS attacks and hundreds of thousands of SSH brute-force attempts. The vast majority of targets infected by this malware are personal home routers or modems, all of which receive dynamic IPs from the respective Internet service providers.
Another example is the recently discovered Linux Ellipses malware, which infects the Linux host. In a sophisticated technique, it installs an anonymous proxy server that carries out future attacks. This malicious behavior further increases the prevalence of dynamic IT attacks.