Bots’ brazen User-Agent headers
by Rich Sutton, September 28th, 2007
The esteemed security group CastleCops was under a distributed denial-of-service attack back at the beginning of September. The DDoS apparently consisted of both a TCP SYN flood and an HTTP request flood. They posted some great data to help the community identify suspected zombie computers used to carry out the attack: an HTTP log of suspicious web access to their site, and a list of IPs with whois data of possible bot-infected hosts.
As with most web server logs, the last field is the value from the User-Agent header sent in the HTTP request. You might think that in an effort to cloak the malicious intent of their HTTP requests, bot authors would simply cut-and-paste the User-Agent from a current version of a popular browser. Here’s what my version of Firefox sends:
Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7
Here are a few suspicious entries from the CastleCops list:
Mozilla/4.0 compatible ZyBorg/1.0 (wn.zyborg@looksmart.net; http://www.lolyousuck.com)
FAST-WebCrawler/3.8 (atw-crawler at fast dot no; http://i.love.teh.c**k/support/crawler.asp)
Googlebot/2.1 (+http://www.googlebawt.com/bot.html)
Wow. That’s incredibly brazen. The only plausible explanation for why the bot authors don’t bother to cloak their User-Agents is that nobody is in a position to act on this information quickly enough to significantly affect the success of a DDoS.
Now there are a jillion known User-Agents out there in the wild, and these appear to be small modifications of recognized crawler User-Agent values: the real Googlebot string points at www.google.com/bot.html, not googlebawt.com. That makes them data a security appliance vendor (like 8e6) could act on at the gateway. Watching inbound requests to a network, you could help mitigate a DDoS. But perhaps more interestingly for enterprises and school districts who are unlikely to come under DDoS, watching outbound requests from a network, you could identify potentially infected hosts inside that network. If one of your computers is being used to carry out a DDoS attack from inside your network, that’s definitely a liability for your company. The obvious caveat is that the User-Agent header is entirely under the sender’s control, so a signature like this only catches bots whose authors never bothered to hide; the moment it costs them traffic, they will paste in a real browser string.
Another observation here is that different User-Agents coming from a single source address in a short period of time is clearly a heuristic for identifying infected machines. Again, from the web server log:
200.181.98.197 - [02/Sep/2007:01:30:51 +0000] "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031021"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/4.75 [en]"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
That’s four web requests from the same host using different User-Agent strings inside of two seconds. Keep in mind that a large NAT gateway or forward proxy will also show many User-Agents behind a single address, so treat this as a trigger for investigation (and combine it with request rate) rather than an automatic block.
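Here is what both checks from this post look like as a small log-analysis script: flagging User-Agents that claim a known crawler but point at the wrong domain, and flagging source addresses that cycle through several User-Agents inside a short window. This is an added example written for this page, not code from CastleCops or from any vendor. The log format is the abbreviated one quoted above (source IP, timestamp, User-Agent); the first four sample lines are the CastleCops entries, the remaining lines and the 192.0.2.x addresses are constructed for the example. The crawler table holds only Googlebot, whose info URL is known to live under google.com; the "no URL means spoofed" rule and the 3-User-Agents-in-2-seconds threshold are assumptions you would tune to your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the abbreviated format quoted in the post.
# Lines 1-4 are the CastleCops entries; the rest are made up for this example.
SAMPLE_LOG = """\
200.181.98.197 - [02/Sep/2007:01:30:51 +0000] "Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/5.0 (X11; U; FreeBSD i386; en-US; rv:1.5) Gecko/20031021"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/4.75 [en]"
200.181.98.197 - [02/Sep/2007:01:30:52 +0000] "Mozilla/4.0 (compatible; MSIE 5.5; Windows 98)"
192.0.2.10 - [02/Sep/2007:01:30:53 +0000] "Googlebot/2.1 (+http://www.googlebawt.com/bot.html)"
192.0.2.11 - [02/Sep/2007:01:30:53 +0000] "Googlebot/2.1 (+http://www.google.com/bot.html)"
192.0.2.12 - [02/Sep/2007:01:31:00 +0000] "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.7) Gecko/20070914 Firefox/2.0.0.7"
192.0.2.12 - [02/Sep/2007:01:35:00 +0000] "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) - \[(?P<ts>[^\]]+)\] "(?P<ua>.*)"$')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
URL_HOST_RE = re.compile(r'https?://([^\s/;)]+)')

# Crawler product token -> domain its info URL is expected to live under.
# Only Googlebot is listed because that mapping is certain; extend as needed.
KNOWN_CRAWLERS = {
    "Googlebot": "google.com",
}


def parse_line(line):
    """Return {ip, ts, ua} for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), TS_FMT),
        "ua": m.group("ua"),
    }


def spoofed_crawler(ua):
    """True if the UA claims a known crawler but its URL(s) point elsewhere.

    Heuristic assumption: a crawler UA with no URL at all is also treated as
    tampered. This only catches lazy forgeries; the header is attacker-controlled.
    """
    for token, domain in KNOWN_CRAWLERS.items():
        if token not in ua:
            continue
        hosts = [h.lower() for h in URL_HOST_RE.findall(ua)]
        if not hosts:
            return True
        if not all(h == domain or h.endswith("." + domain) for h in hosts):
            return True
    return False


def ua_churn(records, window_seconds=2, min_distinct=3):
    """Map source IP -> max number of distinct UAs seen inside any window.

    Only IPs reaching min_distinct are returned. Sliding window over each
    IP's requests sorted by timestamp. Thresholds are assumptions to tune.
    """
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        best, start = 0, 0
        for end in range(len(recs)):
            # Advance the window start until it is within window of recs[end].
            while recs[end]["ts"] - recs[start]["ts"] > window:
                start += 1
            distinct = len({r["ua"] for r in recs[start:end + 1]})
            best = max(best, distinct)
        if best >= min_distinct:
            flagged[ip] = best
    return flagged


def analyze(log_text):
    """Run both checks over a log and return the hits."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    spoofed = [(r["ip"], r["ua"]) for r in records if spoofed_crawler(r["ua"])]
    return {"spoofed": spoofed, "churn": ua_churn(records)}


if __name__ == "__main__":
    hits = analyze(SAMPLE_LOG)
    for ip, ua in hits["spoofed"]:
        print(f"spoofed crawler UA from {ip}: {ua}")
    for ip, n in hits["churn"].items():
        print(f"{ip}: {n} distinct User-Agents inside a 2s window")
```

On the sample log the script flags 192.0.2.10 for the googlebawt.com string and 200.181.98.197 for four distinct User-Agents in one second, while 192.0.2.12 (two User-Agents four minutes apart, a plausible user with two browsers) is left alone. Run inbound, the crawler check is a cheap DDoS filter; run on outbound proxy logs, the churn check is the infected-host finder the post describes. For anything claiming to be a real search crawler, the stronger check is the one the search engines themselves document: reverse-DNS the source IP and forward-confirm the name, rather than trusting the header.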
Tags: Bots, castlecops, ddos
