Anonymous proxies used to carry out shotgun DDoS attacks
We're all increasingly concerned about our privacy and the footprint that we leave on the internet. It's not surprising, then, that more of us are turning to anonymous proxies to hide our origin IP and HTTP details.
But new research from website security company Incapsula has uncovered a darker side to the use of anonymizers as a source of DDoS attacks.
According to the findings, DDoS attacks from anonymous proxies accounted for 20 percent of all application layer attacks. On average, perpetrators were directing traffic from 1,800 different IPs. This is what Incapsula calls a "Shotgun" attack.
The idea behind this type of attack is to use a large number of open proxies, turning a single-source denial of service (DoS) attack into a distributed one (DDoS), thereby making it much harder to mitigate. It's also attractive to attackers as it makes them harder to trace.
The attackers harvest a list of publicly available proxy servers, using a script or list tools available online. They then use a modified version of a DoS toolkit or a homemade DoS script to send out a batch of malicious requests through each of the harvested proxies.
This produces a scattering effect, similar to the small pellets from a shotgun shell -- hence the name. Yet where real shotgun pellets would disperse, the DoS requests always zero in on the same target, hitting it from multiple directions and creating a DDoS attack.
The graphic below shows the distribution of a Shotgun DDoS compared to that of a similarly sized conventional attack. With anonymous proxies, the attack can spread not only across multiple IPs but also across multiple geographic locations, making geo-blacklisting techniques ineffective.
The report shows that nearly 45 percent of all shotgun DDoS attacks originated from IPs on the Tor network. Of those, 60 percent were performed using Tor's Hammer DoS tool. Anonymous proxies averaged 540,000 requests per attack.
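An added illustration, not taken from Incapsula's report: the Python sketch below runs two counting rules over constructed request records to show why a per-IP rate limit sees nothing when a flood is spread across many proxies, while counting requests and distinct sources per target does. The window, thresholds, addresses and function names are assumptions chosen for the example.

```python
from collections import Counter, defaultdict

WINDOW = 60  # seconds per counting bucket (assumed value)

def sample_events():
    """Constructed traffic records: (epoch_second, source_ip, country, path)."""
    countries = ["US", "DE", "BR", "RU", "CN", "IN"]
    events = []
    # Proxied flood: 300 sources in 6 countries, 5 requests each, one target.
    for i in range(300):
        ip = f"10.0.{i // 250}.{i % 250}"
        for k in range(5):
            events.append((k * 12, ip, countries[i % 6], "/search"))
    # Ordinary visitors: 40 sources, 3 requests each, spread over 8 pages.
    for i in range(40):
        for k in range(3):
            events.append((k * 20, f"192.0.2.{i}", "US", f"/page{i % 8}"))
    return events

def noisy_sources(events, per_ip_limit):
    """Per-IP rate limit: sources exceeding the limit within any window."""
    counts = Counter((ts // WINDOW, ip) for ts, ip, _, _ in events)
    return {ip for (_, ip), n in counts.items() if n > per_ip_limit}

def flooded_targets(events, req_limit, src_limit):
    """Per-target rule: paths hit by many requests from many distinct sources.

    Returns {path: (requests, distinct_sources, largest_country_share)}.
    """
    reqs = Counter()
    srcs = defaultdict(set)
    geo = defaultdict(Counter)
    for ts, ip, cc, path in events:
        key = (ts // WINDOW, path)
        reqs[key] += 1
        srcs[key].add(ip)
        geo[key][cc] += 1
    flagged = {}
    for key, n in reqs.items():
        if n > req_limit and len(srcs[key]) > src_limit:
            top_share = geo[key].most_common(1)[0][1] / n
            flagged[key[1]] = (n, len(srcs[key]), round(top_share, 2))
    return flagged

if __name__ == "__main__":
    ev = sample_events()
    print("flagged by per-IP limit of 20:", noisy_sources(ev, 20))
    print("flagged by per-target rule:", flooded_targets(ev, 500, 100))
```

In the constructed data no single source exceeds the per-IP limit, yet the target receives 1,500 requests in one window, and the largest single country accounts for only about a sixth of them.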
For more about Incapsula's research into DDoS attacks and how to guard against them, you can visit the company's website.