Distributed Dragons, the latest Chinese cybercriminals DDoSing the Internet

There’s a new breed of cyberattack breathing fire onto the Internet.

Security researchers have uncovered a wave of distributed-denial-of-service (DDoS) attacks originating from China. The operation, dubbed “Distributed Dragons,” has been going on for several months and has infected more than 7,000 servers worldwide. 

According to the report released by Tiger Security, the attackers—who do not seem to be connected with the Chinese government—have been able to infect machines located even in security-oriented institutions, such as the Department of Computer Science of the University of Las Vegas, Korean company Dacom Corp. (a subsidiary of LG), and the American company Clear-DDoS, a supplier of services for the mitigation of DDoS attacks.

The Distributed Dragons attackers also list Internet service proviers (ISPs), players in the leisure and gaming industries, and major Internet firms, companies such as Akamai, a leading provider of cloud services, among their targets.

A DoS (denial-of-service) is a type of cyberattack that aims to make a machine or a network resource unavailable by bombarding it with a massive stream of requests to a server—in other words, a whole bunch of fake traffic. In its “distributed” variant (DDoS), attackers use many machines to create a so-called botnet, which they control. Most botnets use Internet users’ PCs that have been infected by malware. These machines are called “zombies” since they can be remotely controlled by a botmaster. 

The Distributed Dragons operation, however, seems to be an entirely new breed of DDoS attacks. Rather than infecting just one type of computer, the Distributed Dragons attackers started with the breach of Linux servers and gradually extended to Windows machines and embedded devices, such as routers and webcams.

“By infecting servers the attackers can count on larger bandwith and computing power than the ones obtained by normal PCs,” Emanuele Gentili, cofounder and CEO of Tiger Security, told the DailyDot. “The campaign has been able to take offline some Akamai’s nodes by using just 170 servers of the over 7,000 they have worldwide.”

The Distributed Dragons cyberattacks reached traffic peaks of more than 200 Gbps bandwith and pound targets with 180 Mbps of volume (maximum packet per second) without the use of amplification techniques, which are normally employed to increase the traffic volume directed to the target. More generally, the campaign tends to focus on systems and applications that are not subject to continuous checks, updates and upgrades by the administrators.

The Distributed Dragons operation started infecting machines in January 2014, the report says. Meanwhile, its DDoS attacks kicked off in June and are still happening. The infected machines, later used as an army to attack specific targets, are scattered globally, many of them being identified in Canada, the Netherlands, Hungary and Germany.

Cybersecurity has been a bone of contention in the U.S.-China relationship, with both states accusing each other of hacking.  However, according to the researchers of Tiger Security, an Italy-based company working for various governments and corporations, it is most likely that the promoters of this specific campaign are not acting under the “sponsorship” of their government, since they also attacked Chinese state domains. Thus, the most plausible explanation at this stage seems to be that criminals are driven by financial and economic motives.

“They probably attack targets on a commission basis, on demand. In some cases they plan attacks in advance,” says Gentili. 

DDoS attacks date back to 1996, but according to some older reports, the DDoS-as-a-service market came to light in recent years, where cybercriminals provide custom, a la carte “services”—attacks on specific targets—to their clients in return for some sort of reward.

Gentili says that it took months to localize the Distributed Dragons criminals, who tried to hide the origin of the attacks by cancelling the logs left on the infected machines and other techniques. At this stage, says Gentili, it seems very difficult to contain the campaign and prevent the infection of new machines. 

For now, the number of bots involved increases by the day, making the Distributed Dragons campaign a noteworthy subject in the diverse and ever-increasing range of mercenary cyberarmies.

Photo by aztlek/Flickr (CC BY SA 2.0) | Remix by Fernando Alfonso III