Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


DDoS Tools Flourish, Give Attackers Many Options

More than 55 DDoS tools and services on the market offer hacktivists, increasingly driven by ideological or political goals, a wide range of choices, Arbor security researcher reports.

Securing The Super Bowls Of Sports
Securing The Super Bowls Of Sports
(click image for larger view and for slideshow)
How hard is it to launch a distributed denial-of-service (DDoS) attack?

Arguably, the hacktivist collective Anonymous has made launching DDoS attacks look easy, due to its high-profile DDoS campaigns against everyone from PayPal and MasterCard to the FBI and Department of Justice. In addition, Anonymous offered the promise of one-click attacks via its low orbit ion cannon (LOIC) DDoS attack tool.

While LOIC was great at building buzz for Anonymous, it also provided valuable intelligence for law enforcement agencies, since many users apparently didn't realize that the tool alone wouldn't obscure their IP address from the sites they attacked.

[ They may be impossible to prevent, but 10 Strategies To Fight Anonymous DDoS Attacks can help you mitigate an attack in progress. ]

But LOIC, it turns out, is just one of many DDoS tools now available for online use, downloading, or renting. Indeed, there's now a thriving DDoS tool and botnet ecosystem that includes "single user flooding tools, small host booters, shell booters, remote access Trojans (RATs) with flooding capabilities, simple DDoS bots, complex DDoS bots, and some commercial DDoS services," said Curt Wilson, a research analyst at Arbor Networks, in a blog post. "Many types of threats can be blended into any given tool in order to make the tool more attractive and financially lucrative"--as in, profitable for whoever's renting out the DDoS capabilities.

All told, Wilson recently counted 55 different DDoS tools, which are still just a fraction of what's publicly and commercially available. Of course, some of these tools are more dangerous than others. For example, Fg Power DDOSER is designed to flood a gaming competitor with packets, thus slowing their connection speed or knocking them offline, although the DDoS toolkit also includes a Firefox password stealer, said Wilson. Another relatively simple tool, Silent-DDoSer, can launch UDP, SYN, and HTTP attacks, and also offers "triple-DES and RC4 encryption, IPv6 capabilities, and password stealing functions," he said.

At the other end of the spectrum, meanwhile, there are a number of complex DDoS toolkits and related bots, and typically also Web-based command-and-control interfaces. These toolkits sport names such as Darkness/Optima, DeDal, Dirt Jumper, G-Bot, and Russian Armageddon. Finally, services such as Death DDoS Service and Totoro offer commercial DDoS options, meaning that rather than running the tools themselves, attackers can just outsource the job.

Why launch a DDoS attack? Many times, as with botnets, the goal is to steal valuable information, such as financial details. But such attacks can also be used for business purposes. "While there are numerous motives for DDoS, such as revenge, extortion, competitive advantage, and protest, many of the commercial DDoS services emphasize competitive advantage with wording devoted to taking down a competitor," said Wilson. "More troubling is the recently reported distracting use of DDoS to flood networks after financial theft has been performed via a banking Trojan in order to allow the thieves extended access to the loot."

But some of those drivers may be changing. In fact, half of DDoS attacks are now ideologically driven, according to a new study of 2011 attacks conducted by Arbor. "Ideologically and politically motivated DDoS attacks have dramatically risen as the perceived root cause of large-scale DDoS attacks on the Internet," said Roland Dobbins, Asia-Pacific solutions architect for Arbor Networks, via phone.

Previously, he said, service providers and network operators saw the leading causes of DDoS attacks as "nihilism, vandalism, criminal activity, and gaming activity--people unhappy with their gaming comrades, who DDoS them," he said. "Then there's criminal extortion, where people will demand 'protection money' to allow a DDoS'd site to come back up."

Another interesting finding--with DDoS implications--from Arbor's new research is that wireless network operators' security capabilities appear to lag their wireline counterparts by about 10 years, principally in terms of the visibility they do or don't have into what's happening on their TCP/IP networks, which now serve an enormous number of smartphone users and their increasing data consumption requirements. "Wireless operators around the world had become what I like to call 'accidental ISPs' over the last four years, since the introduction of the iPhone," Dobbins said.

"Some of the larger providers have really done a tremendous job of making a transition, understanding that TCP/IP is really the future," he said. "But there are a number of wireless providers around the world at which the senior management doesn't agree with the proposition that their primary business is now Internet access, and that voice...will become [only] packetized TCP/IP."

At those organizations, knowledge of TCP/IP security can lag, which leaves the telecommunications carriers at greater risk of not being able to cope with DDoS attacks launched at their wireless networks. "There's still this focus on minutes versus packets. It's going to take a lot of time for the industry to make that conceptual shift," said Dobbins.

There are no silver bullets when it comes to protecting company and customer data from loss or theft, but there are technological and procedural systems that will go a long way toward preventing a WikiLeaks-like data dump. Download our How To Prevent An Online Data Dump report. (Free registration required.)

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
Hacking Yourself: Marie Moe and Pacemaker Security
Gary McGraw Ph.D., Co-founder Berryville Institute of Machine Learning,  9/21/2020
Startup Aims to Map and Track All the IT and Security Things
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/22/2020
Register for Dark Reading Newsletters
White Papers
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, when determining the common dimension size of two tensors, TFLite uses a `DCHECK` which is no-op outside of debug compilation modes. Since the function always returns the dimension of the first tensor, malicious attackers can ...
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, a crafted TFLite model can force a node to have as input a tensor backed by a `nullptr` buffer. This can be achieved by changing a buffer index in the flatbuffer serialization to convert a read-only tensor to a read-write one....
PUBLISHED: 2020-09-25
In tensorflow-lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, if a TFLite saved model uses the same tensor as both input and output of an operator, then, depending on the operator, we can observe a segmentation fault or just memory corruption. We have patched the issue in d58c96946b and ...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 1.15.4, 2.0.3, 2.1.2, 2.2.1 and 2.3.1, saved models in the flatbuffer format use a double indexing scheme: a model has a set of subgraphs, each subgraph has a set of operators and each operator has a set of input/output tensors. The flatbuffer format uses indices f...
PUBLISHED: 2020-09-25
In TensorFlow Lite before versions 2.2.1 and 2.3.1, models using segment sum can trigger writes outside of bounds of heap allocated buffers by inserting negative elements in the segment ids tensor. Users having access to `segment_ids_data` can alter `output_index` and then write to outside of `outpu...