“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” said Scott Hammack, chief executive officer at Prolexic.
Armed with the identity of the C&C server or infected host, and open source penetration-testing tools, it is possible to gain access to the C&C database backend and, more importantly, the server-side configuration files.
“With this information, it is possible to access the C&C server and stop the attack,” Hammack said. “Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large.”
In conjunction with the Dirt Jumper vulnerability disclosure report, the Prolexic Security Engineering & Response Team (PLXsert) has also issued a public threat advisory on the newest member of the Dirt Jumper family, Pandora. Both documents are available to the public, free of charge, at www.prolexic.com/threatadvisories.
Pandora, believed to be authored by the same individual responsible for the rest of the Dirt Jumper family of toolkits, includes five DDoS attack methods, designated Attack Types 0 through 4: HTTP Min, HTTP Download, HTTP Combo, Socket Connect and Max Flood. HTTP Combo offers a one-two punch that targets the application layer and the infrastructure layer simultaneously, while Max Flood initiates a flood of POST requests, each carrying a 1-million-byte payload.
One advertisement for the toolkit claims that 10 infected bot workstations can take down an unhardened or poorly protected site, while a thousand bots supposedly slowed response times for Russia’s most popular search engine.
Prolexic has already mitigated a Pandora attack that used the Max Flood method against KrebsOnSecurity.com on July 27. It was the first use of the toolkit documented by PLXsert, and site owner Brian Krebs blogged about it last week.
“The first DDoS campaigns consisted of several hundred systems repeatedly requesting image-heavy pages on my site,” Krebs wrote. His site went down, and the traffic hurled at it was beginning to cause problems for other sites. On the recommendation of his hosting provider, Krebs turned to Prolexic for help and was able to fight off the attack.
Although effective, the code of the Pandora DDoS toolkit contains typographical errors, Prolexic analysts noted. Infected computers (bots) beacon to the operator's command and control (C&C) panel with broken GET requests that report the availability of the bots. In addition, the GET request in the Socket Connect attack is sent as an 'ET' request, which is not a valid HTTP request. Some web servers, such as Apache, will nevertheless interpret the ET request as a GET request and respond with a valid OK response. Other web servers, such as nginx, will return a Bad Request error message. The mismatch matters for defenders: a target behind a lenient server will still serve the page (and absorb the load), while the malformed method is itself a reliable signature to match on.
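As an added illustration, and not Prolexic's or PLXsert's own detection logic, the following Python classifies raw HTTP requests using only the two traits the text above states: a request line whose method is the mangled 'ET' (Socket Connect), and a POST whose declared body is about 1 million bytes (Max Flood). The sample requests are constructed for this example; the exact byte threshold, the method regex, and the label names are assumptions, and the Apache/nginx behaviour the page reports is noted but not emulated.

```python
"""Flag HTTP requests that match the Pandora traits described above.

Added example, not code from Prolexic, PLXsert, or the toolkit itself.
It encodes only what the advisory text states: an 'ET' method (the
mangled GET used by the Socket Connect attack) and a POST declaring a
~1,000,000-byte body (the Max Flood attack). Sample requests below are
constructed for this example.
"""
import re
from collections import Counter

# Assumption: a request line is METHOD SP TARGET SP HTTP/x.y, with the
# method restricted to upper-case letters. Real servers differ in how
# strict they are; the page reports Apache treats 'ET' as GET while
# nginx answers 400 Bad Request. Neither behaviour is emulated here.
REQUEST_LINE = re.compile(r"^([A-Z]+) (\S+) HTTP/(\d)\.(\d)$")
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE",
                 "OPTIONS", "TRACE", "CONNECT", "PATCH"}
# Assumption: flag at exactly the payload size the text gives for Max Flood.
MAX_FLOOD_BYTES = 1_000_000


def classify(raw: bytes) -> str:
    """Return a label for one raw HTTP request (headers are enough)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    match = REQUEST_LINE.match(lines[0])
    if not match:
        return "malformed-request-line"
    method = match.group(1)

    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()

    if method == "ET":
        # The Socket Connect typo: 'GET' with its first byte missing.
        return "pandora-socket-connect-ET"
    if method == "POST":
        try:
            length = int(headers.get("content-length", "0"))
        except ValueError:
            return "malformed-content-length"
        if length >= MAX_FLOOD_BYTES:
            # A declared ~1 MB body matches the Max Flood description.
            return "pandora-max-flood-POST"
    if method not in KNOWN_METHODS:
        return "unknown-method"
    return "ordinary"


def scan(requests) -> Counter:
    """Count labels across a batch of captured requests."""
    return Counter(classify(r) for r in requests)


# Constructed sample traffic (hostname is a placeholder).
SAMPLES = [
    b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"ET / HTTP/1.1\r\nHost: example.test\r\n\r\n",
    b"POST /index.php HTTP/1.1\r\nHost: example.test\r\n"
    b"Content-Length: 1000000\r\n\r\n",
    b"POST /login HTTP/1.1\r\nHost: example.test\r\nContent-Length: 42\r\n\r\n",
    b"\x16\x03\x01 not http at all",
]

if __name__ == "__main__":
    for label, count in sorted(scan(SAMPLES).items()):
        print(f"{label:28} {count}")
```

The point of keeping the check this narrow is that it matches the toolkit's own defect rather than any legitimate client behaviour: no standards-compliant browser or crawler emits an 'ET' method, so a rule on that token alone produces essentially no false positives, whereas the Content-Length rule should be tuned against what your application actually accepts before it is used to drop traffic.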
“The DDoS problem is not going away and it’s only going to get worse,” Krebs says. “As illustrated by the denial of service attacks on my site using the Pandora toolkit, it’s never been easier to build your own DDoS bot army.”
An analysis of the Pandora threat, including recommended mitigation techniques, is available free of charge at www.prolexic.com/threatadvisories.
To learn more about the attack on KrebsOnSecurity.com, the full case study can be downloaded from www.prolexic.com/Krebs.
Prolexic Threat Advisories
Designed to provide early warnings of new or modified DDoS attack signatures and scripts, recently observed by PLXsert, each threat advisory contains a detailed description of the type of attack, a list of attack signatures, and the specific network infrastructure or application that it targets. In addition, Prolexic’s DDoS mitigation experts also offer insight into the nature of each type of attack, as well as provide specific warnings as to how the attack will affect businesses and enterprises of different sizes and infrastructures. PLXsert also provides threat remediation tips to help subscribers not only recognize the new attack signatures, but also proactively defend against them. The latest threat advisories, including HOIC and Dirt Jumper, are available to the public at www.prolexic.com/threatadvisories.
About the Prolexic Security Engineering & Response Team (PLXsert)
PLXsert monitors malicious cyber threats globally and analyzes DDoS attacks using proprietary techniques and equipment. Through data forensics and post-attack analysis, PLXsert builds a global view of DDoS attacks, which is shared with customers. By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations adopt best practices and make more informed, proactive decisions about DDoS threats.
Details of Prolexic’s mitigation activities and insights into the latest tactics, types, targets and origins of global DDoS attacks are provided in quarterly reports published by the company. A complimentary copy of Prolexic’s Q2 2012 Global DDoS Attack Report is available at www.prolexic.com/attackreports.
Prolexic is the world’s largest, most trusted Distributed Denial of Service (DDoS) mitigation provider. Able to absorb the largest and most complex attacks ever launched, Prolexic restores mission-critical Internet-facing infrastructures for global enterprises and government agencies within minutes. Ten of the world’s largest banks and the leading companies in e-Commerce, SaaS, payment processing, travel/hospitality, gaming and other at-risk industries rely on Prolexic to protect their businesses. Founded in 2003 as the world’s first in-the-cloud DDoS mitigation platform, Prolexic is headquartered in Hollywood, Florida and has scrubbing centers located in the Americas, Europe and Asia. To learn more about how Prolexic can stop DDoS attacks and protect your business, please visit www.prolexic.com, follow us on LinkedIn, Facebook and Google+ or follow @Prolexic on Twitter.