Critical vulnerabilities in popular DDoS toolkit exposed
Posted on 15 August 2012.
Prolexic Technologies exposed weaknesses in the command and control (C&C) architecture of the Dirt Jumper DDoS Toolkit family that could neutralize would-be attackers. The Dirt Jumper family of toolkits is considered one of the most popular attack tools on the market today.

“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” said Scott Hammack, CEO at Prolexic.

Armed with the identity of the C&C server or infected host, and open source penetration-testing tools, it is possible to gain access to the C&C database backend and, more importantly, the server-side configuration files.

“With this information, it is possible to access the C&C server and stop the attack,” Hammack said. “Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large.”

In conjunction with the Dirt Jumper vulnerability disclosure report, the Prolexic Security Engineering & Response Team (PLXsert) has also issued a public threat advisory on the newest member of the Dirt Jumper family, Pandora.

Believed to be authored by the same individual responsible for the other Dirt Jumper family of toolkits, it includes five DDoS attack methods, designated Attack Types 0 through 4. These include HTTP Min, HTTP Download, HTTP Combo, Socket Connect and Max Flood.

The HTTP Combo offers a one-two punch that targets the application and infrastructure layer simultaneously, while the Max Flood attack initiates a flood that contains a 1-million-byte payload within the POST request.

One advertisement for the toolkit claims that 10 infected bot workstations can take down an unhardened or poorly protected site, while a thousand bots supposedly slowed response times for Russia’s most popular search engine.

Prolexic already successfully mitigated a Pandora attack using the Max Flood attack method. It was the first documented use of the toolkit by PLXsert.

Although effective, the code of the Pandora DDoS toolkit contains typographical errors, Prolexic analysts noted. Infected computers (bots) beacon to the user’s command and control (C&C) panel with broken GET requests that identify the availability of the bots.

In addition, a GET request in the Socket Connect attack is sent as an ‘ET’ request, which is invalid HTTP request. Some web servers such as Apache, however, will interpret the ET request as a GET request and will respond with a valid OK response. Other web servers, such as nginx, will return a Bad Request error message.

“The DDoS problem is not going away and it’s only going to get worse,” Krebs says. “As illustrated by the denial of service attacks on my site using the Pandora toolkit, it’s never been easier to build your own DDoS bot army.”


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Tue, Feb 9th