“DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we’ve turned the tables and exposed crucial weaknesses in their own tools,” said Scott Hammack, CEO at Prolexic.
Armed with the identity of the C&C server or infected host, and open source penetration-testing tools, it is possible to gain access to the C&C database backend and, more importantly, the server-side configuration files.
“With this information, it is possible to access the C&C server and stop the attack,” Hammack said. “Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large.”
In conjunction with the Dirt Jumper vulnerability disclosure report, the Prolexic Security Engineering & Response Team (PLXsert) has also issued a public threat advisory on the newest member of the Dirt Jumper family, Pandora.
Believed to be authored by the same individual responsible for the other Dirt Jumper family of toolkits, it includes five DDoS attack methods, designated Attack Types 0 through 4. These include HTTP Min, HTTP Download, HTTP Combo, Socket Connect and Max Flood.
The HTTP Combo offers a one-two punch that targets the application and infrastructure layer simultaneously, while the Max Flood attack initiates a flood that contains a 1-million-byte payload within the POST request.
One advertisement for the toolkit claims that 10 infected bot workstations can take down an unhardened or poorly protected site, while a thousand bots supposedly slowed response times for Russia’s most popular search engine.
Prolexic already successfully mitigated a Pandora attack using the Max Flood attack method. It was the first documented use of the toolkit by PLXsert.
Although effective, the code of the Pandora DDoS toolkit contains typographical errors, Prolexic analysts noted. Infected computers (bots) beacon to the user’s command and control (C&C) panel with broken GET requests that identify the availability of the bots.
In addition, a GET request in the Socket Connect attack is sent as an ‘ET’ request, which is invalid HTTP request. Some web servers such as Apache, however, will interpret the ET request as a GET request and will respond with a valid OK response. Other web servers, such as nginx, will return a Bad Request error message.
“The DDoS problem is not going away and it’s only going to get worse,” Krebs says. “As illustrated by the denial of service attacks on my site using the Pandora toolkit, it’s never been easier to build your own DDoS bot army.”