Security Advisory: DDOS Advisory - May 2010May 17, 2010
Imperva's lab, the Application Defense Center (ADC), has uncovered a new generation of DDoS attack that appears to be more powerful, more efficient and less detectable than traditional methods.
- This new type of DDoS attack that has currently infected hundreds of web servers
- Unlike traditional DDoS methods that capitalize on bot-infected PCs, the attackers have turned the web servers themselves into payload-throwing bots.
How it works
Rather than use the server as a means of distributing DDoS malware to PCs, the attackers infect the servers themselves with a malicious DDoS application. Then, using a simple software program with a dashboard and control panel, the hackers configure the IP, port and duration of an attack. See Figure 1 for an example. Hackers simply insert a URL they wish to attack, click and go. Imperva was able to obtain the source code of this application and has screenshots. We've also witnessed an attack as it was taking place and can describe what we saw and what we learned.
Why this is unique
- Although servers are typically harder to compromise than PCs, by capitalizing on their greater horsepower, the hackers create a much more efficient and powerful DDoS tool using servers as the attack platform. The volume of the attack is more easily multiplied by the number of exploited web servers as well.
- By using web servers, the attackers are even less detectable. Trace backs typically lead to a lone server at a random hosting company.
What companies should do
These attacks are ongoing, not a onetime occurrence. Now that a network of server bots has been created, it will be quite easy for them to 'rent' them out or increase their activity. Companies should regularly monitor their Google presence to look for evidence of being compromised. See Figure 2 for an example.
This new DDOS attack was discovered by monitoring hacker traffic. The hackers first hack vulnerable applications to include malicious DDoS application which automates the attack process. The malicious application allows the attacker to configure the IP, port and duration of attack. Now the hacker can launch a DDOS attack against any server.
Using the hacked web servers (and not their own PC) allows the hacker to:
- Disguise their true identity
- Use the servers resources – typically web servers have more network bandwidth than personal user
Imperva has managed to get a copy of the attack software and some insights on it from the author message in a hackers’ forum. An analysis of the source code shows us that this is a very simple program (even its author admits – that the code is “young and immature”) that sends very long (65K) UDP datagrams repeatedly to the attacked server.
Hundreds of sites were compromised and now host the malicious DDoS application, as can be seen from a simple Google search.
Imperva has seen the triggering of the attack in one of our honey pots.
Figure 1: Automated DDoS attack software screen capture as seen in TOR logs
The target site is a hosting provider. The hosting site is not listed as malicious in DShield.
Figure 2: Example search for similar, infected servers in Google
Some domains look genuine and compromised; some look as though they were only created in order to host the malware.
The information within this advisory is subject to change without notice. Use of this information constitutes acceptance for use in an AS IS condition. Any use of this information is at the user’s own risk. There are no warranties, implied or expressed, with regard to this information. In no event shall the author be liable for any direct or indirect damages whatsoever arising out of or in connection with the use or spread of this information.
Redistribution of this alert electronically is allowed as long as it is not edited in any way. To reprint this alert, in whole or in part, in any medium other than electronic medium, firstname.lastname@example.org for permission.