Distributed denial of service (DDoS) malware and tools threaten an organization's Internet-facing systems. A DDoS attack can have a substantial impact on the availability of the targeted system, and that loss of availability can cost the organization money, damage its brand and reputation, and tie up financial and personnel resources in mitigation.
Not all DDoS malware and tools are created equal: some are feature-rich and perform remarkably well, whereas others have serious shortcomings.
The Russkill family focuses on flooding Web servers with HTTP requests, and it succeeds because it spawns hundreds of threads against a target and so generates a considerable volume of traffic. Darkness is another capable DDoS bot; in the attacks iDefense has observed, it generates significant traffic in both Internet Control Message Protocol (ICMP) and HTTP floods. These capabilities make Russkill and Darkness attractive to attackers, who use both types of botnet to offer DDoS services to their customers. Other tools take a different approach. Slowloris, for example, does not need to flood the target with traffic to cause a denial of service (DoS) condition: it opens many connections and sends only partial HTTP headers on each, holding them open until the server's worker pool is exhausted. Because a Web server typically writes an access-log entry only once a request is complete, these never-finished requests also go unlogged, so the attack is effectively invisible in the access logs.
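Because Slowloris leaves nothing in the access log, the practical check is the server's live worker table rather than its logs. The script below is an added example written for this page (not code from the article or from any tool it names): it parses a constructed worker snapshot, loosely modeled on the per-worker columns of Apache's mod_status page, and flags any client that holds many workers in the "reading request" state for a long time. The snapshot, the pipe-separated layout and the thresholds are assumptions made for the example.

```python
"""Detect Slowloris-style connection hoarding from a server worker snapshot.

Added example, not from the original article or any tool it names.
Slowloris ties up a Web server's workers with requests that never finish,
and because the access log is written only when a request completes, the
attack leaves no trace there. The signal is in the server's live worker
table instead: one client holding many workers in the "reading request"
state for a long time. The snapshot below is constructed for this example
and loosely mirrors the per-worker columns of Apache's mod_status page
(M = worker mode, SS = seconds since the request began, Client, Request).
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed snapshot (not captured data), pipe-separated:
# mode|seconds|client|request. Mode codes follow mod_status:
# R = reading request, W = sending reply, K = keepalive, _ = idle.
# The request column stays empty while the headers are still incomplete.
SNAPSHOT = """\
R|312|203.0.113.7|
R|298|203.0.113.7|
R|305|203.0.113.7|
R|290|203.0.113.7|
R|311|203.0.113.7|
R|287|203.0.113.7|
W|1|198.51.100.20|GET /index.html HTTP/1.1
K|4|198.51.100.21|GET /static/app.js HTTP/1.1
R|2|198.51.100.22|
_|0||
_|0||
"""


@dataclass(frozen=True)
class Worker:
    mode: str      # R, W, K or _ (see above)
    age_s: int     # seconds since the current request began
    client: str    # peer address, empty for an idle worker
    request: str   # request line, empty until the headers are complete


def parse_snapshot(text):
    """Parse the constructed pipe-separated worker table into Worker records."""
    workers = []
    for line in text.splitlines():
        if not line.strip():
            continue
        mode, age, client, request = line.split("|", 3)
        workers.append(Worker(mode, int(age), client, request))
    return workers


def find_slow_clients(workers, min_age_s=60, min_conns=5):
    """Return {client: held_workers} for clients holding at least min_conns
    workers in the reading-request state for min_age_s seconds or longer.

    Both thresholds are assumptions for this example; tune them to the
    server's normal header-read times and the size of its worker pool."""
    held = defaultdict(int)
    for w in workers:
        if w.mode == "R" and w.age_s >= min_age_s and w.client:
            held[w.client] += 1
    return {client: n for client, n in held.items() if n >= min_conns}


def pool_pressure(workers):
    """Fraction of all workers stuck reading a request. The DoS condition
    is reached as this approaches 1.0, whichever client is responsible."""
    if not workers:
        return 0.0
    stuck = sum(1 for w in workers if w.mode == "R")
    return stuck / len(workers)


if __name__ == "__main__":
    ws = parse_snapshot(SNAPSHOT)
    print("suspect clients:", find_slow_clients(ws))
    print(f"workers reading requests: {pool_pressure(ws):.0%}")
```

On the constructed snapshot the single client 203.0.113.7 is reported holding six workers, while the legitimate client whose headers are still arriving after two seconds is not. The corresponding mitigation on Apache is mod_reqtimeout, whose `RequestReadTimeout header=20-40,MinRate=500` directive closes any connection whose headers do not arrive within the window and at the minimum rate, which is exactly the behaviour Slowloris depends on.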
Miscreants have also used Slowloris to build DDoS-for-hire services, as in the case of the DDoS tool at Bellum.co.uk. Other DDoS malware and tools are less successful. For instance, Erratic Demise's HTTP flooding has a severe flaw: its authors did not set the "INTERNET_FLAG_RELOAD" flag on the WinINet calls that fetch the target, so after the first request the bot reads the locally cached copy of the page for subsequent requests instead of fetching it from the remote server, and most of the intended load never reaches the target at all.
Another flawed attack implementation appears in Mariposa: the authors advertised the tool as capable of TCP SYN floods, but it actually completes a full TCP connection (the entire three-way handshake) rather than sending bare SYN packets. Mariposa also does not generate multiple threads and therefore does not create a significant amount of traffic. The most recent attacks on financial institutions have been launched with the BroBot/itsoknobroblembro toolkit, an advanced toolkit that supports multiple attack methods over HTTP, HTTPS and DNS.
The successful attacks of the recent past should prompt organizations to treat a DDoS attack as a real risk and to create a comprehensive strategy for dealing with attacks of all sizes and complexities. To minimize the impact of a DDoS attack, organizations should engage the services of a DDoS protection provider; current attacks are far too large and complex for most organizations to absorb with their own infrastructure. In addition, with the increased use of DNS as an attack vector, outsourcing an enterprise's DNS services to a provider built to withstand such floods adds a further layer of protection.
If you are worried about your web security and wish to check that your Internet-facing connections are not vulnerable to Denial of Service attacks, contact Wimbledon IT on 0845 838 1356.