[<prev] [next>] [day] [month] [year] [list]
Message-ID: <003601cb58ea$2cb8c810$c103fea9@ml>
Date: Mon, 20 Sep 2010 20:32:17 +0300
From: "MustLive" <mustlive@...security.com.ua>
To: <rdobbins@...or.net>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: DDoS attacks via other sites execution tool
(DAVOSET)
Hello Roland!
Just recently found your letter. So I'll note about what I already told many
times to readers of Full-Disclosure and Bugtraq, that I not subscribed to
these lists, so always send copy of the messages to my e-mail also.
Concerning you letter.
> A more appropriate name for this sort of attack might be an 'application
> reflection attack'
Yes, it's possible to call this attack by such name (maybe better "web
application", then "application", but the reflection indeed exists in this
case). DDoS attacks via other sites execution tool (DAVOSET) - it's not name
of attack, but of the tool, which I created for demonstrating of such
attacks. The attack itself can be as DoS or DDoS, as any other. I wrote in
detail about it in my article Using of the sites for attacks on other sites
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075621.html).
There are two vulnerabilities which allow such attacks. It's Abuse of
Functionality (which allows to force one site to connect to arbitrary sites)
and Insufficient Anti-automation (which allows to conduct such attacks in
automated fashion)
> The servers themselves aren't botted, so they don't compromise a new form
> of botnet, per se.
But the sites (on the servers) are controlled by an attacker, which
instructs them what to do (force them to connect to arbitrary sites). So
this is new form of botnet. And attackers can hack some sites (where there
is no such vulnerabilities) to put the "simple script" (with such built-in
vulnerabilities) to them and then use these sites (and servers) for such
attacks. But it's even not needed with all of those Abuse of Functionality
holes (which allow such attacks) in Internet.
> The question then becomes whether this particular form of attack offers
> any advantages over a more conventional layer-7 DDoS attacks launched via
> botnets.
There are advantages in both classical botnets which works on Layer-7 and in
these attacks via sites (and in new botnets with sites-zombies). I wrote
about advantages of such attacks in my above-mentioned article. And benefits
of this attack is more evident comparing with making attack from your own
(single) computer, then comparing with large classical botnet.
Attacker can use zombies in classical botnets as for DDoS, as for other
attacks (but amount of attacks are limited, because developers of software
for botnets making limited functionality for their small number of needs).
In these attacks via sites attacker can use them for any attacks, for
example when he'll be using such benefit of this attack as hiding of attack
source (i.e. will be using sites as proxy), and he can easily make any
attack on target site just by changing of target URL. E.g. he can make DoS
or Persistent XSS or SQL Injection attack on target site, or he can make
DDoS attack on target site by using multiple zombie-sites (so the attack
itself and the tool are more flexible then in case of classical botnets).
> and since the sites being abused can in fact take measures to render
> themselves unsuitable for such abuse.
As vulnerable sites can be fixed in this type of attack, as users' computers
can be cleaned from trojans. But this is not a problem for both classical
and new botnets, as there are always many new vulnerable sites and users'
computers to be used for them.
> The question then becomes, is there an amplification factor to be gained
> by doing so?
There are amplifications (which is another advantage of this attack), I told
slightly about them in my article about the DAVOSET tool
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-July/075621.html).
The tool use small amount of traffic to forcing vulnerable sites to attack
target site and these sites used much more traffic for their own requests.
So in result you can send much more traffic to target site, then by doing
direct connections to it. And by using another advantage of this attack -
different IPs - it's possible to bypass restrictions by IP on target site
(and people mostly will not be blocking IPs of known and popular companies,
such as Google). So there are many advantages of such attacks.
Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua
> Dobbins, Roland rdobbins at arbor.net
> Wed Jul 14 12:51:16 BST 2010
>
> On Jul 14, 2010, at 6:28 PM, MustLive wrote:
>
> > In which I wrote particularly about creating of botnet from
> > zombie-servers
> > (which is a new type of botnets).
>
>
> A more appropriate name for this sort of attack might be an 'application
> reflection attack', as it's similar in concept to making use of open DNS
> recursors in the same vein. The servers themselves aren't botted, so they
> don't compromise a new form of botnet, per se.
>
> The question then becomes whether this particular form of attack offers
> any advantages over a more conventional layer-7 DDoS attacks launched via
> botnets.
>
> One advantage is obvious - it may prove problematic to block the attack
> traffic via conventional means such as S/RTBH, given that the servers
> being abused to launch the application reflection attack are legitimate
> servers which users on the targeted networks may well have the desire to
> access. However, as IDMSes can readily handle this sort of attack, while
> interesting, it's unclear whether it's worth the effort required to do
> this, given the prevalence of untold millions of botted hosts which can
> launch layer-7 attacks via existing command-and-control mechanisms which
> render said botnets completely under the control of the attacker, and
> since the sites being abused can in fact take measures to render
> themselves unsuitable for such abuse.
>
> The question then becomes, is there an amplification factor to be gained
> by doing so? The reason that DNS reflection attacks are of interest to
> the attackers is that they gain a considerable amplification effect from
> doing so - do you see an amplification resulting from this mode of attack?
>
> -----------------------------------------------------------------------
> Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
>
> Injustice is relatively easy to bear; what stings is justice.
>
> -- H.L. Mencken
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists