MP-DDoser: A rapidly improving DDoS threat

From Botnets.fr

Botnet: MP-DDoser
Date: 2012 / 2012-06-07
Editor/Conference: Arbor Sert
Link: https://asert.arbornetworks.com/mp-ddoser-a-rapidly-improving-ddos-threat/
Author: Jeff Edwards

Abstract

This blog post is the fifth installment in our ongoing series of articles surveying the crypto systems used by different DDoS-capable malware families. Today's topic is MP-DDoser, also known as "IP-Killer".


As far as we are aware, MP-DDoser was first documented in February 2012 by Arbor analyst Curt Wilson in his pioneering survey of modern DDoS threats. Like many of the malware families we see these days, MP-DDoser is exclusively a DDoS bot; it has no ability to do key-logging, info-stealing, spamming, or other such mayhem. We started seeing the first MP-DDoser samples back in December 2011, which billed themselves as "Version 1.0". These early versions had a number of serious flaws, such as a completely broken Slowloris attack implementation and really awful crypto key management. But the latest samples (now up to "Version 1.6") are much improved: the key management is quite good, and the buggy DDoS attacks are not only fixed but now include at least one technique ("Apache Killer") that may be considered reasonably cutting edge.

The full details of our analysis are included in the attached report, but here are the highlights:

In addition to a Slowloris-style attack and various generic flooding capabilities, the newest versions of MP-DDoser support an ApacheKiller-style attack, which is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers. It first appeared in the form of a proof-of-concept Perl script in August 2011. Then toward the end of 2011 we saw a version of it incorporated into the Armageddon DDoS bot; however that implementation turned out to be severely flawed. Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack. The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, “asymmetrical” HTTP attacks at the moment.
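The abstract explains that the Apache Killer technique rests on a single oversized Range header listing a large number of (typically overlapping) byte-ranges. The natural defensive check is therefore on the request side: parse the Range value, count the ranges, and count how many of them overlap one another. The following is an added example for that check, written here as illustration and not code from the ASERT post or from MP-DDoser; the thresholds, the sample requests and the client addresses are constructed assumptions.

```python
"""Detect abusive multi-range HTTP Range headers.

Added example (not from the ASERT post or from the bot). The thresholds
and the sample requests are constructed for illustration.
"""

import re
from typing import Dict, List, Optional, Sequence, Tuple

# Constructed assumptions: flag a request that carries more than
# MAX_RANGES byte-ranges, or more than MAX_OVERLAPS ranges that overlap
# an earlier one.  Legitimate clients (download managers, PDF viewers)
# ask for a handful of disjoint ranges, so both limits can be low.
MAX_RANGES = 50
MAX_OVERLAPS = 5

_RANGE_SPEC = re.compile(r"^\s*(\d*)\s*-\s*(\d*)\s*$")

ByteRange = Tuple[Optional[int], Optional[int]]


def parse_byte_ranges(header_value: str) -> Optional[List[ByteRange]]:
    """Parse 'bytes=a-b,c-,-d' into (start, end) tuples.

    None in either slot means that end is open ('500-' or '-500').
    Returns None when the value is not a well-formed bytes range-set
    (other units, empty specs, or '-' with neither bound).
    """
    if not header_value.lower().startswith("bytes="):
        return None
    ranges: List[ByteRange] = []
    for spec in header_value[len("bytes="):].split(","):
        m = _RANGE_SPEC.match(spec)
        if not m or (m.group(1) == "" and m.group(2) == ""):
            return None
        start = int(m.group(1)) if m.group(1) else None
        end = int(m.group(2)) if m.group(2) else None
        ranges.append((start, end))
    return ranges


def overlapping_ranges(ranges: Sequence[ByteRange]) -> int:
    """Count ranges that overlap at least one range listed before them.

    Suffix ranges ('-500') depend on the body length and are skipped.
    """
    inf = float("inf")
    seen: List[Tuple[int, float]] = []
    hits = 0
    for start, end in ranges:
        if start is None:
            continue
        hi = inf if end is None else end
        if any(start <= e and s <= hi for s, e in seen):
            hits += 1
        seen.append((start, hi))
    return hits


def assess_range_header(header_value: Optional[str]) -> Dict[str, object]:
    """Classify one Range value as none / malformed / ok / suspicious / excessive."""
    if header_value is None:
        return {"ranges": 0, "overlaps": 0, "verdict": "none"}
    ranges = parse_byte_ranges(header_value)
    if ranges is None:
        return {"ranges": 0, "overlaps": 0, "verdict": "malformed"}
    overlaps = overlapping_ranges(ranges)
    if len(ranges) > MAX_RANGES or overlaps > MAX_OVERLAPS:
        verdict = "excessive"
    elif overlaps > 0:
        verdict = "suspicious"
    else:
        verdict = "ok"
    return {"ranges": len(ranges), "overlaps": overlaps, "verdict": verdict}


def flagged_clients(requests: Sequence[Tuple[str, Optional[str]]]) -> List[str]:
    """Return the client addresses whose Range header is rated 'excessive'."""
    return [client for client, value in requests
            if assess_range_header(value)["verdict"] == "excessive"]


# Constructed sample of (client, Range header) pairs; the fourth entry is
# the kind of long, overlapping range-set the detector has to catch.
SAMPLE_REQUESTS: List[Tuple[str, Optional[str]]] = [
    ("192.0.2.10", "bytes=0-1023"),                 # resumed download
    ("192.0.2.11", "bytes=0-99,500-599"),           # two disjoint ranges
    ("192.0.2.12", None),                           # no Range header
    ("198.51.100.7", "bytes=" + ",".join("0-%d" % i for i in range(60))),
    ("198.51.100.8", "items=0-5"),                  # unknown range unit
]

if __name__ == "__main__":
    for client, value in SAMPLE_REQUESTS:
        print(client, assess_range_header(value))
    print("flagged:", flagged_clients(SAMPLE_REQUESTS))
```

The check is cheap enough to run in a WAF rule or a reverse proxy before the request reaches the origin; a server-side cap on the number of ranges honoured per request (Apache's own MaxRanges directive, added after this attack became public, defaults to 200) is the complementary mitigation on the origin itself.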

Bibtex

@misc{2012BFR1028,
  editor = {Arbor Sert},
  author = {Jeff Edwards},
  title = {MP-DDoser: A rapidly improving DDoS threat},
  date = {07},
  month = Jun,
  year = {2012},
  howpublished = {\url{https://asert.arbornetworks.com/mp-ddoser-a-rapidly-improving-ddos-threat/}},
}