A clear trend in the security scene these days is the change in attacker profile. Computer hacking and DDoS attacks are no longer reserved for the small group of individuals who are familiar with the “bits and bytes” of underlying technologies. Today’s attackers may very well be ordinary computer users.
This is the result of an abundance of tools that require no technical ability beyond the normal use of a program, or simply the supplying of a credit card. A recent example is the Anonymous-OS, an Ubuntu-based OS that comes pre-installed with all the necessary, easy-to-use tools for the novice Anonymous member.
Today, with a quick search, one can easily ‘hire’ – or employ – a DDoS attack on any target, as a service. One example is the Darkness (Optima) bot, which has become very popular since 2011. This bot has been used in DDoS service offerings on various community sites. In fact, we have seen it used in several recent attacks handled by Radware’s Emergency Response Team (ERT).
The Darkness DDoS bot belongs to a family of DDoS-oriented kits that have lately been competing in the market for paid DoS attacks. It is capable of launching TCP, HTTP, and fragmented ICMP floods, all specifically designed to cause as much damage as possible. The bot also incorporates a password-stealer module that sends sensitive data to the command and control machine.
Analysis of the available attacks shows some interesting characteristics. The HTTP vector allows attacking several URLs at once, generating requests specifically for heavy resources on the target web server. The ICMP attack generates a maximum-sized ICMP data portion, aiming to saturate the buffers of the target’s network stack.
Although they are customizable to some extent, all attacks have distinct characteristics that can be deduced from the behavioral patterns they produce in the attacking traffic: the specific ordering of the traffic and the content of the traffic generated. You can read a full report on the Darkness bot in the “Radware Technical Notes” found here.
A protection strategy covering all attack vectors of the Darkness bot should combine network-level and HTTP DDoS protection based on behavioral patterns together with static patterns. This combination does a good job of characterizing the attacking traffic in order to analyze and mitigate the DDoS attack.
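As an added illustration (not code from Radware, DefensePro or the Darkness bot itself), the Python script below applies the two-pronged approach described above to constructed flow records: a behavioral check for a single source hitting several distinct URLs at a high rate, and a static check for repeated fragmented ICMP with a maximum-sized data portion. The record field names, thresholds and sample addresses are assumptions made for this example.

```python
from collections import defaultdict

# Largest ICMP data portion that fits one IPv4 packet (65535 - 20 IP - 8 ICMP header bytes).
MAX_ICMP_DATA = 65507

# Constructed sample records (assumed field names, not real capture data): one dict per event.
HEAVY = ["/search?q=*", "/report.pdf", "/export.csv"]
SAMPLE = (
    # a normal browser: a few spaced-out requests to one page
    [{"proto": "http", "ts": i * 2.5, "src": "10.0.0.5", "url": "/index.html"} for i in range(4)]
    # a Darkness-style HTTP flood: many requests, rotating over several heavy URLs at once
    + [{"proto": "http", "ts": i * 0.05, "src": "10.0.0.9", "url": HEAVY[i % 3]} for i in range(40)]
    # a Darkness-style ICMP flood: fragmented echo requests with a maximum-sized data portion
    + [{"proto": "icmp", "ts": 1 + i * 0.1, "src": "10.0.0.7", "data_len": MAX_ICMP_DATA, "fragmented": True} for i in range(20)]
    # a normal ping
    + [{"proto": "icmp", "ts": 1.0, "src": "10.0.0.5", "data_len": 56, "fragmented": False}]
)

def http_flood_sources(records, window=2.0, min_requests=20, min_urls=2):
    """Behavioral pattern: a source issuing many requests across several distinct URLs within `window` seconds."""
    by_src = defaultdict(list)
    for r in records:
        if r["proto"] == "http":
            by_src[r["src"]].append(r)
    flagged = {}
    for src, reqs in by_src.items():
        reqs.sort(key=lambda r: r["ts"])
        lo = 0  # sliding window over the source's request timestamps
        for hi in range(len(reqs)):
            while reqs[hi]["ts"] - reqs[lo]["ts"] > window:
                lo += 1
            span = reqs[lo:hi + 1]
            urls = {r["url"] for r in span}
            if len(span) >= min_requests and len(urls) >= min_urls:
                flagged[src] = {"requests": len(span), "urls": sorted(urls)}
                break
    return flagged

def icmp_flood_sources(records, min_packets=10):
    """Static pattern: a source repeatedly sending fragmented ICMP whose data portion is at the maximum."""
    counts = defaultdict(int)
    for r in records:
        if r["proto"] == "icmp" and r["fragmented"] and r["data_len"] >= MAX_ICMP_DATA:
            counts[r["src"]] += 1
    return {src: n for src, n in counts.items() if n >= min_packets}

if __name__ == "__main__":
    print("HTTP flood sources:", http_flood_sources(SAMPLE))
    print("ICMP flood sources:", icmp_flood_sources(SAMPLE))
```

In production the thresholds would be learned from a baseline of normal traffic rather than fixed, which is the point of pairing the behavioral check with the static one.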
Yotam started with Radware as head of the ERT DDoS research lab where he led security research activities and new mitigation technology development. Following that, he transitioned to a product management role as a product manager for DefensePro. Presently, he leads the Radware Security Product Management team and handles Radware’s security portfolio.