Under Attack?
Search
Menu

Darkness (Optima) – DDoS for Hire

By Yotam Ben-EzraMarch 20, 2012

A clear trend in the security scene these days is the change in attacker profile. Computer hacking and DDoS attacks are no longer reserved for the small group of individuals who are familiar with the “bits and bytes” of underlying technologies. Today’s attackers may very well be ordinary computer users.

This is a result of an abundance of tools out there which do not require technical abilities surpassing the normal usage of a program, or simply the supplying of a credit card. A recent example is the Anonymous-OS which has been recently released. This is an Ubuntu- based OS which is pre-installed with all the necessary, and easy to use tools for the novice Anonymous member.

Today, with a quick search one could easily ‘hire’ – or employ – DDoS on any target, as a service. One of the examples is the Darkness (Optima) bot that has become very popular since 2011. This bot was used in DDoS service offerings in various community sites. In fact, we have seen its usage in several recent attacks handled by Radware’s Emergency Response Team (ERT).

The Darkness DDoS bot belongs to a family of DDoS orientated kits which have been competing for DoS paid attacks lately. It is capable of launching TCP, HTTP, and fragmented ICMP floods. All are specifically designed to cause as much damage as possible. The bot also incorporates a password stealer module which sends sensitive data to the command and control machine.

Analysis of the available attacks shows some interesting characteristics. The HTTP vector allows attacking several URL’s at once, thus generating requests specifically for heavy resources on the target web server. The ICMP attack generates a maximum sized ICMP data portion which targets the saturation of the stack’s buffer.

Although they are customizable to some extent, all attacks have some distinct characteristics, which may be deduced from the behavioral patterns they generate in the attacking traffic, specific traffic ordering and content of the traffic generated. You can read a full report on the Darkness bot in the “Radware Technical Notes” found here.

A possible protection strategy against all possible attack vectors of the Darkness bot should include a combination of network and HTTP DDoS protection which is based on behavioral patterns together with static patterns. This combination does a good job of characterizing the attacking traffic in order to analyze and mitigate the DDoS attack.

Posted in: Attack Mitigation Botnets DDoS Attacks SecurityTags:

Yotam Ben-Ezra

Yotam started with Radware as head of the ERT DDoS research lab where he led security research activities and new mitigation technology development. Following that, he transitioned to a product management role as a product manager for DefensePro. Presently, he leads the Radware Security Product Management team and handles Radware’s security portfolio.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Contact Us Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
Close

What are you looking for?