Attack of the Shuriken 2015: Many Hands, Many Weapons
Introduction
• This 2015 installment of our ongoing “Attack of the Shuriken” series profiles some attack tools and tactics that have not received much or any coverage, or have appeared or become popular within the last year
• For full technical details, please visit the ASERT blog: http://bit.ly/1JuCn8R
• This presentation shares a very high-level summary of attack tools and tactics, as researched by the ASERT Threat Intelligence and Response team
vDoS Stresser
• The vDoS service appears to be operated by “P1st” (aka “P1st0”) and “Apple J4ck”, with “Red Sox” and “jeremyfgt” joining the team at a later date
• The service advertises attack capabilities between 20 Gbps and 282.9 Gbps, with a rough average of 10-50 Gbps of traffic per attack
• The service appears to be operating with 5-10 attack servers at any given time
Screenshot from June 2015 showing the attack types advertised
vDoS Stresser login page
vDoS Stresser
Spoofing attacks are a selling point: a guarantee of 10-50 Gbps of SSDP traffic
Screenshot of an SSDP attack in-progress
vDoS Stresser
The operators posted a graph showing an alleged 216 Gbps attack (unconfirmed by ATLAS)
While some of the underground “Server Stress Testing” (SST) services overstate their capabilities, this screenshot of a 90 Gbps attack in progress is real and was confirmed through ATLAS data. While not the largest DDoS attack, this is still a substantial punch to networks that are not prepared.
Alpha Stress Tool
Screenshot of attack types available in the Alpha Stress Tool
• This is a stresser service advertised on a prominent underground forum
• They claim to offer 150 Gbps total attack capacity
Alpha Stress Tool
• This stresser offers a variety of attack options:
– NTP amplification/reflection
– SSYN
– SSDP amplification/reflection
– SOURCE ENGINE
– Team Speak 3
– VENTRILO
– HTTP GET, POST, HEAD
– XMLRPC
– ICMP
– SDROP
– TBD
– HOME
– CHARGEN
– JOOMLA
– ESSYN
– DOMINATE
– DNS
– SUDP
Twbooter2
Twbooter2 UDP reflection/amplification attack
• There is a fairly long history to this tool family, with indicators of the early Twbooter service being available in 2010
• Twbooter2 code leaked to the underground a few years ago, and is still receiving substantial interest, with forum comments on the leaks appearing within the last several weeks as well as active downloads as of June 2015
Packet capture of the first leg of a CHARGEN attack (the spoofed request towards the reflector)
• Twbooter code has been behind many attacks over the last several years and the attack code has been re-used in a variety of forms
• These include outright copying of the source code, as well as modification of the source code to change some aspects of the attack behavior
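Both the Alpha Stress Tool menu above and the Twbooter2 UDP code rely on the same two-leg reflection pattern: spoofed requests towards an open reflector (first leg), then oversized answers towards the victim (second leg). The following detector over NetFlow-style records is an added example written for this page; it is not code from the ASERT presentation or from any booter. The flow records, the local prefix (198.51.100.0/24), the reflector port table and the thresholds are all constructed or assumed for illustration.

```python
"""
Flag both legs of a UDP reflection/amplification attack in flow records.

Added example, not code from the ASERT presentation or from Twbooter2.
The flow records, local prefix, reflector port table and thresholds are
constructed/assumed for illustration.
"""
import ipaddress
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

# Reflector services named in the slides (CHARGEN, NTP, SSDP, Source Engine).
# Which ports to watch is an assumption; extend for your environment.
REFLECTOR_PORTS = {19: "CHARGEN", 123: "NTP", 1900: "SSDP", 27015: "Source Engine"}


class Flow(NamedTuple):
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str
    packets: int
    bytes: int


def spoofed_requests(flows: List[Flow], local_net: str) -> List[Flow]:
    """First leg: requests leaving our network towards a reflector port whose
    source address is not ours. BCP 38 egress filtering should drop these;
    seeing them means a host inside is spoofing the victim's address."""
    net = ipaddress.ip_network(local_net)
    return [
        f for f in flows
        if f.proto == "udp"
        and f.dst_port in REFLECTOR_PORTS
        and ipaddress.ip_address(f.src_ip) not in net
    ]


def reflected_traffic(flows: List[Flow]) -> Dict[Tuple[str, str], dict]:
    """Second leg: answers *from* reflector ports towards a victim, aggregated
    per (victim, service) with the set of distinct reflectors seen."""
    agg = defaultdict(lambda: {"reflectors": set(), "packets": 0, "bytes": 0})
    for f in flows:
        if f.proto != "udp" or f.src_port not in REFLECTOR_PORTS:
            continue
        key = (f.dst_ip, REFLECTOR_PORTS[f.src_port])
        agg[key]["reflectors"].add(f.src_ip)
        agg[key]["packets"] += f.packets
        agg[key]["bytes"] += f.bytes
    return agg


def detect(flows: List[Flow], min_reflectors: int = 3, min_bytes: int = 100_000) -> List[dict]:
    """Alert when one victim receives reflector-port traffic from several
    distinct reflectors. Thresholds are illustrative assumptions."""
    alerts = []
    for (victim, service), st in reflected_traffic(flows).items():
        if len(st["reflectors"]) >= min_reflectors and st["bytes"] >= min_bytes:
            alerts.append({
                "victim": victim,
                "service": service,
                "reflectors": len(st["reflectors"]),
                "bytes": st["bytes"],
                "avg_pkt_bytes": st["bytes"] // st["packets"],
            })
    return sorted(alerts, key=lambda a: a["bytes"], reverse=True)


# Constructed sample: four SSDP reflectors answering one victim, a lone NTP
# reply (below threshold), a legitimate DNS answer, and one first-leg CHARGEN
# request captured on our egress carrying the victim's address as source.
SAMPLE_FLOWS = [
    Flow("192.0.2.11", 1900, "203.0.113.10", 40000, "udp", 5000, 1_600_000),
    Flow("192.0.2.12", 1900, "203.0.113.10", 40000, "udp", 4800, 1_550_000),
    Flow("192.0.2.13", 1900, "203.0.113.10", 40000, "udp", 5100, 1_650_000),
    Flow("192.0.2.14", 1900, "203.0.113.10", 40000, "udp", 4900, 1_580_000),
    Flow("192.0.2.50", 123, "203.0.113.10", 40000, "udp", 10, 4_800),
    Flow("192.0.2.53", 53, "203.0.113.10", 51234, "udp", 2, 300),
    Flow("203.0.113.10", 40000, "192.0.2.19", 19, "udp", 20000, 1_200_000),
]

if __name__ == "__main__":
    for a in detect(SAMPLE_FLOWS):
        print("reflection towards victim:", a)
    for f in spoofed_requests(SAMPLE_FLOWS, "198.51.100.0/24"):
        print("spoofed first leg leaving our network:", f)
```

The first-leg check only works at the edge of the network hosting the attack server, which is why BCP 38 filtering there is the cheap fix; the second-leg check is what a victim or transit operator can run, and the average packet size per service is a useful sanity check against the amplification factor you expect.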
Twbooter2
Twbooter2 ESSYN attack (SYN flood or connection exhaustion attack)
• There are a variety of ESSYN attack implementations available
– Some are simple TCP connection exhaustion
– Others send spoofed TCP traffic to more rapidly fill up firewall state tables and to generate more rapid target downtime
– Others modify TCP flags in an attempt to bypass DDoS defenses
Packet capture of ESSYN attack
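The three ESSYN variants listed above leave different fingerprints in a packet capture: simple connection exhaustion comes from a few real addresses, the spoofed variant shows a new source address on almost every SYN, and the flag-modifying variant emits combinations no real client uses to open a connection. The classifier below is an added example written for this page, not code from the presentation or from Twbooter2; the packet records, the list of odd flag combinations, the thresholds and the verdict labels are constructed assumptions.

```python
"""
Classify SYN-flood style traffic per destination from a packet log.

Added example, not code from the presentation or from Twbooter2. Packet
records, thresholds, odd-flag list and verdict labels are assumptions.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Set


class Pkt(NamedTuple):
    ts: float
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters, e.g. "S", "SA", "A", "SF"; "" is a null packet


# Flag combinations no legitimate client sends when opening a connection; the
# "modified TCP flags" ESSYN variants emit these to slip past filters that only
# watch for bare SYNs. (Assumed list, extend as needed.)
ODD_FLAGS = {frozenset("SF"), frozenset("SR"), frozenset(), frozenset("FPU")}


def per_destination(packets: List[Pkt]) -> Dict[str, dict]:
    """Track handshakes per client 4-tuple and aggregate per destination."""
    pending = {}  # client 4-tuple -> ts of its SYN, removed once the final ACK arrives
    stats = defaultdict(lambda: {"syn": 0, "completed": 0, "half_open": 0,
                                 "sources": set(), "odd_flags": 0})
    for p in packets:
        fl = frozenset(p.flags)
        key = (p.src, p.sport, p.dst, p.dport)
        if fl == frozenset("S"):
            pending[key] = p.ts
            stats[p.dst]["syn"] += 1
            stats[p.dst]["sources"].add(p.src)
        elif fl == frozenset("A") and key in pending:
            del pending[key]  # third step of the handshake arrived
            stats[p.dst]["completed"] += 1
        elif fl in ODD_FLAGS:
            stats[p.dst]["odd_flags"] += 1
    for (_, _, dst, _) in pending:
        stats[dst]["half_open"] += 1  # SYN never followed by the client's ACK
    return stats


def verdict(st: dict, min_syn: int = 20, min_odd: int = 10) -> Set[str]:
    """Heuristic tags for one destination (thresholds are assumptions)."""
    tags = set()
    if st["syn"] >= min_syn and st["half_open"] >= 0.5 * st["syn"]:
        tags.add("syn-flood")
        # Nearly every SYN from a different address: spoofed (ESSYN-style),
        # as opposed to a handful of real hosts filling the connection table.
        if len(st["sources"]) >= 0.8 * st["syn"]:
            tags.add("spoofed-sources")
        else:
            tags.add("connection-exhaustion")
    if st["odd_flags"] >= min_odd:
        tags.add("flag-manipulation")
    return tags


def report(packets: List[Pkt]) -> Dict[str, Set[str]]:
    return {dst: verdict(st) for dst, st in per_destination(packets).items()}


def _handshake(src: str, sport: int, dst: str, t: float) -> List[Pkt]:
    """Constructed legitimate handshake, client side only (SYN, then ACK)."""
    return [Pkt(t, src, sport, dst, 80, "S"), Pkt(t + 0.05, src, sport, dst, 80, "A")]


# Constructed sample traffic covering the three variants plus normal clients.
SAMPLE: List[Pkt] = []
for i in range(50):  # spoofed: 50 SYNs, each from a different address, never completed
    SAMPLE.append(Pkt(1.0 + i * 0.01, f"192.0.2.{i + 1}", 1024 + i, "203.0.113.10", 80, "S"))
for i in range(40):  # exhaustion: 40 SYNs from just two real hosts, never completed
    SAMPLE.append(Pkt(2.0 + i * 0.01, f"198.51.100.{1 + i % 2}", 2000 + i, "203.0.113.20", 80, "S"))
for i in range(5):   # five normal clients completing their handshakes
    SAMPLE.extend(_handshake(f"198.51.100.{10 + i}", 3000 + i, "203.0.113.30", 3.0 + i))
for i in range(12):  # twelve SYN+FIN packets aimed at a fourth host
    SAMPLE.append(Pkt(4.0 + i * 0.01, f"192.0.2.{100 + i}", 4000 + i, "203.0.113.40", 80, "SF"))

if __name__ == "__main__":
    for dst, tags in report(SAMPLE).items():
        print(dst, sorted(tags) or ["normal"])
```

On a real sensor the pending table must be aged out (SYNs older than the server's SYN timeout count as half-open and are dropped from memory), otherwise a sustained spoofed flood turns the detector itself into a state-exhaustion victim, which is exactly the effect the spoofed variant aims at firewalls.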
Twbooter2
Twbooter2 GHP attack (HTTP GET attack through a proxy)
• GHP provides flooding using HTTP GET, HEAD or POST requests (specified on the command line) with the same proxy capabilities as in the slow and RUDY attack code
• The GHP attack types generated between 31.64 Kbps / 219.77 pps and 196 Kbps / 319 pps of attack traffic, depending upon which options were used.
Packet capture of GHP SOCKS4 GET attack
Twbooter2 RUDY (R U Dead Yet) attack
• RUDY is a slow HTTP POST attack targeting Minecraft servers (TCP/25565) or HTTP servers (TCP/80)
Twbooter2
Twbooter2 scloud attack
• Scloud uses code similar to the other UDP-based attacks described here to target a Skype user
• One instance of this attack code generated 35 Mbps / 150 Kpps of traffic
Packet capture of a portion of an scloud attack
Slow attack with SOCKS4 option
• In this case, the “slow” command launches a Slowloris attack
• Similar to the RUDY attack, packets are sent via a list of proxy IPs
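The RUDY and slow (Slowloris) attacks above look nothing like a volumetric flood: each connection is tiny and slow, and because the booter relays through a SOCKS4 proxy list, each proxy appears as a separate client. The server-side audit below over a snapshot of a connection table is an added example written for this page, not code from the presentation or from Twbooter2; the connection records, the header timeout, the minimum body rate and the per-source limit are constructed assumptions.

```python
"""
Spot slow-HTTP (Slowloris / RUDY-style) connections in a snapshot of a
server's connection table.

Added example, not code from the presentation or from Twbooter2. The
connection records and every threshold are constructed assumptions.
"""
from collections import Counter
from typing import List, NamedTuple, Optional


class Conn(NamedTuple):
    src: str
    opened: float                  # epoch seconds when the TCP connection opened
    headers_done: Optional[float]  # when the request header block completed, or None
    method: str
    content_length: int            # declared Content-Length (0 if none)
    body_bytes: int                # request body bytes received so far


def is_slowloris(c: Conn, now: float, header_timeout: float = 30.0) -> bool:
    """Headers still incomplete long after the connection opened."""
    return c.headers_done is None and now - c.opened > header_timeout


def is_rudy(c: Conn, now: float, min_rate: float = 50.0, min_age: float = 10.0) -> bool:
    """POST with a large declared body that is trickling in far too slowly."""
    if c.method != "POST" or c.headers_done is None or c.content_length <= 0:
        return False
    age = now - c.headers_done
    if age < min_age or c.body_bytes >= c.content_length:
        return False
    return c.body_bytes / age < min_rate


def audit(conns: List[Conn], now: float, per_source_limit: int = 5) -> dict:
    """Count suspicious connections overall and per source.

    The per-source view is what a naive limiter keys on. Because the booter
    relays through a proxy list, every proxy shows up as its own source and
    can stay under the limit, so the global totals are the numbers to alarm on.
    """
    per_source = Counter()
    slowloris = rudy = 0
    for c in conns:
        if is_slowloris(c, now):
            slowloris += 1
            per_source[c.src] += 1
        elif is_rudy(c, now):
            rudy += 1
            per_source[c.src] += 1
    over_limit = sorted(s for s, n in per_source.items() if n >= per_source_limit)
    return {"slowloris": slowloris, "rudy": rudy,
            "per_source": dict(per_source), "over_limit": over_limit}


NOW = 1_000_000.0  # constructed snapshot time
SAMPLE_CONNS = (
    # Six connections from one host, headers never finished, open for 90 s.
    [Conn("198.51.100.5", NOW - 90, None, "GET", 0, 0) for _ in range(6)]
    # Three RUDY-style POSTs, each via a different proxy address: 1 MB declared,
    # 300 bytes received in the 60 s since the headers completed.
    + [Conn(f"192.0.2.{i}", NOW - 70, NOW - 60, "POST", 1_000_000, 300) for i in (21, 22, 23)]
    # Normal traffic: a finished GET and a POST uploading at a healthy rate.
    + [Conn("203.0.113.9", NOW - 2, NOW - 1.9, "GET", 0, 0),
       Conn("203.0.113.9", NOW - 20, NOW - 19, "POST", 1_000_000, 800_000)]
)

if __name__ == "__main__":
    print(audit(SAMPLE_CONNS, NOW))
```

In the constructed sample only the Slowloris host trips the per-source limit; the three proxied RUDY connections each count once and would be invisible to a per-client rule, which is why the slow-body check has to be enforced per connection (a header timeout and a minimum body rate in the web server or reverse proxy) rather than per source.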
Questions? [email protected]