Check Point Blog

Storm Kit – Changing the rules of the DDoS attack

Background

Distributed denial of service (DDoS) is one of the most commonly used cybercriminal methods. It’s easy, cheap and difficult to trace, and “service providers” can be found throughout the “dark” Web. As a result, the impact on e-commerce and other online businesses can be tremendous. According to a recent survey by Neustar, a DDoS attack can cost a victim organization anywhere from $10,000 to $50,000 per hour in lost revenue. Depending on the industry, the damage can reach as high as $2 million a day, or more than $100,000 per hour in revenue.

A typical massive DDoS attack involves a large botnet: a network of compromised computers, usually personal endpoints and/or mobile devices that have been infected with malware. The larger the botnet, the larger the attack. The attacker controls the bots from a control panel that displays the existing bots, their online status, and a set of commands that can be delivered to them.

Providing these services requires constant upkeep on the part of the attackers: infecting new machines, maintaining the botnet, and having enough bandwidth to perform a massive DDoS attack.

And then comes the storm…

Check Point researchers Liad Mizrachi & Oded Vanunu have researched the Storm Kit’s functionality and attack methods.

Storm Kit

The Storm DDoS Kit is unique in the DDoS botnet landscape. The first noticeable change is that the attacks are no longer performed by a large number of infected endpoint machines but rather by small yet strong servers (compromised servers and/or rented VPS).

Figure: Server management tab

As a result, Storm Kit is very easy to maintain. The attacker only needs to control a limited number of servers instead of thousands of compromised endpoints, without compromising on the attack capabilities, and there is no need to constantly infect new endpoints to maintain the botnet’s capabilities in terms of attack bandwidth.

These facts make the Storm DDoS Kit the most popular kit among the DDoS community and the weapon of choice among DDoS “providers.”

DDoS Techniques

Storm Kit is a DDoS attack web application that enables the operator to perform large-scale attacks, using common DDoS techniques:

Figure: Attack management tab (UDP attack)

The Storm Kit also enables the operator to initiate amplification attacks by including all the necessary means to conduct these attacks in a simplified way. Amplification is used to increase the traffic volume in an attack and lower the overall costs. Types of amplification attacks include:

Abuse attack

In addition to the use of compromised servers and rented VPS, the Storm panel lets the attacker scan for vulnerable DNS and NTP servers. Once found, the kit automatically adds these servers to the “attacking servers list” and will use them when a suitable attack is launched. This feature enables the attacker to perform large-scale attacks with just the Storm Kit installed; the rest of the botnet machines are vulnerable DNS and NTP servers, which can amplify the attacks generated by the panel.

Figure: DNS vulnerable server scanning screen

The kit is sold in various underground forums with a price tag of $2,500 and a guarantee to achieve up to 300GB/s in flood attacks (using amplification).
Lists of DNS open resolvers and vulnerable NTP servers are also offered for sale.
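
The amplification abuse described above is visible from the side of a DNS or NTP server that is being used as a reflector. The following Python example is added here and is not part of the original post or of any Check Point tool: it aggregates flow records seen at one server and flags clients that receive far more bytes than they sent. The flow tuple layout, the thresholds and all sample records are assumptions constructed for illustration.

```python
from collections import defaultdict

SERVICES = {53: "dns", 123: "ntp"}  # UDP services the article names as amplifiers
RATIO_THRESHOLD = 10.0              # assumed: response/request byte ratio worth flagging
MIN_RESPONSE_BYTES = 100_000        # assumed: ignore low-volume clients

SERVER = "192.0.2.53"               # constructed address of our own DNS/NTP server
# Constructed, aggregated flow records: (src_ip, src_port, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = [
    ("198.51.100.7", 40111, SERVER, 53, 3_200),     # small queries ...
    (SERVER, 53, "198.51.100.7", 40111, 150_000),   # ... very large answers
    ("203.0.113.20", 51000, SERVER, 53, 14_000),    # ordinary resolver client
    (SERVER, 53, "203.0.113.20", 51000, 24_000),
    ("198.51.100.9", 123, SERVER, 123, 2_340),      # NTP requests
    (SERVER, 123, "198.51.100.9", 123, 468_000),    # heavily amplified replies
    ("203.0.113.30", 123, SERVER, 123, 4_800),      # normal time sync, 1:1
    (SERVER, 123, "203.0.113.30", 123, 4_800),
]


def find_reflection_targets(flows, server_ip, ratio=RATIO_THRESHOLD,
                            min_bytes=MIN_RESPONSE_BYTES):
    """Return (client, service, bytes_in, bytes_out, factor) per suspicious client.

    The "client" is the address the requests claim to come from; in a
    reflection attack that address is spoofed and belongs to the victim.
    """
    req, resp = defaultdict(int), defaultdict(int)
    for src, sport, dst, dport, nbytes in flows:
        if dst == server_ip and dport in SERVICES:
            req[(src, dport)] += nbytes
        elif src == server_ip and sport in SERVICES:
            resp[(dst, sport)] += nbytes
    findings = []
    for (client, port), out_bytes in resp.items():
        in_bytes = req.get((client, port), 0)
        # Replies with no recorded request are treated as unbounded amplification.
        factor = out_bytes / in_bytes if in_bytes else float("inf")
        if out_bytes >= min_bytes and factor >= ratio:
            findings.append((client, SERVICES[port], in_bytes, out_bytes,
                             round(factor, 1)))
    return sorted(findings, key=lambda f: f[3], reverse=True)


if __name__ == "__main__":
    for finding in find_reflection_targets(SAMPLE_FLOWS, SERVER):
        print(finding)
```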
