Background
Distributed denial of service (DDoS) is one of the most commonly used cybercriminal methods. It is easy, cheap and difficult to trace, and “service providers” can be found throughout the “dark” Web. As a result, the impact on e-commerce and other online businesses can be tremendous. According to a recent survey by Neustar, a DDoS attack can cost a victim organization anywhere from $10,000 to $50,000 per hour in lost revenue. Depending on the industry, the damage can reach as high as $2 million a day, or more than $100,000 per hour in revenue.
A typical massive DDoS attack involves a large botnet: a network of compromised computers, usually personal endpoints and/or mobile devices that have been infected with malware. The larger the botnet, the larger the attack. The attacker controls the bots from a control panel which displays the existing bots, their online status, and a set of commands that can be delivered to them.
Providing these services requires constant upkeep on the part of the attackers: infecting new machines, maintaining the botnet, and having enough bandwidth to perform a massive DDoS attack.
And then comes the storm…
Check Point researchers Liad Mizrachi and Oded Vanunu have researched the Storm Kit’s functionality and attack methods.
Storm Kit
The Storm DDoS Kit is unique in the DDoS botnet landscape. The first noticeable change is that the attacks are no longer performed by a large number of infected endpoint machines, but by a small number of powerful servers (compromised servers and/or rented VPS).
As a result, Storm Kit is very easy to maintain. The attacker only needs to control a limited number of servers instead of thousands of compromised endpoints, without giving up attack capability, and there is no need to constantly infect new endpoints to keep the botnet’s attack bandwidth up.
These facts make the Storm DDoS Kit the most popular kit among the DDoS community and the weapon of choice among DDoS “providers.”
DDoS Techniques
Storm Kit is a DDoS attack web application which enables the operator to perform large scale attacks, using common DDoS techniques:
- SYN Flood – Sends multiple SYN requests (from legitimate or spoofed IP sources) to “flood” the target’s connection table and prevent other, legitimate users from connecting to the machine. This attack exploits the timeout window of the TCP “three-way handshake”: each half-open connection occupies a table entry until the handshake completes or times out.
- UDP Flood – Sends multiple UDP packets to random ports (from legitimate or spoofed IP sources). The machine tries to process each packet: it checks for an associated service or application, and issues a response (or an ICMP Destination Unreachable packet). The result is that the machine is flooded with UDP packets that consume its resources to the point where it is no longer responsive.
- HTTP Flood – Also known as a Layer 7 attack, this attack targets the application layer (rather than the network stack) of the machine, usually by flooding it with GET/POST requests. The attempt to reply to all these requests ultimately consumes a significant amount of the server’s resources.
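The SYN and UDP floods above leave a recognisable footprint in network flow records: many half-open TCP connections against one host, or UDP traffic fanning out across many destination ports. The following detection heuristics are an added example and are not code from Check Point or from the Storm Kit; the flow-record format, the addresses and the thresholds are constructed assumptions chosen to illustrate the pattern (an HTTP flood needs application-layer logs and is not covered here).

```python
"""Flow-record heuristics for the SYN and UDP floods described above.
Added example, not Check Point's code; the record format, addresses and
thresholds are constructed assumptions."""
from collections import defaultdict
from typing import Dict, List

# Constructed flow records: "proto src:sport dst:dport tcp_flags bytes".
# tcp_flags is the set of flags seen on the flow (S=SYN, A=ACK, F=FIN,
# R=RST); UDP flows carry "-". A TCP flow that only ever shows "S" is a
# half-open connection: the SYN arrived but the handshake never completed.
SAMPLE_FLOWS = [
    # Legitimate, completed web sessions to the target
    "tcp 198.51.100.7:40001 203.0.113.10:80 SAF 5120",
    "tcp 198.51.100.8:40002 203.0.113.10:443 SAF 8192",
    # SYN flood: many half-open flows from many (likely spoofed) sources
    "tcp 192.0.2.11:1025 203.0.113.10:80 S 60",
    "tcp 192.0.2.12:1026 203.0.113.10:80 S 60",
    "tcp 192.0.2.13:1027 203.0.113.10:80 S 60",
    "tcp 192.0.2.14:1028 203.0.113.10:80 S 60",
    "tcp 192.0.2.15:1029 203.0.113.10:80 S 60",
    "tcp 192.0.2.16:1030 203.0.113.10:80 S 60",
    # UDP flood: one host sprays random destination ports on a second target
    "udp 192.0.2.50:53000 203.0.113.20:1111 - 512",
    "udp 192.0.2.50:53000 203.0.113.20:2222 - 512",
    "udp 192.0.2.50:53000 203.0.113.20:3333 - 512",
    "udp 192.0.2.50:53000 203.0.113.20:4444 - 512",
    "udp 192.0.2.50:53000 203.0.113.20:5555 - 512",
    # Normal DNS lookup: a single well-known port, not a spray
    "udp 198.51.100.9:41000 203.0.113.30:53 - 80",
]


def parse_flow(line: str) -> Dict[str, object]:
    """Split one constructed flow record into its fields."""
    proto, src, dst, flags, size = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src": src_ip, "sport": int(src_port),
            "dst": dst_ip, "dport": int(dst_port), "flags": flags,
            "bytes": int(size)}


def detect_syn_flood(lines: List[str], min_half_open: int = 5) -> Dict[str, dict]:
    """Per destination, count half-open TCP flows (SYN seen, no ACK) and the
    distinct sources behind them. A SYN flood shows many half-open flows,
    usually from many sources, against a single host."""
    half_open = defaultdict(set)
    for rec in map(parse_flow, lines):
        if rec["proto"] == "tcp" and "S" in rec["flags"] and "A" not in rec["flags"]:
            half_open[rec["dst"]].add((rec["src"], rec["sport"]))
    return {dst: {"half_open": len(v), "sources": len({s for s, _ in v})}
            for dst, v in half_open.items() if len(v) >= min_half_open}


def detect_udp_flood(lines: List[str], min_ports: int = 5) -> Dict[str, int]:
    """Per destination, count distinct UDP destination ports hit. Legitimate
    UDP services cluster on a few ports; a flood on random ports fans out."""
    ports = defaultdict(set)
    for rec in map(parse_flow, lines):
        if rec["proto"] == "udp":
            ports[rec["dst"]].add(rec["dport"])
    return {dst: len(p) for dst, p in ports.items() if len(p) >= min_ports}


if __name__ == "__main__":
    print("SYN flood suspects:", detect_syn_flood(SAMPLE_FLOWS))
    print("UDP flood suspects:", detect_udp_flood(SAMPLE_FLOWS))
```

In production the thresholds would be set per host from a baseline, and the half-open count would be evaluated over a sliding window so that a slow trickle of abandoned handshakes does not accumulate into a false alarm.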
The Storm Kit also enables the operator to initiate amplification attacks by including all the necessary means to conduct these attacks in a simplified way. Amplification is used to increase the traffic volume in an attack and lower the overall costs. Types of amplification attacks include:
- DNS Amplification – The attacker issues a DNS request that will invoke a large response, and directs the response (using a spoofed source address) to the target IP address. This causes the server to reply to the target address with a large DNS response. Using this technique, the attacker can send a minimal DNS request (less than 100 bytes) and “attack” the target IP with over 4,000 bytes. (The ratio commonly cited in the industry is 70:1.)
- NTP Amplification – This is a form of reflection attack, in which the attacker uses a middle man to reflect the attack traffic onto the target and at the same time amplify the traffic volume. In the specific case of NTP, the attacker can issue the “monitor list” command (get monlist), which sends back the last 600 hosts that connected to the NTP server. With a spoofed IP address, the attacker can trick the server into sending this response to the target IP. The response size in this case depends on the last 600 hosts that connected to the NTP server. The query-to-response ratio is somewhere between 20:1 and 200:1.
- SYN Abuse – In this attack the purpose is not to take down the target web server or cause any disruption to the service. The goal is to overload the administrator with a flood of abuse complaints from different organizations around the world. The attack mode is very simple: the kit sends multiple SYN floods to various large organizations, using the target as the source IP address. This fools the organizations’ administrators into thinking the targeted server attacked them, and results in multiple abuse complaints.
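From the victim’s side, the DNS and NTP reflection attacks described above share one distinguishing property: the large responses arrive from UDP/53 and UDP/123 at hosts that never sent the corresponding request, because the request carried the victim’s spoofed address and left the attacker’s machine. The detector below is an added example, not code from Check Point or from the kit; the flow-record format, the addresses and the protected prefix are constructed assumptions.

```python
"""Victim-side detection of the DNS and NTP reflection traffic described
above: responses from UDP/53 or UDP/123 that reach a protected host which
never sent a matching request. Added example, not Check Point's or the
kit's code; the record format, addresses and protected prefix are
constructed assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, List, NamedTuple, Tuple

REFLECTOR_PORTS = {53: "dns", 123: "ntp"}   # services abused as reflectors
PROTECTED = ip_network("203.0.113.0/24")     # assumed: our own address space


class Flow(NamedTuple):
    direction: str   # "out" leaves PROTECTED, "in" enters it
    src: str
    sport: int
    dst: str
    dport: int
    size: int


# Constructed UDP flow records: "direction src:sport dst:dport bytes".
SAMPLE_FLOWS = [
    # Legitimate: our host asks a resolver, the resolver answers on the same tuple
    "out 203.0.113.10:51000 198.51.100.53:53 70",
    "in  198.51.100.53:53 203.0.113.10:51000 300",
    # Legitimate NTP synchronisation
    "out 203.0.113.10:123 198.51.100.123:123 48",
    "in  198.51.100.123:123 203.0.113.10:123 48",
    # Reflection: large DNS answers from resolvers we never queried
    "in  192.0.2.1:53 203.0.113.20:80 4000",
    "in  192.0.2.2:53 203.0.113.20:80 4000",
    "in  192.0.2.3:53 203.0.113.20:80 3900",
    # Reflection: monlist-sized NTP responses we never requested
    "in  192.0.2.9:123 203.0.113.20:80 4400",
    "in  192.0.2.9:123 203.0.113.20:80 4400",
]


def parse_flow(line: str) -> Flow:
    """Split one constructed flow record into a Flow."""
    direction, src, dst, size = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return Flow(direction, src_ip, int(sport), dst_ip, int(dport), int(size))


def find_unsolicited(lines: List[str]) -> Dict[Tuple[str, str], dict]:
    """Group inbound DNS/NTP responses by (victim, service) when no outbound
    request on the same 4-tuple was seen. Replies to requests our hosts really
    sent are matched and ignored; everything else is reflection candidate
    traffic, reported with packet count, byte volume and distinct reflectors."""
    flows = [parse_flow(line) for line in lines]
    requested = {(f.src, f.sport, f.dst, f.dport)
                 for f in flows
                 if f.direction == "out" and f.dport in REFLECTOR_PORTS}
    hits = defaultdict(lambda: {"packets": 0, "bytes": 0, "reflectors": set()})
    for f in flows:
        if f.direction != "in" or f.sport not in REFLECTOR_PORTS:
            continue
        if ip_address(f.dst) not in PROTECTED:
            continue
        if (f.dst, f.dport, f.src, f.sport) in requested:
            continue  # a reply to a request we actually sent
        entry = hits[(f.dst, REFLECTOR_PORTS[f.sport])]
        entry["packets"] += 1
        entry["bytes"] += f.size
        entry["reflectors"].add(f.src)
    return {k: {**v, "reflectors": sorted(v["reflectors"])} for k, v in hits.items()}


if __name__ == "__main__":
    for (victim, service), info in find_unsolicited(SAMPLE_FLOWS).items():
        print(f"{victim} {service}: {info['packets']} pkts, {info['bytes']} bytes "
              f"from {len(info['reflectors'])} reflector(s)")
```

The byte total per victim is what matters operationally: a handful of unsolicited answers is noise (retransmissions, slow resolvers), whereas thousands of 4 KB responses per second from many reflectors to one host is the signature of the amplification the kit sells.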
In addition to the use of compromised servers and rented VPS, the Storm panel lets the attacker scan for vulnerable DNS and NTP servers. Once found, the kit automatically adds these servers to the “attacking servers list” and uses them when a suitable attack is launched. This feature enables the attacker to perform large scale attacks with just the Storm Kit installed; the rest of the “botnet” consists of vulnerable DNS and NTP servers which amplify the attacks generated by the panel.
The kit is sold in various underground forums with the price tag of $2,500, and a guarantee to achieve up to 300GB/s in flood attacks (using amplification).
Lists of open DNS resolvers and vulnerable NTP servers are also offered for sale.