[Full-disclosure] DDoS attacks via other sites execution tool (DAVOSET)



Hello participants of Full-Disclosure!

Last month I told you about my article "Using of the sites for attacks on
other sites"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
in which I wrote particularly about creating a botnet from zombie-servers
(which is a new type of botnet).

To draw more attention to the problem described in my article, last week I
did additional research and made a program - DDoS attacks via other sites
execution tool (DAVOSET) - to show that these attacks are not just my
assumption, but are quite real and effective enough. I'll tell you briefly
about my latest research and the tool.

DDoS attacks using many other sites as zombie-servers.

To research the effectiveness of these attacks I created a program for
conducting DDoS attacks via other sites, which I called DDoS attacks via
other sites execution tool (DAVOSET). It's a tool for conducting DDoS
attacks via Abuse of Functionality vulnerabilities on sites.

For the research I used 20 zombie-servers - these are 20 online services
which have Abuse of Functionality vulnerabilities and which are located on
10 physical servers (some of these services are located on the same server).
For testing I selected two small sites on two not very high-powered servers
(taking into account the small number of zombie-servers in the botnet).

For the first site: as a result of the attack, the loading time of the main
page of the site grew on average by 21.19% - from 4.72 s to 5.72 s. I.e. the
site slows down for a short time. And this is with only 20 zombie-servers.

The results of DAVOSET's work (for one run) are as follows: time 0:05,
requests 20, bytes sent 3068. I.e. the small amount of traffic used by the
program led to a much bigger amount of traffic at the attacked server. With
cyclic starting of the program (e.g. every 5 seconds) and a larger number
of zombie-servers it's possible to completely block the work of this server.

For the second site: as a result of the attack, the loading time of the main
page of the site grew on average by 1677% - from 2.21 s to 39.28 s (and by
3465% - to 78.80 s in the second test half an hour later). And this is with
only 20 zombie-servers.

The results of DAVOSET's work (for one run) are as follows: time 0:03,
requests 20, bytes sent 3368. Note that the second server, after a few
attacks were started (to calculate the average value), becomes not just very
slow, but freezes completely for almost half an hour. So even a small DDoS
attack with 20 zombie-servers can freeze a server for a long time.

Taking into account how widespread Abuse of Functionality vulnerabilities
are on sites, which allow attacking other sites, and that site admins ignore
this problem, it is a topical one. And taking into account that a network of
these zombie-servers can be created without the spending of resources
(including financial) that occurs in classical botnets, this type of botnet
is very profitable from the financial side. So this method of attack can
become widespread in the short term.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


