[Full-disclosure] DDoS attacks via other sites execution tool (DAVOSET)



Hello participants of Full-Disclosure!

Last month I told you about my article "Using of the sites for attacks on
other sites"
(http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
in which I wrote in particular about creating a botnet from zombie-servers
(which is a new type of botnet).

To draw more attention to the problem described in my article, last week I
did additional research and made a program - DDoS attacks via other sites
execution tool (DAVOSET) - to show that these attacks are not just my
assumption, but are quite real and effective enough. I'll tell you briefly
about my latest research and the tool.

DDoS attacks using many other sites as zombie-servers.

To research the effectiveness of these attacks I created a program for
conducting DDoS attacks via other sites, which I called DDoS attacks via
other sites execution tool (DAVOSET). It's a tool for conducting DDoS
attacks via Abuse of Functionality vulnerabilities on sites.

For the research I used 20 zombie-servers - these are 20 online services
which have Abuse of Functionality vulnerabilities and which are located on
10 physical servers (some of these services are located on the same server).
For testing I selected two small sites on two not very high-powered servers
(taking into account the small number of zombie-servers in the botnet).

For the first site: as a result of the attack the loading time of the main
page of the site grew on average by 21.19% - from 4.72 s. to 5.72 s. I.e. the
site slows down in a short time. And this is with only 20 zombie-servers.

The results of DAVOSET's work (for one run) are as follows: time 0:05,
requests 20, bytes sent 3068. I.e. the small amount of traffic used by the
program led to a much bigger amount of traffic at the attacked server. With
cyclic starting of the program (e.g. every 5 seconds) and a larger number of
zombie-servers it's possible to completely block the work of this server.

For the second site: as a result of the attack the loading time of the main
page of the site grew on average by 1677% - from 2.21 s. to 39.28 s. (and by
3465% - to 78.80 s. in a second test half an hour later). And this is with
only 20 zombie-servers.

The results of DAVOSET's work (for one run) are as follows: time 0:03,
requests 20, bytes sent 3368. Note that the second server, after a few
attacks were started (for calculating the average value), does not just
become very slow, but freezes completely for almost half an hour. So even a
small DDoS attack with 20 zombie-servers can freeze a server for a long time.

Taking into account how widespread Abuse of Functionality vulnerabilities
are on sites, which allow attacks on other sites, and that sites' admins
ignore this problem, it is a topical issue. And taking into account that a
network of these zombie-servers can be created without spending resources
(including financial ones), as occurs in classical botnets, this type of
botnet is very profitable from the financial side. So this method of attack
can become widespread in the short term.

Best wishes & regards,
MustLive
Administrator of Websecurity web site
http://websecurity.com.ua

