Javascript DDoS Tool Analysis

Published: 2012-01-22
Last Updated: 2012-01-23 18:16:34 UTC
by Johannes Ullrich (Version: 1)
4 comment(s)

 

  Last week's denial of service attack agains the Department of Justice (justice.gov), the FBI (fbi.gov) and other sites didn't just rely on Anonymous's favorite tool Low Orbit Ion Canon. Instead, a new method was employed to recruit denial of service clients.

  The new method uses some pretty simple javascript to launch the attack. The folowers are usually requested to visit a particular web page. The page includes a simple form to adjust the denial of service attack parameters but just launches the attack with default parameters as the page is opened in the browser.

  IMPORTANT: The script will start running as soon as the user vists the page. You do not have to press the "fire" button.

  Javascript code retrieving the parameters:

var fireInterval;
var isFiring = false;
var currentTime = new Date()
var lastSuccess = currentTime.getTime();
var requestedCtrNode = document.getElementById("requestedCtr"),
succeededCtrNode = document.getElementById("succeededCtr"),
failedCtrNode = document.getElementById("failedCtr"),
targetURLNode = document.getElementById("targetURL")
...

   an unused part of the code hints at plans to implement a hash table, likely to exploit the recently discussed hashtable denial of service vulnerability

var requestsHT = {}; // requests hash table, may come in handy later

  Originally, I figured the attack may take advantage of XMLHTTPRequest. Instead, the code takes a simpler route. It just changes an image URL to a URL on the attacked page. I suspect that this method is more reliable as it does not require the client to implement XMLHTTPrequest Level 2 or XDomainrequest but should work with pretty much any client.

It will not necessarily retrieve an actual image, but just whatever URL was targeted, followed by an "id" parameter and a "msg" (which is also set by the user). This format should make it pretty easy to filter the attacks at a web application firewall. Even other content sensitive firewalls should be able to deal with this.

Sample weblog:

GET /?id=1327271393334&msg=No%20A%20la%20CENSURA%20EN%20INTERNET%A1%A1%A1 
 HTTP/1.1" 200 8395 

  In order to prevent crashing the browser, the script will limit the number of outstanding requests. The script attempts to send 5,000 requests per second. I tested it directing my requests to a lab web server across a pretty slow VPN connection. It managed to create about 5 requests per second. The referer for the request will be the URL of the attack page. The user's user agent is not altered. 

 Update: Spiderlabs did a nice analysis of this tool, including other "LOIC" variants just about a year ago: blog.spiderlabs.com/2011/01/loic-ddos-analysis-and-detection.html

------
Johannes B. Ullrich, Ph.D.
SANS Technology Institute
Twitter

4 comment(s)

Mailbag - "Attacks"

Published: 2012-01-22
Last Updated: 2012-01-23 05:25:39 UTC
by Lorna Hutcheson (Version: 1)
11 comment(s)

We got an email to the list today that got me to thinking.  Alyce was concerned because of "Attacks" toward her computer that were being logged by the firewall that is part of the locally installed antivirus suite.  Alyce wisely checks the history and logs section on a fairly regular basis but admits to being a novice.  Recently Alyce observed that about every ten minutes the same IP was trying different attacks to gain access to the computer.  As was stated in the email "I know that no one is going to jump through my computer screen, but it is scaring me..."

It is scary to know traffic coming toward your system is not friendly.  The internet is not a safe, nice place where you can leave your computer open and no one will bother it.  However, if you keep your system patched, run antivirus software and have your firewall turned on, you are pretty safe from the externally initiated attacks that are aimed at your system.  Most tools are automated and are looking for home systems with vulnerabilities.  There are far to many open and unprotected system's out there to go after then trying to compromise one that takes effort.

The bigger worry actually comes from what the user at the keyboard is doing.  Currently as I write this, I have to make a decision as to whether I should rebuild my box.  I keep it patched and locked down to what I need.  I don't run as administrator and I run a firewall and antivirus software.  All of this it seems, could not save my computer from one of my kids who got on it to surf around the internet. It appears they have picked up something on their travels as my computer is not running right.  Even through all the lectures of not clicking on every link out there just because Google returned it, the message still did not get through.  The attackers don't have to break in if you open the door for them. 

Trying to teach the user community to be careful of where they go and what they click on seems to be a never ending saga.  How many years have we spent trying to educate the end users?  I have a couple of family members that unintentionally keep creating their own malware zoo on their computers.  No matter how much I try to caution and explain, it obviously isn't getting through.  I'm sure many of you have the same problem and similar users.  The problem is trying to bridge the gap between those who work in the computer world and those who just use it.  So, I would like to compile a simple, best practice list for safe internet travels for the "non computer savvy" home/work user.  If you have any recommendations for best practices/advice for this list, please send them in and I will compile the results.  I'll post the results of this in a diary next week.      

 

Keywords: mailbag
11 comment(s)

Comments


Diary Archives