The bot’s name is IP-Killer, also known as MP-DDoser. First documented earlier this year, IP-Killer is purely a DDoS bot, as it cannot capture passwords or deliver spam by the truckload. Active development since its inception in 2011 has turned this specialty code into what Arbor Networks calls a rapidly improving threat, including a revamped and working version of the famed Apache Killer technique.
Early versions of IP-Killer were flawed. However, since December 2011, the tool has been actively developed and the latest version has corrected all of the previous flaws. In fact, on top of the Slowloris-style of DDoS and generic flooding abilities, Arbor says that the most recent version of IP-Killer supports an ApacheKiller-style of attack.
ApacheKiller, Arbor explains in a blog post, “is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers.”
The first time it appeared in public, ApacheKiller was nothing more than a broken Perl script. Towards the end of 2011, a version of it was incorporated into the Armageddon DDoS bot, but that code was severely flawed. It would seem though, that IP-Killer’s development team sought to fix this.
“Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Arbor’s Jeff Edwards wrote.
“The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”
These developments, as well as the streamlined crypto being used by the bot’s code, make IP-Killer something to watch in the coming months, as it is still under active development.
Arbor’s complete report and research on the bot can be viewed here.
