Security Experts:

Firm Says “itsoknoproblembro” DDoS Toolkit Was Used in Recent Debilitating Cyber Attacks

A series of unusually large and highly sophisticated DDoS attacks that hit various organizations last month appear to have used a highly sophisticated toolkit, Prolexic Technologies said.

A distributed denial of service toolkit called "itsoknoproblembro" was behind some of the largest attacks recently, Prolexic said in a statement on Tuesday. The toolkit is capable of simultaneously attacking various components of a Website's infrastructure and flooding the servers with sustained traffic peaking at 70 Gbps, the company said. Most mitigation providers would struggle to combat DDoS attacks with these characteristics, according to Prolexic.

“What we are experiencing is a dramatic uptick in the size and sophistication of DDoS attacks to a level not previously observed,” said Prolexic CEO Scott Hammack in a statement.

Last month, a number of U.S.-based financial institutions, including Bank of America, JPMorgan Chase, PNC Bank, and others, were suspected of being crippled by powerful distributed denial of service attacks. While not all the institutions have confirmed being hit by DDoS attacks, they all experienced extremely high traffic volumes that affected the availability of their sites within days of each other. Prolexic did not explicitly say the toolkits were used in these banking attacks in the report, but stuck to the vague phrase, "end of quarter" attacks.

Neal Quinn, Prolexic's chief operating officer, and Scott Scholly, president of Prolexic, also declined to clarify the phrase in a conversation with SecurityWeek, citing confidentiality reasons.

Prolexic "does not comment on customers" or what the customers may or may not be seeing, Scholly said.

While the company can't discuss specific identities or incidents, Scholly and Quinn said the itsoknoproblembro toolkit had been behind a number of attacks across a variety of industrial sectors over the past year. The toolkit was not unique to just financial sector attacks, Scholly said.

This tool has been used "in conjunction with sophisticated attack methods" that indicate the attackers are quite familiar with common DDoS mitigation methods, Prolexic said. The toolkit includes multiple infrastructure and application-layer attack vectors, such as SYN floods, that can simultaneously attack multiple destination ports and targets, as well as ICMP, UDP and SSL encrypted attack types, Prolexic said. These attacks often take the form of a large UDP flood targeting DNS infrastructures, according to the company.

It appears that the attacking botnet contains many legitimate IP addresses, which makes it harder to use anti-spoofing mechanisms to block the junk traffic.

The itsoknoproblembro kit doesn't appear to be widely marketed on underground forums at this time, nor has the Prolexic team observed any itsoknoproblembro botnets available for rent, Quinn and Scholly said. While it's possible the tool may become more widely available at a later date, for the time being, all the campaigns launched by itsoknoproblembro appear to have been the work of a small group of attackers, they said.

“The size and sophistication of this threat has created a high-alert within various industries and with good reason,” said Hammack.

The Financial Services Information Sharing and Analysis Center (FS-ISAC) set its Threat Level to “High” on Sept. 19 and the Federal Bureau of Investigation warned about possible attacks targeting financial institutions.

Prolexic has successfully mitigated multiple itsoknoproblembro campaigns throughout the year, Hammock said. Again, the company did not identify any customers.

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.