Security Experts:

Flaws In Dirt Jumper DDoS Attack Tool Let Defenders Fight Back

Researchers have uncovered vulnerabilities in a popular denial of service attack kit that organizations could use to neutralize the attacks impacting their networks.

Researchers from Prolexic, a provider of DDoS protection solutions, have uncovered SQL injection flaws in "Dirt Jumper," a family of attack tools used to launch crippling denial-of-service attacks, according to a Vulnerability Disclosure Report released Wednesday. Just as malware writers exploit coding errors made by application developers to infect the computer with malware or launch debilitating attacks against the network, defenders can now take advantage of these flaws in the malicious software to stop the attacks from reaching the network.

Dirt Jumper DDoS Attack ToolDirt Jumper is one of the toolkits that allow attackers to send commands to a group of computers under his or her control instructing them to launch a distributed denial of service against a target. The master control server decides the type of attack to execute, and the bots follow the instructions.

If exploited, the vulnerabilities uncovered by Prolexic would give organizations control over the master servers and knock them offline, so that the bot armies would cease the attacks, according to the report.

Like other DDoS attack kits, Dirt Jumper is capable of launching various types of attacks and is very easy to operate, Michael Donner, senior vice-president and chief marketing officer of Prolexic, told SecurityWeek. Attack kits aren't just limited to flooding the Web server with requests or using up network bandwidth. They can consume server resources trying to download something or sending exceptionally large requests that take a while for the resource to process.

"Many varieties of these types of tools can be found on hackforums.net, pastebin.com or even advertised via YouTube videos," Donner said.

These kits have also increased the size of attacks, as they can be used to generate large bandwidth (20+Gbps) floods, Donner said. Attacks are also getting shorter, as average attack duration fell from 28.5 hours in first quarter 2012 to 17 hours in the second quarter. "

DDoS attacks are becoming shorter, but more powerful," Donner said.

Originally developed by a person with the name "sokol," there are currently several variants of Dirt Jumper. Other malware authors can purchase a Dirt Jumper builder source code for about $5,000, which can be used to create spin-offs, Prolexic wrote in the report. At the moment, all the various members of the Dirt Jumper family are relying on the command and control Web panel built using PHP and MySQL without major modifications to control the bots, the report found.

"The weakest link within this malware family is the insecure coding practices used in the creation of the C&C panels," Prolexic researchers wrote.

To successfully thwart Dirt Jumper-attacks, defenders need a handful of command-line instructions, the open source penetration testing tool SQLMap, and the actual location of the master server, according to Prolexic. The commands trigger the SQL injection vulnerabilities on the master server to reveal the name of the back-end database and the name of its configuration files. The defender can then use SQLMap to download the MySQL configuration file, which has all the account credentials for the server and database.

The developers made a fairly basic coding mistake, Prolexic researchers found, as Dirt Jumper's check-in file has no input sanitization. In other words, the coders didn't put in logic to check that the entered value does not contain SQL commands.

"It appears that the majority of effort put into developing these DDoS malware kits goes into the builders and binaries," Proxlec wrote.

While developers are using polymorphism and hiding malicious processes from the operating system, they've left behind significant errors that leave the kits vulnerable, according to the report.

Prolexic also highlighted similar coding errors within Pandora, a recent addition to the Dirt Jumper family, which makes it susceptible to SQL injection attacks. Other coding errors cause bots to send broken HTTP requests to the master server.

Additionally, Prolexic released a separate advisory detailing mitigation techniques for Pandora attacks. This variant is capable of launching five different attack types, including a combination DDoS attack that targets both the application and infrastructure layers at the same time. There are claims that Pandora needs just 10 machines to bring down a targeted site.

Related Reading: Security Is Not Just About Defense [Part One]

Fahmida Y. Rashid is a contributing writer for SecurityWeek. She has experience writing and reviewing security, core Internet infrastructure, open source, networking, and storage. Before setting out her journalism shingle, she spent nine years as a help-desk technician, software and Web application developer, network administrator, and technology consultant.