SECURITYWEEK NETWORK:

ICS:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Arbor Networks Warns of Evolving DDoS Threat as Apache Killer Returns

The bot’s name is IP-Killer, also known as MP-DDoser. First documented earlier this year, IP-Killer is purely a DDoS bot, as it cannot capture passwords or deliver spam by the truckload. Active development since its inception in 2011 has turned this specialty code into what Arbor Networks calls a rapidly improving threat, including a revamped and working version of the famed Apache Killer technique.

The bot’s name is IP-Killer, also known as MP-DDoser. First documented earlier this year, IP-Killer is purely a DDoS bot, as it cannot capture passwords or deliver spam by the truckload. Active development since its inception in 2011 has turned this specialty code into what Arbor Networks calls a rapidly improving threat, including a revamped and working version of the famed Apache Killer technique.

Early versions of IP-Killer were flawed. However, since December 2011, the tool has been actively developed and the latest version has corrected all of the previous flaws. In fact, on top of the Slowloris-style of DDoS and generic flooding abilities, Arbor says that the most recent version of IP-Killer supports an ApacheKiller-style of attack.

ApacheKiller, Arbor explains in a blog post, “is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers.”

The first time it appeared in public, ApacheKiller was nothing more than a broken Perl script. Towards the end of 2011, a version of it was incorporated into the Armageddon DDoS bot, but that code was severely flawed. It would seem though, that IP-Killer’s development team sought to fix this.

“Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Arbor’s Jeff Edwards wrote.

“The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

These developments, as well as the streamlined crypto being used by the bot’s code, make IP-Killer something to watch in the coming months, as it is still under active development.

Arbor’s complete report and research on the bot can be viewed here

Advertisement. Scroll to continue reading.
Written By

More from

Latest News

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Virtual Event: Threat Detection and Incident Response Summit
May 21, 2025

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Webinar: Which Security Testing Approach is Right for You?
March 25, 2025

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Tenable has appointed Eric Doerr as its Chief Product Officer.

Michael Adams has joined Docusign as the new Group Vice President and CISO.

Security awareness training firm KnowBe4 has named Bryan Palma as president and CEO effective May 5.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.