Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Arbor Networks Warns of Evolving DDoS Threat as Apache Killer Returns

The bot’s name is IP-Killer, also known as MP-DDoser. First documented earlier this year, IP-Killer is purely a DDoS bot, as it cannot capture passwords or deliver spam by the truckload. Active development since its inception in 2011 has turned this specialty code into what Arbor Networks calls a rapidly improving threat, including a revamped and working version of the famed Apache Killer technique.

The bot’s name is IP-Killer, also known as MP-DDoser. First documented earlier this year, IP-Killer is purely a DDoS bot, as it cannot capture passwords or deliver spam by the truckload. Active development since its inception in 2011 has turned this specialty code into what Arbor Networks calls a rapidly improving threat, including a revamped and working version of the famed Apache Killer technique.

Early versions of IP-Killer were flawed. However, since December 2011, the tool has been actively developed and the latest version has corrected all of the previous flaws. In fact, on top of the Slowloris-style of DDoS and generic flooding abilities, Arbor says that the most recent version of IP-Killer supports an ApacheKiller-style of attack.

ApacheKiller, Arbor explains in a blog post, “is a relatively new (and sophisticated) low-bandwidth technique for inflicting denial-of-service attacks against Apache web servers.”

The first time it appeared in public, ApacheKiller was nothing more than a broken Perl script. Towards the end of 2011, a version of it was incorporated into the Armageddon DDoS bot, but that code was severely flawed. It would seem though, that IP-Killer’s development team sought to fix this.

“Now, we are seeing it show up in MP-DDoser – and a review of the bot’s assembly code indicates that it does indeed appear to be a fully functional, working implementation of the Apache Killer attack,” Arbor’s Jeff Edwards wrote.

“The core of the attack involves the sending of a very long Range HTTP header that is intended to bring web servers (especially Apache) to their knees by forcing them to do a great deal of server-side work in response to a comparatively small request. It is therefore one of the more effective low-bandwidth, ‘asymmetrical’ HTTP attacks at the moment.”

These developments, as well as the streamlined crypto being used by the bot’s code, make IP-Killer something to watch in the coming months, as it is still under active development.

Arbor’s complete report and research on the bot can be viewed here

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Expert Insights

Related Content

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Network Security

NSA publishes guidance to help system administrators identify and mitigate cyber risks associated with transitioning to IPv6.

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Cybersecurity Funding

Forward Networks, a company that provides network security and reliability solutions, has raised $50 million from several investors.

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Cisco patched a high-severity SQL injection vulnerability in Unified Communications Manager (CM) and Unified Communications Manager Session Management Edition (CM SME).

Network Security

Our networks have become atomized which, for starters, means they’re highly dispersed. Not just in terms of the infrastructure – legacy, on-premises, hybrid, multi-cloud,...