
DirtJumper DDoS Toolkit Variant Adds Mitigation Bypass Techniques

Researchers at Arbor Networks have uncovered a new variant of a notorious distributed denial-of-service (DDoS) toolkit that has been bolstered with techniques for bypassing DDoS mitigation defenses.


The new version of the Drive variant of the DirtJumper kit is the first piece of DDoS malware that Arbor Networks has seen that incorporates DDoS mitigation bypass techniques, explained Jason Jones, security research analyst with Arbor Networks’ ASERT team.   

“The attack sends an initial attack packet and then looks for either a Set-Cookie or a Location header and will parse out either the Cookie value or new URL location using those values in the next packet it sends,” blogged Jones. “It will also look for a meta equiv refresh tag, location= or document.location.href inside of the response from the server in an attempt to defeat mitigations using those countermeasures as well.”

“When parsing out the Set-Cookie header, there [are] a lot of convoluted calls to @LStrPos and @LStrLen as it searches for the relevant parts of the cookie value,” he continued. “Once all that is sorted, it will then store the cookie value in the global cookie array for the attack and that cookie value will be available to all subsequent requests sent to the server as part of the attack.”

“The other parsing mechanisms perform similarly with respect to redirects – they store the new location in the global variable so the next time the attack is run it will target the proper path,” he added. “It will also check for the existence of the mitigation options each time a request is sent. While this adds some overhead, it will also ensure that the attack packets have a high chance of getting through.”

After parsing out the appropriate value to bypass, the attack will build a new HTTP request to send and generate a new random User-Agent to be used in the new attack, Jones noted.
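The behaviour described above gives defenders something to key on: a client that presents the cookie or follows the redirect issued by a mitigation challenge, yet arrives with a different User-Agent on every request. The script below is an added example (it is not code from the article or from Arbor's report) that runs that heuristic over constructed web-server log lines; the log format, the challenge cookie name `chal` and the sample IP addresses are assumptions made for the example.

```python
"""Flag clients that pass a cookie challenge but rotate User-Agent per request.

Added example, not from the SecurityWeek article or Arbor's analysis. Assumes
an access-log format of: %h [%t] "%r" %>s "%{User-Agent}i" "%{Cookie}i".
The log lines below are constructed sample data.
"""
from collections import defaultdict
import re

# Constructed sample log: one client rotates User-Agents while replaying the
# challenge cookie 'chal'; the other behaves like a normal browser.
SAMPLE_LOG = """\
203.0.113.7 [10/Aug/2013:12:00:01 +0000] "GET / HTTP/1.1" 302 "Mozilla/5.0 (Windows NT 6.1)" "-"
203.0.113.7 [10/Aug/2013:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 "Opera/9.80 (X11)" "chal=abc123"
203.0.113.7 [10/Aug/2013:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 "Mozilla/4.0 (compatible; MSIE 7.0)" "chal=abc123"
203.0.113.7 [10/Aug/2013:12:00:03 +0000] "GET /index.php HTTP/1.1" 200 "Mozilla/5.0 (Macintosh)" "chal=abc123"
198.51.100.9 [10/Aug/2013:12:00:01 +0000] "GET / HTTP/1.1" 302 "Mozilla/5.0 (X11; Linux)" "-"
198.51.100.9 [10/Aug/2013:12:00:02 +0000] "GET /index.php HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" "chal=def456"
198.51.100.9 [10/Aug/2013:12:00:05 +0000] "GET /about HTTP/1.1" 200 "Mozilla/5.0 (X11; Linux)" "chal=def456"
"""

# Assumed log layout; adjust the pattern to the server's actual LogFormat.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) '
    r'"(?P<ua>[^"]*)" "(?P<cookie>[^"]*)"$'
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def find_suspicious_clients(log_text, cookie_name="chal", max_user_agents=1):
    """Return {ip: set_of_user_agents} for clients that replay the challenge
    cookie while using more than `max_user_agents` distinct User-Agent strings."""
    uas_by_ip = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Only requests that actually carry the challenge cookie are of interest:
        # these are the ones that got past the redirect/cookie mitigation.
        if f"{cookie_name}=" not in rec["cookie"]:
            continue
        uas_by_ip[rec["ip"]].add(rec["ua"])
    return {ip: uas for ip, uas in uas_by_ip.items() if len(uas) > max_user_agents}


if __name__ == "__main__":
    for ip, uas in find_suspicious_clients(SAMPLE_LOG).items():
        print(f"{ip}: {len(uas)} distinct User-Agents behind one challenge cookie")
```

A real browser keeps the same User-Agent for the life of its session, so a single cookie value paired with several User-Agents is a strong signal; on shared egress addresses (NAT, proxies) key the count on the cookie value rather than the IP to avoid lumping separate users together.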

The developers did not stop there, however. The variant also comes with three other new attacks: -icmp, -byte and -long. The -icmp attack sends a standard ICMP echo request towards the target host. The -byte attack appears to be a variant of the -ip and -ip2 attacks in which only one random lowercase alphabetic byte is sent before the socket is closed, instead of the other payloads, Jones explained.


“The -long attack is more interesting and as its name implies, attempts to keep a socket open for a long period of time while also sending a decent amount of data during that time,” Jones blogged. “A random payload is generated, sent and then randomly sleeps for 2 to 6 seconds before executing the send up to 10240 times. It seems unlikely that this attack will succeed for the maximum time as most services will close a socket upon receiving malformed data defined by their service, but it is possible some may not and allow the attack to continue long enough to exhaust available connections.”
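Jones's point that the -long attack only works against services that tolerate malformed data is the mitigation in a nutshell: a server that validates input against its own protocol and enforces an idle deadline releases the socket almost immediately. The model below is an added example (not code from the article or from Arbor) of such a per-connection guard for an assumed line-oriented text protocol; the timeout and line-length limits are assumed values, and the random-payload sender is a constructed test fixture that mimics the send-then-sleep-2-to-6-seconds pattern without touching the network.

```python
"""Per-connection guard against a slow, random-payload socket holder.

Added example, not from the SecurityWeek article or Arbor's report. Assumes a
line-oriented printable-ASCII protocol; limits and timings are assumed values.
"""
import random


class ConnectionGuard:
    """Decides when a server should close a connection based on what it receives."""

    def __init__(self, idle_timeout=10.0, max_line=512, strict=True, opened_at=0.0):
        self.idle_timeout = idle_timeout   # seconds of silence tolerated (assumed)
        self.max_line = max_line           # longest protocol line accepted (assumed)
        self.strict = strict               # close on the first malformed input
        self.buffer = b""
        self.last_seen = opened_at

    def feed(self, chunk, now):
        """Return None to keep the connection, or a reason string to close it."""
        if now - self.last_seen > self.idle_timeout:
            return "idle-timeout"
        self.last_seen = now
        self.buffer += chunk
        if self.strict:
            # A printable-ASCII line protocol never carries control bytes
            # (other than CR/LF) or unbounded lines without a terminator.
            if any((b < 0x20 and b not in b"\r\n") or b > 0x7E for b in self.buffer):
                return "non-printable-bytes"
            if len(self.buffer) > self.max_line and b"\n" not in self.buffer:
                return "line-too-long"
        # Consume complete lines; a real server would dispatch them here.
        while b"\n" in self.buffer:
            _, self.buffer = self.buffer.split(b"\n", 1)
        return None


def held_for(guard, events):
    """Feed (time, chunk) events in order; return (seconds open, close reason)."""
    start = events[0][0]
    for t, chunk in events:
        reason = guard.feed(chunk, t)
        if reason:
            return t - start, reason
    return events[-1][0] - start, "client-closed"


def random_payload_events(seed=1, sends=20):
    """Constructed fixture: random bytes, then a 2-6 second pause, repeated.
    It builds a list of timed chunks only; nothing is sent anywhere."""
    rng = random.Random(seed)
    t, events = 0.0, []
    for _ in range(sends):
        events.append((t, bytes(rng.getrandbits(8) for _ in range(64))))
        t += rng.uniform(2, 6)
    return events


if __name__ == "__main__":
    attack = random_payload_events()
    print("strict guard:", held_for(ConnectionGuard(strict=True), attack))
    print("lenient guard:", held_for(ConnectionGuard(strict=False), attack))
    print("lenient, 1.5s idle:", held_for(ConnectionGuard(strict=False, idle_timeout=1.5), attack))
```

With validation on, the socket is released on the first chunk; with validation off, the attacker's 2-6 second pacing stays under a 10 second idle timeout and the connection survives for the whole run, which is exactly the connection-exhaustion window Jones describes. An idle timeout alone helps only if it is shorter than the attacker's pause, so protocol validation is the more robust of the two controls.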

Security researchers have been tracking DirtJumper for years; its first known detection traces back to January 2009.

“Just as the first version of Drive raised the bar for DirtJumper variants, this version looks to be raising the bar for DDoS malware in general with its purposeful attempts at bypassing mitigations with its new -smart attack,” Jones blogged. “We expect that this is just the first of many pieces of malware to attempt to incorporate these bypass techniques and also expect that Drive will continue to evolve and attempt to improve its techniques for such bypass attacks.”
