DirtJumper DDoS Toolkit Variant Adds Mitigation Bypass Techniques

Researchers at Arbor Networks have uncovered a new variant of a notorious distributed denial-of-service (DDoS) toolkit has been bolstered with new DDoS mitigation defenses.

The new version of the Drive variant of the DirtJumper kit is the first piece of DDoS malware that Arbor Networks has seen that incorporates DDoS mitigation bypass techniques, explained Jason Jones, security research analyst with Arbor Networks’ ASERT team.   

“The attack sends an initial attack packet and then looks for either a Set-Cookie or a Location header and will parse out either the Cookie value or new URL location using those values in the next packet it sends,” blogged Jones. “It will also look for a meta equiv refresh tag, location= or document.location.href inside of the response from the server in an attempt to defeat mitigations using those countermeasures as well.”

“When parsing out the Set-Cookie header, there [are] a lot of convoluted calls to @LStrPos and @LStrLen as it searches for the relevant parts of the cookie value,” he continued. “Once all that is sorted, it will then store the cookie value in the global cookie array for the attack and that cookie value will be available to all subsequent requests sent to the server as part of the attack.”

“The other parsing mechanisms perform similarly with respect to redirects – they store the new location in the global variable so the next time the attack is run it will target the proper path,” he added. “It will also check for the existence of the mitigation options each time a request is sent. While this adds some overhead, it will also ensure that the attack packets have a high chance of getting through.”

After parsing out the appropriate value to bypass, the attack will build a new HTTP request to send and generate a new random User-Agent to be used in the new attack, Jones noted.

The developers did not stop there however. The variant also comes with three other new attacks as well: -icmp, -byte and –long. The –icmp attack sends a standard icmp echo request towards the target host. The byte attack meanwhile appears to be a variant of the –ip and –ip2 attacks where only one random lowercase alpha byte is sent before the socket is closed instead of the other payloads, Jones explained.  

“The -long attack is more interesting and as its name implies, attempts to keep a socket open for a long period of time while also sending a decent amount of data during that time,” Jones blogged. “A random payload is generated, sent and then randomly sleeps for 2 to 6 seconds before executing the send up to 10240 times. It seems unlikely that this attack will succeed for the maximum time as most services will close a socket upon receiving malformed data defined by their service, but it is possible some may not and allow the attack to continue long enough to exhaust available connections.”

Security researchers have been tracking DirtJumper has been around for years, with its first known detection tracing back to January 2009.

“Just as the first version of Drive raised the bar for DirtJumper variants, this version looks to be raising the bar for DDoS malware in general with its purposeful attempts at bypassing mitigations with its new -smart attack,” Jones blogged. “We expect that this is just the first of many pieces of malware to attempt to incorporate these bypass techniques and also expect that Drive will continue to evolve and attempt to improve its techniques for such bypass attacks.”