Flaws In Dirt Jumper DDoS Attack Tool Let Defenders Fight Back

Researchers have uncovered vulnerabilities in a popular denial of service attack kit that organizations could use to neutralize the attacks impacting their networks.

Researchers from Prolexic, a provider of DDoS protection solutions, have uncovered SQL injection flaws in “Dirt Jumper,” a family of attack tools used to launch crippling denial-of-service attacks, according to a Vulnerability Disclosure Report released Wednesday. Just as malware writers exploit coding errors made by application developers to infect the computer with malware or launch debilitating attacks against the network, defenders can now take advantage of these flaws in the malicious software to stop the attacks from reaching the network.

Dirt Jumper is one of the toolkits that allow attackers to send commands to a group of computers under their control, instructing them to launch a distributed denial of service attack against a target. The master control server decides the type of attack to execute, and the bots follow the instructions.

If exploited, the vulnerabilities uncovered by Prolexic would give organizations control over the master servers and knock them offline, so that the bot armies would cease the attacks, according to the report.

Like other DDoS attack kits, Dirt Jumper is capable of launching various types of attacks and is very easy to operate, Michael Donner, senior vice-president and chief marketing officer of Prolexic, told SecurityWeek. Attack kits aren’t just limited to flooding the Web server with requests or using up network bandwidth. They can consume server resources trying to download something or sending exceptionally large requests that take a while for the resource to process.

“Many varieties of these types of tools can be found on, or even advertised via YouTube videos,” Donner said.

These kits have also increased the size of attacks, as they can be used to generate large bandwidth (20+Gbps) floods, Donner said. Attacks are also getting shorter, as average attack duration fell from 28.5 hours in first quarter 2012 to 17 hours in the second quarter. “DDoS attacks are becoming shorter, but more powerful,” Donner said.


Originally developed by a person with the name “sokol,” there are currently several variants of Dirt Jumper. Other malware authors can purchase a Dirt Jumper builder source code for about $5,000, which can be used to create spin-offs, Prolexic wrote in the report. At the moment, all the various members of the Dirt Jumper family are relying on the command and control Web panel built using PHP and MySQL without major modifications to control the bots, the report found.

“The weakest link within this malware family is the insecure coding practices used in the creation of the C&C panels,” Prolexic researchers wrote.

To successfully thwart Dirt Jumper attacks, defenders need a handful of command-line instructions, the open source penetration testing tool SQLMap, and the actual location of the master server, according to Prolexic. The commands trigger the SQL injection vulnerabilities on the master server to reveal the name of the back-end database and the name of its configuration files. The defender can then use SQLMap to download the MySQL configuration file, which contains all the account credentials for the server and database.

The developers made a fairly basic coding mistake, Prolexic researchers found: Dirt Jumper’s check-in file has no input sanitization. In other words, the coders put in no logic to ensure that a value submitted by a bot cannot alter the SQL query it is placed into.
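The coding mistake described above, modelled as an added example that is not Dirt Jumper’s code (the real panel is PHP/MySQL; this stand-in uses Python and an in-memory SQLite table, and the bot table layout, the `bot-NNNN` id format and the check-in values are all constructed assumptions). It places an unsanitized check-in handler beside a hardened one that validates the id against an allowlist pattern and binds it as a query parameter:

```python
import re
import sqlite3

# Constructed in-memory stand-in for a C&C panel's bot table (assumed layout).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE bots (id TEXT PRIMARY KEY, last_seen INTEGER)")
    db.executemany("INSERT INTO bots VALUES (?, ?)",
                   [("bot-0001", 100), ("bot-0002", 200), ("bot-0003", 300)])
    return db

def checkin_vulnerable(db, bot_id):
    """Unsanitized check-in: the bot-supplied id is spliced straight into the SQL text."""
    sql = f"SELECT id FROM bots WHERE id = '{bot_id}'"
    return [row[0] for row in db.execute(sql)]

# Assumed id format for the allowlist check: short, alphanumeric plus hyphen.
BOT_ID_RE = re.compile(r"[A-Za-z0-9-]{1,32}")

def checkin_hardened(db, bot_id):
    """Reject ids outside the allowlist, then bind the value so it is data, never SQL."""
    if not BOT_ID_RE.fullmatch(bot_id):
        return []  # refuse the check-in instead of interpolating the value
    rows = db.execute("SELECT id FROM bots WHERE id = ?", (bot_id,))
    return [row[0] for row in rows]

def demo():
    """Run both handlers on a normal id and on a constructed id containing a quote."""
    db = make_db()
    normal = "bot-0002"
    crafted = "x' OR '1'='1"  # constructed: a quote turns the WHERE clause into a tautology
    return {
        "vuln_normal": checkin_vulnerable(db, normal),    # ["bot-0002"]
        "vuln_crafted": checkin_vulnerable(db, crafted),  # every bot: the query was rewritten
        "hard_normal": checkin_hardened(db, normal),      # ["bot-0002"]
        "hard_crafted": checkin_hardened(db, crafted),    # []: rejected by the allowlist
    }

if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same quote-bearing value that rewrites the unsanitized query is treated as an ordinary string by the parameterized one, which is the whole difference between the panel as shipped and a panel that would have resisted this class of flaw.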

“It appears that the majority of effort put into developing these DDoS malware kits goes into the builders and binaries,” Prolexic wrote.

While developers are using polymorphism and hiding malicious processes from the operating system, they’ve left behind significant errors that leave the kits vulnerable, according to the report.

Prolexic also highlighted similar coding errors within Pandora, a recent addition to the Dirt Jumper family, which makes it susceptible to SQL injection attacks. Other coding errors cause bots to send broken HTTP requests to the master server.

Additionally, Prolexic released a separate advisory detailing mitigation techniques for Pandora attacks. This variant is capable of launching five different attack types, including a combination DDoS attack that targets both the application and infrastructure layers at the same time. There are claims that Pandora needs just 10 machines to bring down a targeted site.
