Sep 27 2013

16-Year Old Arrested Over World’s Biggest Cyber Attack

In March 2013, a distributed denial of service (DDoS) attack of unprecedented ferocity was launched against the servers of Spamhaus, an international non-profit dedicated to battling spam.

The March Spamhaus attack peaked at 300 gigabits per second, Spamhaus CEO Steve Linford told the BBC at the time – the largest ever recorded, with enough force to cause worldwide disruption of the internet.

In April, one suspect was arrested in Spain.

It has now come to light that another suspect was also secretly arrested in April: a London schoolboy.

The 16-year-old was arrested as part of an international dragnet against a suspected organised crime gang, reports the London Evening Standard.

Detectives from the National Cyber Crime Unit detained the unnamed teenager at his home in southwest London.

The newspaper quotes a briefing document on the British investigation, codenamed Operation Rashlike, about the arrest:

“The suspect was found with his computer systems open and logged on to various virtual systems and forums. The subject has a significant amount of money flowing through his bank account. Financial investigators are in the process of restraining monies”.

Officers seized his computers and mobile devices.

The boy’s arrest, by detectives from the National Cyber Crime Unit, followed an international police operation against those suspected of carrying out the massive cyber attack, which slowed down the internet worldwide.

The briefing document says that the DDoS affected services that included the London Internet Exchange.

The boy has been released on bail until later this year, the London Evening Standard reports.

Oct 24 2011

THC SSL DOS Tool Released

THC-SSL-DOS is a tool to verify the performance of SSL.

Establishing a secure SSL connection requires 15x more processing power on the server than on the client.

THC-SSL-DOS exploits this asymmetric property by overloading the server and knocking it off the Internet.

This problem affects all SSL implementations today. Vendors have been aware of it since 2003 and the topic has been widely discussed.

The attack further exploits the SSL secure renegotiation feature to trigger thousands of renegotiations via a single TCP connection.

Windows binary :
Unix Source : thc-ssl-dos-1.4.tar.gz

Use “./configure; make all install” to build.

./thc-ssl-dos 443
Handshakes 0 [0.00 h/s], 0 Conn, 0 Err
Secure Renegotiation support: yes
Handshakes 0 [0.00 h/s], 97 Conn, 0 Err
Handshakes 68 [67.39 h/s], 97 Conn, 0 Err
Handshakes 148 [79.91 h/s], 97 Conn, 0 Err
Handshakes 228 [80.32 h/s], 100 Conn, 0 Err
Handshakes 308 [80.62 h/s], 100 Conn, 0 Err
Handshakes 390 [81.10 h/s], 100 Conn, 0 Err
Handshakes 470 [80.24 h/s], 100 Conn, 0 Err

Comparing Flood DDoS vs. SSL-Exhaustion Attack:
A traditional flood DDoS attack cannot be mounted from a single DSL connection.
This is because the bandwidth of a server is far superior to the bandwidth of a DSL connection: A DSL connection is not an equal opponent to challenge the bandwidth of a server.

This is turned upside down for THC-SSL-DOS: The processing capacity for SSL handshakes is far superior at the client side: A laptop on a DSL connection can challenge a server on a 30Gbit link.

Traditional DDoS attacks based on flooding are suboptimal: servers are prepared to handle large amounts of traffic, and clients are constantly sending requests to the server even when it is not under attack.

The SSL handshake is only done at the beginning of a secure session and only if security is required. Servers are _not_ prepared to handle large numbers of SSL handshakes.

The worst attack scenario is an SSL-Exhaustion attack mounted from thousands of clients (SSL-DDoS).

Tips & Tricks for WhiteHats:
– The average server can do 300 handshakes per second. This would require 10-25% of your laptop's CPU.
– Use multiple hosts (SSL-DOS) if an SSL Accelerator is used.
– Be smart in target acquisition: The HTTPS Port (443) is not always the best choice. Other SSL enabled ports are less likely to use an SSL Accelerator (like the POP3S, SMTPS, … or the secure database port).

Countermeasures:
No real solution exists. The following steps can mitigate (but not solve) the problem:
– Disable SSL renegotiation
– Invest in an SSL accelerator

Either of these countermeasures can be circumvented by modifying THC-SSL-DOS. A better solution is desirable. Somebody should fix this.
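Because neither countermeasure is complete, handshake volume is worth monitoring directly. The following is an added example, not part of the original post or of THC-SSL-DOS: a detector that counts completed handshakes per connection and per source, so the load is visible whether it arrives on one connection or many. The event format, thresholds and sample data are assumptions constructed for illustration.

```python
from collections import defaultdict, deque

# Thresholds are assumptions for illustration; tune against a real baseline.
MAX_HANDSHAKES_PER_CONN = 3   # initial handshake plus a few renegotiations
MAX_SRC_RATE = 10             # handshakes allowed per source within WINDOW
WINDOW = 1.0                  # seconds

def detect(events):
    """events: time-ordered (timestamp, src_ip, conn_id) tuples, one per
    completed TLS handshake (hypothetical log format from a TLS terminator).
    Returns {src_ip: set of alert reasons}."""
    per_conn = defaultdict(int)     # (src, conn) -> handshakes seen
    recent = defaultdict(deque)     # src -> handshake timestamps in WINDOW
    alerts = defaultdict(set)
    for ts, src, conn in events:
        # A legitimate session handshakes once; repeated handshakes on the
        # same connection indicate renegotiation abuse.
        per_conn[(src, conn)] += 1
        if per_conn[(src, conn)] > MAX_HANDSHAKES_PER_CONN:
            alerts[src].add("renegotiation-flood")
        # Sliding-window rate per source, independent of connection count.
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if len(q) > MAX_SRC_RATE:
            alerts[src].add("handshake-rate")
    return dict(alerts)

def sample_events():
    """Constructed sample data: three traffic patterns."""
    ev = []
    # Ordinary client: 4 connections, one handshake each, 2 s apart.
    ev += [(i * 2.0, "192.0.2.10", f"a{i}") for i in range(4)]
    # One connection carrying 40 handshakes at 80 per second.
    ev += [(1.0 + i / 80, "198.51.100.7", "b0") for i in range(40)]
    # Same handshake rate spread over 40 separate connections.
    ev += [(3.0 + i / 80, "203.0.113.9", f"c{i}") for i in range(40)]
    return sorted(ev)

if __name__ == "__main__":
    for src, reasons in sorted(detect(sample_events()).items()):
        print(src, sorted(reasons))
```

The per-source rate check still fires when renegotiation is disabled on the server, which is why it is kept separate from the per-connection count.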

Nov 15 2010

DDOSIM – Layer 7 DDoS Simulator

ddosim is a tool that can be used in a laboratory environment to simulate a distributed denial of service (DDOS) attack against a target server. The test will show the capacity of the server to handle application specific DDOS attacks. ddosim simulates several zombie hosts (having random IP addresses) which create full TCP connections to the target server. After completing the connection, ddosim starts the conversation with the listening application (e.g. HTTP server).

ddosim is written in C++ and runs on Linux. Its current functionalities include:

  • HTTP DDoS with valid requests
  • HTTP DDoS with invalid requests (similar to a DC++ attack)
  • TCP connection flood on random port

In order to simulate such an attack in a lab environment we need to set up a network like this:


Download : ddosim-0.2.tar.gz

More Info :
1) DDOSIM at Sourceforge
2) Application Layer DDoS Simulator