Feeds

Peer-to-peer networks co-opted for DOS attacks

DC++ flaw sees massive data storms

High performance access to file storage

A flaw in the design of a popular peer-to-peer network software has given attackers the ability to create massive denial-of-service attacks that can easily overwhelm corporate websites, a security firm warned last week.

Over the past three months, more than 40 companies have endured attacks emanating from hundreds of thousands of Internet Protocol addresses (IPs), with many of the attacks producing more than a gigabit of junk data every second, according to security solutions provider Prolexic Technologies.

The sheer number of internet addresses has caused problems for routers and firewalls, burying solutions that rely on some form of blacklisting, said Paul Sop, chief technology officer for the firm.

"It's like asking how fast can you bail your boat?" Sop said. "If you stop for a minute you get overwhelmed."

Unlike past attacks, which use tens of thousands of compromised computers to deluge a web server or network with data, the latest attacks came from a collection of computers running peer-to-peer software known as DC++. The software is based on Direct Connect, a protocol which allows the exchange of files between instant messaging clients.

While the file-sharing network is distributed, the directories of where to find certain files resides in a few servers, known as hubs. Older versions of the hub server software have a flaw that allows an attacker to direct clients to get information from another server, said Fredrik Ullner, a developer for the DC++ project and an computer-science undergraduate at Sweden's Lund Institute of Technology. Maliciously redirecting those client results in a large number of computers continuously demanding data from the victim's web server, overwhelming it with requests.

The attacks were used against DC++ own developers and hub directories as early as 2005. The first attacks targeted the project's directory of hubs, known as Hublist.org. Rogue DC++ users had created tools to flood a hub, and when Hublist.org removed the rogue users' servers, the group responded by attacking Hublist.org, Ullner said. The site is no longer accessible. The rogue group also hit DCPP.net, the project's main site, forcing the developers to move to SourceForge.

"These attacks are, unfortunately, getting more common," Ullner stated in an email interview with SecurityFocus.

The technique proved so effective that attackers have turned it on other companies.

In March, companies started seeking out Prolexic to help them stave off some devastating denial-of-service attacks. In many of the attacks, more than 150,000 computers would open a handful of connections each, burying the Web server in a avalanche of network data. The largest attacks seen by the company involved more than 300,000 computers, said Prolexic's Sop.

"We had millions and millions of connections in. We could identify the attacks with zero difficulty but new IPs were hitting us faster than we could block them."

While many of the attacks were part of an extortion attempt - a common way in the past to turn denial-of-service capabilities into cash - about three quarters of the attacks were motivated by industrial espionage, Sop said.

"The amount of money involved is pretty large," Sop said. "If you have a good internet business in Europe, and you can knock out your competitor, why spend money on marketing?"

The firm announced on Wednesday that it had developed a way to defend against the attacks.

A general solution is unlikely to appear from the DC++ project. While the problem has already been fixed in the DC++ hub software, it's hard to force everyone to adopt the fix, said developer Ullner.

"The attackers take advantage of people's reluctance to upgrade."

Moreover, even if all the hub administrators upgraded their systems, the attackers could run their own hubs until they commanded enough DC++ clients to attack a target.

"It's difficult to impossible to restrict this," said Ullner.

This article originally appeared in Security Focus.

Copyright © 2007, SecurityFocus

High performance access to file storage

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
OpenSSL Heartbleed: Bloody nose for open-source bleeding hearts
Bloke behind the cockup says not enough people are helping crucial crypto project
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Call of Duty 'fragged using OpenSSL's Heartbleed exploit'
So it begins ... or maybe not, says one analyst
Experian subsidiary faces MEGA-PROBE for 'selling consumer data to fraudster'
US attorneys general roll up sleeves, snap on gloves
NSA denies it knew about and USED Heartbleed encryption flaw for TWO YEARS
Agency forgets it exists to protect communications, not just spy on them
prev story

Whitepapers

Mainstay ROI - Does application security pay?
In this whitepaper learn how you and your enterprise might benefit from better software security.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Mobile application security study
Download this report to see the alarming realities regarding the sheer number of applications vulnerable to attack, as well as the most common and easily addressable vulnerability errors.