DC++ and DDoS attacks – the full story
Hello, (security) world!
This is my first post on the StormSecurity blog and I am going to talk about a paper I wrote called DC++ and DDoS attacks. This is a rather old subject (2007), but this kind of attack can hit a server at any time, even nowadays, and not many companies out there are prepared to handle it. The paper describes in detail the anatomy of such an attack and also covers a tool I wrote, HubMonitor, that is able to detect the attacker hubs. You can download it from here.
The paper is intended to be a full reference on this topic but I am going to highlight here the most interesting ideas of it.
What is it about?
I believe many of you used or still use the DC++ network to download or upload files. It's not a secret, although most of the time it is not a legal activity. The DC++ network is spread pretty much around the world and there are many people using it. But what they don't know is that they could participate at any time in a devastating DDoS attack against a victim server. The DC++ clients won't know this and they would not care either, but the victim server could easily be shut down because of them.
Why is this still relevant?
Do you know who the persons are that own the DC++ hubs you connect to? Most probably not. So you can't trust them. You can't know whether they will use your DC++ client in a DDoS attack or not. And they COULD do that at any time. You won't know it, but others will suffer.
There are still many unpatched hub servers out there (Verlihub-0.9.8c, Verlihub-0.9.8d-rc1, Ynhub < 1.0306, Ptokax < 0.3.5.2) and others run custom backdoored hub software that can be used at any time to generate a DDoS attack.
Connections hitting the victim:
connections/sec = hub_no * hub_clients * $CTMs/sec
hub_no = number of hubs participating in the attack
hub_clients = average number of clients on each hub
$CTMs/sec = number of $ConnectToMe commands received by each client per second
For a moderately big attack, the variables are:
hub_no ~= 5
hub_clients ~= 5000
$CTMs/sec ~= 1
=> 25,000 connections/sec
How to stop it?
Lots of money is needed to effectively stop such an attack. Because it is an application layer attack, the good solution is a device capable of deep packet inspection, but this is very expensive. There are other ways described in the paper to try to defend against it.
But when you want to find the attacker hubs, there's a real problem: the packets reaching the victim contain no information about them. This is where HubMonitor comes into the picture. The application connects simultaneously to many suspected DC++ hubs and listens for attack packets. When it receives specific packets related to the victim server, it declares the hub an attacker, and legal measures can be taken.
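To make the HubMonitor idea concrete, here is an added example (my own illustration for this post, not HubMonitor's code): it parses a constructed NMDC command stream as a monitoring client would receive it from one hub, picks out the $ConnectToMe commands that steer the client at the victim address, flags the hub when their rate crosses a threshold, and evaluates the connections/sec formula above. The wire format ($ConnectToMe <nick> <ip>:<port>|), the sample addresses and the threshold are assumptions.

```python
import re

# Assumed NMDC wire format: commands are '|'-terminated, and a connection request
# looks like "$ConnectToMe <nick> <ip>:<port>|". The hub tells the client where to connect.
CTM_RE = re.compile(r"^\$ConnectToMe\s+(\S+)\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_commands(stream: str):
    """Split a raw NMDC stream into individual commands (terminator stripped)."""
    return [cmd for cmd in stream.split("|") if cmd]


def expected_rate(hub_no: int, hub_clients: int, ctms_per_sec: float) -> float:
    """Connections hitting the victim: hub_no * hub_clients * $CTMs/sec (formula from the post)."""
    return hub_no * hub_clients * ctms_per_sec


def detect_attack_ctms(stream: str, victim_ip: str, victim_port=None):
    """Return (nick, ip, port) for every $ConnectToMe in `stream` that points at the victim."""
    hits = []
    for cmd in parse_commands(stream):
        m = CTM_RE.match(cmd)
        if not m:
            continue  # $Hello, $HubName, chat lines etc. are not connection requests
        nick, ip, port = m.group(1), m.group(2), int(m.group(3))
        if ip == victim_ip and (victim_port is None or port == victim_port):
            hits.append((nick, ip, port))
    return hits


def classify_hub(hub: str, stream: str, victim_ip: str, window_sec: float, threshold=0.5):
    """Flag `hub` as an attacker when victim-bound CTMs per second reach `threshold`
    (threshold is an assumed tuning value; one CTM/sec per client is the post's estimate)."""
    hits = detect_attack_ctms(stream, victim_ip)
    rate = len(hits) / window_sec
    return {"hub": hub, "victim_ctms": len(hits), "rate": rate, "attacker": rate >= threshold}


# Constructed sample traffic (documentation-range addresses) as seen over a 10-second window.
VICTIM_IP = "203.0.113.10"
ATTACK_STREAM = "".join(
    ["$Hello Monitor|", "$HubName SomeHub|",
     "$ConnectToMe Monitor 192.0.2.55:411|"]          # a normal peer transfer request
    + ["$ConnectToMe Monitor 203.0.113.10:80|"] * 6    # repeated requests aimed at a web server
)
BENIGN_STREAM = "$Hello Monitor|$ConnectToMe Monitor 192.0.2.55:411|$ConnectToMe Monitor 192.0.2.7:412|"

if __name__ == "__main__":
    print(classify_hub("SomeHub", ATTACK_STREAM, VICTIM_IP, window_sec=10))
    print("moderately big attack:", expected_rate(5, 5000, 1), "connections/sec")
```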
Although the number of DDoS attacks generated using the DC++ network has decreased, hacker teams could set up such an attack against a victim server at any time, and the intensity of the attack could easily overwhelm it. HubMonitor is a tool that can be used to find the attacker hubs. You can find more details about it, and about this kind of attack, in my paper.