Imperva: New Generation of DDoS Attack Turns Servers Into Bots
May 2010 by Imperva
Imperva’s Application Defense Center (ADC) has uncovered a new generation of Distributed Denial-of-Service (DDoS) attack that appears to be more powerful, more efficient and less detectable than traditional methods.
What is it?
· A new type of DDoS attack that has currently infected hundreds of web servers
· Unlike traditional DDoS methods that capitalize on bot-infected PCs, the attackers have turned the web servers themselves into payload-throwing bots
How does it work?
Rather than use the server as a means of distributing Denial of Service (DoS) malware to PCs, the attackers infect the servers themselves with a malicious DoS application. Then, using a simple software program with a dashboard and control panel, the hackers configure the IP, port and duration of an attack. They simply insert the URL they wish to attack, click and go. Imperva was able to acquire the source code of this application and has screenshots which show it consisted of just 90 lines of PHP code.
Why is this unique?
Although servers are typically harder to compromise than PCs, by capitalizing on their greater horsepower the hackers create a much more efficient and powerful DDoS tool that uses servers as the attack platform. The volume of the attack is also more easily multiplied by the number of exploited web servers.
Using web servers also makes the attackers even less detectable. Tracebacks typically lead to a lone server at a random hosting company.
What should businesses do?
According to CTO Amichai Shulman, these attacks are ongoing and are not a one-time occurrence. Now that a network of server bots has been created, it will be quite easy for the attackers to ‘rent’ them out or increase their activity. Companies should regularly monitor their Google presence to look for evidence of being compromised.