Prolexic, a provider of distributed denial of service (DDoS) protection services based in Hollywood, Fla., has released detection and mitigation rules, a log analysis tool and a threat advisory on the itsoknoproblembro DDoS toolkit, which the company says has been used in many DDoS attacks on banks of late. In an email interview yesterday, Michael E. Donner, senior vice president of Prolexic, answered some of our questions about the attack toolkit and what banks should do about it.
What is new since you talked about the itsoknoproblembro toolkit in October?
The itsoknoproblembro toolkit has been evolving rapidly. In October, the threat had reached a level of critical mass and was considered damaging enough to issue a public alert. As the toolkit is used to infect more web servers, it is creating an exponentially larger army of brobots to launch future campaigns.
This threat advisory goes beyond that initial alert and provides an analysis of how the toolkit operates, it identifies the scripts that can be found on infected servers, it provides a detection and log analysis tool to help IT staff locate — and more importantly cleanse — infected servers, and lastly it provides mitigation solutions (via SNORT rules) for 11 different attack types. These SNORT rules can be implemented to block these 11 attack variations.
In essence, the threat advisory doesn't just talk about the problem; it provides solutions.
What is a brobot?
A brobot is a web server infected with itsoknoproblembro scripts.
Was itsoknoproblembro used in the large-scale DDoS attacks on banks perpetrated by the Izz ad-Din al-Qassam Cyber Fighters this fall?
Itsoknoproblembro has been used in a significant number of attacks in the financial services sector, some dating back to January 2012. We cannot comment on which people or organizations may be responsible for the attacks. That is for law enforcement to determine.
Does knowing which toolkit was used help law enforcement detect and apprehend the instigators?
One of the interesting aspects of the itsoknoproblembro toolkit is that it doesn't leverage spoofed (fake) IP addresses. So, in theory, that can help law enforcement track down the source of the attacks. But the nature of the toolkit allows infected servers to change roles, either launching the attack, or issuing attack commands to the servers that launch the attack. Plus, it is able to leverage proxy servers so it can launch encrypted attacks. Tracing the source IP can be more difficult than it would seem at first glance.
Are there many other DDoS toolkits like this one, or is this unique?
This is a new type of DDoS toolkit. What really makes it unique is the multi-tiered attack architecture, as well as the sheer power, scale and number of attacks it is capable of launching simultaneously. It's a very effective tool which spreads rapidly and delivers devastating results.
Based on your investigation, what are the behaviors or markers of this type of attack?
First of all, it leverages web servers. Most DDoS attacks use workstations. Secondly, it often infects web servers through known vulnerabilities in a number of popular content management systems such as Joomla and WordPress. Most importantly, it hits hard and fast, targeting the application layer with a mix of POST, GET, TCP and UDP floods (some with proxies). One of the attack scripts, Kamikaze, can repeatedly relaunch GET floods. In-depth details on each attack script we analyzed are provided in the threat advisory.