Popular Dirt Jumper DDoS toolkit riddled with security flaws, research finds

Command & control servers open to attack, says Prolexic

The criminal creators of the hugely popular Dirt Jumper DDoS toolkit appear to have been sloppy with their own security, introducing software vulnerabilities that leave the software's command and control (C&C) servers open to attack, security firm Prolexic has discovered.

Overwhelmingly, the business of DDoS defence is usually about blocking attacks once they start, or finding a conventional route to access the C&C servers on a case-by-case basis, so Prolexic's discovery of flaws in the code itself counts as noteworthy.

Despite Dirt Jumper's well-developed attack features, Prolexic found holes in the simplest part of the program, namely the GUI control panels used to control bots created by it which turned out to be cobbled together using hastily-coded PHP/MySQL scripts.

In Prolexic's words, these proved open to compromise on a number of levels including "weak authentication mechanisms, file inclusion vulnerabilities, directory traversal vulnerabilities, and SQL injections."

Irony of ironies; a criminal toolkit open to a SQL injection flaw in the front end used to control a botnet. Anyone gaining access to the C&C would be able to control what the DDoS software is doing, right down to the bots it controls and its target list. Game over, potentially.

"DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we've turned the tables and exposed crucial weaknesses in their own tools," said Prolexic's CEO, Scott Hammack.

"With this information, it is possible to access the C&C server and stop the attack," Hammack said. "Part of our mission is to clean up the Internet. It is our duty to share this vulnerability with the security community at large."

Importantly, the flaws found by the company affect all versions of the toolkit, which traces its lineage back as far as 2008, including a recent, multi-capable version called 'Pandora'.

Dirt Jumper seems to have overtaken rivals to become one of the most successful DDoS toolkits available on the Russian underground. Nobody knows why this has happened - rivals such as Black Energy and Optima had dominated before its appearance - but it could be down to its features or lively development.

Can attacks be stymied with this new knowledge? Prolexic said it had stopped a small but crafted 27 July Pandora DDoS on the website of security journalist Brian Krebs, which represents a start.

In theory the developers could fix the vulnerabilities spotted by Prolexic and come up with a version immune to interception. That remains a danger but because the source code was made available for Dirt Jumper and the number of different versions that exist, doing that for all of its bots built with it would be a major task at least in the short term.

It may not last but at least researchers can finally say that DDoS has one bad day.

Join the CSO newsletter!

Error: Please check your email address.
Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by John E Dunn

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts