Web server zombies
Every now and then I like to visit black-hat community forums for a number of legitimate reasons. I like to see what the other side is up to: what they are buying and selling, at what price, who they are targeting, the skill level of the attackers, what exploitation techniques they use, and so on. Visiting these underground community forums passively can be a great learning experience.
I had read stories about servers, web servers more specifically, being targeted over personal computers for use in DDoS attacks. Using a server rather than a client as a zombie gives the attackers higher bandwidth, more RAM, CPU and other resources to work with. Servers are generally more secure than clients, as you would expect the people who set them up and manage them to have a greater awareness of the risks involved. Although servers are generally more difficult to compromise, compromising 100 servers may be worth more than compromising 1000 clients.
While browsing a particular black-hat community forum I came across a post by a user who wanted to purchase compromised web servers, with the particular request that the servers should have his supplied PHP script pre-uploaded.
The PHP script was named ‘shell.php’ and contained the following lines:
$rand = rand(1,65000);
$fp = fsockopen('udp://'.$host, $rand, $err, $errstr, 5);
The fsockopen PHP function opens a socket connection to a resource. As you can see from the two lines above, the script uses the UDP protocol (the udp:// prefix) and opens a socket to the target host on a freshly chosen random port each time it runs. This is known as a UDP flood attack. If you imagine hundreds of web servers hosting this script, the attacker could write a simple script on his own machine to send a command to all of them simultaneously. With hundreds of web servers each sending thousands of UDP packets to a victim, it wouldn’t take long for it to go down. The PHP script could be uploaded to the compromised web server in a number of different ways.
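A defender-side check for the pattern above, added here as an example and not code from the original post: a small Python scanner that walks a web root and flags PHP files that open outbound UDP sockets, which is what the quoted shell.php does through fsockopen('udp://...'). The indicator patterns, the list of PHP file extensions and the sample files built in demo() are all constructed for this example.

```python
"""Scan a web root for PHP files that open outbound UDP sockets.

Added example (not code from the original post). The indicator patterns
and the throwaway sample files in demo() are constructed for this example.
"""
import os
import re
import tempfile
from dataclasses import dataclass
from typing import Dict, Iterator, List

# Constructed indicator patterns. "udp_fsockopen" matches the call quoted in
# the post; the next two cover PHP's other ways of opening a UDP socket
# (stream_socket_client with a udp:// URL, socket_create with SOCK_DGRAM).
# "random_port" is only supporting evidence: rand() is common in benign code.
INDICATORS = {
    "udp_fsockopen": re.compile(r"fsockopen\s*\(\s*['\"]udp://", re.I),
    "udp_stream_client": re.compile(r"stream_socket_client\s*\(\s*['\"]udp://", re.I),
    "udp_raw_socket": re.compile(r"socket_create\s*\([^)]*SOCK_DGRAM", re.I),
    "random_port": re.compile(r"\brand\s*\(\s*\d+\s*,\s*\d+\s*\)", re.I),
}
UDP_INDICATORS = {"udp_fsockopen", "udp_stream_client", "udp_raw_socket"}
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".inc")  # constructed list


@dataclass
class Finding:
    path: str
    line_no: int
    indicator: str
    line: str


def scan_php_source(path: str, source: str) -> List[Finding]:
    """Return every indicator hit in one file, with the offending line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in INDICATORS.items():
            if pattern.search(line):
                findings.append(Finding(path, line_no, name, line.strip()))
    return findings


def is_suspicious(findings: List[Finding]) -> bool:
    """A file is flagged only when it actually opens a UDP socket."""
    return any(f.indicator in UDP_INDICATORS for f in findings)


def iter_php_files(root: str) -> Iterator[str]:
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith(PHP_EXTENSIONS):
                yield os.path.join(dirpath, name)


def scan_webroot(root: str) -> Dict[str, List[Finding]]:
    """Map each suspicious file (path relative to root) to its findings."""
    flagged = {}
    for path in iter_php_files(root):
        with open(path, encoding="utf-8", errors="replace") as fh:
            findings = scan_php_source(path, fh.read())
        if is_suspicious(findings):
            flagged[os.path.relpath(path, root).replace(os.sep, "/")] = findings
    return flagged


def demo() -> Dict[str, List[str]]:
    """Build a throwaway web root from constructed files and scan it.
    Returns {relative path: sorted indicator names} for flagged files only."""
    samples = {
        "index.php": "<?php echo 'hello'; ?>\n",
        # benign: uses rand() but never touches the network
        "lib/db.php": "<?php $r = rand(1, 10); $db = new PDO('sqlite::memory:'); ?>\n",
        # the two lines quoted in the post
        "uploads/shell.php": "<?php\n$rand = rand(1,65000);\n"
                             "$fp = fsockopen('udp://'.$host, $rand, $err, $errstr, 5);\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in samples.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return {rel: sorted({f.indicator for f in fs})
                for rel, fs in scan_webroot(root).items()}


if __name__ == "__main__":
    for rel, indicators in demo().items():
        print(f"{rel}: {', '.join(indicators)}")
```

Run it against a real document root with scan_webroot("/var/www") and review each hit by hand; a UDP socket in PHP is unusual enough on a web server that every hit deserves a look, while the random_port indicator on its own is noise.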
Moral of the story?
This confirms what I had previously read: attackers are starting to favor servers over clients as their chosen zombies. Browsing black-hat community forums now and then can be an enlightening exercise. I also ran across some other shenanigans while on the forums which certainly got me thinking.
3 Responses to “Web server zombies”
Gaurav Kumar said...
Nice observation, but do you have any idea how to stop being attacked by DDoS? Any script that would limit UDP requests from clients or servers?
ethicalhack3r said...
I think a good firewall or IDS would do the trick. To be honest though I don’t have much experience in mitigating DDoS attacks.
Mr_Bonkers said...
You could try software, such as (D)DoS-Deflate or a hardware firewall. In my experience, most hosting companies are more than willing to help you get rid of annoying DDoS attacks, so contact them. You could also try using iptables.
In my opinion every network needs to block traffic from leaving their network with a source IP address that is not on their network. This can prevent their network from being used as the base of attack. If all networks did this, then a DDoS attack could never be initiated.
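The two controls the comments above point at, dropping outbound packets whose source address is not the network's own and limiting outbound UDP, as an added Python example that is not code from the post or its commenters. It parses log lines in the iptables LOG target's format (the lines themselves, the 203.0.113.0/24 local prefix, the interface name and the thresholds are constructed for the example), reports sources that are not ours and hosts hitting many distinct UDP destination ports within one second, and renders the matching iptables rules as strings for review rather than applying them.

```python
"""Outbound-traffic checks for a network that may be hosting UDP flood zombies.

Added example, not code from the original post or its commenters. Implements
(1) the rule from the comment above: drop packets leaving with a source IP
that is not ours (BCP 38 style egress filtering), and (2) a heuristic for the
random-destination-port UDP flood the post describes. Log lines follow the
iptables LOG target's format but are constructed here, as are the local
prefix, interface name and thresholds.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed: the address space this network is allowed to originate from.
LOCAL_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Fields of interest in an iptables LOG line; the other fields are skipped.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+)"
    r" .*?PROTO=(?P<proto>\w+)(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_log(lines):
    """One dict per parsable line; unrelated kernel messages are skipped."""
    return [m.groupdict() for m in map(LOG_RE.search, lines) if m]


def is_local_source(src, prefixes=LOCAL_PREFIXES):
    """True if src is inside one of our prefixes, i.e. what egress filtering permits."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def find_spoofed(records, prefixes=LOCAL_PREFIXES):
    """Source addresses seen leaving the network that are not ours."""
    return sorted({r["src"] for r in records if not is_local_source(r["src"], prefixes)})


def find_udp_floods(records, min_ports=20):
    """(src, dst, second) groups hitting at least min_ports distinct UDP
    destination ports in one second: the fingerprint of rand(1,65000) fed to
    fsockopen in a loop. Legitimate clients talk to a handful of ports."""
    ports = defaultdict(set)
    for r in records:
        if r["proto"] == "UDP" and r["dpt"]:
            ports[(r["src"], r["dst"], r["ts"])].add(int(r["dpt"]))
    return {key: len(p) for key, p in ports.items() if len(p) >= min_ports}


def egress_rules(prefixes=LOCAL_PREFIXES, iface="eth0", udp_pps=50):
    """Render iptables rules for a gateway as strings for review; applying
    them is left to the operator. EGRESS drops anything forwarded out of
    iface whose source is not ours; hashlimit caps outbound UDP per source."""
    rules = ["iptables -N EGRESS"]
    rules += [f"iptables -A EGRESS -s {net} -j RETURN" for net in prefixes]
    rules += [
        "iptables -A EGRESS -j DROP",
        f"iptables -A FORWARD -o {iface} -j EGRESS",
        f"iptables -A FORWARD -o {iface} -p udp -m hashlimit --hashlimit-upto {udp_pps}/second"
        " --hashlimit-mode srcip --hashlimit-name udpout -j ACCEPT",
        f"iptables -A FORWARD -o {iface} -p udp -j DROP",
    ]
    return rules


def constructed_log():
    """Constructed iptables LOG lines: one benign DNS query, one packet with a
    spoofed source, a 25-packet burst to random ports, and an unrelated line."""
    fmt = ("{ts} gw kernel: [ 42.0] EGRESS IN=eth1 OUT=eth0 SRC={src} DST={dst} "
           "LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=UDP SPT={spt} DPT={dpt} LEN=40")
    lines = [
        fmt.format(ts="Jan  1 00:00:01", src="203.0.113.10", dst="203.0.113.2", spt=40000, dpt=53),
        fmt.format(ts="Jan  1 00:00:01", src="192.0.2.77", dst="198.51.100.5", spt=40001, dpt=53),
    ]
    for i in range(25):  # 25 distinct destination ports within the same second
        lines.append(fmt.format(ts="Jan  1 00:00:02", src="203.0.113.10",
                                dst="198.51.100.5", spt=40002, dpt=1 + (i * 2654) % 65000))
    lines.append("Jan  1 00:00:03 gw kernel: [ 43.0] eth0: link is up")
    return lines


def analyze(lines, prefixes=LOCAL_PREFIXES, min_ports=20):
    records = parse_log(lines)
    return {"spoofed": find_spoofed(records, prefixes),
            "floods": find_udp_floods(records, min_ports)}


if __name__ == "__main__":
    print(analyze(constructed_log()))
    print("\n".join(egress_rules()))
```

The flood heuristic keys on distinct destination ports per second rather than raw packet count, because that is what separates the rand(1,65000) loop from a busy but legitimate UDP service such as DNS; tune min_ports against a few days of your own logs before alerting on it. The hashlimit rule counts per source address, so one compromised host hitting the cap does not starve its neighbours' UDP.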