Specialists disclose holes in DDoS attack toolkit
The command and control (C&C) servers of the Dirt Jumper DDoS toolkit can be compromised and, in principle, completely taken over via SQL injection holes. The vulnerabilities were disclosed by Prolexic, a company that specialises in protecting systems against distributed denial-of-service (DDoS) attacks.
Prolexic discovered various places in the PHP functions of the toolkit, which is being sold on the black market, that accept parameters for MySQL database queries without filtering them. These can be tracked down with open source tools such as SQLmap and then used to display the content of the PHP config file. This file contains plaintext access data that could, for example, be used to log into the DDoS toolkit's web frontend as an administrator. Prolexic describes the required commands in detail; however, using them to access a third-party server is potentially a criminal offence in itself.
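The class of defect described above, a request parameter passed straight into a MySQL query, is easiest to understand next to its fix. The following is an added illustration, not code from the Dirt Jumper toolkit or from Prolexic's report; the table `bots`, its columns, the `$pdo` handle and the helper names are all assumptions made for the example.

```php
<?php
// Added example, not from the toolkit or from Prolexic's report.
// Assumed for illustration: a MySQL table `bots` (id, ip, last_seen)
// reached through a PDO connection $pdo.

// Pattern (a): the defect the report describes. The request parameter is
// concatenated into the SQL text, so the input can change the structure of
// the query itself; that is what SQL injection means.
function findBotUnsafe(PDO $pdo, string $ip): array {
    $sql = "SELECT id, ip, last_seen FROM bots WHERE ip = '" . $ip . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern (b): the fix. The SQL text is fixed when the statement is prepared
// and the value travels separately as a bound parameter, so no input can
// alter the query.
function findBotSafe(PDO $pdo, string $ip): array {
    $stmt = $pdo->prepare("SELECT id, ip, last_seen FROM bots WHERE ip = :ip");
    $stmt->execute([':ip' => $ip]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Defence in depth: a value with a known shape is validated before it gets
// anywhere near the database (here, an IPv4 address).
function isValidIpv4(string $ip): bool {
    return filter_var($ip, FILTER_VALIDATE_IP, FILTER_FLAG_IPV4) !== false;
}

// Connection setup: disable emulated prepares so the MySQL server, not the
// client driver, separates query text from parameters, and make errors
// throw instead of silently returning false.
function connect(string $dsn, string $user, string $pass): PDO {
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_EMULATE_PREPARES => false,
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    ]);
}

// Typical request handling with both layers applied.
function handleLookup(PDO $pdo, array $request): array {
    $ip = $request['ip'] ?? '';
    if (!isValidIpv4($ip)) {
        return ['error' => 'invalid address'];
    }
    return findBotSafe($pdo, $ip);
}
```

The point of the second layer is not that prepared statements are insufficient on their own, but that rejecting malformed input early keeps probing attempts (of the kind a tool such as SQLmap generates) out of the database layer entirely and makes them visible in the application's own logs.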
This would be of little use to those who are the target of an acute DDoS attack, because the C&C server is not involved in the attacks themselves and doesn't show up in the targeted server's log files. It only controls the activities of the drone systems. To get to the C&C server it would be necessary to gain control of one of the drones and analyse its communication with the server, which can prove to be quite difficult in practice. It is possible that Prolexic was grappling with this very problem yesterday – after the release of its "Vulnerability Disclosure Report", which is available for free but requires users to register, the company's web site became temporarily unavailable.