Prolexic releases itsnoproblembro mitigation tools
The sophisticated multi-level DDoS toolkit has been plaguing the US banking industry
DDoS protection services expert Prolexic, has released a suite of detection and mitigation rules, a log analysis tool and a comprehensive threat advisory on the itsoknoproblembro DDoS toolkit.
The effective, multi-level threat called itsoknoproblembro has been the favoured weapon in headline-making DDoS attacks against the US banking industry.
"Our security experts have successfully mitigated this threat multiple times, in tense, real-time digital battles," said Prolexic chief executive officer Scott Hammack. "This toolkit, which was dangerous to begin with, has been evolving rapidly over the past year, and has been increasingly used in coordinated campaigns targeting specific industries. The December attacks against the banking industry represented the fourth documented campaign against finance companies; we've also documented smaller campaigns against the energy and hosting provider industries."
Hackers use the toolkit to target known vulnerabilities in web content management systems, including Joomla and WordPress, to infect web servers with malicious PHP scripts. The toolkit then leverages a unique, two-tier command mode that can launch multiple high-bandwidth attack types simultaneously, according to Prolexic. Some of these attacks have peaked at 70 Gbps and more than 30 million pps, a magnitude of traffic that demonstrably overwhelms most network infrastructures.
"Given the chatter in the hacker underground, we expect these itsoknoproblembro DDoS campaigns will continue to grow in frequency," Hammack said. "We want to support the security community by sharing our knowledge, so we can help eradicate this threat and remove these malicious scripts from infected machines before they do even more damage."
The Prolexic Security Engineering & Response Team (PLXsert) first issued a public warning about itsoknoproblembro in October.
The threat advisory issued by Prolexic profiles 11 different attack signatures and provides detailed SNORT rules for DDoS mitigation. The attack vectors include POST, GET, TCP and UDP floods, with and without proxies, including a so-called Kamikaze GET flood script that can repeatedly relaunch automated attacks.
Additionally, PLXsert published a set of detection rules to identify infected web servers (bRobots), along with a free log analysis tool that can be used to pinpoint which scripts were accessed, by what IP address and for what DDoS targets. Armed with this information, the infected servers can be sanitised, preventing them from being used in subsequent itsoknoproblembro campaigns.
"The nature of these threats requires the cooperation of everyone in the network protection community to work together," Hammack said. "Working with our fellow engineers and researchers, we will continue to provide free updates of this log analysis tool and encourage users to share their logs of compromised servers for continued analysis and refinement."