Vulnerability Development mailing list archives

Re: BackOrifice == DDoS Server???


From: Ryan () EEYE COM (Ryan Permeh)
Date: Fri, 30 Jun 2000 09:06:36 -0700


Actually, such a tool already exists for bo2k, and is available as a plugin.
It is a simple proof of concept, and is not as "powerful" as some of the
more widely available ddos tools, simply because bo2k does not feature
distributed computing capability.  I was playing with this, but the obstacles
are too great (time and testbed, mostly) to getting that complete.  The ddos
plugin is a UDP flooder (simple socket loop) that does not hide the source
address, does not spoof, and is not very sneaky.  However, it was easily
able to fill a 10 megabyte segment.  I added some lysine features to make it
easily spottable and stoppable (i.e. you can't spoof, you can't shut it off
once it was on, lack of distributed attack features); however, the concept
of this type of attack is not new.

I don't have the source/dist handy for this anymore, but I'm certain it's
still floating around (check the bo2k mailing list for more information).

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Masial" <mrousseau () SECURED ORG>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, June 29, 2000 10:41 PM
Subject: Re: BackOrifice == DDoS Server???

Just raising some questions...

-----Original Message-----
From: John Swensson
[snip]
could put out a large flood. The largest drone list I have encountered
wasn't more than 50, all of them on win9x (BackOrifice doesn't run on NT).
BO2k does, but I have never seen it used for such.

The idea of a DDoS plugin is scary. Does that RCR plugin exist for BO2K?
Or are plugins compatible between BO and BO2K?

-----Original Message-----
From: Bluefish
[snip]
BO is written to serve dual purposes (to be used and abused). That, added
to its bad security (two of the cryptographic plugins were broken due to a
flawed MD5 implementation, and because it was written to serve dual
purposes, no one has bothered to analyse the security of it) suggests that
it now is only useful for abuse... Given how weak the original
cryptographic modules were (same key always - MD5 gave a static response),
it would seem the authors didn't bother to investigate the security of it.

Would you also know if the encryption plugins for BO2K are also flawed?
They come in various flavors.

Serpent Encryption
Blowfish Encryption
CAST-256 Encryption
IDEA Encryption
RC6 Encryption

I think surely there should be reasons to worry if the RCR plugin (or
another DDoS plugin) runs on BO2K and if the BO2K code is actually cleaner
than the original BO code, with working crypto and all. Think about a
smart-replication plugin that would eMail a copy of itself along with some
cute-looking executable on your HD to some of your friends if the date
is... say a multiple of 7? Or propagate slowly via shared folders and files;
one might be able to achieve a network of far more than 50 machines...

There also comes the question of traceability: how easily can someone trace
back to the 'master' of the DDoS if that attack was organised via BO?
Aside from the "wait for teen to brag and sacrifice him" technique.

But is this more dangerous than the original DDoS networks (trinoo,
shambralsumtin et al)?

I'm not sure.


M.
Secured Industries
Why fear the unknown?
22E2 812A 50AA DC3B 107D 60E2 9998 959E 10E3 6031