Vulnerability Development mailing list archives
Re: BackOrifice == DDoS Server???
From: Ryan () EEYE COM (Ryan Permeh)
Date: Fri, 30 Jun 2000 09:06:36 -0700
Actually, such a tool already exists for BO2K, and is available as a plugin. It is a simple proof of concept, and is not as "powerful" as some of the more widely available DDoS tools, simply because BO2K does not feature distributed computing capability. I was playing with this, but the obstacles are too great (time and testbed, mostly) to getting that complete. The DDoS plugin is a UDP flooder (simple socket loop) that does not hide the source address, does not spoof, and is not very sneaky. However, it was easily able to fill a 10 megabyte segment. I added some lysine features to make it easily spottable and stoppable (i.e. you can't spoof, you can't shut it off once it was on, lack of distributed attack features); however, the concept of this type of attack is not new. I don't have the source/dist handy for this anymore, but I'm certain it's still floating around (check the BO2K mailing list for more information).

Signed,
Ryan
eEye Digital Security Team
http://www.eEye.com

----- Original Message -----
From: "Masial" <mrousseau () SECURED ORG>
To: <VULN-DEV () SECURITYFOCUS COM>
Sent: Thursday, June 29, 2000 10:41 PM
Subject: Re: BackOrifice == DDoS Server???
Just raising some questions...

-----Original Message-----
From: John Swensson
[snip]
could put out a large flood. The largest drone list I have encountered wasn't more than 50, all of them on Win9x (BackOrifice doesn't run on NT).

BO2K does, but I have never seen it used for such. The idea of a DDoS plugin is scary. Does that RCR plugin exist for BO2K? Or are plugins compatible between BO and BO2K?

-----Original Message-----
From: Bluefish
[snip]
BO is written to serve dual purposes (to be used and abused). That, added to its bad security (two of the cryptographic plugins were broken due to a flawed MD5 implementation, and because it was written to serve dual purposes, no one has bothered to analyse the security of it), suggests that it now only is useful for abuse..... Given how weak the original cryptographic modules were (same key always - MD5 gave a static response) it would seem the authors didn't bother to investigate the security of it.

Would you also know if the encryption plugins for BO2K are also flawed? They come in various flavors:
Serpent Encryption
Blowfish Encryption
CAST-256 Encryption
IDEA Encryption
RC6 Encryption

I think surely there should be reasons to worry if the RCR plugin (or another DDoS plugin) runs on BO2K and if the BO2K code is actually cleaner than the original BO code, with working crypto and all. Think about a smart-replication plugin that would eMail a copy of itself along with some cute looking executable on your HD to some of your friends if the date is... say a multiple of 7? Or propagate slowly via shared folders and files; one might be able to achieve a network of far more than 50 machines... There also comes the question of traceability: how easily can someone trace back to the 'master' of the DDoS if that attack was organised via BO? Aside from the "wait for teen to brag and sacrifice him" technique. But is this more dangerous than the original DDoS networks (trinoo, shambralsumtin et al)? I'm not sure.

M.
Secured Industries
Why fear the unknown?
22E2 812A 50AA DC3B 107D 60E2 9998 959E 10E3 6031
Current thread:
- Re: BackOrifice == DDoS Server??? Ex Machina (Jun 30)
- Re: BackOrifice == DDoS Server??? Bluefish (Jul 01)
- <Possible follow-ups>
- Re: BackOrifice == DDoS Server??? Ryan Permeh (Jun 30)
- Re: BackOrifice == DDoS Server??? Bluefish (Jul 01)
- Re: BackOrifice == DDoS Server??? Brooke, O'Neil (Jul 05)