[WEB SECURITY] [Full-disclosure] DDoS attacks via other sites execution tool

psy root at lordepsylon.net
Wed Jul 24 23:22:27 EDT 2013


On 18/07/13 22:55, MustLive wrote:
> Hello psy!

hey MustLive!

> I'm glad that you liked DOVOSET. And I'm glad that you liked my articles,
> including those old articles about attacks via redirectors (Redirectors'
> hell and Hellfire for redirectors).

Thanks. Of course I like them. This kind of web abuse is a possible
vector than can be very effective if is good conducted and is present in
a lot of place over the Internet. Also, it is not very easy to filter it
so, has a lot of points to review for new attacking researching ways.
Congrats again!

> Such attacks can be used together with XSS holes. So it can be useful for
> your tool. Specially for using with your UFONet - to use XSS holes with
> looped redirectors to conduct more powerful DDoS attacks - I released
> advisory about Denial of Service vulnerabilities WordPress at 27.06.2013.
> Any redirector at any web site or any redirector service can be used with
> XSS vulnerabilities to conduct DDoS attack via UFONet.

XSSer (http://xsser.sf.net) has some DoS features implemented; client
DoS (for reflected XSS) and server side DoS (for persistent XSS). Idea
for UFONet is try to unify that features, add a simple test to discover
on a target posible vectores, and try to add them to a list of
"zombies". More or less, try to simplify (be specific) a DDoS attack
using XSS payloads.

>> Curiously, I posted a tool written in python the same day. It is called:
>> UFONet
> 
> I made my tool already in 2010. That time I made an announcement of the
> tool, where I described DAVOSET and its effectiveness, but didn't release
> the tool. I made it private and gave it only to one security researcher,
> who
> wanted to look at it. I didn't want to give such kind of attacking tool to
> script kiddies (to prevent mass attacks, because there were a lot such
> Abuse
> of Functionality vulnerabilities in Internet, since 2007 when I start
> finding them and presented in zombies-lists with my tool). But because for
> three years people continue to ignore such holes and almost nobody fixed
> such holes (just few most serious ones, and even Yahoo lamerly ignored
> for a
> long time such hole in their Babelfish and in 2012 just lamerly closed it),
> so I decided to release it publicly in June 2013.

Don't think about "kidding" possible uses. Just try to put more near
some features to try to advance in other fields. Like I told you, I
published that tool this day, but idea borns like a module of XSSer just
on same time like you (arround 2009/2010).

Btw, is interesting to put both tools on public to try to unify a bit
some researching processes. For example, UFONet (with GPL license) now
evades cache on clients, that probably, can be a usefull feature for
future DAVOSET releases.

>> My idea now, is to work the detection of new 'zombies' by crawlering
>> techniques and increase the "strike" capability requests.
> 
> Good ideas. But concerning automated searching XSS holes by crawlering.
> It'll be already XSS scanner, not just attacking tool for using existent
> vulnerabilities, and it'll give a lot of power to an attacker. No need for
> him to find XSS holes, your tool will do everything for him ;-). Just enter
> target site and UFONet will do all the work (find a lot of zombies and
> attack the target with all of them), so be careful with such functionality.

Hehehe. Yes, I know, but you know, always trying to be more near of the
"big red button". Strategically, I think that this kind of crawlering
processes can be nice to obtain more possible "zombies". A positive
attack needs minumun a hundred of them.

On testing tasks, I tryed some attacks against a ngnix web server with
the list that you provide on DAVOSET, plus a list that some people
interesting did on a piratepad, and it was not to much effective, at
start. After some attempts, we tryed the attack coordinate from
different machines and using this "big" list that we recopile and target
loading time was considerably reduced. Not "Dosed"... By the way,
probably "old" web server configurations cannot resists the attack
scenario proposed.

>> I have seen that your tool doesn't allows the use of proxies. It may be
>> interesting to add that functionality.
> 
> Thanks for suggestion. I've added it to ToDo - in addition to all my ideas
> (which I have a lot). The reason, why I've not done it earlier and was
> not planning, is simple - DAVOSET is using other sites as proxies for
> conducting DoS attacks. So target sites after received DDoS attacks from
> multiple zombie sites will be seeing in logs only Google, W3C and other
> sites/IPs. So proxying is part of attack :-). But for paranoids, who worry
> that admins on zombie-sites will give their logs to admins of victim-sites
> (or not admins, but special services), then additional proxy will be good
> solution (and I'll add proxy support in the future).

Yeah :-)

>> + Video: http://vimeo.com/68772290
> 
> I've seen your video. And I wrote you feedback about video and some
> feedback
> about UFONet last month. And will write more feedback soon.
> 
> Keep working on your software. Concerning your release of v.0.2. Think
> about making more detailed changelog (not just mention concerning
> release of new version, but with detailed description of changes).

Yes. But as you know, actually I am involved in some "social-physical"
projects. I will try to propose a "hackaton" on summer to try to advance
UFOnet 0.3 roadmap.

I will be glad if you can participate with some suggestions.

> Best wishes & regards,

Keep strong!! ;-)

> MustLive
> Administrator of Websecurity web site
> http://websecurity.com.ua
> 
> ----- Original Message ----- From: "psy" <root at lordepsylon.net>
> To: "MustLive" <mustlive at websecurity.com.ua>
> Cc: <full-disclosure at lists.grok.org.uk>; <websecurity at lists.webappsec.org>
> Sent: Wednesday, June 19, 2013 10:25 PM
> Subject: Re: [Full-disclosure] DDoS attacks via other sites execution tool
> 
> 
>> Hi,
>>
>> On 18/06/13 22:50, MustLive wrote:
>>> Hello participants of Mailing List.
>>>
>>> If you haven't read my article (written in 2010 and last week I wrote
>>> about
>>> it to WASC list) Advantages of attacks on sites with using other sites
>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2013-June/008846.html),
>>>
>>>
>>> feel free to do it. In this article I reminded you about using of the
>>> sites
>>> for attacks on other sites
>>> (http://lists.grok.org.uk/pipermail/full-disclosure/2010-June/075384.html),
>>>
>>> DDoS attacks via other sites execution tool (DAVOSET)
>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006832.html),
>>>
>>>
>>> sending spam via sites and creating spam-botnets
>>> (http://lists.webappsec.org/pipermail/websecurity_lists.webappsec.org/2010-July/006863.html)
>>>
>>>
>>> and wrote about advantages of attacks on sites with using other sites.
>>
>> I have read the articles and they are very interesting, for example, the
>> "hell" redirection. This kind of web abuse can be very powerful.
>>
>> Nice work! ;-)
>>
>>> Last week I've published online my DDoS attacks via other sites
>>> execution
>>> tool (http://websecurity.com.ua/davoset/). It's tool for conducting
>>> of DDoS attacks via Abuse of Functionality vulnerabilities on the sites,
>>> which I've made in 2010. Description and changelog on English are
>>> presented
>>> at my site. Where you can get my DAVOSET v.1.0.5 (made at 18.07.2010).
>>
>> Curiously, I posted a tool written in python the same day. It is called:
>> UFONet
>>
>> http://ufonet.sf.net
>>
>> At first, I designed a module for XSSer (http://xsser.sf.net) to use XFS
>> found on third-party, on the direction of DoS attacks. But, I decided
>> that best thing was to create a unique tool, because of the interesting
>> subject.
>>
>> My idea now, is to work the detection of new 'zombies' by crawlering
>> techniques and increase the "strike" capability requests.
>>
>> I have thought for example, that may be is interesting to obtain the
>> images, flash movies, etc., like a benchmarking process on the target,
>> to pass to the 'zombies' the places heavier on the site and do a more
>> effective attack.
>>
>>> This is the last version of my DAVOSET. After that I've stopped its
>>> development. But now I am planning to continue development of the
>>> software
>>> and to release new versions (I'll release v.1.0.6 today).
>>
>> I have seen that your tool doesn't allows the use of proxies. It may be
>> interesting to add that functionality.
>>
>>> For three years I was holding this tool privately, but now released it
>>> for
>>> free access. So everyone can test Abuse of Functionality vulnerabilities
>>> at
>>> multiple web sites - like Google's sites, W3C and many others, which
>>> were
>>> informed by me many times during many years (I was informing admins of
>>> web
>>> sites about such vulnerabilities since 2007), but ignored and don't want
>>> to
>>> fix these holes for a long time, and for example Google continued to
>>> create
>>> new services with Abuse of Functionality and Insufficient
>>> Anti-automation
>>> vulnerabilities, which can be used for such DoS and DDoS attacks.
>>
>> I would like to propose that we work together. I'm sure that the
>> community would appreciate our agreement on a single line of development.
>>
>> Thank you very much for publish your research.
>>
>> A greeting.
>>
>> psy 
> 
> 





More information about the websecurity mailing list