By Anthony M. Freed, Managing Editor for the Infosec Island Network, with analysis of DoS vulnerabilities by Michael Menefee, Principal at WireHead Security
"There is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly..." - The Jester
Infosec Island has once again gained exclusive access to a video demonstration of the XerXeS DoS attack recently developed by the infamous patriot-hacker known only as The Jester (th3j35t3r).
This new video shows a little more of the XerXeS dashboard, and reveals even more about the attack technique – watch the text box on the left as Jester mentions “Apache” for the first time outside of our private conversations.
Second video of XerXes DoS Attack from Infosec Island on Vimeo.
As noted below in an analysis of DoS vulnerabilities by security consultant Michael Menefee, more than half of all the websites in the world use Apache, which means this exploit potentially poses a very serious problem should it ever be utilized by nefarious elements.
The weaknesses in Apache are fairly well known amongst the savvy tech elite, but it was only when The Jester came along with his non-distributed DoS attack that the unpatched vulnerabilities in Apache became the subject of much concern.
Should someone decide to use a tool like XerXeS in combination with a zombie army consisting of thousands of hijacked PCs, the implications for critical systems security could be extremely serious.
Q: Tell us what is different in this video from the first one you sent me.
Well, I produced this new video to keep people in the loop with the progress of Project XerXeS. As you can see, XerXeS can now affect multiple server flavors; some more are still under development. This time I dropped a Secured server, which is supposed to have the Apache setup that is impervious to a XerXeS hit.
Q: Can you talk more about the Apache vulnerability exploit?
The Apache vulnerability you speak of is only the tip of the iceberg; XerXeS is also evolving to hit IIS - pretty easy, by the way - a simple modification of the Apache vector is all it takes. It is still in the experimental stages, but it works.
It's the backend databases that are really interesting; they hold much of the content that the HTTP server pushes out, so if you knock the database over it has the same effect as taking out the HTTP server.
The aim is to create a single cohesive attack platform that will knock out with precision and no side-effects anything it comes up against, for any specified period.
Another vector I am working to build into XerXeS is the ability to auto-inject code into a site's landing page that causes the viewer's browser to crash: no damage, it just hangs up the browser, but it disables the site from the client side instead of the server.
Q: One of our Members at the Infosec Island Network posed the question on a forum: Jester, whom do you serve?
I am quite clear on this. I 'serve' all the people who support my methods and want to make things difficult for the bad-guys.
At this time I am not officially funded, supported or otherwise sponsored in any way. I operate and develop this alone, and hope it is making a dent in the terrorists' efforts. The feedback I am receiving says that it is working: alemarah.info (the official Taliban Shadow Government website) and ansarnet.info have been down for 2 weeks now, as a direct result of the pressure XerXeS exerted on the target.
Also on another Ansar site, its members have been forbidden from even mentioning the XerXeS attacks, so somebody is more than a little annoyed.
I know there are some that consider all this morally, socially and ethically wrong, not to mention unlawful - but there is an UNEQUAL amount of good and bad in most things, the trick is to work out the ratio and act accordingly.
Q: Many critics of your tactics still object based on the argument that you may be interfering with Western intelligence operations. Your retort?
The intelligence gathering argument is really starting to wear thin. I know the value of good intel, but it must be actionable. There is very limited actionable intel to be gleaned from most of these sites.
They serve only 2 purposes: 1) to recruit homegrown terrorists (by invitation, no less), and 2) to waste our sec services teams' time trying to honey-trap them.
Why should we allow a site that actively recruits homegrown terrorists to operate, merely so it can be 'monitored' just in case we maybe get some intel? While we ‘monitor’ they are still going about the business of recruiting and coordinating.
And it's not like these servers are hosted on the moon! Most are hosted in the US and Europe. Why can't CT agencies just go after the hosting provider for this 'valuable intel'?
By knocking out the jihadi sites for random short periods, they are made unable to rely on the site for recruitment or co-ordination; this in turn will have the effect of drawing them out into the open and in person to do the recruiting, where the CT agencies really come into their own doing what they do best, which is intercepting and apprehending suspects. It's a joke...
Brief History of Modern Web Server Vulnerabilities by Michael Menefee, Principal at WireHead Security
Q: Denial of Service (DDoS) attacks have been around for a long time; what is the difference between them and the attacks we are seeing today?
Michael Menefee: In January, 2007, Adrian Ilarion Ciobanu posted a thread to securityfocus.com describing a potential DoS scenario against Apache web servers (http://www.securityfocus.com/archive/1/456339/30/0/threaded).
The basic premise to this attack is that by sending (but never fully completing) numerous requests to Apache, one could get the Apache process to consume all system resources and stop serving up the actual web content.
Unlike traditional TCP-based Denial of Service attacks, which require many machines sending many, many packets, this attack can be performed by a single machine with relatively few packets to bring down the application only.
Think of this as sort of a "temporary denial of service", because once the attacker stops sending requests, the server resumes normal operations.
Q: Several forums have postulated that Jester is using “Slowloris”, which he adamantly denies – what is Slowloris and where did it come from?
Michael Menefee: In June of 2009, Robert “Rsnake” Hansen released the exploit tool called “Slowloris” (http://ha.ckers.org/slowloris/) which takes advantage of this vulnerability in Apache (and several other web servers, as it turns out).
Administrators rushed to implement various work-arounds to the problem on their own servers, while others ported the Slowloris tool into other programming languages.
Q: If Jester is not using Slowloris, how is he performing these DoS attacks?
Michael Menefee: XerXeS is a much more complex attack tool which possibly exploits the same vulnerability.
Essentially, XerXeS is a weaponizing of the Slowloris-like attack model, and appears to utilize a network of anonymous proxies to amplify the attack against the targeted web server.
Q: What makes XerXeS so special?
Michael Menefee: The attack is performed on a single low-spec computer, and while The Jester sends relatively few packets from his own machine, the attack results in brief outages of the target site.
Although mitigation strategies against this attack do exist, the web server software itself is still vulnerable to the Denial of Service condition.
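The slot-exhaustion mechanism Menefee describes above (many requests opened but never completed) and the mitigation he alludes to can be modelled together. The following is an added example, not code from the article, from XerXeS or from Slowloris: it models worker-slot pressure from incomplete requests and applies the per-connection header read deadline that Apache's mod_reqtimeout enforces (the `RequestReadTimeout header=20-40,MinRate=500` directive is real; the connection snapshot is constructed).

```python
# Added example (not from the article or from XerXeS/Slowloris): models the
# "incomplete request" slot exhaustion described above and the per-connection
# header read deadline that Apache's mod_reqtimeout enforces. The directive
# RequestReadTimeout header=20-40,MinRate=500 is real; the data is constructed.
from dataclasses import dataclass


@dataclass
class Conn:
    client: str        # source address as the server sees it
    opened_at: float   # seconds on a constructed clock
    header_bytes: int  # request-header bytes received so far
    header_done: bool  # True once the blank line ending the header arrived


def header_deadline(c, base=20, maximum=40, min_rate=500):
    """Time by which the header must be complete, mirroring
    RequestReadTimeout header=base-maximum,MinRate=min_rate: the base
    timeout grows by one second per min_rate bytes received, capped at
    maximum. A trickle of bytes therefore cannot keep the slot open."""
    return c.opened_at + min(base + c.header_bytes // min_rate, maximum)


def stale_readers(conns, now, **policy):
    """Connections still waiting for a complete header past their deadline;
    these are the slots a mod_reqtimeout-style server closes (HTTP 408)."""
    return [c for c in conns
            if not c.header_done and now > header_deadline(c, **policy)]


def slot_pressure(conns, max_clients):
    """Fraction of worker slots held by incomplete requests: the quantity
    a low-bandwidth single-host DoS drives toward 1.0, regardless of how
    few packets it sends."""
    pending = sum(1 for c in conns if not c.header_done)
    return pending / max_clients


# Constructed snapshot at t=60s: two completed requests, one fresh client
# still sending its header, and eight connections that sent 60 header bytes
# at t=0..7 and have trickled nothing useful since.
NOW = 60.0
SAMPLE = [Conn("192.0.2.10", 58.0, 420, True),
          Conn("192.0.2.11", 59.0, 380, True),
          Conn("192.0.2.12", 59.5, 120, False)] + [
          Conn("198.51.100.7", float(i), 60, False) for i in range(8)]

if __name__ == "__main__":
    print(len(stale_readers(SAMPLE, NOW)), "stale;",
          slot_pressure(SAMPLE, 10), "of slots pending")
```

The deadline is evaluated per connection and never looks at the source address, which matters here because the article notes XerXeS spreads its connections across anonymous proxies, so per-IP counting alone would not catch it.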
Q: How widespread are these vulnerabilities?
Michael Menefee: With over 57% of the world's websites (according to Netcraft) being run by various versions of Apache, the potential footprint for exploitation is huge. And, again, it's not just Apache that is vulnerable.
Imagine if a coordinated, sustained global attack utilizing new or existing botnets (with millions of nodes) simultaneously targeted millions of websites globally—the result could be enormous financial costs for the global economy with disruption of commerce, travel, communications and vital infrastructure.
Q: Is there anything else like XerXeS out there now?
Michael Menefee: There is a new DoS attack vector, effective against almost all web server software (including IIS and Lighttpd, both of which are supposedly immune to the Slowloris attack), which has been devised to utilize the same fundamental timeout exploitation model, whereby the web server's resources are exhausted to the point of not being able to perform their primary function.
Although this emerging attack method has yet to see a publicly-released exploit tool, anyone with fundamental programming knowledge could write a basic attack tool similar to Slowloris, which could be used in an even larger global attack scenario.
There is speculation that th3j35t3r may be using something similar to this new attack vector with his latest release of XerXes, although who's to know for sure, except The Jester.
Conclusion
The debate continues as to the ethicality of The Jester’s one-hacker crusade. Currently, the poll at Infosec Island has the majority of security professionals registering their support for The Jester’s exploits.
Watch the video demonstration, and then register your opinion in the comments field below.
© 2010 Infosec Island - All rights reserved