KillNet - Analysis of Blood Deluxe DDoS - ENG
Background
The TS-WAY CIOC performed an in-depth analysis of Blood Deluxe DDoS, one of the
tools adopted by KillNet to carry out its demonstrative attacks, which recently
surfaced on a public repository.
Assessment
The tool offers a long list of DDoS attack methods, made even more accessible by a
simple multiple-choice menu. Most of the methods target the application layer
(layer 7), but simple connection floods at the transport layer (layer 4) are also
included. Blood Deluxe DDoS contains an automatic routine that collects proxy
servers from public lists, which are then used to mask the real origin of the
malicious traffic.
Brief report
• Blood Deluxe DDoS packs several DDoS and WAF bypass techniques.
• Proxy lists are used to mask the source of the malicious traffic.
• A routine to download the proxy list in real time is included.
Technical Analysis
The Blood Deluxe DDoS tool [1] has been associated on multiple occasions with
DDoS attacks carried out by KillNet in the recent period, and has also appeared
within the Telegram channels used by the group.
The tool appears to be a fork of the well-known open source tool KARMA DDoS
[2], with which it shares most of its source code.
The Python code published on GitHub [1] features a light obfuscation layer based
on base64 and hex-to-ASCII encoding. Once this layer is removed, the code can be
examined and its functionality documented.
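The layered base64/hex encoding described above can be stripped mechanically. The following script is an added example written for this report, not code from Blood Deluxe DDoS, KARMA DDoS or TS-WAY: it peels nested exec() wrappers that decode a base64 or hex literal until plain Python source appears. The wrapper shapes it matches are representative of base64/hex2ascii obfuscation and are an assumption of the example, not the exact shapes used by the tool; the sample it decodes is constructed inline.

```python
import base64
import binascii
import re

# Added example (not code from Blood Deluxe DDoS or KARMA DDoS): peel nested
# exec(base64 / hex) wrappers until plain Python source appears. The wrapper
# shapes matched below are representative of base64/hex2ascii obfuscation and
# are an assumption of this example, not the exact shapes used by the tool.

_B64_RE = re.compile(r"b64decode\(\s*b?['\"]([A-Za-z0-9+/=\s]*)['\"]\s*\)")
_HEX_RE = re.compile(r"(?:fromhex|unhexlify)\(\s*b?['\"]([0-9a-fA-F\s]*)['\"]\s*\)")


def peel_layer(src: str):
    """Return the source hidden inside one exec(...) wrapper, or None if src is not one."""
    body = src.strip()
    if not body.startswith("exec("):
        return None  # not a wrapper statement: treat as plaintext and stop
    m = _B64_RE.search(body)
    if m:
        return base64.b64decode(m.group(1)).decode("utf-8", "replace")
    m = _HEX_RE.search(body)
    if m:
        return binascii.unhexlify("".join(m.group(1).split())).decode("utf-8", "replace")
    return None  # exec() of something unrecognised: leave it for manual review


def deobfuscate(src: str, max_layers: int = 20):
    """Peel wrappers repeatedly; return (plaintext, number_of_layers_peeled)."""
    layers = 0
    while layers < max_layers:
        inner = peel_layer(src)
        if inner is None:
            break
        src, layers = inner, layers + 1
    return src, layers


# Constructed sample: a harmless function wrapped first in hex, then in base64.
INNER_SOURCE = 'def method():\n    return "sky"\n'


def build_sample() -> str:
    hex_layer = f"exec(bytes.fromhex('{INNER_SOURCE.encode().hex()}').decode())"
    b64_layer = base64.b64encode(hex_layer.encode()).decode()
    return f"exec(base64.b64decode(b'{b64_layer}').decode())"


if __name__ == "__main__":
    plain, n = deobfuscate(build_sample())
    print(f"peeled {n} layers:")
    print(plain)
```

The script never executes the decoded text; each layer is decoded as data and only inspected, which is the safe way to handle a sample of this kind. The max_layers guard stops the loop if a sample nests a wrapper inside its own plaintext.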
Spoofing of the User Agent
The tool contains a static list of valid user agents, available at this link -
UserAgents. During the attacks, Blood Deluxe DDoS selects one at random, in
order to evade filters based on this header.
This pair of functions makes HTTP GET requests using the following headers, in
which the User-Agent and Referer headers carry a null value:
Furthermore, the sender address is obfuscated by spoofing (see spoof()).
Proxy + Spoofing Attacks: LaunchPXSPOOF(), AttackPXSPOOF()
2. For each connection, the server allocates resources, which should be released
if the connection stays inactive beyond an acceptable time (timeout).
3. To prevent the connection from being closed by the timeout, the attacker keeps
sending partial headers.
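The interplay between the attacker's partial headers and the server's timeout is easier to see on a timeline. The script below is an added example written for this report, not code from the tool or from TS-WAY: it replays timestamped header fragments against two server policies, an idle timeout alone and an idle timeout combined with an absolute deadline for completing the request header, and reports how long each policy keeps the connection slot allocated. Timings, fragment contents and both client streams are constructed for illustration.

```python
# Added example (not code from the tool): replay timestamped header fragments
# against two server policies, idle timeout only versus idle timeout plus an
# absolute header deadline, and compare how long the connection slot is held.
# Timings and fragments are constructed for illustration.

HEADER_END = b"\r\n\r\n"


def simulate_header_read(chunks, idle_timeout=10.0, header_deadline=None, max_header_bytes=8192):
    """Replay fragments (t_seconds_since_accept, bytes) against a header-read policy.

    Returns (outcome, held_seconds): the outcome of the read and how long the
    connection, and the per-connection state behind it, stayed allocated.
    """
    buf = b""
    last = 0.0
    for t, data in chunks:
        if t - last > idle_timeout:
            return ("dropped:idle", last + idle_timeout)
        if header_deadline is not None and t > header_deadline:
            return ("dropped:deadline", header_deadline)
        buf += data
        last = t
        if len(buf) > max_header_bytes:
            return ("dropped:size", t)
        if HEADER_END in buf:
            return ("complete", t)
    # Fragments stopped with the header still incomplete: the slot stays held
    # until whichever timer fires first after the last fragment.
    reap = last + idle_timeout
    if header_deadline is not None and header_deadline < reap:
        return ("dropped:deadline", header_deadline)
    return ("dropped:idle", reap)


def normal_stream():
    """Constructed ordinary client: complete header in two quick fragments."""
    return [(0.0, b"GET / HTTP/1.1\r\nHost: target\r\n"),
            (0.05, b"User-Agent: example\r\n\r\n")]


def slowloris_stream(n_headers, interval):
    """Constructed slow client: request line, then one bogus header per interval,
    never the blank line that ends the header."""
    chunks = [(0.0, b"GET / HTTP/1.1\r\nHost: target\r\n")]
    for i in range(1, n_headers + 1):
        chunks.append((i * interval, f"X-a: {i}\r\n".encode()))
    return chunks


if __name__ == "__main__":
    attack = slowloris_stream(20, 9.0)  # one fragment every 9 s, idle limit 10 s
    print("normal, idle only       :", simulate_header_read(normal_stream()))
    print("slowloris, idle only    :", simulate_header_read(attack))
    print("slowloris, 30 s deadline:", simulate_header_read(attack, header_deadline=30.0))
```

With an idle timeout alone, a client that sends one fragment every 9 seconds against a 10 second limit holds the slot for the whole run plus the final idle period; a deadline on the complete header bounds that to the deadline regardless of how regularly fragments arrive, and the size cap handles the variant that keeps the connection busy with an endlessly growing header.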
The "Stellar" attack, which appears to be an evolution of the "Sky" technique, uses
a simple combination of HTTP headers together with a user agent and an HTTP
method (GET, POST or HEAD) chosen at random. Traffic is sent through a socket
to port 443 (TCP/HTTPS) of the target server.
The payload is then sent 400 times (200 repetitions with 2 sends each) to the
victim server. The approach of the Sky attack is identical, inherited from the
KARMA DDoS tool [2]; in that case, however, the HTTP method is fixed to GET and
the payload is sent 200 times (100 repetitions with 2 sends each).
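The per-request user agent rotation described under "Spoofing of the User Agent" and the random method selection of the Stellar attack leave a recognisable trace in web server logs: one source sending many requests in a short time, with a different User-Agent on most of them and a mix of GET, POST and HEAD. The script below is an added example written for this report, not code from the tool or from TS-WAY: it parses combined-log-format lines and flags sources matching that pattern. The log lines, user agent strings and thresholds are constructed for illustration and should be tuned against real traffic before use.

```python
import re
from collections import defaultdict
from datetime import datetime

# Added example (not code from the tool or from TS-WAY): a heuristic over
# access-log lines that flags a source rotating its User-Agent per request and
# mixing HTTP methods at high rate. Log lines and thresholds are constructed.

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one combined-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def score_sources(lines, min_requests=10, ua_churn=0.5):
    """Group requests by client IP and flag sources matching the rotation pattern.

    A source is suspicious when it sends at least min_requests requests, presents
    a distinct User-Agent on at least ua_churn of them, and mixes HTTP methods.
    """
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
    findings = {}
    for ip, recs in per_ip.items():
        n = len(recs)
        uas = {r["ua"] for r in recs}
        methods = {r["method"] for r in recs}
        span = (max(r["ts"] for r in recs) - min(r["ts"] for r in recs)).total_seconds()
        findings[ip] = {
            "requests": n,
            "distinct_ua": len(uas),
            "methods": sorted(methods),
            "rps": round(n / max(span, 1.0), 2),
            "suspicious": n >= min_requests and len(uas) / n >= ua_churn and len(methods) > 1,
        }
    return findings


# Constructed user agents, standing in for the tool's static list.
SAMPLE_UAS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Gecko/20100101 Firefox/109.0",
    "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 Chrome/110.0",
    "Mozilla/5.0 (iPhone; CPU iPhone OS 16_3 like Mac OS X) Safari/604.1",
    "Mozilla/5.0 (Android 13; Mobile; rv:109.0) Gecko/109.0 Firefox/109.0",
    "Mozilla/5.0 (Windows NT 6.1; WOW64; Trident/7.0; rv:11.0) like Gecko",
]


def build_sample_logs():
    """Constructed log: one source behaving like Stellar, one ordinary visitor."""
    lines = []
    for i in range(12):  # 12 requests in 2 seconds, rotating UA and method
        ts = f"10/Oct/2023:13:55:{36 + i // 6:02d} +0000"
        method = ["GET", "POST", "HEAD"][i % 3]
        ua = SAMPLE_UAS[i % len(SAMPLE_UAS)]
        lines.append(f'203.0.113.7 - - [{ts}] "{method} / HTTP/1.1" 200 512 "-" "{ua}"')
    for sec in (30, 40, 50):  # 3 ordinary GETs, one UA, spread over 20 seconds
        ts = f"10/Oct/2023:13:55:{sec} +0000"
        lines.append(f'198.51.100.4 - - [{ts}] "GET /news HTTP/1.1" 200 2048 "-" "{SAMPLE_UAS[0]}"')
    return lines


if __name__ == "__main__":
    for ip, finding in score_sources(build_sample_logs()).items():
        print(ip, finding)
```

Because the tool routes traffic through proxies, the flagged IP will usually be a proxy rather than the operator; the heuristic is still useful for blocking at the edge, and grouping by the proxy's source is exactly what rate limiting per client address already does.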
Cloudflare Bypass Socket Attacks: LaunchCFSOC, AttackCFSOC
The attack attempts to bypass the protection offered by Cloudflare by using raw
sockets.
[1] https://github.com/firstapostle/Blood
[2] https://github.com/HyukIsBack/KARMA-DDoS
[3] https://github.com/ultrafunkamsterdam/undetected-chromedriver
[4] https://pypi.org/project/cloudscraper/
[5] https://www.cloudflare.com/it-it/ddos/
[6] https://projectshield.withgoogle.com/
Note
For more information about TLPs, please consult https://www.cisa.gov/tlp