KillNet - Analysis of Blood Deluxe DDoS - ENG


Contents

KillNet: Analysis of Blood Deluxe DDoS
    Background
    Assessment
    Brief report
    Technical Analysis
        Spoofing of the User Agent
        Public IP retrieval: check()
        Traffic routing through public proxies: get_proxylist(), get_proxies()
        Cloudflare WAF Bypass: get_cookie()
        Sender IP spoofing: spoofing()
        IGMP flood attacks: runflooder(), flooder()
        UDP flood attacks: sender(), runsender()
        Attacks on Minecraft and Valve servers: mine(), runmine(), vse(), runvse()
        HTTP HEAD attacks: LaunchHEAD(), AttackHEAD()
        HTTP POST attacks: LaunchPOST(), AttackPOST()
        HTTP GET attacks: LaunchRAW(), AttackRAW()
        Proxy-mediated HTTP GET attacks: LaunchPXRAW(), AttackPXRAW()
        HTTP GET attacks mediated by SOCKS proxies: LaunchPXSOC(), AttackPXSOC()
        HTTP GET attacks: LaunchPPS(), AttackPPS()
        HTTP GET "null" attacks: LaunchNULL(), AttackNULL()
        Proxy + Spoofing attacks: LaunchPXSPOOF(), AttackPXSPOOF()
        Cloudflare Bypass attacks: LaunchPXCFB(), AttackPXCFB(), LaunchCFB(), AttackCFB()
        Cloudscraper attacks: LaunchCFPRO(), AttackCFPRO()
        Hulk attacks: LaunchHULK(), AttackHULK()
        Slowloris attacks: Launchslow(), Attackslow()
        Google Project Shield Bypass attacks: Launchbypass(), Attackbypass()
        "Sky" DDoS attacks: LaunchSTELLAR(), AttackSTELLAR(), AttackSKY(), LaunchSKY()
        Cloudflare Bypass Socket attacks: LaunchCFSOC, AttackCFSOC
    Note
KillNet: Analysis of Blood Deluxe DDoS
Category: Hacktivism, Threat
Distribution: TLP:GREEN

Background
The TS-WAY CIOC performed an in-depth analysis of Blood Deluxe DDoS, one of the
tools adopted by KillNet to carry out its demonstrative actions, which recently
surfaced on a public repository.

Assessment
The tool offers a long list of DDoS attacks, made even more accessible by a
simple multiple-choice menu. Most of the methods work at the application layer
(layer 7), but there are also simple transport-layer (layer 4) floods. Blood
Deluxe DDoS contains an automatic routine that retrieves proxy servers from
public lists, which are then used to mask the real origin of the malicious
traffic.

Brief report
• Blood Deluxe DDoS packs several DDoS and WAF bypass techniques.
• Public proxy lists are used to mask the source of the malicious traffic.
• A script that downloads and consolidates the proxy lists in real time is available.

Technical Analysis
The Blood Deluxe DDoS tool [1] has been associated on several occasions with
DDoS attacks carried out by KillNet in the recent period, and has also appeared
in the Telegram channels used by the group.
The tool appears to be a fork of the well-known open source tool KARMA DDoS
[2], with which it shares most of its source code.

The Python code published on GitHub [1] is wrapped in a light obfuscation layer
based on base64 and hex-to-ASCII encoding. Once this is removed, the code can be
examined and its functionality documented.
Spoofing of the User Agent
The tool contains a static list of valid user agents (linked as "UserAgents" in
the original report). During the attacks, Blood Deluxe DDoS selects one at
random in order to evade filters based on this header.

Public IP retrieval: check()

The tool verifies the public IP of the host used for the attack by querying the
service http[:]//fsystem88.ru[/]ip.

Traffic routing through public proxies: get_proxylist(), get_proxies()

The tool retrieves the proxies used to mask the real origin of the attacks from
a long series of public proxy lists. The lists are as follows:

The retrieved proxies are stored in the proxy.txt file and are then used by the
various attack functions.
TS-WAY analysts have created a script, available at this link, capable of
consolidating the proxies from each of the lists mentioned above into a single
"output.txt" file.
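As an added example (this is neither the TS-WAY script nor the tool's own get_proxies()), the following Python parses lists in the host:port shape that public proxy sites serve, drops syntactically invalid and non-routable entries, de-duplicates across lists, and then does what a defender would do with the same data: match the source addresses seen in access logs against the consolidated set. The sample lists and the addresses in them are constructed for the example and are not real proxies; the precise format of the lists the tool downloads is an assumption.

```python
import ipaddress
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed sample lists in the shape the public proxy sites serve: one
# host:port per line, sometimes with a scheme prefix, plus comments, duplicates
# and junk. The addresses are made up for the example (not real proxies).
SAMPLE_LISTS: Dict[str, str] = {
    "list_a.txt": (
        "# free http proxies, refreshed hourly\n"
        "5.9.10.11:80\n"
        "37.120.1.2:8080\n"
        "http://91.108.4.5:7492\n"
        "37.120.1.2:8080\n"          # duplicate within the same list
    ),
    "list_b.txt": (
        "socks5://185.12.34.56:8811\n"
        "91.108.4.5:7492\n"          # duplicate across lists
        "999.1.1.1:8080\n"           # not an IPv4 address
        "10.0.0.5:3128\n"            # private range: never a public proxy
        "5.9.10.11:99999\n"          # port out of range
        "not a proxy line\n"
    ),
}

# host:port with an optional scheme prefix (http://, socks5://, ...).
# IPv4 only: the lists the tool uses are dotted quads, and a bare IPv6
# literal would need brackets to be unambiguous with the port separator.
_ENTRY = re.compile(r"^(?:[a-z0-9]+://)?(?P<host>[^:/\s]+):(?P<port>\d{1,5})$", re.I)

Proxy = Tuple[str, int]


def parse_proxy_lines(lines: Iterable[str]) -> List[Proxy]:
    """Parse one downloaded list. Invalid or non-global entries are skipped so
    that a later match against access logs can never flag internal hosts."""
    out: List[Proxy] = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _ENTRY.match(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group("host"))
        except ValueError:
            continue
        port = int(m.group("port"))
        if not ip.is_global or not 1 <= port <= 65535:
            continue
        out.append((str(ip), port))
    return out


def _sort_key(p: Proxy):
    ip = ipaddress.ip_address(p[0])
    return (ip.version, int(ip), p[1])


def consolidate(lists: Dict[str, str]) -> List[Proxy]:
    """Merge all lists into one de-duplicated, sorted set of proxies (the role
    of the 'output.txt' file mentioned above)."""
    merged: Set[Proxy] = set()
    for text in lists.values():
        merged.update(parse_proxy_lines(text.splitlines()))
    return sorted(merged, key=_sort_key)


def proxied_sources(source_ips: Iterable[str], proxies: Iterable[Proxy]) -> Set[str]:
    """Defender's use of the same data: which source addresses seen in our
    access logs belong to a known public proxy (whatever port it listens on)?"""
    known = {ip for ip, _ in proxies}
    return {ip for ip in source_ips if ip in known}


if __name__ == "__main__":
    proxies = consolidate(SAMPLE_LISTS)
    with open("output.txt", "w") as fh:
        fh.write("\n".join(f"{ip}:{port}" for ip, port in proxies) + "\n")
    print(proxied_sources(["5.9.10.11", "203.0.113.7"], proxies))
```

The is_global check matters more than it looks: the free lists routinely contain private and loopback addresses, and a blocklist or log-correlation job that ingests them unfiltered will start flagging your own infrastructure.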
Cloudflare WAF Bypass: get_cookie()
The tool uses undetected_chromedriver [3], a fork of the Selenium Chromedriver,
to start a headless Chrome / Chromium instance and visit the target website
with it, then captures the cf_clearance cookie in order to reuse it later in
the mass attacks and so deceive the Cloudflare filters that rely on the presence
or absence of this cookie to let traffic through. Since the clearance is bound
to the user agent that obtained it, the attack paths that recycle the cookie
have to keep sending that same user agent (see LaunchCFSOC / AttackCFSOC
below, where the user agent is indeed static).
Sender IP spoofing: spoofing()
Many of the connections made by the tool rely on the spoof() function, which
prepares a set of HTTP request headers by generating random addresses and
placing them as the purported sender IP in the Via, Client-IP, X-Forwarded-For
and Real-IP headers. Only the HTTP headers are forged: the TCP source address
seen by the server is still that of the attacking host or of the proxy in use,
so these headers mislead only applications that trust them as the client
address.
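Added example, not code from Blood Deluxe DDoS or KARMA DDoS: the first function builds a header block in the spirit of spoof() (the exact values and formatting the tool emits are an assumption); the ClientIpResolver class is the server-side counterpart, showing how a rate limiter or log pipeline should derive the client address so that those headers achieve nothing. Only X-Forwarded-For is consulted, only when the TCP peer is one of our own reverse proxies, and the chain is walked from the right, because an attacker can always prepend values but cannot remove the address our proxy appends. The trusted-proxy range and peer addresses are hypothetical.

```python
import ipaddress
import random
from typing import Dict, Iterable, List, Optional


def _random_dotted_quad(rng: random.Random) -> str:
    return ".".join(str(rng.randint(1, 254)) for _ in range(4))


def forged_ip_headers(rng: Optional[random.Random] = None) -> Dict[str, str]:
    """Header block in the spirit of the tool's spoof(): each hop-related header
    carries an independent random address (assumed format, not the tool's)."""
    rng = rng or random.Random()
    return {
        "Via": f"1.1 {_random_dotted_quad(rng)}",
        "Client-IP": _random_dotted_quad(rng),
        "X-Forwarded-For": _random_dotted_quad(rng),
        "Real-IP": _random_dotted_quad(rng),
    }


class ClientIpResolver:
    """Decide which address to log and rate-limit for a request."""

    def __init__(self, trusted_proxies: Iterable[str]):
        # Hypothetical: the CIDRs of the reverse proxies we operate ourselves.
        self._trusted = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]

    def _is_trusted(self, addr: str) -> bool:
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            return False
        return any(ip in net for net in self._trusted)

    def resolve(self, peer_ip: str, headers: Dict[str, str]) -> str:
        if not self._is_trusted(peer_ip):
            # Direct connection (or a proxy we do not operate): the TCP peer is
            # the client, whatever Via / Client-IP / Real-IP / X-Forwarded-For claim.
            return peer_ip
        xff = {k.lower(): v for k, v in headers.items()}.get("x-forwarded-for", "")
        chain: List[str] = [h.strip() for h in xff.split(",") if h.strip()]
        # Walk from the right: skip the hops that are our own proxies; the first
        # untrusted hop is the address our proxy saw connecting to it.
        for hop in reversed(chain):
            if self._is_trusted(hop):
                continue
            try:
                ipaddress.ip_address(hop)
            except ValueError:
                break            # garbage hop: fall back to the peer address
            return hop
        return peer_ip


if __name__ == "__main__":
    resolver = ClientIpResolver(["10.0.0.0/8"])
    forged = forged_ip_headers()
    # Attacker connects directly: forged headers are ignored.
    print(resolver.resolve("203.0.113.7", forged))
    # Attacker behind our proxy, which appended the real peer to the chain.
    print(resolver.resolve("10.0.0.2", {"X-Forwarded-For": "198.51.100.3, 203.0.113.7"}))
```

The same rule applies to whatever header your edge actually sets (CF-Connecting-IP behind Cloudflare, for instance): trust it only from the edge's own address ranges, and never fall back to Client-IP or Real-IP, which nothing in a standard chain populates.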

IGMP flood attacks: runflooder(), flooder()

These two functions implement a flood attack over the IGMP protocol. The
packets sent carry pseudo-randomly generated data.

UDP flood attacks: sender(), runsender()

These two functions implement a flood attack over the UDP protocol. The packets
sent carry pseudo-randomly generated data.
Attacks on Minecraft and Valve servers: mine(), runmine(), vse(), runvse()
These functions implement an attack designed to target Minecraft or Valve Source
Engine servers. The protocol used for the attacks appears to be IGMP, while the
packets carry the fixed payload \x06\x00\x00\x00\x00\x02\x0c\x00.

HTTP HEAD attacks: LaunchHEAD(), AttackHEAD()

The functions make a large number of HTTP HEAD requests.

HTTP POST attacks: LaunchPOST(), AttackPOST()

The functions make a large number of HTTP POST requests.

HTTP GET attacks: LaunchRAW(), AttackRAW()

The functions make a large number of HTTP GET requests.

Proxy-mediated HTTP GET attacks: LaunchPXRAW(), AttackPXRAW()

The functions make a large number of HTTP GET requests, mediated by HTTP proxies
in order to obfuscate the real origin of the traffic.

HTTP GET attacks mediated by SOCKS proxies: LaunchPXSOC(), AttackPXSOC()
The functions make a large number of HTTP GET requests mediated by SOCKS
proxies. The request header is constructed as follows:

HTTP GET attacks: LaunchPPS(), AttackPPS()

The functions make a large number of GET requests over HTTPS directed at the
root of the victim site (GET / HTTP/1.1).

HTTP GET "null" attacks: LaunchNULL(), AttackNULL()

This pair of functions makes HTTP GET requests with the following headers,
characterised by the value null in the User-Agent and Referer headers:

Furthermore, the sender address is obfuscated by spoofing (see spoof()).
Proxy + Spoofing attacks: LaunchPXSPOOF(), AttackPXSPOOF()

These functions perform a large number of requests, mediated by SOCKS proxies,
with the following configuration:

Furthermore, the sender address is obfuscated by spoofing (see spoof()).


Cloudflare Bypass attacks: LaunchPXCFB(), AttackPXCFB(), LaunchCFB(), AttackCFB()
These functions use the cloudscraper [4] library to bypass Cloudflare's anti-bot
measures [5].
The requests are of the HTTP GET type and can be mediated by a proxy
(LaunchPXCFB(),

Cloudscraper attacks: LaunchCFPRO(), AttackCFPRO()

The tool establishes an HTTP session using the cloudscraper [4] library to
bypass Cloudflare's anti-bot measures. The necessary cookies are obtained with
Chrome in headless mode (see get_cookie()).
The requests generated are of the HTTP GET type with the following headers:

Hulk attacks: LaunchHULK(), AttackHULK()
These functions implement an HTTP flood DDoS attack that can also be configured
to generate HTTPS traffic. The request URL is changed at every iteration and the
HTTP method is chosen at random among GET, POST and HEAD for each request, with
the following configuration:
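The traits described for the HTTP flood variants (rotating user agent, a URL that changes at every iteration, GET/POST/HEAD picked at random, and, in the "null" variant, an empty Referer) are all visible in a plain access log. As an added example that is not part of the original report, the following Python runs that detection over constructed combined-format log lines: one client shows the flood pattern inside a short window, the other is a normal page load. The thresholds are illustrative and assume the agent is rotated per request; tune them to real traffic before use.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Apache/nginx "combined" log format.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample: 203.0.113.9 shows the flood pattern (same second, random
# query strings, rotating user agents, GET/POST/HEAD mixed, no Referer);
# 198.51.100.4 is a normal visitor loading a page and its assets.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2022:13:55:36 +0000] "GET /?2Vz9kq HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/104.0"
203.0.113.9 - - [10/Oct/2022:13:55:36 +0000] "POST /?Q1mxP0 HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
203.0.113.9 - - [10/Oct/2022:13:55:36 +0000] "HEAD /?y7Lw3a HTTP/1.1" 200 0 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/105.0.0.0"
203.0.113.9 - - [10/Oct/2022:13:55:36 +0000] "GET /?pR4tTc HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) Mobile/15E148"
203.0.113.9 - - [10/Oct/2022:13:55:37 +0000] "GET /?b8NnEe HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/104.0"
203.0.113.9 - - [10/Oct/2022:13:55:37 +0000] "HEAD /?kZ0xQv HTTP/1.1" 200 0 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) Safari/605.1.15"
203.0.113.9 - - [10/Oct/2022:13:55:37 +0000] "POST /?Hh6sWd HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64) Chrome/105.0.0.0"
203.0.113.9 - - [10/Oct/2022:13:55:37 +0000] "GET /?M3cJ1r HTTP/1.1" 200 512 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 15_6 like Mac OS X) Mobile/15E148"
198.51.100.4 - - [10/Oct/2022:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/104.0"
198.51.100.4 - - [10/Oct/2022:13:55:37 +0000] "GET /style.css HTTP/1.1" 200 1024 "http://www.example/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/104.0"
198.51.100.4 - - [10/Oct/2022:13:55:37 +0000] "GET /app.js HTTP/1.1" 200 2048 "http://www.example/index.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/104.0"
"""


def parse_log(text: str) -> List[dict]:
    rows = []
    for line in text.splitlines():
        m = _LOG.match(line)
        if not m:
            continue
        row = m.groupdict()
        row["ts"] = datetime.strptime(row["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rows.append(row)
    return rows


def flag_http_flood(rows: List[dict], window_s: int = 10, min_requests: int = 6,
                    min_agents: int = 3, path_ratio: float = 0.8) -> Dict[str, List[str]]:
    """Per client, inside its densest window_s-second window: request volume,
    user-agent rotation, path randomisation and method mixing. Returns
    {ip: [reasons]} for clients over the volume threshold (illustrative values)."""
    by_ip = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_ip[r["ip"]].append(r)
    flagged: Dict[str, List[str]] = {}
    for ip, reqs in by_ip.items():
        best: List[dict] = []
        j = 0
        for i in range(len(reqs)):          # sliding window over sorted timestamps
            while (reqs[i]["ts"] - reqs[j]["ts"]).total_seconds() > window_s:
                j += 1
            if i - j + 1 > len(best):
                best = reqs[j:i + 1]
        if len(best) < min_requests:
            continue
        reasons = ["rate"]
        if len({r["ua"] for r in best}) >= min_agents:
            reasons.append("ua-rotation")
        if len({r["path"] for r in best}) / len(best) >= path_ratio:
            reasons.append("random-paths")
        if len({r["method"] for r in best}) >= 3:
            reasons.append("method-mix")
        if all(r["ref"] in ("-", "", "null") for r in best):
            reasons.append("no-referer")
        flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, why in flag_http_flood(parse_log(SAMPLE_LOG)).items():
        print(ip, ", ".join(why))
```

When the traffic arrives through the public proxies described earlier, the client address in the log is the proxy's, so the per-IP counts are split across many sources and the secondary signals (rotating agent, randomised path, absent Referer) carry more weight than raw rate.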

Slowloris attacks: Launchslow(), Attackslow()

Slowloris is an application-layer DDoS technique in which the adversary tries
to open, and then keep open for as long as possible, the largest number of HTTP
connections to the target.

The attack can be divided into four phases:

1. The attacker opens multiple connections to the target server, sending the
headers of partial HTTP requests.

2. For each connection the server allocates resources, which should be released
if the connection stays inactive beyond an acceptable time (timeout).

3. To prevent the connection from being cut off by the timeout, the adversary
keeps sending further partial headers.

4. The server spends a large amount of resources managing these indefinitely
extended connections, which degrades the performance or availability of the
service.
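The four phases above hinge on one detail of the server configuration: whether the timeout is reset by any trickle of bytes (which the periodic partial headers are designed to beat) or is a hard deadline on the whole request head. The following Python is an added example, not code from the tool, that replays the pattern against both kinds of guard with an injected clock so it runs instantly. The partial request and the "X-a: b" keep-alive line are the classic Slowloris shape and are assumptions about the tool's exact bytes; the 14-second interval is the one reported for the tool below.

```python
import time
from typing import Callable, Optional, Tuple


class FakeClock:
    """Injectable clock so the scenario is deterministic and instant."""
    def __init__(self) -> None:
        self.t = 0.0
    def __call__(self) -> float:
        return self.t
    def advance(self, seconds: float) -> None:
        self.t += seconds


class IdleTimeoutGuard:
    """The weak configuration: a connection is dropped only after `idle_timeout`
    seconds with no bytes at all; any trickle resets the timer. (The check runs
    when data arrives, which is enough for this replay.)"""
    def __init__(self, idle_timeout: float, clock: Callable[[], float] = time.monotonic):
        self.idle_timeout, self.clock = idle_timeout, clock
        self.last = clock()
        self.buf = b""
    def feed(self, data: bytes) -> str:
        now = self.clock()
        if now - self.last > self.idle_timeout:
            return "drop:idle"
        self.last = now
        self.buf += data
        return "complete" if b"\r\n\r\n" in self.buf else "continue"


class HeaderDeadlineGuard:
    """The hardened configuration: the whole request head must arrive within
    `deadline` seconds of the first byte and stay under `max_bytes`, however
    regularly partial lines keep coming (the idea behind Apache mod_reqtimeout
    'header=' and nginx client_header_timeout)."""
    def __init__(self, deadline: float, max_bytes: int = 8192,
                 clock: Callable[[], float] = time.monotonic):
        self.deadline, self.max_bytes, self.clock = deadline, max_bytes, clock
        self.started: Optional[float] = None
        self.buf = b""
    def feed(self, data: bytes) -> str:
        now = self.clock()
        if self.started is None:
            self.started = now
        self.buf += data
        if b"\r\n\r\n" in self.buf:
            return "complete"
        if len(self.buf) > self.max_bytes:
            return "drop:header-too-large"
        if now - self.started > self.deadline:
            return "drop:header-deadline"
        return "continue"


def run_slowloris(guard, clock: FakeClock, keepalives: int = 5,
                  interval: float = 14.0) -> Tuple[str, int]:
    """Replay the pattern: a partial request head, then one bogus header line
    every `interval` seconds, never the terminating blank line. Returns the
    guard's final verdict and the number of sends made up to that point."""
    verdict = guard.feed(b"GET / HTTP/1.1\r\nHost: target.example\r\nUser-Agent: Mozilla/5.0\r\n")
    sends = 1
    for _ in range(keepalives):
        if verdict != "continue":
            break
        clock.advance(interval)
        verdict = guard.feed(b"X-a: b\r\n")   # assumed keep-alive line
        sends += 1
    return verdict, sends


if __name__ == "__main__":
    clk = FakeClock()
    print("idle-only, 15 s :", run_slowloris(IdleTimeoutGuard(15.0, clk), clk))
    clk = FakeClock()
    print("deadline, 10 s  :", run_slowloris(HeaderDeadlineGuard(10.0, clock=clk), clk))
```

With a 15-second idle timeout the 14-second trickle keeps the connection alive through every keep-alive; with a 10-second deadline on the request head the connection is dropped at the first one, regardless of how often the attacker sends. In practice the deadline is enforced by a timer rather than at the next read, and is combined with a per-source cap on concurrent connections.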
In the tool under analysis the attack can also be mediated by a proxy. The first
portion of the request is configured as follows:

The subsequent portions of the request, which are repeated every 14 seconds,
appear instead as follows:

Google Project Shield Bypass attacks: Launchbypass(), Attackbypass()

An attack designed to bypass Google Project Shield protections [6]. In this case
too, the attack can be mediated by a proxy.
The HTTP method is chosen at random among GET, POST and HEAD for each request,
with the following configuration:
Traffic is sent from a socket to port 443 (TCP / HTTPS) of the target server.
"Sky" DDoS attacks: LaunchSTELLAR(), AttackSTELLAR(), AttackSKY(), LaunchSKY()

The "Stellar" attack, which appears to be an evolution of the "Sky" technique,
uses a simple combination of HTTP headers together with a user agent and an HTTP
method (GET, POST or HEAD) chosen at random. Traffic is sent through a socket to
port 443 (TCP / HTTPS) of the target server.

The payload is then sent 400 times (200 iterations of 2 sends each) to the
victim server. The approach of the Sky attack, inherited from the KARMA DDoS
tool [2], is identical; in this case, however, the HTTP method appears to be
fixed to GET and the payload is sent 200 times (100 iterations of 2 sends each).
Cloudflare Bypass Socket attacks: LaunchCFSOC, AttackCFSOC
The attack attempts to bypass the protection offered by Cloudflare by working
directly on sockets.

The necessary cookies are retrieved from a headless Chrome instance as described
above (see get_cookie()). The user agent, on the other hand, appears to be
statically defined and corresponds to:
Mozilla/5.0 (iPhone; CPU iPhone OS 10_3_3 like Mac OS X) AppleWebKit/603.3.8
(KHTML, like Gecko) Mobile/14G60 MicroMessenger/6.5.18 NetType/WIFI Language/en
A large number of HTTP GET requests is then generated, with headers configured
as follows:

[1] https://github.com/firstapostle/Blood
[2] https://github.com/HyukIsBack/KARMA-DDoS
[3] https://github.com/ultrafunkamsterdam/undetected-chromedriver
[4] https://pypi.org/project/cloudscraper/
[5] https://www.cloudflare.com/it-it/ddos/
[6] https://projectshield.withgoogle.com/

Note
For more information about TLPs, please consult https://www.cisa.gov/tlp
