Hackers route via Tor for stealthy 'slow-death' DoS attacks

Jonathan Davies, director of engineering at Pervade Software, revealed to SCMagazineUK.com how his company had been testing layer 7 DoS techniques in a lab environment prior to noting that hackers named ‘Tor Reaper' and ‘Bitcoin Baron' were using a similar method to hit numerous sites, including child and animal pornography sites, one of which had a membership of more than 39,000 users.

Speaking on the attack, otherwise known as ‘darkreaper', before his briefing on the subject at last week's S&P conference, Davies detailed how DoS and DDoS attacks have developed from the early layer four attacks to layer seven, with the latest technique seeing Tor Reaper, Bitcoin Baron and others route attacks through the Tor network to hit Apache and IIS servers, both on the Tor network (.onion sites) and the main web.

In his test, Davies used a program written in PHP, which allows the attack to be carried out on any Windows, Mac or Linux laptop or server, and can also be upscaled to a Distributed-Denial-of-Service (DDoS) to direct multiple servers against the same target.

Davies describes how this example is a level up from ‘The Jester', which launched similar layer seven attacks against WikiLeaks, albeit ones that were rerouted through compromised web hosts and not an anonymity network. The Jester's attack would be detectable if the victim organisation used Security Information & Event Management (SIEM) tools to analyse the web server logs because it left both error and access logs on the target system.

He suggests that only system monitoring performance data could identify the effects of the attack. However, alerts from performance monitoring systems would be going to the wrong people who would most likely think the server ‘was misconfigured or just needs restarting'.

“What's probably most scary is that [Tor Reaper] could route them through Tor and launch attacks against normal internet sites. It leaves no logs behind, but even if it did, the true source would be unknown,” Davies told SC. “Detecting the source of the attack is impossible; detecting that the attack is happening at all is difficult enough.”

“The logs from legitimate requests would be processed by the SIEM as normal and everything would look fine, but actually the system could be under a very dangerous attack.”

In his test against a hardened Linux web server, Davies was able to rack up 257 hung web server requests in minutes, knocking over the test server, most of which typically support up to 150 to 200 processes (a single laptop could run 1,000 – enough to launch DoS attacks against four separate targets). As layer seven attacks have very little impact on bandwidth and do not require the attacker to have a public IP address, they can be launched from anywhere.

Tor Reaper posted screenshots on Twitter suggesting that he had run a control script that launched child processes to drip-feed HTTP requests to the web server. 257 processes were running in Davies' test, but over 500 processes allowed Tor Reaper to declare ‘Tango down' in just 16 minutes against a large target.

Davies explained how this application-level DoS attack sees the hacker use multiple child processes to ‘drip-feed' genuine web requests to the server. Each time a request is made, the server forks a new process and waits for the rest of the request, up to 400 seconds on Apache. [Davies added that you could lower this timeout, but you would risk your server becoming unusable for low-bandwidth users.]

He adds that layer seven attacks like these would take 15 minutes or more to ‘trickle up the processes' depending on the size and capacity of the web server being targeted.
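Because the drip-fed requests never complete, they produce no access-log line for a SIEM to correlate; the only trace is the performance data Davies mentions, in Apache's case the worker scoreboard. The following added example (not code from the article or from Pervade Software) parses the machine-readable output Apache's mod_status serves at /server-status?auto, counts worker slots stuck in the "reading request" state, and raises an alert when that share is abnormally high. The sample status pages and the thresholds are constructed for illustration and should be tuned to the server's real worker limits.

```python
import re
from typing import Dict

# Constructed samples in the shape of a mod_status "?auto" page. Each character
# of the Scoreboard line is one worker slot: "_" waiting, "R" reading the
# request, "W" sending a reply, "K" keepalive, "." open (unused) slot.
# Under a slow-request attack almost every occupied slot sits in "R": the
# process has been forked and is waiting for the rest of the request.
SAMPLE_ATTACK = (
    "BusyWorkers: 149\nIdleWorkers: 1\n"
    "Scoreboard: " + "R" * 146 + "W" * 3 + "_" * 1 + "." * 50 + "\n"
)
SAMPLE_HEALTHY = (
    "BusyWorkers: 20\nIdleWorkers: 30\n"
    "Scoreboard: " + "W" * 12 + "R" * 3 + "K" * 5 + "_" * 30 + "." * 150 + "\n"
)


def parse_scoreboard(status_text: str) -> Dict[str, int]:
    """Return a count of worker slots per scoreboard state."""
    match = re.search(r"^Scoreboard:\s*(\S+)", status_text, re.MULTILINE)
    if not match:
        raise ValueError("no Scoreboard line in status output")
    counts: Dict[str, int] = {}
    for state in match.group(1):
        counts[state] = counts.get(state, 0) + 1
    return counts


def stuck_reading_ratio(counts: Dict[str, int]) -> float:
    """Share of occupied slots (anything but an open '.' slot) still reading."""
    occupied = sum(n for state, n in counts.items() if state != ".")
    return counts.get("R", 0) / occupied if occupied else 0.0


def slow_request_alert(status_text: str, min_reading: int = 50,
                       min_ratio: float = 0.5) -> Dict[str, object]:
    """Flag a server whose workers are mostly held open by unfinished requests.

    Both thresholds (constructed defaults) must be met, so a busy but healthy
    server serving replies ("W") does not trip the alert.
    """
    counts = parse_scoreboard(status_text)
    reading = counts.get("R", 0)
    ratio = stuck_reading_ratio(counts)
    return {"reading": reading, "ratio": ratio,
            "alert": reading >= min_reading and ratio >= min_ratio}


if __name__ == "__main__":
    for name, page in (("attack", SAMPLE_ATTACK), ("healthy", SAMPLE_HEALTHY)):
        print(name, slow_request_alert(page))
```

Routing the alert to the security team rather than the operations queue addresses the misattribution Davies describes; on the mitigation side, the Apache timeout the article refers to is controlled by mod_reqtimeout's RequestReadTimeout directive, which bounds how long a client may take to deliver its headers.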