Hackers route via Tor for stealthy 'slow-death' DoS attacks

News by Doug Drinkwater

Vigilante hactivists have been taking down pornography, Jihadi and other websites by using a new type of "slow-death" Denial-of-Service (DoS) attack that is virtually undetectable, bypassing some leading security solutions.

Jonathan Davies, director of engineering at Pervade Software, revealed to SCMagazineUK.com how his company had been testing layer 7 DoS techniques in a lab environment prior to noting that hackers named ‘Tor Reaper' and ‘Bitcoin Baron' were using a similar method to hit numerous sites, including child and animal pornography sites, one of which had a membership of more than 39,000 users.

Speaking on the attack, otherwise known as ‘darkreaper', before his briefing on the subject at last week's S&P conference, Davies detailed how DoS and DDoS attacks have developed from the early layer four attacks to layer seven, with the latest technique seeing the Tor Reaper, Bitcoin Baren and others route attacks through the Tor network to hit Apache and IIS servers, both on the Tor network (.onion sites) and the main web.

In his test, Davies used a program written in PHP, which allows the attack to be carried out on any Windows, Mac or Linux laptop or server, and can also be upscaled to a Distributed-Denial-of-Service (DDoS) to direct multiple servers against the same target.

Davies describes how this example is a level up from ‘The Jester', which launched similar layer seven attacks against WikiLeaks, albeit ones that were rerouted through compromised web hosts and not an anonymity network. The Jester's attack would be detectable if the victim organisation used Security Information & Event Management (SIEM) tools to analyse the web server logs because it left both error and access logs on the target system.

He suggests that only system monitoring performance data could identify the effects of the attack. However, alerts from performance monitoring systems would be going to the wrong people who would most likely think the server ‘was misconfigured or just needs restarting'.

“What's probably most scary is that [Tor Reaper] could route them through Tor and launch attacks against normal internet sites. It leaves no logs behind, but even if it did, the true source would be unknown” Davies told SC. “Detecting the source of the attack is impossible, detecting the attack is happening at all is difficult enough.”

“The logs from legitimate requests would be processed by the SIEM as normal and everything would look fine, but actually the system could be under a very dangerous attack.”

In his test against a hardened Linux web server, Davies was able to rack up 257 hung web server requests in minutes, knocking over the test server, most of which typically support up to 150 to 200 processes (a single laptop could run 1,000 – enough to launch DoS attacks against four separate targets). As layer seven attacks have very little impact on bandwidth and do not require the attacker to have a public IP address, they can be launched from anywhere.

Tor Reaper posted screenshots on Twitter suggesting that he had command fed a control script that launched child processes to drip feed HTTP requests to the web server. 257 processes were running in Davies' test, but over 500 processes allowed Tor Reaper to declare ‘Tango down' in just 16 minutes against a large target.

Davies explained how this application-level DoS attack sees the hacker use multiple child processes to ‘drip-feed' genuine web requests to the server. Each time a request is made, the server forks a new process and waits for the rest of the request, up to 400 seconds on Apache. [Davies added you could lower this timeout but would risk of your server becoming unusable for low-bandwidth users.]

He adds that layer seven attacks like these would take 15 minutes or more to ‘trickle up the processes' depending on the size and capacity of the web server being targeted.

“The targets are susceptible if they run a web server directly behind a firewall and not via a proxy. FTSE 250 businesses are at risk from this for sure,” said Davies.

He added that it would be simple to upscale the attack: “What if 15 of Tor Reaper are all attacking the same targets?” said Davies further citing that 100 people, working up 2,500 processes ‘would be enough to trip up an enterprise system in banks, governments and utilities companies'.

The one saving grace is that those using reverse proxy services like Cloudflare, which acts a buffer to the web server, would be less likely to be affected, although Bitcoin Baron claimed to have downed a website on Akamai infrastructure. One source, an Akamai customer, confirmed to SC that this test bypassed their defences before quickening the server's response time.

Industry experts were divided how new this tactic is, and the use of Tor, but Davies said it represents a step up from Slowloris as these are no longer malformed requests (they are genuine) or old ‘Get' requests with no data. They are multi-part POST requests instead with deep packet inspection only looking for malformed requests.

“There has never been a DoS attack before that is so effective and produces no logs,” Davies said. “Anybody who thinks this is the same as SlowLoris or PyLoris from a few years ago has not understood the threat, it is a different type of attack that works on all types of servers and is practically undetectable by most Security Operations Centers.”

Alan Woodward, Europol adviser and visiting professor at Surrey University's Computing department, told SC that there's not been a huge amount published on alternate Tor DoS attacks, which have previously been discounted as they are restricted by internet bandwidth, limited to 100mbs rather than GBPS, and only able to send TCP packets (not UDP). On the bandwidth issues, he said it was the equivalent of forcing ‘large men through a revolving door'.

On this method of attack he said: “I'd say it has potential to cause some real problems, and if you are using the right platform to send from, eg can keep enough connections open, I can't see what is to stop it.  I suspect it may already be in use, and if it is and proves reliable as an attack vector, I can see it gaining popularity even if only because it offers a way to avoid some current defences.”

He added that this was the latest proof hackers and hacktivists are trying to penetrate defences in newer ways, especially using anonymity networks to hide their activity. He said that there has been evidence of timing and DNS leakage attacks, with 3DOS attacks working at multiple layer seven stack. 

“It won't be that long before user Tor, VPN, i2p or combination to avoid sort of defences Cloudflare and others are employing."


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews