what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

Orbit Downloader SYN Flood

Orbit Downloader SYN Flood
Posted Jul 24, 2013
Authored by Bhadresh Patel

Cyberoam is warning the general public that Orbit Downloader is causing massive SYN flooding.

tags | advisory, denial of service
SHA-256 | 90e5f178d86720bbe16c5ed5b968847e9f32057836a9e8e77e7dd1b41134ee7d

Orbit Downloader SYN Flood

Change Mirror Download
Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!

Cyberoam cautions all Orbit Downloader users, as the latest version of the Orbit Downloader is turning computers, devices into a SYN Flooder. It is found that as soon as orbit downloader launches itself, it starts sending very high amount of SYN traffic at rate of 50-70 KPPS (around 5-7 Mbps) causing clogging in networks and abrupt ceases to respond to commands, especially with gateway devices/network switches. The immediate rise in traffic also leads to severe bandwidth crunch.

The article intends to throw further light on the issue. Read on to know more.


Orbit Downloader is creating very high amount of SYN traffic with random source IP addresses to create DDOS attack that immediately hangs Gateway Devices/network switches completely and breaks down the entire network operation along with network security devices exposing networks to higher vulnerabilities. The issue was noticed on various computers with the latest versions of Orbit Downloader, leading to immediate and high bandwidth usage.

As per the content on the official website of Orbit Downloader, it is the….

‘most popular YouTube Downloader chosen by millions of people.’
‘most popular Flash video Downloader chosen by millions of people.’
‘most popular Metacafe Downloader chosen by millions of people.’
‘most popular Veoh Downloader chosen by millions of people.’

These comments clearly highlight the large number of users of Orbit Downloader. Apart from this, the official forum of Orbit Downloader states that the ‘Total number of registered users: 1003785’. These figures are alarming. The more the number of users, the wider the range of the impact.
About Orbit Downloader

Orbit Downloader is a leader of download manager revolution, is devoted to new generation web downloading, such as video, music, streaming media from MySpace, YouTube, Imeem, Pandora, Rapidshare, support RTMP and to make general downloading easier and faster.
Technical Details

An attempt to check the latest version of Orbit downloader on ‘Virustotal’ clearly indicates that it is considered as healthy binary by almost all Anti-virus engines.

md5sum: a14d5266da3325bf96e7c73eede18c26
Result: https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/


As soon as the orbit downloader launches, it starts sending very high amount of SYN traffic (50K-70K PPS) with random source IP addresses along-with forged Source MAC address: 0a:0a:0a:0a:0a:0a.

This program has more than 1300 connections open at any given time – opening over 40 connections per second. Effectively it is launching a SYN flood attack against a set of servers, but has an adverse effect on every piece of hardware from this computer to the servers at the destination addresses. Mostly observed on,,, IPs.

While checking the TCP SYNC packets in depth, it’s been observed that the packet comes with some dummy public IP, which is new in the network. Also the Source IP changes after each THREE Sync Packets that causes this DDOS flooding. Such a flooding will remarkably increase CPU/memory resources on Gateway Devices/network switches performing continuous stateful inspection, leading to a state of system experiencing a complete hang or unresponsiveness to legitimate traffic.

Apart from this, this tool intelligently changes the source MAC Address in Packets which makes impossible to identify the source of this flooder by looking at the MAC Address in packets. All the packets has source MAC set as 0a:0a:0a:0a:0a:0a. The main issue is that one cannot directly pin point the culprit machine until and unless one has a manageable switch, where you can locate the hardware port you have this MAC address, making detection a tedious process.

About SYN flooding:

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not sending an expected ACK code to the server. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it “knows” that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic.


Cyberoam customers should follow the below steps to help them prevent the menace:

Enable Spoof Prevention in firewall and select IP Spoofing zone LAN or DMZ.

About Cyberoam’s Spoof Prevention feature:

When IP Spoofing is enabled, Cyberoam examines all incoming packets and discards all such packets that do not carry a confirmable Source IP Address. In other words, if the source IP address of a packet does not match with any entry on Cyberoam’s routing table, or if the packet is not from a direct subnet, then Cyberoam drops that packet.

For more information on Cyberoam and its exhaustive Next Generation security features visit www.cyberoam.com. For similar updates on network threats, attacks or alerts, subscribe to Cyberoam Blogs.
Login or Register to add favorites

File Archive:

September 2022

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Sep 1st
    23 Files
  • 2
    Sep 2nd
    12 Files
  • 3
    Sep 3rd
    0 Files
  • 4
    Sep 4th
    0 Files
  • 5
    Sep 5th
    10 Files
  • 6
    Sep 6th
    8 Files
  • 7
    Sep 7th
    30 Files
  • 8
    Sep 8th
    14 Files
  • 9
    Sep 9th
    26 Files
  • 10
    Sep 10th
    0 Files
  • 11
    Sep 11th
    0 Files
  • 12
    Sep 12th
    5 Files
  • 13
    Sep 13th
    28 Files
  • 14
    Sep 14th
    15 Files
  • 15
    Sep 15th
    17 Files
  • 16
    Sep 16th
    9 Files
  • 17
    Sep 17th
    0 Files
  • 18
    Sep 18th
    0 Files
  • 19
    Sep 19th
    12 Files
  • 20
    Sep 20th
    15 Files
  • 21
    Sep 21st
    20 Files
  • 22
    Sep 22nd
    13 Files
  • 23
    Sep 23rd
    12 Files
  • 24
    Sep 24th
    0 Files
  • 25
    Sep 25th
    0 Files
  • 26
    Sep 26th
    30 Files
  • 27
    Sep 27th
    27 Files
  • 28
    Sep 28th
    8 Files
  • 29
    Sep 29th
    14 Files
  • 30
    Sep 30th
    19 Files

Top Authors In Last 30 Days

File Tags


packet storm

© 2022 Packet Storm. All rights reserved.

Hosting By