exploit the possibilities

Orbit Downloader SYN Flood

Orbit Downloader SYN Flood
Posted Jul 24, 2013
Authored by Bhadresh Patel

Cyberoam is warning the general public that Orbit Downloader is causing massive SYN flooding.

tags | advisory, denial of service
MD5 | ebfc3dc4518a3de3814b626d1128381d

Orbit Downloader SYN Flood

Change Mirror Download
Subject:
========
Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!

Brief:
======
Cyberoam cautions all Orbit Downloader users, as the latest version of the Orbit Downloader is turning computers, devices into a SYN Flooder. It is found that as soon as orbit downloader launches itself, it starts sending very high amount of SYN traffic at rate of 50-70 KPPS (around 5-7 Mbps) causing clogging in networks and abrupt ceases to respond to commands, especially with gateway devices/network switches. The immediate rise in traffic also leads to severe bandwidth crunch.

The article intends to throw further light on the issue. Read on to know more.

Impact:
=======

Orbit Downloader is creating very high amount of SYN traffic with random source IP addresses to create DDOS attack that immediately hangs Gateway Devices/network switches completely and breaks down the entire network operation along with network security devices exposing networks to higher vulnerabilities. The issue was noticed on various computers with the latest versions of Orbit Downloader, leading to immediate and high bandwidth usage.

Detail:
=======
As per the content on the official website of Orbit Downloader, it is the….

‘most popular YouTube Downloader chosen by millions of people.’
‘most popular Flash video Downloader chosen by millions of people.’
‘most popular Metacafe Downloader chosen by millions of people.’
‘most popular Veoh Downloader chosen by millions of people.’

These comments clearly highlight the large number of users of Orbit Downloader. Apart from this, the official forum of Orbit Downloader states that the ‘Total number of registered users: 1003785’. These figures are alarming. The more the number of users, the wider the range of the impact.
About Orbit Downloader

Orbit Downloader is a leader of download manager revolution, is devoted to new generation web downloading, such as video, music, streaming media from MySpace, YouTube, Imeem, Pandora, Rapidshare, support RTMP and to make general downloading easier and faster.
Technical Details

An attempt to check the latest version of Orbit downloader on ‘Virustotal’ clearly indicates that it is considered as healthy binary by almost all Anti-virus engines.

md5sum: a14d5266da3325bf96e7c73eede18c26
Version: 4.1.1.18
Result: https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/

Behaviour:
==========

As soon as the orbit downloader launches, it starts sending very high amount of SYN traffic (50K-70K PPS) with random source IP addresses along-with forged Source MAC address: 0a:0a:0a:0a:0a:0a.

This program has more than 1300 connections open at any given time – opening over 40 connections per second. Effectively it is launching a SYN flood attack against a set of servers, but has an adverse effect on every piece of hardware from this computer to the servers at the destination addresses. Mostly observed on 118.69.172.122, 118.69.169.103, 118.69.169.95, 118.69.172.247 IPs.

While checking the TCP SYNC packets in depth, it’s been observed that the packet comes with some dummy public IP, which is new in the network. Also the Source IP changes after each THREE Sync Packets that causes this DDOS flooding. Such a flooding will remarkably increase CPU/memory resources on Gateway Devices/network switches performing continuous stateful inspection, leading to a state of system experiencing a complete hang or unresponsiveness to legitimate traffic.

Apart from this, this tool intelligently changes the source MAC Address in Packets which makes impossible to identify the source of this flooder by looking at the MAC Address in packets. All the packets has source MAC set as 0a:0a:0a:0a:0a:0a. The main issue is that one cannot directly pin point the culprit machine until and unless one has a manageable switch, where you can locate the hardware port you have this MAC address, making detection a tedious process.

About SYN flooding:
===================

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not sending an expected ACK code to the server. The malicious client can either simply not send the expected ACK, or by spoofing the source IP address in the SYN, causing the server to send the SYN-ACK to a falsified IP address – which will not send an ACK because it “knows” that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the missing ACK, but in an attack increasingly large numbers of half-open connections will bind resources on the server until no new connections can be made, resulting in a denial of service to legitimate traffic.

Solution:
=========

Cyberoam customers should follow the below steps to help them prevent the menace:

Enable Spoof Prevention in firewall and select IP Spoofing zone LAN or DMZ.


About Cyberoam’s Spoof Prevention feature:
==========================================

When IP Spoofing is enabled, Cyberoam examines all incoming packets and discards all such packets that do not carry a confirmable Source IP Address. In other words, if the source IP address of a packet does not match with any entry on Cyberoam’s routing table, or if the packet is not from a direct subnet, then Cyberoam drops that packet.

For more information on Cyberoam and its exhaustive Next Generation security features visit www.cyberoam.com. For similar updates on network threats, attacks or alerts, subscribe to Cyberoam Blogs.

Comments

RSS Feed Subscribe to this comment feed

No comments yet, be the first!

Login or Register to post a comment

File Archive:

January 2020

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Jan 1st
    8 Files
  • 2
    Jan 2nd
    11 Files
  • 3
    Jan 3rd
    11 Files
  • 4
    Jan 4th
    2 Files
  • 5
    Jan 5th
    2 Files
  • 6
    Jan 6th
    18 Files
  • 7
    Jan 7th
    15 Files
  • 8
    Jan 8th
    16 Files
  • 9
    Jan 9th
    10 Files
  • 10
    Jan 10th
    13 Files
  • 11
    Jan 11th
    2 Files
  • 12
    Jan 12th
    4 Files
  • 13
    Jan 13th
    21 Files
  • 14
    Jan 14th
    18 Files
  • 15
    Jan 15th
    12 Files
  • 16
    Jan 16th
    18 Files
  • 17
    Jan 17th
    11 Files
  • 18
    Jan 18th
    3 Files
  • 19
    Jan 19th
    2 Files
  • 20
    Jan 20th
    15 Files
  • 21
    Jan 21st
    22 Files
  • 22
    Jan 22nd
    19 Files
  • 23
    Jan 23rd
    4 Files
  • 24
    Jan 24th
    0 Files
  • 25
    Jan 25th
    0 Files
  • 26
    Jan 26th
    0 Files
  • 27
    Jan 27th
    0 Files
  • 28
    Jan 28th
    0 Files
  • 29
    Jan 29th
    0 Files
  • 30
    Jan 30th
    0 Files
  • 31
    Jan 31st
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2016 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close