
Orbit Downloader SYN Flood

Posted Jul 24, 2013
Authored by Bhadresh Patel

Cyberoam is warning the general public that Orbit Downloader is causing massive SYN flooding.

tags | advisory, denial of service
SHA-256 | 90e5f178d86720bbe16c5ed5b968847e9f32057836a9e8e77e7dd1b41134ee7d

Subject:
========
Orbit Downloader is causing massive SYN flooding. Cyberoam cautions!

Brief:
======
Cyberoam cautions all Orbit Downloader users: the latest version of Orbit Downloader turns the computers and devices it runs on into SYN flooders. As soon as Orbit Downloader launches, it starts sending a very high volume of TCP SYN traffic, measured at 50-70 Kpps. (This advisory also quoted the rate as around 5-7 Mbps, but that figure does not agree with the packet rate: even at the 60-byte minimum Ethernet frame, 50 Kpps is roughly 24 Mbps on the wire, so treat the packet rate as the reliable number.) The flood clogs the network and makes devices in its path, especially gateway devices and network switches, abruptly stop responding to commands. The sudden rise in traffic also causes a severe bandwidth crunch.

This advisory describes the issue in more detail.

Impact:
=======

Orbit Downloader generates a very high volume of SYN traffic with random source IP addresses. The same behaviour on many installations amounts to a distributed SYN flood against the destination servers; closer to home, the flood from a single host immediately hangs gateway devices and network switches completely and breaks down the entire network, including the network security devices in the path, which leaves the network less protected while they are down. The issue was observed on several computers running the latest version of Orbit Downloader, each producing an immediate spike in bandwidth usage.

Detail:
=======
As per the content on the official website of Orbit Downloader, it is the:

‘most popular YouTube Downloader chosen by millions of people.’
‘most popular Flash video Downloader chosen by millions of people.’
‘most popular Metacafe Downloader chosen by millions of people.’
‘most popular Veoh Downloader chosen by millions of people.’

These claims point to a very large user base, and the official Orbit Downloader forum states ‘Total number of registered users: 1003785’. Since every installation behaves as a flooder, the size of the user base sets the scale of the impact.

About Orbit Downloader:
=======================

Its vendor describes Orbit Downloader as a leader of the download manager revolution, devoted to new-generation web downloading (video, music and streaming media from MySpace, YouTube, Imeem, Pandora and Rapidshare, with RTMP support) and to making general downloading easier and faster.
Technical Details:
==================

Submitting the latest Orbit Downloader build to VirusTotal shows that almost all anti-virus engines consider it a clean binary, so anti-virus alone will not flag it.

md5sum: a14d5266da3325bf96e7c73eede18c26
Version: 4.1.1.18
Result: https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/

Behaviour:
==========

As soon as Orbit Downloader launches, it starts sending a very high volume of SYN traffic (50-70 Kpps) with random source IP addresses and a forged source MAC address of 0a:0a:0a:0a:0a:0a. That address has the locally administered bit set, so it maps to no vendor OUI.

The program keeps more than 1300 connections open at any given time and opens over 40 new ones per second. Effectively it is launching a SYN flood against a set of servers, and every piece of network hardware between the infected computer and those servers is affected along the way. The destination addresses most often observed were 118.69.172.122, 118.69.169.103, 118.69.169.95 and 118.69.172.247.

Inspecting the TCP SYN packets closely shows that each carries a bogus public source IP address that does not belong to the local network, and that the source IP changes after every three SYN packets. A flood like this drives up CPU and memory use on gateway devices and network switches that perform stateful inspection, because each new spoofed source creates new state, until the device hangs completely or stops responding to legitimate traffic.

In addition, the tool rewrites the source MAC address of every packet to 0a:0a:0a:0a:0a:0a, so the real network adapter cannot be identified from the packets themselves. The forged address never changes, but it belongs to no NIC on the network, so the offending machine cannot be pinpointed directly: one needs a managed switch whose MAC address table shows which physical port the forged address was learned on, which makes tracking it down tedious.
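The detection and attribution workflow described above, as an added example that is not part of the Cyberoam advisory or of Orbit Downloader: profile SYN-only packets per source MAC, flag a MAC that sends a fast burst of SYNs from several addresses outside the LAN, confirm that the source rotates every few packets, and then look the MAC up in a managed switch's MAC address table to find the port. The packet trace, the switch table dump, LAN_NET, the helper names and the thresholds are this example's own constructed data and assumptions.

```python
"""Added example (not code from the Cyberoam advisory or from Orbit Downloader).
Profiles SYN-only packets per source MAC, flags a host rotating a bogus source
IP behind one forged MAC, then maps that MAC to a switch port. The packet
trace, switch table, LAN_NET and thresholds are constructed assumptions."""
from collections import Counter, defaultdict
from ipaddress import ip_address, ip_network

LAN_NET = ip_network("192.168.1.0/24")   # assumed local subnet
FORGED_MAC = "0a:0a:0a:0a:0a:0a"         # source MAC reported in the advisory


def is_locally_administered(mac):
    """Bit 1 of the first octet set: locally administered, no vendor OUI."""
    return bool(int(mac.split(":")[0], 16) & 0x02)


def flood_sample(n=30, interval=0.00002):
    """Constructed trace: SYN-only packets at 50 Kpps, source IP rotating every 3."""
    pkts = []
    for i in range(n):
        src = "198.51.100.%d" % (1 + i // 3)   # TEST-NET-2: bogus public source
        pkts.append((i * interval, FORGED_MAC, src, "118.69.172.122", 80, "S"))
    return pkts


# (timestamp_s, src_mac, src_ip, dst_ip, dst_port, tcp_flags): constructed records
LEGIT = [
    (0.00011, "00:11:22:33:44:55", "192.168.1.20", "93.184.216.34", 443, "S"),
    (0.00031, "00:11:22:33:44:55", "192.168.1.20", "93.184.216.34", 443, "A"),
    (0.00041, "00:11:22:33:44:55", "192.168.1.20", "93.184.216.34", 443, "PA"),
]
PACKETS = sorted(flood_sample() + LEGIT)


def profile_syns(packets, lan=LAN_NET):
    """Per source MAC: SYN count, rate, distinct sources, share outside the LAN,
    and how many consecutive SYNs keep one source before it changes."""
    by_mac = defaultdict(list)
    for ts, mac, sip, _dip, _dport, flags in packets:
        if flags == "S":                        # SYN set, ACK clear
            by_mac[mac].append((ts, sip))
    profiles = {}
    for mac, syns in by_mac.items():
        times = [t for t, _ in syns]
        srcs = [s for _, s in syns]
        span = max(times) - min(times)
        runs, run = [], 1
        for prev, cur in zip(srcs, srcs[1:]):
            if prev == cur:
                run += 1
            else:
                runs.append(run)
                run = 1
        runs.append(run)
        profiles[mac] = {
            "syns": len(syns),
            "pps": (len(syns) - 1) / span if span > 0 else 0.0,
            "distinct_src": len(set(srcs)),
            "outside_lan": sum(ip_address(s) not in lan for s in srcs) / len(srcs),
            "run_length": Counter(runs).most_common(1)[0][0],
            "local_admin_mac": is_locally_administered(mac),
        }
    return profiles


def find_flooders(profiles, min_pps=1000.0, min_outside=0.5, min_distinct=3):
    """MACs sending fast SYN bursts from several addresses that are not in the LAN."""
    return sorted(mac for mac, p in profiles.items()
                  if p["pps"] >= min_pps and p["outside_lan"] >= min_outside
                  and p["distinct_src"] >= min_distinct)


# Constructed dump in the style of a Cisco "show mac address-table"
MAC_TABLE = """\
Vlan    Mac Address       Type        Ports
----    -----------       --------    -----
  10    0011.2233.4455    DYNAMIC     Gi1/0/3
  10    0a0a.0a0a.0a0a    DYNAMIC     Gi1/0/7
  10    001c.7e12.9a04    DYNAMIC     Gi1/0/24
"""


def norm_mac(text):
    """Normalise aa:bb:cc:dd:ee:ff, aabb.ccdd.eeff or aa-bb-... to colon form."""
    digits = text.lower().replace(":", "").replace(".", "").replace("-", "")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def parse_mac_table(text):
    """Map normalised MAC -> switch port from the table dump."""
    ports = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4 and parts[2].upper() in ("DYNAMIC", "STATIC"):
            ports[norm_mac(parts[1])] = parts[3]
    return ports


def locate(mac, table_text=MAC_TABLE):
    """Switch port the MAC was learned on, or None if the switch never saw it."""
    return parse_mac_table(table_text).get(norm_mac(mac))
```

On the constructed trace, `find_flooders(profile_syns(PACKETS))` returns only the forged MAC, whose profile shows 30 SYNs at about 50,000 pps from 10 distinct sources, all outside the LAN, changing every 3 SYNs; `locate(FORGED_MAC)` then gives Gi1/0/7, the port to shut or inspect. The genuine host sends one SYN and is not flagged.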

About SYN flooding:
===================

A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target’s system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood works by never sending the ACK the server expects. The malicious client can simply withhold the ACK, or it can spoof the source IP address in the SYN so that the server sends its SYN-ACK to a falsified address, which never replies with an ACK because it never sent a SYN. Orbit Downloader does the latter, and rotates the falsified address as well.

The server waits for the acknowledgement for some time, since ordinary network congestion could also explain a missing ACK, but under attack an ever larger number of half-open connections ties up server resources until no new connections can be accepted, denying service to legitimate traffic.
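The half-open queue described above, as an added example that is not part of the advisory: a small model of a server's SYN backlog in which an entry is freed only when the client completes the handshake or when the server gives up waiting. It is a simplification of a real TCP stack (which retransmits the SYN-ACK with backoff and may use SYN cookies), and it exists to show one number the text leaves implicit: spoofed SYNs arriving faster than queue capacity divided by the timeout keep the queue full, so legitimate clients get dropped. The queue size, timeout, arrival pattern and addresses are this example's own assumptions.

```python
"""Added example, not from the Cyberoam advisory: a minimal half-open queue model.
Spoofed SYNs never get an ACK, so their entries live until the timeout; once the
arrival rate exceeds capacity / timeout the queue stays full and legitimate SYNs
are refused. Capacity, timeout and the traffic mix are assumptions."""


class SynBacklog:
    def __init__(self, capacity=128, timeout=60.0):
        self.capacity = capacity
        self.timeout = timeout
        self.half_open = {}      # (src_ip, src_port) -> time the server gives up
        self.dropped = 0         # SYNs refused because the queue was full
        self.established = 0

    def _expire(self, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}

    def syn(self, now, src):
        """Server receives a SYN; True if it was queued and a SYN-ACK sent."""
        self._expire(now)
        if len(self.half_open) >= self.capacity:
            self.dropped += 1
            return False
        self.half_open[src] = now + self.timeout
        return True

    def ack(self, now, src):
        """Third handshake step; only a client that really sent the SYN does this."""
        self._expire(now)
        if self.half_open.pop(src, None) is None:
            return False
        self.established += 1
        return True


def min_flood_pps(capacity, timeout):
    """Spoofed SYN rate above which the queue never drains (steady state)."""
    return capacity / timeout


def simulate(capacity=128, timeout=60.0, flood_pps=10, duration_s=30):
    """Spoofed SYNs at flood_pps (never ACKed); one legitimate client per second."""
    server = SynBacklog(capacity, timeout)
    legit_ok = legit_failed = 0
    for i in range(duration_s * flood_pps):
        now = i / flood_pps
        if i % flood_pps == 0:                       # legitimate client, once a second
            src = ("192.168.1.20", 40000 + i)
            if server.syn(now, src):
                server.ack(now, src)                 # real client completes handshake
                legit_ok += 1
            else:
                legit_failed += 1
        # Spoofed source (TEST-NET-2): the SYN-ACK goes nowhere, no ACK ever comes.
        server.syn(now, ("198.51.100.%d" % (i % 250 + 1), 1024 + i))
    return {"legit_ok": legit_ok, "legit_failed": legit_failed,
            "syns_dropped": server.dropped, "established": server.established}
```

With the defaults (128 slots, 60 s timeout) the threshold is about 2.1 SYN/s: at 10 spoofed SYN/s the queue is full after 13 s and every later legitimate connection fails, while at 2 SYN/s entries expire as fast as they arrive and nothing is refused. Against that threshold, the 50-70 Kpps reported above is more than four orders of magnitude beyond what it takes to exhaust a classic backlog.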

Solution:
=========

Cyberoam customers should take the following step to contain the problem:

Enable Spoof Prevention in the firewall and select LAN or DMZ (whichever zone the affected hosts are in) as the IP Spoofing zone, so that SYNs leaving that zone with a source address that does not belong there are dropped at the gateway.

This stops the spoofed flood at the gateway and protects everything beyond it. The switches between the infected host and the gateway still carry the traffic, so the machine also needs to be located (via the switch MAC address table, as described above) and Orbit Downloader stopped or removed.


About Cyberoam’s Spoof Prevention feature:
==========================================

When IP Spoofing is enabled, Cyberoam examines every incoming packet on the selected zones and discards any whose source IP address cannot be confirmed. In other words, if the source IP address of a packet does not match an entry in Cyberoam’s routing table, or the packet does not arrive from a directly connected subnet, Cyberoam drops it. This is a reverse-path check: the spoofed sources used by Orbit Downloader are public addresses with no route back through the LAN or DMZ interface they arrive on, so they fail it, while traffic from genuine LAN hosts passes.
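The check just described, as an added example that is not Cyberoam's code: a strict reverse-path (unicast RPF) decision, which is the general form of "the source must match the routing table or come from a direct subnet". A packet arriving on a protected interface is accepted only when the most specific route back to its source address leaves through that same interface; a source known only through the default route is not confirmable and is dropped. The routing table, interface names (lan0, dmz0, wan0) and the sample packets are constructed.

```python
"""Added example, not Cyberoam's code: strict reverse-path check behind a
spoof-prevention rule. Routing table, interfaces and packets are constructed."""
from ipaddress import ip_address, ip_network

# (prefix, interface it is reached through): constructed gateway routing table.
ROUTES = [
    (ip_network("0.0.0.0/0"),      "wan0"),   # default route to the ISP
    (ip_network("192.168.1.0/24"), "lan0"),   # directly connected LAN
    (ip_network("192.168.2.0/24"), "lan0"),   # assumed second subnet routed via LAN
    (ip_network("10.10.0.0/24"),   "dmz0"),   # directly connected DMZ
]
PROTECTED = {"lan0", "dmz0"}   # zones selected for IP spoofing checks


def best_route(addr, routes=ROUTES):
    """Longest-prefix match: (prefix, interface) or None."""
    ip = ip_address(addr)
    hits = [(net, iface) for net, iface in routes if ip in net]
    return max(hits, key=lambda hit: hit[0].prefixlen) if hits else None


def rpf_verdict(src_ip, ingress, routes=ROUTES, protected=PROTECTED):
    """('accept' | 'drop', reason) for a packet with src_ip arriving on ingress."""
    if ingress not in protected:
        return "accept", "interface not in a spoof-prevention zone"
    hit = best_route(src_ip, routes)
    if hit is None or hit[0].prefixlen == 0:
        # Only the default route (or nothing) knows the source: not confirmable.
        return "drop", "no specific route back to %s" % src_ip
    net, iface = hit
    if iface != ingress:
        return "drop", "%s belongs behind %s, arrived on %s" % (net, iface, ingress)
    return "accept", "%s is reachable via %s" % (net, ingress)


# (src_ip, ingress interface): constructed packets modelled on the advisory.
SAMPLE = [
    ("192.168.1.20",   "lan0"),   # genuine LAN host
    ("198.51.100.4",   "lan0"),   # flooder's bogus public source
    ("203.0.113.9",    "lan0"),   # another rotated bogus source
    ("10.10.0.5",      "lan0"),   # DMZ address showing up on the LAN side
    ("192.168.2.9",    "lan0"),   # routed subnet behind the LAN interface
    ("118.69.172.122", "wan0"),   # the real server replying: WAN is not checked
]


def filter_batch(samples=SAMPLE):
    """Apply the check to each sample; returns [(src_ip, ingress, verdict), ...]."""
    return [(src, ing, rpf_verdict(src, ing)[0]) for src, ing in samples]
```

Strict mode relies on symmetric routing, which holds for hosts on a LAN or DMZ segment but not always on multi-homed WAN links; that is why the zone selected for the check is LAN or DMZ rather than WAN. Note the check says nothing about the forged MAC: it only stops the spoofed IP traffic, and the flooder still has to be found on the switch.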

For more information on Cyberoam and its exhaustive Next Generation security features visit www.cyberoam.com. For similar updates on network threats, attacks or alerts, subscribe to Cyberoam Blogs.