Hackers Hijack Web Servers For More Powerful DDoS Attacks

(WEB HOST INDUSTRY REVIEW) — Instead of using bot-infected PCs, a new generation of distributed denial of service attacks is leveraging the power of web servers, according to research from security firm Imperva (www.imperva.com). This strategy forms the basis for a botnet that compromised around 300 web servers to launch high-bandwidth DDoS attacks, according to a Techworld news post.

Imperva researchers discovered this hijacking, and they believe the servers were accessed through an unspecified security vulnerability that lets the attacker, “Exeman,” infect them with a minuscule 40-line PHP script. The script includes a simple GUI in which the attacker enters an IP address, a port and a duration to launch a DDoS attack. After discovering the threat, the researchers were able to observe the attacker using a compromised server to launch a real DoS attack on a Dutch ISP, likely for an extortion-related purpose.

Imperva CTO Amichai Shulman told Techworld that web servers are an excellent resource for hackers because they often lack anti-virus software and offer 10 to 50 times the upload bandwidth of a consumer PC. Shulman estimates that hundreds of web servers have been infected and are being re-purposed to carry out DDoS attacks.

These super-charged DDoS attacks can pose major dangers to web hosts. Yesterday, the second of two men charged in more traditional-style DDoS attacks on web hosting providers The Planet and T35 hosting in 2006 pleaded guilty to building a 22,000 node botnet called “Nettick.”

Shulman told tech blog The Register that DDoS attacks launched via web servers can be harder to detect than traditional attacks. Further, trace-backs typically lead to a lone server at a random hosting company. “Companies should regularly monitor their Google presence to look for evidence of being compromised,” he told The Register.