The Saphyra DDOS tool which has been used in a lot of notable takedowns this year, including the NASA site, has been analyzed by security experts.
More About Saphyra
In the last few months, we have witnessed several large-scale DDOS attacks against major targets. According to security experts, the Saphyra hacking tool is responsible for some of them, including the famous NASA takedown.
These types of criminal attacks are usually carried out in two ways:
- Attackers send floods of SYN packets to the target host. The large amount of responses that the machine has to render makes it unresponsive in the end
- UDP/DNS attacks on the network and transport layers which are also known as reflection attacks
The HTTP flood attack is a type of an application layer attack that uses the standard HTTP GET and POST requests. It does not use spoofing, reflective techniques or malformed packets which are an easy and clean way of disabling web servers.
Saphyra itself is a Python script that can be used on almost all devices – mobile phones, laptops, desktop computers, network appliances and others. The program is a collection of-of over 3200 unique user agent strings and over 300 unique referrer field strings. This accounts for more than a million combinations of user agent referrer instances. Upon execution, the tool crafts a unique combination of these variables that are sent to the target server as HTTP requests. The attack mechanism uses the unique requests to avoid or bypass caching engines and directly impacts the servers. This results in effective DDOS takedowns due to the large amount of HTTP requests.
The Saphyra Attack
The program has the potential to use different techniques depending on the user configuration. Some of the methods that it employs include the following:
- Source Client Obfuscation – the user agent is constructed randomly from a list of known agents
- Referer Spoofing – Prevents the website from obtaining identity information when incorrect referer information is sent through the HTTP request
- Persistence – Saphyra uses standard HTTP commands to make the server maintain open connections using keep-alive sessions with definable time duration
- No Cache – The server is requested to send a unique page for each request sent by the malicious tool
The HTTP flood attacks are some of the most advanced cyber security threats that attack web servers. The major difficulty that prevents network administrators and vendors is the distinguishment between legitimate and malicious traffic. The high number of false positives prohibits the creation of quality active counter measures that can be effective against them. In additional, the rate-based detection solutions cannot detect these types of attack when the volume of traffic is under the designated threshold.
Saphyra also prevents the server defences from recognising patterns and setting up filters.
Saphyra iDDoS Tool Command Line Interface, © Security Intelligence