'itsoknoproblembro' Toolkit - The Beast that Beat Banks

Large scale, sophisticated distributed denial of service attacks - which have plagued the banking industry for months now - are finally subsiding. These attacks, which for the most part have been politically and socially motivated, have been cause for concern for security experts, government officials, and banks.

How It Started

Beginning in September 2012, large banking institutions, including Wells Fargo, Bank of America, PNC and JPMorgan Chase, were on the receiving end of high-volume DDoS attacks, at times peaking between 60Gbps and 100Gbps. By comparison, most attacks are below 1Gbps, hence the concern. Why were banks attacked? For some, the stated reason seems a little flimsy. Rumors circulated that it was an Iran-sponsored attack because of its sophistication and size, but an Iranian hacker collective quelled these rumors by claiming full responsibility for the DDoS attacks and citing the Innocence of Muslims video as their motivation.

If you didn’t catch the headlines, the Innocence of Muslims video incensed the Muslim world because of its negative depiction of the Prophet Mohammad. Soon after clips of the video were released on YouTube, the hacker group Izz ad-din Al Qassam Cyber Fighters posted on Pastebin:


We, Cyber fighters of Izz ad-din Al qassam will attack the Bank of America and New York Stock Exchange for the first step. These Targets are properties of American-Zionist Capitalists. This attack will be started today at 2 pm. GMT. This attack will continue till the Erasing of that nasty movie. Beware this attack can vary in type.

And then the attacks started. They lasted for months and are still a potential threat to banks. Here’s an infographic timeline of the series of DDoS attacks that took place.

How the ‘itsoknoproblembro’ Toolkit Works

The ‘itsoknoproblembro’ toolkit was the weapon of choice for the hackers who launched repeated attacks against banks. It is a hybrid DDoS attack tool that operates as a PHP-based suite. “itsoknoproblembro can launch multi-layered attack vectors by leveraging already compromised commercial machines, while at the same time, injecting malicious PHP scripts into popular content management systems - like WordPress and Joomla. This gives attackers the ability to scale up the size of an attack by converting machines into brobots,” says Todd Reagor, Chief Executive Officer of Rivalhost. Once the compromised machines are under the attackers’ control, launching the attack is a simple matter.

Here’s how the itsoknoproblembro toolkit works:
  • The toolkit attacks the infrastructure and application layers simultaneously
  • SYN floods are used to attack multiple network entry points on the target machine
  • ICMP, UDP, and SSL-encrypted attacks are used as well
  • UDP packet floods are used to overwhelm the target’s DNS infrastructure
  • Traffic comes from legitimate IP addresses (those of the compromised hosts), which makes detection difficult

How DDoS Protection Stops Attacks

DDoS protection is a combination of sophisticated anti-DDoS tools, human knowledge, and experience in mitigation. At its simplest level, it can be divided into three distinct steps:
  • Monitoring: Flow data from edge routers is pulled and analyzed. Potential attack patterns trigger an alert that notifies the team monitoring your server.
  • Detection: Attacks are detected through dynamic profiling, by comparing traffic deviations against an organization’s normal patterns. Signature analysis is also used to compare known attack triggers with the traffic on your site.
  • Mitigation: Typically, malicious traffic is rerouted away from the victim and “scrubbed” by the mitigation company. Legitimate traffic is then forwarded back to its original destination.
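To make the monitoring and detection steps concrete, here is an added example (not code from the original post or from Rivalhost) that models dynamic profiling over per-minute flow summaries. It learns a baseline of SYN, UDP/53 and ICMP packet volumes from a quiet window, then flags minutes that deviate from it, one alert per attack vector, so a simultaneous SYN plus UDP/DNS flood of the kind the toolkit list above describes surfaces as two separate triggers. The flow record format, the addresses and the traffic volumes are all constructed sample data; real deployments would read NetFlow/sFlow from the edge routers instead.

```python
"""Baseline-deviation detection over constructed flow records.

Added example for this article, not code from the original post or from
Rivalhost. The record format and every address/volume below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass
class Flow:
    minute: int      # minute bucket the flow record belongs to
    src: str
    dst: str
    proto: str       # "tcp", "udp" or "icmp"
    dport: int       # 0 for icmp
    flags: str       # TCP flags, "" for non-TCP
    packets: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: minute src dst proto dport flags packets."""
    minute, src, dst, proto, dport, flags, packets = line.split()
    return Flow(int(minute), src, dst, proto, int(dport),
                "" if flags == "-" else flags, int(packets))


# Each attack vector named in the article maps to a simple flow classifier.
VECTORS = {
    "syn_flood": lambda f: f.proto == "tcp" and f.flags == "S",   # SYN without ACK
    "udp_dns_flood": lambda f: f.proto == "udp" and f.dport == 53,
    "icmp_flood": lambda f: f.proto == "icmp",
}


def per_minute_counts(flows):
    """minute -> vector name -> packets attributed to that vector."""
    counts = defaultdict(lambda: defaultdict(int))
    for f in flows:
        for name, matches in VECTORS.items():
            if matches(f):
                counts[f.minute][name] += f.packets
    return counts


def build_baseline(counts, baseline_minutes):
    """Per-vector (mean, population stddev) learned over a known-quiet window."""
    baseline = {}
    for name in VECTORS:
        series = [counts[m].get(name, 0) for m in baseline_minutes]
        baseline[name] = (mean(series), pstdev(series))
    return baseline


def detect(counts, baseline, minutes, k=3.0, min_packets=20):
    """Return (minute, vector, observed, threshold) for each deviating minute.

    threshold = max(mean + k*stddev, min_packets): the floor stops a very quiet
    baseline from turning every small legitimate burst into an alert.
    """
    alerts = []
    for m in minutes:
        for name, (mu, sigma) in baseline.items():
            observed = counts[m].get(name, 0)
            threshold = max(mu + k * sigma, min_packets)
            if observed > threshold:
                alerts.append((m, name, observed, round(threshold, 1)))
    return alerts


def sample_records():
    """Constructed records: five quiet minutes, two attack minutes, one legitimate burst."""
    lines = []
    quiet = [(8, 5, 1), (12, 4, 1), (9, 6, 0), (11, 5, 1), (10, 5, 1)]  # (syn, dns, icmp)
    for m, (syn, dns, icmp) in enumerate(quiet):
        lines.append(f"{m} 10.0.0.1 192.0.2.10 tcp 443 S {syn}")
        lines.append(f"{m} 10.0.0.2 192.0.2.10 tcp 443 PA 40")   # established traffic, not counted
        lines.append(f"{m} 10.0.0.3 192.0.2.53 udp 53 - {dns}")
        if icmp:
            lines.append(f"{m} 10.0.0.4 192.0.2.10 icmp 0 - {icmp}")
    for m in (5, 6):  # simultaneous SYN + UDP/53 floods from many distinct sources
        lines += [f"{m} 198.51.100.{i} 192.0.2.10 tcp 80 S 100" for i in range(50)]
        lines += [f"{m} 203.0.113.{i} 192.0.2.53 udp 53 - 100" for i in range(30)]
    lines.append("7 10.0.0.5 192.0.2.10 tcp 443 S 15")           # legitimate spike, under the floor
    lines.append("7 10.0.0.6 192.0.2.53 udp 53 - 6")
    return lines


def run_demo():
    """Learn the baseline from minutes 0-4, then watch minutes 5-7."""
    flows = [parse_flow(line) for line in sample_records()]
    counts = per_minute_counts(flows)
    baseline = build_baseline(counts, range(0, 5))
    return detect(counts, baseline, range(5, 8))


if __name__ == "__main__":
    for minute, vector, observed, threshold in run_demo():
        print(f"minute {minute}: {vector} observed={observed} threshold={threshold}")
```

Each alert names the vector and the minute it fired, which is the trigger a mitigation team needs to decide which traffic to divert to scrubbing. Because the attack sources are real, non-spoofed hosts, the detector deliberately keys on volume deviation per vector rather than on a source blocklist; the `min_packets` floor is what keeps minute 7's small legitimate burst from raising an alert.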

About the Author
Rob Lons is the Director of Digital at Rivalhost, a DDoS protection company specializing in mitigation and protected web hosting. Follow on Twitter: @rivalhost
