Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!

[bhadresh.k.patel@xxxxxxxxxxxx]

Subject:
========
Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!

Brief:
======
Cyberoam cautions all Orbit Downloader users, as the latest version of the 
Orbit Downloader is turning computers, devices into a SYN Flooder. It is found 
that as soon as orbit downloader launches itself, it starts sending very high 
amount of SYN traffic at rate of 50-70 KPPS (around 5-7 Mbps) causing clogging 
in networks and abrupt ceases to respond to commands, especially with gateway 
devices/network switches. The immediate rise in traffic also leads to severe 
bandwidth crunch.

The article intends to throw further light on the issue. Read on to know more.

Impact:
=======

Orbit Downloader is creating very high amount of SYN traffic with random source 
IP addresses to create DDOS attack that immediately hangs Gateway 
Devices/network switches completely and breaks down the entire network 
operation along with network security devices exposing networks to higher 
vulnerabilities. The issue was noticed on various computers with the latest 
versions of Orbit Downloader, leading to immediate and high bandwidth usage.

Detail:
=======
As per the content on the official website of Orbit Downloader, it is the?.

?most popular YouTube Downloader chosen by millions of people.?
?most popular Flash video Downloader chosen by millions of people.?
?most popular Metacafe Downloader chosen by millions of people.?
?most popular Veoh Downloader chosen by millions of people.?

These comments clearly highlight the large number of users of Orbit Downloader. 
Apart from this, the official forum of Orbit Downloader states that the ?Total 
number of registered users: 1003785?. These figures are alarming. The more the 
number of users, the wider the range of the impact.
About Orbit Downloader

Orbit Downloader is a leader of download manager revolution, is devoted to new 
generation web downloading, such as video, music, streaming media from MySpace, 
YouTube, Imeem, Pandora, Rapidshare, support RTMP and to make general 
downloading easier and faster.
Technical Details

An attempt to check the latest version of Orbit downloader on ?Virustotal? 
clearly indicates that it is considered as healthy binary by almost all 
Anti-virus engines.

md5sum: a14d5266da3325bf96e7c73eede18c26
Version: 4.1.1.18
Result: 
https://www.virustotal.com/en/file/18756d11b3c62654e2409d1340a8114fbd471f114420e5ba7735a7363cf23ec6/analysis/

Behaviour:
==========

As soon as the orbit downloader launches, it starts sending very high amount of 
SYN traffic (50K-70K PPS) with random source IP addresses along-with forged 
Source MAC address: 0a:0a:0a:0a:0a:0a.

This program has more than 1300 connections open at any given time ? opening 
over 40 connections per second. Effectively it is launching a SYN flood attack 
against a set of servers, but has an adverse effect on every piece of hardware 
from this computer to the servers at the destination addresses. Mostly observed 
on 118.69.172.122, 118.69.169.103, 118.69.169.95, 118.69.172.247 IPs.

While checking the TCP SYNC packets in depth, it?s been observed that the 
packet comes with some dummy public IP, which is new in the network. Also the 
Source IP changes after each THREE Sync Packets that causes this DDOS flooding. 
Such a flooding will remarkably increase CPU/memory resources on Gateway 
Devices/network switches performing continuous stateful inspection, leading to 
a state of system experiencing a complete hang or unresponsiveness to 
legitimate traffic.

Apart from this, this tool intelligently changes the source MAC Address in 
Packets which makes impossible to identify the source of this flooder by 
looking at the MAC Address in packets. All the packets has source MAC set as 
0a:0a:0a:0a:0a:0a. The main issue is that one cannot directly pin point the 
culprit machine until and unless one has a manageable switch, where you can 
locate the hardware port you have this MAC address, making detection a tedious 
process.

About SYN flooding:
===================

A SYN flood is a form of denial-of-service attack in which an attacker sends a 
succession of SYN requests to a target?s system in an attempt to consume enough 
server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not sending an expected ACK code to the server. The 
malicious client can either simply not send the expected ACK, or by spoofing 
the source IP address in the SYN, causing the server to send the SYN-ACK to a 
falsified IP address ? which will not send an ACK because it ?knows? that it 
never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network 
congestion could also be the cause of the missing ACK, but in an attack 
increasingly large numbers of half-open connections will bind resources on the 
server until no new connections can be made, resulting in a denial of service 
to legitimate traffic.

Solution:
=========

Cyberoam customers should follow the below steps to help them prevent the 
menace:

Enable Spoof Prevention in firewall and select IP Spoofing zone LAN or DMZ.


About Cyberoam?s Spoof Prevention feature:
==========================================

When IP Spoofing is enabled, Cyberoam examines all incoming packets and 
discards all such packets that do not carry a confirmable Source IP Address. In 
other words, if the source IP address of a packet does not match with any entry 
on Cyberoam?s routing table, or if the packet is not from a direct subnet, then 
Cyberoam drops that packet.

For more information on Cyberoam and its exhaustive Next Generation security 
features visit www.cyberoam.com. For similar updates on network threats, 
attacks or alerts, subscribe to Cyberoam Blogs.