The DDoS functionality of BillGates originates within the CManager::DoAtkStartCommand function. CManager::DoAtkStartCommand reads the CTask object from the CCmdMsg. The CTask object is used to set the current CConfigDoing task before generating a new CThreadAtkCtrl object. CThreadAtkCtrl contains the DDoS engine as defined by the various subtasks within the CTask. For each CSubTask within the CTask object, CThreadAtkCtrl::ProcessMain will determine whether the class of attack is a “kernel” or “normal” attack. Kernel attacks (type 1) result in a call to CThreadAtkCtrl::DoKernelSubTask, while normal attacks (type 0) result in a call to CThreadAtkCtrl::DoNormalSubTask.
3.2.1 BILLGATES’ “KERNEL” DOS ATTACK MODE
The CThreadAtkCtrl::DoKernelSubTask function calls CThreadAtkCtrl::StartKernalSubTask, which in turn generates a new CThreadKernelAtkExcutor object. When activated, the CThreadKernelAtkExcutor object calls CThreadKernelAtkExcutor::ProcessMain in order to initiate a DDoS attack using a kernel driver. The first step in generating a DoS attack using a kernel driver is to fork the current process by means of the fork function. Following the fork, CThreadKernelAtkExcutor::ProcessMain begins calling CThreadKernelAtkExcutor::KCfgDev for each CPU available on the victim’s server. The CThreadKernelAtkExcutor::KCfgDev function configures the pktgen (packet generator) device [11], located at /proc/net/pktgen/kpktgend_X, where X is the index of one of the system’s CPUs, by issuing the following commands:

    rem_device_all
    add_device ethY
    max_before_softirq
The rem_device_all command effectively removes any attached device currently using the CPU’s packet generator. add_device attaches the specified ethY device (where Y is 0, 1, 2, and so on, depending on the desired NIC). The command max_before_softirq is a threshold change that specifies how many packets may be generated before being interrupted by the kernel. The authors of BillGates made a mistake in their understanding of what the X in the name of the kpktgend_X devices means: while X indicates the CPU associated with the particular packet generator, the authors of BillGates are using the NIC number instead. Therefore, if the attack specifies the use of eth1, then kpktgend_1 is configured and attached to eth1. The result of this mistake is that instead of utilizing multiple CPU cores to generate packets, BillGates is limited to using a single CPU core. While the pktgen driver is still capable of producing a significant number of packets on a single CPU core, the performance could be significantly enhanced had the authors properly utilized the pktgen device.
After performing the initial configuration of the pktgen device, CThreadKernelAtkExcutor::ProcessMain calls CThreadKernelAtkExcutor::KCfgCfg to configure each packet generator through the /proc/net/pktgen/ethY interface. CThreadKernelAtkExcutor::KCfgCfg issues the following commands in the order presented below:
[11] Linux Foundation, “pktgen”, http://www.linuxfoundation.org/collaborate/workgroups/networking/pktgen, 19 November 2009.

THE ELASTIC BOTNET REPORT
34