Orbit Downloader versions causing massive SYN flooding. Cyberoam cautions!


SnakeMasteR

Cyberoam cautions all Orbit Downloader users, as the latest version of Orbit Downloader is turning computers and devices
into a SYN flooder. It has been found that as soon as Orbit Downloader launches, it starts sending a very high amount of SYN
traffic at a rate of 50-70 KPPS (around 5-7 Mbps), clogging networks and causing devices, especially gateway devices/network
switches, to abruptly stop responding to commands. The immediate rise in traffic also leads to a severe bandwidth crunch.
The article intends to shed further light on the issue. Read on to learn more.

Technical Details
An attempt to check the latest version of Orbit Downloader on ‘Virustotal’ clearly indicates that it is considered a healthy
binary by almost all anti-virus engines.

md5sum: a14d5266da3325bf96e7c73eede18c26
Version: 4.1.1.18
Virustotal Result:

Behaviour
As soon as Orbit Downloader launches, it starts sending a very high amount of SYN traffic (50K-70K PPS) with random
source IP addresses along with a forged source MAC address: 0a:0a:0a:0a:0a:0a.

This program has more than 1300 connections open at any given time, opening over 40 connections per second. Effectively,
it is launching a SYN flood attack against a set of servers, but it has an adverse effect on every piece of hardware between
this computer and the servers at the destination addresses. The traffic was mostly observed towards the IPs 118.69.172.122,
118.69.169.103, 118.69.169.95 and 118.69.172.247.


While inspecting the TCP SYN packets in depth, it has been observed that each packet comes with a dummy public source IP
that is new to the network. Also, the source IP changes after every THREE SYN packets, which causes this DDoS flooding.
Such flooding remarkably increases CPU/memory consumption on gateway devices/network switches performing
continuous stateful inspection, leading to a state where the system experiences a complete hang or becomes unresponsive to
legitimate traffic.

Apart from this, the tool intelligently changes the source MAC address in the packets, which makes it impossible to identify the
source of this flooder by looking at the MAC address in the packets. All the packets have the source MAC set to 0a:0a:0a:0a:0a:0a.
The main issue is that one cannot directly pinpoint the culprit machine unless one has a managed switch on which the
hardware port carrying this MAC address can be located, making detection a tedious process.

Rakesh Patel, from Cyberoam GSMC, has already reported the issue to the vendor ‘Orbit’ on their official forum, as
shown in the image below.

As per the latest information available, the vendor ‘Orbit’ has not yet officially declared a fix for the issue.

About SYN flooding
A SYN flood is a form of denial-of-service attack in which an attacker sends a succession of SYN requests to a target
system in an attempt to consume enough server resources to make the system unresponsive to legitimate traffic.

A SYN flood attack works by not sending the expected ACK to the server. The malicious client can either simply not
send the expected ACK, or spoof the source IP address in the SYN, causing the server to send the SYN-ACK to a
falsified IP address, which will not send an ACK because it “knows” that it never sent a SYN.

The server will wait for the acknowledgement for some time, as simple network congestion could also be the cause of the
missing ACK, but in an attack, increasingly large numbers of half-open connections will bind resources on the server until
no new connections can be made, resulting in a denial of service to legitimate traffic.

This isn't the full article; follow the Source link to read more. Thanks to BBs for the notification. :)

Source

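Detection logic for the traffic pattern the post describes, added here as an example (this is not Cyberoam's or Orbit's code): it flags TCP SYN openers that carry the forged source MAC 0a:0a:0a:0a:0a:0a, arrive at tens of thousands of packets per second, and rotate their source IP every three packets. The packet records, field names, thresholds and the documentation-range addresses are constructed assumptions, not captured data.

```python
from collections import Counter, namedtuple

# One parsed frame: capture timestamp (s), Ethernet source MAC, IPv4 addresses, TCP flag bits (assumed layout).
Pkt = namedtuple("Pkt", "ts src_mac src_ip dst_ip flags")
FORGED_MAC = "0a:0a:0a:0a:0a:0a"  # source MAC the write-up reports on every flood packet
SYN, ACK = 0x02, 0x10

def syn_only(pkts):
    """Segments with SYN set and ACK clear: handshake openers, not replies."""
    return [p for p in pkts if p.flags & SYN and not p.flags & ACK]

def rotation_period(ips):
    """Common run length of identical consecutive source IPs; 0 if the runs differ."""
    runs, run = [], 1
    for prev, cur in zip(ips, ips[1:]):
        if cur == prev:
            run += 1
        else:
            runs.append(run)
            run = 1
    runs.append(run)
    complete = runs[:-1] or runs  # the final run may be cut off by the capture end
    ok = len(set(complete)) == 1 and runs[-1] <= complete[0]
    return complete[0] if ok else 0

def analyze(pkts, pps_threshold=10_000, mac_ratio=0.9):
    """Summarise the SYN openers and raise an alert on the flood signature (thresholds are assumptions)."""
    syns = syn_only(pkts)
    if len(syns) < 2:
        return {"alert": False, "syn_count": len(syns)}
    duration = max(syns[-1].ts - syns[0].ts, 1e-6)  # guard a single-instant burst
    pps = len(syns) / duration
    forged = sum(p.src_mac == FORGED_MAC for p in syns) / len(syns)
    ips = [p.src_ip for p in syns]
    return {
        "syn_count": len(syns),
        "pps": round(pps),
        "forged_mac_ratio": round(forged, 2),
        "distinct_src_ips": len(set(ips)),
        "ip_rotation_period": rotation_period(ips),
        "top_targets": [d for d, _ in Counter(p.dst_ip for p in syns).most_common(3)],
        "alert": pps >= pps_threshold and forged >= mac_ratio,
    }

def constructed_capture(n_syn=300, duration=0.005):
    """Constructed sample: 300 SYNs in 5 ms (~60 kpps), forged MAC, source IP rotating every 3 packets, plus 2 benign segments."""
    pkts = [Pkt(i * duration / n_syn, FORGED_MAC, f"203.0.113.{i // 3 + 1}",
                "198.51.100.10", SYN) for i in range(n_syn)]
    pkts.append(Pkt(0.006, "00:11:22:33:44:55", "192.0.2.5", "198.51.100.10", SYN | ACK))
    pkts.append(Pkt(0.007, "00:11:22:33:44:55", "192.0.2.5", "198.51.100.10", ACK))
    return pkts
```

The rotation period and the forged-MAC ratio are what distinguish this pattern from an ordinary burst of legitimate connection attempts; a managed switch can then be used to find the port behind the MAC, as the post notes.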


Somebody has made Orbit work like a botnet for strange reasons, SYN flooding Vietnam :s



princenarwal

Using Orbit Downloader 4.1.1.18.

Nothing suspicious. Net working fine. Not making a single connection unless I start a download.



I noticed a while back that every time I would attempt to use Orbit, the download would freeze, my network would stop and I would have to completely close it down and reboot to make things better. My guess is that this problem has been around for a while, it's just now being recognized. I haven't used Orbit for about 6 months now because it ONCE was a great downloader...not any more.

Edited by Ambrocious


I noticed a while back that every time I would attempt to use Orbit, the download would freeze, my network would stop and I would have to completely close it down and reboot to make things better. My guess is that this problem has been around for a while, it's just now being recognized. I haven't used Orbit for about 6 months now because it ONCE was a great downloader...not any more.

I'll have to agree on that one. It WAS a great download manager, very fast and reliable. Now it's loaded with bloatware (not to mention the hideous "Software Updater"), full of bugs (especially in the Grab+ Tool), it freezes/crashes... and so on. :frusty:
