Overwhelmingly, the business of DDoS defence is about blocking attacks once they start, or finding a conventional route to the C&C servers on a case-by-case basis, so Prolexic's discovery of flaws in the toolkit's own code counts as noteworthy.
Despite Dirt Jumper's well-developed attack features, Prolexic found holes in the simplest part of the program: the GUI control panels used to direct the bots it creates, which turned out to be cobbled together from hastily written PHP/MySQL scripts.
In Prolexic's words, these proved open to compromise on a number of levels including "weak authentication mechanisms, file inclusion vulnerabilities, directory traversal vulnerabilities, and SQL injections."
Irony of ironies: a criminal toolkit open to a SQL injection flaw in the very front end used to control a botnet. Anyone gaining access to the C&C would be able to control what the DDoS software does, right down to the bots it commands and its target list. Game over, potentially.
"DDoS attackers take pride in finding and exploiting weaknesses in the architecture and code of their targets. With this vulnerability report, we've turned the tables and exposed crucial weaknesses in their own tools," said Prolexic's CEO, Scott Hammack.