Under Attack?
Search
Menu

Reverse Engineering a Sophisticated DDoS Attack Bot

By Yotam Ben-EzraAugust 5, 2015

Not long ago, the Radware Emergency Response Team (ERT) noticed significant and increased usage of the Tsunami SYN Flood attack against a large customer. This activity strongly indicated the presence of a service related robot and Radware security researchers managed to obtain a sample of the malware binary used to generate these DDoS attacks. The malware was then isolated and used in a controlled environment to study its behavior and its different attack vectors.

Analysis revealed that more than 50,000 sources were involved in the attack.  A closer look, however, led to a more interesting discovery – More than 80% of the traffic bandwidth was generated by a mere handful of the sources. This indicated that the bot involved is targeting machines with some serious fire power. Indeed, those were routers and servers generating the high traffic loads. This malware targeted Linux machines to infect, ones which are likely to be servers with high bandwidth upload capabilities.

During a period of 10 days (June 14-23, 2015), the team monitored more than 2000 attacks against more than 60 different targets in 7 different countries.

The Malware We Saw

  • Three different attack types: SYN Attack, HTTP Attack and DNS Attack. Each attack could also be set with different attacking options such as the destination port, IP and also the attack sub type.
  • The use of a XOR encrypted communication channel to the command and control servers.
  • A standard Linux machine could generate a 100K packet-per-second attack.
  • Self-testing was performed by infected machines to ensure it was able to generate spoofed IP attacks. This was an indication that many of the 50,000 IPs we saw earlier had been actually spoofed.
  • Self-replication was used in order to maintain persistence. It continuously created slightly modified copies of its binary such that detection of the file itself becomes even more difficult.
  • Process names were hidden behind common process names such as bash, grep, pwd, sleep and more. These command strings were hidden in the file in an obfuscated format.

While these techniques are not news in general, they demonstrate that DDoS malware authors now have a financial incentive to become more and more professional. They continue to infect servers and routers by leveraging high end machines and offering them for rent at reasonable prices.

Whether it’s financial gain, espionage, cyber war or hacktivism, attackers are finding reasons to uncover and exploit security vulnerabilities in servers and applications. The abundance of publicly exposed servers and routers with weak password and protection policies enables malware herders to quickly and inexpensively assemble a robot army.
The DDoS-for-hire products are maturing into platforms that offer sophisticated financial fraud and spam capabilities, while providing customers with a cheap, high-quality service.

Organizations should now, more than ever, deploy protection and mitigation technologies…and watch out whose wrath their activities awaken. Anybody who’s angry enough can easily rent themselves a vicious botnet for the low price of a coffee and sandwich.

Read the full case study and an analysis on the malware and incident.

Posted in: Attack Types & Vectors DDoS SecurityTags:

Yotam Ben-Ezra

Yotam started with Radware as head of the ERT DDoS research lab where he led security research activities and new mitigation technology development. Following that, he transitioned to a product management role as a product manager for DefensePro. Presently, he leads the Radware Security Product Management team and handles Radware’s security portfolio.

Contact Radware Sales

Our experts will answer your questions, assess your needs, and help you understand which products are best for your business.

Contact Us Now

Already a Customer?

We’re ready to help, whether you need support, additional services, or answers to your questions about our products and solutions.

Locations
Get Answers Now from KnowledgeBase
Get Free Online Product Training
Engage with Radware Technical Support
Join the Radware Customer Program

CyberPedia

An Online Encyclopedia Of Cyberattack and Cybersecurity Terms

CyberPedia
What is WAF?
What is DDoS?
Bot Detection
ARP Spoofing

Get Social

Connect with experts and join the conversation about Radware technologies.

Blog
Security Research Center
Close

What are you looking for?