DNS amplification botnet available in the underground

Pierluigi Paganini March 09, 2014

Security expert Dancho Danchev profiled a recently released DNS amplification DDoS service available for sale in the underground.

Recently the cyber security expert Dancho Danchev profiled new DNS amplification DDoS bot available in the underground, a privileged attack tool for the criminal ecosystem.

DDoS attacks observed last year were characterized by an increased magnitude because attackers adopted new techniques in their arsenal, including NTP and DNS amplification methods.

The botnet discovered by Danchev was recently released and offer a Web-based DNS amplification enabled DDoS bot that abuse of a publicly accessible open DNS resolver which has been set up for research purposes.

“Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.” commented Danchev in his blog post.

The criminals behind the botnet abuse of a series of resources for educational purposes, some of them managed as testing tool for performing stress testing scenarios.

Let’s give a closer look to the service through the images proposed by the security expert. As usual attackers can choose the target and the method of attack, they have also complete visibility of the DNS servers to involve in the attack.

DNS aplification botnet admin console

The attackers can completely manage these servers and the console gives the user the possibility to configure various parameters including DNS request type and DNS server list.

DNS aplification botnet admin console 2


The DNS amplification DDoS malware is written in C, the bot agent has a small binary’s size and relies on its own obfuscation and packing algorithm, all the communication to the C&C are encrypted making more resilient the botnet.

The service includes a built-in DNS scanner, the feature allows the scanning for mis-configured DNS servers to recruit for the attacks.

The price for the DNS amplification DDoS service is $2,500,  the vendor also offers further options including bulletproof hosting for control server and the option to host the actual archive, encrypted, on a server of choice based on the customer’s preferences.

The package includes the access to a pre-configured VPN server to be exclusively used when accessing the bot’s interface, but very interesting is the availability of a live demo included a live demonstration of the abuse of a publicly accessibly open DNS resolver.

Danchev has no doubts, this botnet is poised to quickly gain market share thanks the above features and new actor will propose similar offers able to satisfy every criminal need.

Pierluigi Paganini

(Security Affairs –  DNS amplification, Botnet)

you might also like

leave a comment