Categories: Cyber Crime

DNS amplification botnet available in the underground

Security expert Dancho Danchev profiled a recently released DNS amplification DDoS service available for sale in the underground.

Recently the cyber security expert Dancho Danchev profiled a new DNS amplification DDoS bot available in the underground, a prized attack tool for the criminal ecosystem.

DDoS attacks observed last year were characterized by an increased magnitude because attackers added new techniques to their arsenal, including NTP and DNS amplification methods.

The botnet discovered by Danchev was recently released; it offers a Web-based, DNS amplification enabled DDoS bot that abuses a publicly accessible open DNS resolver which had been set up for research purposes.

“Opportunistic cybercriminals continue ‘innovating’ through the systematic release of DIY (do-it-yourself), Web-based, botnet/malware generating tools, seeking to monetize their coding ‘know-how’ and overall understanding of abusive/fraudulent/malicious TTPs (tactics, techniques and procedures) – all for the purpose of achieving a positive ROI with each new release.” commented Danchev in his blog post.

The criminals behind the botnet abuse a series of resources intended for educational purposes, some of them run as testing tools for stress-testing scenarios.

Let’s take a closer look at the service through the images provided by the security expert. As usual, attackers can choose the target and the attack method, and they also have complete visibility of the DNS servers involved in the attack.

The attackers can fully manage these servers, and the console lets the user configure various parameters, including the DNS request type and the DNS server list.


The DNS amplification DDoS malware is written in C; the bot agent has a small binary size and relies on its own obfuscation and packing algorithm, and all communication with the C&C is encrypted, making the botnet more resilient.

The service includes a built-in DNS scanner, a feature that allows scanning for misconfigured DNS servers to recruit for the attacks.
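The servers such a scanner looks for are recursive resolvers that answer anyone on the Internet, which is exactly what a resolver operator can check for on their own side. As an added illustration (not code from the article or from the bot Danchev profiled), the following Python script reads constructed DNS query/response records as a resolver operator would see them, flags clients outside the networks the resolver is supposed to serve that were nevertheless given recursive answers, and computes the response-to-request amplification factor per client. The record format, the served network ranges, the sample records and the amplification threshold are all assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class DnsFlow:
    client: str      # IP the query claimed to come from (the spoofed victim during an attack)
    qtype: str       # DNS record type requested, e.g. "A", "ANY", "TXT"
    req_bytes: int   # size of the query packet in bytes
    resp_bytes: int  # size of the resolver's answer in bytes
    rd: bool         # recursion-desired bit set by the client


# Address ranges this resolver is meant to answer recursively (assumed values).
SERVED_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed records in the assumed format: "client qtype req_bytes resp_bytes rd".
# 203.0.113.5 is outside the served ranges, asks for ANY and gets large answers;
# 198.51.100.7 is also outside but sends a non-recursive query, which is not abuse.
SAMPLE_LOG = """\
10.1.2.3 A 58 120 1
10.1.2.3 AAAA 58 132 1
203.0.113.5 ANY 64 3200 1
203.0.113.5 ANY 64 3200 1
203.0.113.5 ANY 64 3200 1
198.51.100.7 A 57 90 0
"""


def parse_flow(line: str) -> DnsFlow:
    """Parse one record of the constructed format into a DnsFlow."""
    client, qtype, req, resp, rd = line.split()
    return DnsFlow(client, qtype, int(req), int(resp), rd == "1")


def is_outside_served_networks(ip: str) -> bool:
    """True when the client address falls outside every range we serve recursion to."""
    addr = ip_address(ip)
    return not any(addr in net for net in SERVED_NETWORKS)


def amplification_factor(flow: DnsFlow) -> float:
    """Bytes sent to the client per byte received: the lever an amplification attack uses."""
    return flow.resp_bytes / flow.req_bytes


def analyze(flows, amp_threshold: float = 10.0) -> dict:
    """Group flows by client and report what a resolver operator would act on.

    A client is marked as open-resolver abuse when it is outside the served
    networks, was answered with recursion, and at least one answer exceeded
    the amplification threshold.
    """
    by_client = defaultdict(list)
    for flow in flows:
        by_client[flow.client].append(flow)

    findings = {}
    for client, client_flows in by_client.items():
        outside = is_outside_served_networks(client)
        recursive_served = outside and any(f.rd for f in client_flows)
        max_amp = max(amplification_factor(f) for f in client_flows)
        findings[client] = {
            "queries": len(client_flows),
            "response_bytes": sum(f.resp_bytes for f in client_flows),
            "max_amplification": round(max_amp, 1),
            "qtypes": sorted({f.qtype for f in client_flows}),
            "open_resolver_abuse": recursive_served and max_amp >= amp_threshold,
        }
    return findings


def analyze_sample() -> dict:
    """Run the analysis over the constructed SAMPLE_LOG."""
    return analyze(parse_flow(line) for line in SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for client, info in analyze_sample().items():
        flag = "ABUSE" if info["open_resolver_abuse"] else "ok"
        print(f"{client:14} {flag:5} queries={info['queries']} "
              f"resp_bytes={info['response_bytes']} max_amp={info['max_amplification']}x "
              f"qtypes={','.join(info['qtypes'])}")
```

The two conditions are deliberately separate: an external client that sends non-recursive queries (the 198.51.100.7 record) is normal traffic for an authoritative server, while an external client that is answered recursively with large ANY responses is the signature of an open resolver being used as an amplifier, and the fix is to restrict recursion to the served ranges rather than to block the (spoofed) client address.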

The price for the DNS amplification DDoS service is $2,500; the vendor also offers further options, including bulletproof hosting for the control server and the option to host the actual archive, encrypted, on a server of the customer’s choice.

The package includes access to a pre-configured VPN server to be used exclusively when accessing the bot’s interface, but most interesting is the availability of a live demo, including a live demonstration of the abuse of a publicly accessible open DNS resolver.

Danchev has no doubts: this botnet is poised to quickly gain market share thanks to the above features, and new actors will propose similar offers able to satisfy every criminal need.

Pierluigi Paganini

(Security Affairs – DNS amplification, Botnet)

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
