June 13, 2012

Recursive bot herder attack

DDoS attacks are massive attacks controlled by a C&C (command and control) center, a.k.a. a bot herder. These bot herders control thousands of bots, so I believe they might be a good target for "smarter" attackers.

What is recursive DDoS?
The idea of infecting endpoints is well known; however, I believe that the real targets that should be attacked are the bot herders. The main idea of this attack is illustrated in the following image:
The main idea behind the attack is that the "recursive bot herder" infects the "bot herders" on the internet, which leads to control of many bot networks. The infection scenarios will be explained later in this post.
Moreover, I call this attack "recursive" because not only can bot herders be controlled by the recursive bot herder, but recursive bot herders can also be controlled by other recursive bot herders, as in the example below:

On one hand, the C&C centers are mostly distributed across many IP addresses, which are also changed most of the time. In this case, the infection of the bot herders must be accomplished within a specific period of time. On the other hand, if the IP addresses of the bot herders are not changed (too bad), the attack surface is bigger since there is more time to attack the server.

Bot herder attack vectors
There are many ways to infect bot herders, ranging from the traditional ways bots are spread to attacks on administrative consoles (some of which are web-based).

In conclusion, this attack is theoretical, but it is not science fiction, since it is technically possible. In addition, I believe that this attack has already been partially executed (without recursive control) without anyone knowing it.

1 comment:

  1. Nice idea. Perhaps some arbitrary switching of the recursive bot herder ring will add more durability to the system.