Botconf Author Listing

Fodcha is a new DDoS botnet family targeted Linux IoT devices. After it was firstly detected in January 2022, 4 versions of 250+ samples have been observed by us, from which over 140 C&C domains were extracted. Most of the C&C servers have been successfully contacted by our command tracking system, with over 39K unique victims detected from the 114M received attacking commands.

The data we collected includes various interesting information such as botnet scales, operations exploits, and attack methods. Detailed studies have been carried on the collected data in terms of C&C communications, attack methods, and victims. Attempts of estimating the botnet scales were also done by analyzing real attacking traffic from Fodcha. By reading an accidentally obtained copy of Fodcha C&C panel source, we even had the chance to investigate how the botmasters managed their botnets and sold their attacking service to others. We think the analysis we did would help to better detect and mitigate similar threats in the future.

DDoS botnet tracking can be used to watch botnet assisted attacks in real time together with the details including the botnet families, C&C servers, attack types, and attack parameters. Such information helps us to learn current DDoS attacks and improve existing detection and mitigation solutions. To achieve better tracking, we need to figure out: 1) what coverages the tracked attacks have among the real ones; 2) how many active DDoS bot families are still out of our telescope.
To answer those 2 questions, both the real attacks and a method to correlate them with the used botnet families (or attacking tools) are necessary. Our studies show that DDoS bots differ from each other not only in their C&C protocols, but also, in most cases, in their packet generating algorithms (PGA for short) which are used by the bots to generate the enormous number of attacking packets according to the received commands. Therefore, it’s possible to boil the observed attacks down to the bot families by analyzing their PGA’s.
In this presentation, I would talk about how to use honeypots to collect the real DDoS attacks with spoofed source IP’s. The method to break down PGA, as well as the techniques to profile PGA from the collected attacking packets, would be introduced. In the final part, I would present some real examples we have found.

The ever-increasing number of malware/botnet samples demands efficient and scalable classification solution for better detection and prevention. C&C protocol based classification has proved to be effective and accurate. However, it’s not trivial to acquire new samples’ detailed C&C protocol, which decreases the scalability of C&C based classification. In this talk we present a simplified classification solution, which is based on the C&C register message. Similarities in semantics/structure of register messages are studied and used. Because of the easier acquisition of register messages, we think our solution is easy to automate and has better scalability. The implementation details and evaluation result would be talked.