Botnet DDoS Attacks

What is a Botnet?

Sometimes referred to as a “zombie army,” a Botnet is a group of Internet-connected computers, each of which has been maliciously taken over, usually with the assistance of malware like Trojan Horses. Generally without the knowledge of the computers’ rightful owners, these machines are remotely controlled by an external source via standard network protocols, and often used for malicious purposes, most commonly for DDoS attacks.

"We have a Botnet army ready to take down your site. You have 48 hours to pay us 1200$. Merry Xmas!”

DDoS Ransom Note

What is a DDoS Attack?

DDoS stands for “Distributed Denial of Service.” A DDoS attack is a malicious attempt to make a server or a network resource unavailable to users, usually by temporarily interrupting or suspending the services of a host connected to the Internet. Unlike a Denial of Service (DoS) attack, in which one computer and one internet connection is used to flood targeted resource with packets, a DDoS attack uses many computers and many Internet connections.

DDoS attacks can be broadly divided into three different types. The first, Application Layer DDoS Attacks include Slowloris, Zero-day DDoS attacks, DDoS attacks that target Apache, Windows or OpenBSD vulnerabilities and more. Comprised of seemingly legitimate and innocent requests, the goal of these attacks is to crash the web server, and the magnitude is measured in Requests per second.

The second type of DDoS attack, Protocol DDoS Attacks, including SYN floods, fragmented packet attacks, Ping of Death, Smurf DDoS and more. This type of attack consumes actual server resources, or those of intermediate communication equipment, such as firewalls and load balancers, and is measured in Packets per second.

The third type of DDoS attack is generally considered to most dangerous. Volume-based DDoS Attacks include UDP floods, ICMP floods, and other spoofed-packet floods. The volume-based attack’s goal is to saturate the bandwidth of the attacked site, and magnitude is measured in Bits per second.

Botnet DDoS Tools

The originator of a Botnet is commonly referred to as a "bot herder" or "bot master." This individual controls the Botnet remotely, often through an IRC server or a channel on a public IRC server – known as the command and control (C&C) server. To communicate with the C&C server, the bot master uses various hidden channels, including seemingly innocuous tools like Twitter or IM. More advanced bots automatically seek out more resources to exploit, joining more systems to the Botnet in a process known as “scrumping.”

Botnet servers may always communicate and cooperate with other Botnet servers, creating entire communities of Botnet’s, with individual or multiple bot masters. This means that any given Botnet DDoS attack may actually have multiple origins, or be controlled by multiple individuals, sometimes working in coordination, sometimes working individually.

Botnets are available for rent or lease from various sources, and use of Botnet’s are auctioned and traded among attackers. Actual marketplaces have sprung up - platforms that enable trading in huge numbers of malware-infected PCs, which can be rented and used in Botnet DDoS or other attacks. These platforms provide Botnet DDoS attack perpetrators with a complete and richly-featured toolkit, and a distribution network as well.

Even for non-technical users, Botnet DDoS attacking is a viable (if criminal) and cost-effective option to “take out” a competitor’s web site. Full-service DDoS attacks are available for as little as $5 per hour, or $40 for a 24 hours. Within the cybercrime ecosystem, Botnet DDoS attacks are a mainstream commodity, with prices going down, and efficacy and sophistication going up.

Some of the most common tools for initiating a Botnet DDoS attack are easily downloaded from multiple online sources, and include:


Especially dangerous to hosts running Apache, dhttpd, Tomcat and GoAhead WebServer, Slowloris is a highly-targeted attack, enabling one web server to take down another server, without affecting other services or ports on the target network.


Uses Qt libraries to execute the methods used by Slowloris, offering a graphical user interface that makes the program highly easy to use.

Apache Killer

Utilizes an exploit in the Apache OS first discovered by a Google security engineer. Apache Killer pings a server, tells the server to break up whatever file is transferred into a vast number of tiny chunks, using the "range" variable. When the server tries to comply with this request, it runs out of memory, or encounters other errors, and crashes.

There are also many tools for testing server readiness to withstand Botnet DDoS attacks, such as:


Which can be used in a laboratory environment to simulate a DDoS attack, and helps measure the capacity of a given server to handle application-specific DDOS attacks, by simulating multiple zombie hosts with random IP addresses that create TCP connections.


Is a scriptable tool for testing a service's level of vulnerability to a particular class of Denial of Service (DoS) attack.

Tor's Hammer

Is a slow post dos testing tool written in Python. It can also be run through the Tor network to be anonymized.

Botnet DDoS Attacks – In Numbers

Botnet DDoS attacks are quickly becoming the most prevalent type of DDoS threat, growing rapidly in the past year in both number and volume, according to recent market research. The trend is towards shorter attack duration, but bigger packet-per-second attack volume, and the overall number of attacks reported has grown markedly, as well.

During Q4-2011, one survey found 45% more DDoS attacks compared to the parallel period of 2010, and over double the number of attacks observed during Q3-2011. The average attack bandwidth observed during this period was 5.2G bps, which is 148% higher than the previous quarter.

Another survey of DDoS attacks found that more than 40% of respondents experienced attacks that exceeded 1G bps in bandwidth in 2011, and 13% were targeted by at least one attack that exceeded 10G bps.

From a motivational perspective, more recent research found that ideologically motivated DDoS attacks are on the rise, supplanting financial motivation as the most frequent motivator such attacks.

DDoS Attack: Sample Price ListDDoS Attack price list sample: No boot limit. Pricing starts at 4.99$...

Mitigating Botnet DDoS Damage with Incapsula

Without either software or hardware installation, web sites can enjoy Incapsula’s comprehensive cloud-based Botnet DDoS protection service in only minutes.

Incapsula provides protection against any type of DDoS attack – scaling on-demand to absorb even multi-gigabyte attacks. For volume-based attacks, protocol attacks, or application layer attacks - Incapsula seamlessly protects web sites with a toolset and defense strategy tailored to each attack type:

Volume Based Attacks

Incapsula counters these attacks by absorbing them with a global network of scrubbing centres that scale, on demand, to counter multi-gigabyte DDoS attacks.

Protocol Attacks

Incapsula blocks "bad" traffic before it reaches the web site by effectively differentiating between legitimate website visitors and malicious or automated clients.

Application Layer Attacks

by monitoring visitor behavior, blocking known bad bots, and challenging suspicious entities with JS test, Cookie challenge, or CAPTCHAs, Incapsula effectively mitigates these dangerous attacks.

Incapsula DDoS protection, DDoS attack mitigatedIncapsula mitigates 100GBps DDoS attack. One of Internet's largest.

Most importantly, for each of the above attack scenarios, Incapsula DDoS mitigation operates outside of your network. This means that only filtered traffic reaches your hosts. Beyond this, Incapsula’s extensive DDoS threat knowledge base includes all new and emerging attack methods. This information is constantly-updated, and aggregated across our entire network – enabling Incapsula to identify threats as they emerge, detect malicious users, and apply remedies in real-time across all protected websites.