DDoS attacks can have an amplification factor of 26.5
An independent security researcher that goes by the name of MalwareTech has discovered a way in which he could abuse the ZeroAccess malware’s botnet to launch reflection DDoS attacks with an above-average amplification factor.
ZeroAccess is a trojan that infects Windows computers and then starts communication with a C&C (command and control), which in turn tells the trojan to download various types of other, more dangerous malware, usually clickfraud bots or Bitcoin mining software, operating hidden from the user’s view.
The ZeroAccess botnet appeared in 2011, and because of an effective rootkit component and P2P-like structure, it even managed to survive a takedown attempt orchestrated by Microsoft in December 2013.
ZeroAccess botnet used for amplifying DDoS attacks
MalwareTech discovered that ZeroAccess allowed its bots to relay messages from one to another, some acting like smaller servers (supernodes) while the rest were just end-points (workers). To relay orders from the C&C server to supernodes and workers, ZeroAccess used simple UDP packets.
Because of its complex mesh structure, when a UDP packet arrived at a supernode, the bot would add more information to the packet, containing various details about the network’s structure.
The supernode would add 408 bytes on top of the original 16, for a total of 242 bytes.
Since UDP packets can have their destination address spoofed, an attacker that managed to map ZeroAccess’ bot network would be able to send UDP packets to its bots, some of which would then amplify the traffic by 26.5, sending it back to the spoofed destination (the victim’s IP).
This scenario is your typical reflection DDoS attack, carrying a 26.5 amplification factor, which is more than double the typical 2-10 amplification factor seen in other types of reflection DDoS attacks.
DDoS attacks worked even if bots were behind NATs
Theoretically, this wouldn’t have been a problem, since most bots infect users that are sitting behind NATs (Network Address Translation), software programs that translate public IPs to private IP addresses, in order to maximize IPv4 address space usage.
That meant that a vast majority of the ZeroAccess botnet wouldn’t have been accessible to a person carrying DDoS attacks via this technique.
Unfortunately, MalwareTech found a way around this issue as well, allowing him to involve ZeroAccess supernode bots into DDoS attacks even if sitting behind a router. All of this is only theoretical since the researcher did not want to commit a crime just to test out his theory.