Softpedia
 


September 14th, 2010, 09:32 GMT · By

Prolific Botnet Powers Pay-for-DDoS Service

[Image: Botnet behind IMDDOS operation grows rapidly]
Researchers from security vendor Damballa warn that a new botnet powering a commercial DDoS service has grown significantly and now affects ISPs worldwide.

The operation, named "IM DDOS" or "I'M DDOS", began at the end of March and consists of a website where people can register and order Distributed Denial of Service (DDoS) attacks against any target.

The botnet powering the service has been dubbed "IMDDOS" by the Damballa researchers, who claim that it is one of the largest and most active ones at the moment.

"The public website hosting the DDoS service offering, with various ‘plans’ and attack options, speaks to the ease with which anyone can leverage criminal infrastructure. The malware used is simplistic, yet it was successful in spreading rapidly.

"And while it appears to be primarily a DDoS delivery platform, the size of the botnet reached impressive proportions, certainly large enough to wreak major havoc on any victim organization should it be pointed in the right direction," Gunter Ollmann, vice president of research for Damballa, said.

[Image: Distribution of IMDDOS botnet]

The majority of infected hosts are located in Asia, particularly in China, where the entire operation appears to be based.

However, the United States is among the top ten affected countries. At the botnet's peak, over 10,000 additional computers were being infected with this malware on a daily basis.

IP addresses corresponding to corporate networks have also been observed inside the botnet, according to Damballa, which published a 16-page report [PDF] on the threat.

Pay-for-DDoS services are not new on the underground market, but the IMDDOS botnet's "rapid growth and ultimate size are what make this discovery interesting," concluded Mr. Ollmann.

Denial of Service attacks involve flooding an Internet-facing server with bogus requests or packets in order to consume all of its resources and make it inaccessible to others.

According to Arbor Networks, the largest DDoS attack to date was registered in 2008 and peaked at 49 Gbps. However, a more recent attack against DNS Made Easy might have surpassed that.
