“sockets for the three types of packets, with different protocol numbers as the third argument, and one datagram socket for simple UDP. Using a raw socket enables the attacker to control more fields in the packet itself, however the bot writer needs to manually construct all the p…”
T1498.001 Direct Network Flood
59%
“shell commands on the server and more. However, it seems that the main business model of this bot is a DDoS service. The bot supports HTTP and TCP floods, by sending “GET” requests or just opening (3-way handshake) and closing TCP connections respectively. Figure 2: straig…”
T1498 Network Denial of Service
46%
“shell commands on the server and more. However, it seems that the main business model of this bot is a DDoS service. The bot supports HTTP and TCP floods, by sending “GET” requests or just opening (3-way handshake) and closing TCP connections respectively. Figure 2: straig…”
T1584.005 Botnet
43%
“shell commands on the server and more. However, it seems that the main business model of this bot is a DDoS service. The bot supports HTTP and TCP floods, by sending “GET” requests or just opening (3-way handshake) and closing TCP connections respectively. Figure 2: straig…”
T1584.005 Botnet
32%
“example, an ancient bot first detected back around 2005 is still in the wild. Having the same basic structure, with edited nuances and sometimes functionality, it still spreads by exploiting recently discovered web vulnerabilities, making your web server part of a botnet.”
T1584.005 Botnet
32%
“perlb0t: still in the wild with UDP flood DDoS attacks. This ancient bot, also known as the “Mambo” bot (due to an old vulnerability in the Mambo CMS it tried to exploit) has been around for a very long time, and many variations of it have been seen. However, from our observa…”
Summary
Despite being around since 2005, perlb0t is still being used against unpatched servers.