[dns-operations] Slow Drip DDoS Attack Research

Renee Burton rburton at infoblox.com
Fri Nov 2 13:38:32 UTC 2018


I’m a longtime lurker on the mailing list and appreciate the wisdom and occasional debates in these exchanges. I wanted to share with the group a paper a colleague and I released some months ago on Slow Drip DDoS attacks. I had been waiting for the paper to be hung off of the National Security Agency website, but that hasn’t yet happened, so I’ve decided to just go ahead and send it to the mailing list.

This paper shares the findings of a slow drip attack system we called ExploderBot, which is the largest and longest-running such system, and a single actor. At this point, it might be OBE as the actor has been quiet since May 18, 2018, but they might yet pop up again. I wanted to share this because:

  *   We heavily leveraged the mailing list archives and learnt a great deal from the DNS operations community during this research – thank you
  *   We provide packet signatures that give over 40 bits of check (over 60 if fully done), so that network operators who can do packet filtering could drop and thwart this actor.

There remain a lot of open questions about this actor, but we can leverage what we learnt here to identify and protect against other systems.

Here’s the link to ExploderBot: A Slow Drip System


Renée Burton
Sr. Staff Threat Researcher, Cyber Intelligence
rburton at infoblox.com | www.infoblox.com

DNS is like Othello: “five minutes to learn, a lifetime to master.”
