Threat Advisory

DoS and DDoS Attack Threat Advisory

How to detect and stop DDoS attacks from the DNS Flooder toolkit

Malicious actors set up their own DNS servers to use in reflection attacks with the DNS Flooder DDoS toolkit

In a new twist on distributed reflection denial of service (DrDoS) attacks, a type of DDoS attack, malicious actors are purchasing, setting up and using their own domain name system (DNS) servers in reflection attacks, avoiding the need to find open and vulnerable DNS servers on the Internet. This DDoS botnet development method expedites the availability of the DNS botnet for use and profit in the DDoS-for-hire market.

With root access to these DNS servers, the malicious actors can configure the servers to maximize the damage caused by the denial of service attacks. Deploying the DNS Flooder toolkit in this manner has resulted in powerful floods of amplified and reflected traffic at the attackers’ targets.

This DDoS threat advisory includes:

  • Indicators of the use of the DNS Flooder toolkit
  • Analysis of the source code
  • Example query created by the toolkit
  • Sample payload
  • Who is believed to be behind these attacks
  • The SNORT rule and target mitigation using ACL entries
  • Statistics and payloads from two observed DNS Flooder campaigns against Prolexic clients
  • The full source code of DNS Flooder


Want PLXsert to protect you?

By identifying the sources and associated attributes of individual attacks, the PLXsert team helps organizations like yours adopt best practices and make more informed, proactive decisions about DDoS threats. PLXsert offers a subscription service that provides current threat intelligence, infrastructure and defense evaluation, as well as post-attack forensics.
