How to perform a DDoS attack through a Botnet

Distributed denial of service (DDoS) attacks are a subclass of denial of service (DoS) attacks. DDoS attacks are launched from multiple connected devices that are distributed across the Internet, collectively known as a botnet, which are used to overwhelm a target website with fake traffic in an attempt to make a system unavailable to the intended user(s).

Botnet means an organized automated army of zombies/bots which can be used for creating a DDoS attack, this army consists of a large number of computers. The attacker/Botlord uses this army to send a DoS attack without the zombies even knowing they’re being used for malicious purposes.

On this guide I’ll try to keep the coding part minimal but not to worry I’ll have the GitHub repository linked so you can reference that.

Languages, Frameworks and Tools we’re going to be using include:

• Python
• JavaScript
• Node.js
• React
• Inno Setup

Now Let’s get started.

Step 1 — Building the Bot

On this guide we’re going to implement three types of DDoS attacks named ICMP flood, SYN Flood and UDP flood. I’ll try and explain them here but you can always read more about them from here.

We’ll use python to build our bot and use a package called Scapy to perform our DoS attack. Scapy is a packet manipulation tool for computer networks.

ICMP Flood

An Internet Control Message Protocol (ICMP) flood DDoS attack, also known as a Ping flood attack, is a common Denial-of-Service (DoS) attack in which an attacker attempts to overwhelm a targeted device with ICMP echo-requests (pings).

What we’re doing here is creating the ICMP packets and sending them to a target IP. Since ICMP packets are on layer 3 of the OSI model we don’t need to worry about ports so the only parameter we need is just the destination/target IP. We’re utilizing a thread pool here to maximize the number of packets we’re sending per second which in turn magnifies our attack. The rest of the code is for keeping progress of the attack (how many packets were sent).

SYN Flood

A SYN flood is a form of denial-of-service attack in which an attacker rapidly initiates a connection to a server without finalizing the connection. The server has to spend resources waiting for half-opened connections, which can consume enough resources to make the system unresponsive to legitimate traffic.

What we are doing here is sending SYN (synchronization) packets to a specific port using fake IP addresses as source addresses. Which leaves the server in a half opened state which will consume resources.

UDP flood

UDP flood is an attack in which the attacker overwhelms a port or a set of random ports on the targeted host with IP packets containing UDP datagrams.

The receiving host checks for applications associated with these datagrams and — finding none — sends back a “Destination Unreachable” packet. As more and more UDP packets are received and answered, the system becomes overwhelmed and unresponsive to other clients.

What’s happening here is that we’re sending multiple UDP packets to our victim in this case to a given port but this can be improved by a lot if we’re sending the packets to random ports.

Now that our program can perform these attacks we need to make it into a virus to infect the host computer. But first we need make it able to connect it to our botnet. We’ll use Web Sockets to connect to the server so the program can receive commands. more on this client - server model latter.

We will use a python library called socketio to connect to the server then receive commands or send progress updates on a dedicated namespace.

The malware we made will try to connect to the server every second so the moment the host computer becomes online it’ll be ready to receive commands from the botlord.

Building the malware into an executable

Now since we’re done building the malware we’re going to have to package it into an executable since we want it to run on PCs that don’t have python installed. We’re going to use py2exe a package which allows to build standalone Windows executable programs (32-bit and 64-bit) from Python scripts. This package also has an option to run the program without the default console window which helps in hiding the malware. We’re building the malware for Windows computers only.

Step 2 — Building the Trojan Horse

Since we now have the executable virus/malware we need a way to sneak it into our victims computers to turn them into zombies. That’s where a Trojan horse comes in. A Trojan horse is a program that purports to perform some obvious function, yet upon execution it compromises the user’s security which in our case is installing the malware to turn the victim’s PC into a Bot/Zombie. For this we’re going to use a tool called Inno Setup. Inno Setup is used to build program installers but we’re going to use that functionality to conceal our virus inside a legitimate installer for this case Telegram which is a popular social media app.

Inno Setup has a GUI for setting this up but since we want more functionality like put our malware inside the computers startup upon installation so it starts along with the system we’re going to modify the default script generated by Inno Setup.

This is the Inno setup compiler script, don’t let it overwhelm you since most of it is auto generated and you won’t have to worry about it. The one we talked about is line 47 where the command says to copy the malware into the computer startup folder. After compiling the Trojan horse now upon installation it will install the standard Telegram application along with the virus.

Step 3 — Building the Bot Net

Now since we have the Bots ready it’s time to build the botnet. As mentioned in step 1 we’re going to use a client-server model in which the bots/zombies are the clients and there is a central server controlling them which is operated by the botlord. We’re going to build a Node.js server which will communicate with the botlord(attacker’s) web dashboard and the bots with Web Sockets.

This is the entry file to the server where both requests from the attacker’s web dashboard and the bots from the botnets are forwarded to but we’re using separate namespaces. We are using a Node.js library called Socket.io to handle the web socket requests.

Here is how a bot connects to the botnet in a chronological order

1. A bot is live and tries to connect with the server
2. The server requests the bot to send it’s host name and version number
3. The servers accepts the server and adds it to it’s live bots list if it’s in the accepted versions list otherwise it rejects the connection

Here is how an attack is performed by the botnet in a chronological order

1. The web dashboard requests an attack by calling “on_attack_requested” on the server along with information required to perform the attack like target IP, target port and number of packets to send.
2. The server then processes the request and divides the task to the bots equally for example if the request says send 10000 packets and there are 4 bots live on the botnet they each are commanded to send 2500 packets.
3. The bots send progress update each and then the total progress of the attack is calculated and then sent into the web dashboard.

Step 3 —The Web Dashboard

The web dashboard is the place where the attacker can check the status of the bot net (whether it’s live or not ) and also command attacks. It’s a simple React.js website that’s built with Ant design for styling. The attacker chooses the type of attack along with properties like the target IP, number of packets and target port then once the attack is started a live update of the attack progress is displayed.

Demo

This demo is an example of an ICMP flood attack taking place from the web dashboard. As you can see here the Botnet has two live zombies in this demo so the attacker sends the attack command and then the server orders the bots in the bot net to do DoS attacks which makes this a DDoS(Distributed denial of service) attack.

Beautiful isn’t it ? :)

Well this it, Hope you’ve enjoyed this and found it more useful than boring! If you have any suggestions on something I might have missed or how to make it better I’d really appreciate it if you gave a comment or submit a pull request.

Before I say bye, I’ll leave here some links:

• GitHub repository for the complete project: https://github.com/Maruf-S/DDoS-Botnet
• Guide to DDoS Attacks: https://its.fsu.edu/sites/g/files/imported/storage/original/application/dfd40f8b7415faa8fc306afa529520da.pdf

Disclaimer: This blog is for educational purposes only. It’s illegal distribute viruses or to DDoS anyone without their permission so please be responsible.

Cheers!

Maruf