11.06.2015

NTRG_ElasticBotnetReport_06102015

Based on IP addresses, the Elknot botnet only targeted IPs in 5 different countries while under observation. The bulk of the attacks were against Chinese IPs followed by US IP addresses.

TARGET COUNTRY    # OF ATTACK COMMANDS ISSUED    UNIQUE IPs    DURATION OF ATTACKS (IN SECONDS)
China             384                            95            26045
United States     133                            45            9510
South Korea       19                             6             7920
Hong Kong         8                              5             450
Canada            5                              1             600

When viewed from an ASN perspective, the observed attacks targeted only 32 ASNs belonging to only 28 unique companies. The ASNs span a range of interests from ISPs (such as Chinanet, China Unicom, Korea Telecom), to DDoS protection providers (such as CloudDDOS Technologies, SharkTech and ClearDDoS Technologies), VPS providers (Krypt Technologies and VpsQuan), and CDNs (CloudFlare, Alibaba Advertising).

Novetta observed three different attack methods being issued by the Elknot C2 servers:

ATTACK TYPE          # OF ATTACK COMMANDS ISSUED
SYN Flood (0x80)     394
UDP Flood (0x81)     153
Ping Flood (0x82)    2
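The two tables above are the kind of summary an analyst derives from a log of attack commands observed leaving a C2 server. The following is an added example, not code from the report or from Novetta, showing how to produce both summaries from such observations: it maps the three opcodes the report lists (0x80, 0x81, 0x82) to their attack names, flags any other opcode as unknown rather than silently dropping it, and aggregates command counts, unique target IPs and total attack duration per country. The record layout (`AttackCommand`), the pre-resolved country field and the sample observations are all constructed for the example and are not the Elknot C2 message format.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass

# Attack-command opcodes as listed in the report. Any opcode outside this
# table is reported as unknown so that new command types are not missed.
ATTACK_TYPES = {0x80: "SYN Flood", 0x81: "UDP Flood", 0x82: "Ping Flood"}


@dataclass(frozen=True)
class AttackCommand:
    """One observed attack command (constructed layout, not the C2 wire format)."""
    opcode: int
    target_ip: str
    country: str      # assumed to be resolved from target_ip beforehand (e.g. GeoIP)
    duration_s: int   # requested attack duration in seconds


# Constructed sample observations for the example; not data from the report.
SAMPLE_COMMANDS = [
    AttackCommand(0x80, "203.0.113.10", "China", 600),
    AttackCommand(0x81, "203.0.113.10", "China", 300),
    AttackCommand(0x80, "203.0.113.25", "China", 900),
    AttackCommand(0x80, "198.51.100.7", "United States", 1200),
    AttackCommand(0x82, "198.51.100.7", "United States", 60),
    AttackCommand(0x81, "192.0.2.44", "South Korea", 450),
    AttackCommand(0x99, "192.0.2.44", "South Korea", 10),   # unknown opcode
]


def attack_name(opcode):
    """Human-readable attack type, with unknown opcodes labelled by their hex value."""
    return ATTACK_TYPES.get(opcode, f"Unknown (0x{opcode:02x})")


def summarize_by_type(commands):
    """Number of attack commands issued per attack type (second table in the report)."""
    return Counter(attack_name(c.opcode) for c in commands)


def summarize_by_country(commands):
    """Per-country command count, unique target IPs and total duration (first table).

    Returns a dict ordered by command count, descending, like the report's table.
    """
    counts = Counter()
    ips = defaultdict(set)
    duration = Counter()
    for c in commands:
        counts[c.country] += 1
        ips[c.country].add(c.target_ip)
        duration[c.country] += c.duration_s
    return {
        country: {
            "commands": counts[country],
            "unique_ips": len(ips[country]),
            "duration_s": duration[country],
        }
        for country, _ in counts.most_common()
    }


def render_tables(commands):
    """Plain-text rendering of both summaries for a quick look during analysis."""
    lines = ["TARGET COUNTRY  COMMANDS  UNIQUE IPS  DURATION (S)"]
    for country, row in summarize_by_country(commands).items():
        lines.append(f"{country:<15} {row['commands']:>8}  "
                     f"{row['unique_ips']:>10}  {row['duration_s']:>12}")
    lines.append("")
    lines.append("ATTACK TYPE          COMMANDS")
    for name, n in summarize_by_type(commands).most_common():
        lines.append(f"{name:<20} {n:>8}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tables(SAMPLE_COMMANDS))
```

Unknown opcodes are kept as their own row on purpose: a C2 that starts issuing a command type the analyst has not catalogued is itself a finding, and collapsing it into "other" or discarding it would hide that.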

THE ELASTIC BOTNET REPORT    56
