What Are CatDDoS Botnet and DNSBomb DDoS Attacks? (2024)

CatDDoS Botnet and DNSBomb are significant cybersecurity threats. Both exploit a number of major vulnerabilities in popular software, routers, and servers, effectively cutting targeted users off from the internet.

In this guide, you’ll learn more about both these threats, as well as the consequences for internet users around the world.

What is the CatDDoS Botnet?

CatDDoS seems to be a variant of the Mirai botnet, which in 2016 launched a devastating DDoS (Distributed Denial of Service) attack using malware-infected IoT devices. Many popular websites, including Twitter, Reddit, and Netflix, were inaccessible throughout the attack.

The CatDDoS botnet first emerged in August 2023. Its malware exploits over 80 known security flaws in various software to infect devices, which are then added to the botnet.

Why’s it called CatDDoS?

The name comes from a number of feline references in the source code of the malware samples and in its domain names. For instance, the developer(s) used names like “catddos.pirate” and “password_meow”.

Which devices are affected by CatDDoS?

The malware affects a wide range of networking devices, and the botnet is estimated to hit over 300 targets per day.

It can infect routers and other networking devices running products from numerous big-name vendors, including Apache, Cisco, GitLab, and Huawei.

Origins and spread of CatDDoS

As we’ve learned, CatDDoS seems to be based on Mirai, whose source code leaked in 2016.

Despite the malware’s sophistication, the group behind CatDDoS does not seem to have been actively targeting organizations itself. In December 2023, individuals claiming to be the developers posted in a Telegram group offering to sell the source code. Ultimately, the code leaked online, which allowed security researchers to analyze how it works.

There are various ‘gangs’ running different versions of CatDDoS. These can be identified fairly easily because they all implement the ChaCha20 encryption algorithm in a similar way. The different versions also use OpenNIC domain names for their command and control (C2) servers.

Who is being targeted by CatDDoS?

According to internet security company NSFOCUS, most CatDDoS attacks are launched between 08:00 and 21:00. 58% of all targets are based in China, and the USA accounts for 25% of attacks, while Japan, Singapore, France, and other countries have also been targeted.

How does CatDDoS carry out attacks?

In the simplest terms, DoS (Denial of Service) attacks work by flooding a target computer or network device with traffic so that it’s unable to process legitimate requests. When deployed successfully against a web server, this effectively makes the domain inaccessible to other users.

According to NSFOCUS, CatDDoS uses a variety of DDoS attack methods, mostly ack_flood and grip_flood, which account for 63% and 29% of attacks, respectively.

Is CatDDoS potentially more dangerous than Mirai?

Yes. Unlike Mirai, the CatDDoS malware encrypts its communications with the C2 server. Using OpenNIC domains for C2 can also help it evade monitoring software designed to detect and block Denial of Service attacks.

What is DNSBomb?

DNSBomb is a type of “pulsing” denial of service attack discovered by Xiang Li from Tsinghua University NISL Lab and others. The vulnerability has been designated CVE-2024-33655.

How does DNSBomb work?

In theory, DNSBomb allows remote attackers to carry out DoS attacks by arranging for DNS queries to accumulate over several seconds. The responses are then released together in a single pulsing burst, hence the name.

There are three key steps to carrying out a DNSBomb attack successfully:

  • Accumulating DNS queries. This is done by extending the timeout window to delay responses artificially.
  • Amplifying responses. This involves using query aggregation on the authoritative server and domains specially crafted to return larger responses.
  • Collecting and “pulsing” responses to the target resolver in large batches.

Who is affected by DNSBomb?

According to a white paper published by the original researchers, DNSBomb is a serious vulnerability. They carried out an “extensive evaluation” of 10 mainstream DNS software programs, 46 public DNS services, and roughly 1.8M open DNS resolvers.

The researchers found that all of the DNS resolvers could be exploited to conduct more practical and powerful DNSBomb attacks than previous pulsing DoS attacks.

The attacks they carried out in a controlled environment caused complete packet loss or service degradation on both stateless and stateful connections (TCP, UDP, and QUIC).

Defensive mechanisms

Upon discovering the vulnerability, Xiang Li and his fellow researchers contacted the top 24 affected vendors to advise them on how to protect against DNSBomb.

The problem is that the attack exploits legitimate DNS features such as query rate limits, query-response timeouts, query aggregation, and maximum response size settings.

Target devices can then be overwhelmed with periodic bursts of amplified traffic that are challenging to detect.

However, as the Internet Systems Consortium (ISC) points out on its blog, DNSBomb relies on spreading out queries over time, then tricking the resolver into responding within a short time window.

This means that software like ISC’s BIND 9 isn’t affected, as it already has built-in safeguards against this kind of attack.

Impact metrics

The ISC has also pointed out that DNSBomb attacks are difficult to scale. It illustrates this with a ‘worst case scenario,’ in which a DNSBomb attack is carried out against a DNS resolver running the default configuration:

  • The attacker spoofs the victim’s IP address to send, say, 1000 packets over a certain length of time, e.g., up to 10 seconds. In the meantime, the authoritative server (which must be under the attacker’s control) withholds its responses for that same amount of time.
  • Once the attacker-controlled authoritative server eventually responds, the resolver answers all outstanding queries for the attacker’s domain.
  • Assuming these answers use the maximum packet size that can be transmitted over UDP, each answer could be 1232 bytes long. This means that for 1000 outstanding queries, the total amount of data sent could be around 12 MB over a short timeframe.

According to the white paper outlining DNSBomb, this would result in a significant bandwidth amplification factor, overwhelming target devices.

However, in software like BIND 9, the default ‘recursive-clients’ limit is 1000. In other words, once there are more than 1000 outstanding requests, the oldest ones are dropped, limiting the data burst to just 12 MB at any one time. This remains true no matter how many packets the attacker sends.
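To make the bounded-burst argument concrete, here is a small Python model added for this article (it is not code from ISC, hide.me or the DNSBomb researchers). It keeps the article’s figures of 1000 outstanding queries and 1232-byte answers, and assumes 70-byte spoofed queries and a 0.1-second delivery window for the burst; “pulse amplification” is this example’s own label for the victim’s peak rate over the attacker’s average send rate, while bandwidth amplification is computed as bytes delivered over bytes sent.

```python
from collections import deque

# Figures from the article: BIND 9's default recursive-clients limit and the
# largest answer assumed to fit in a UDP packet. The rest are constructed.
RECURSIVE_CLIENTS = 1000
MAX_UDP_ANSWER = 1232
QUERY_SIZE = 70        # constructed: bytes in one small spoofed query
RELEASE_WINDOW = 0.1   # constructed: seconds over which the burst is delivered


def simulate_pulse(spoofed_queries: int, hold_seconds: float,
                   recursive_clients: int = RECURSIVE_CLIENTS) -> dict:
    """Toy model of ISC's worst case: spoofed queries trickle in over
    `hold_seconds` while the attacker's authoritative server withholds its
    answers; when it finally replies, every query still outstanding is
    answered at once toward the victim whose address was spoofed."""
    pending = deque()
    dropped = 0
    for qid in range(spoofed_queries):
        if len(pending) >= recursive_clients:
            pending.popleft()      # resolver drops the oldest outstanding query
            dropped += 1
        pending.append(qid)
    burst_bytes = len(pending) * MAX_UDP_ANSWER
    attacker_bytes = spoofed_queries * QUERY_SIZE
    # Rate the attacker had to sustain versus the peak rate the victim sees.
    attack_rate = attacker_bytes / hold_seconds
    peak_rate = burst_bytes / RELEASE_WINDOW
    return {
        "answered": len(pending),
        "dropped": dropped,
        "burst_bytes": burst_bytes,
        # bandwidth amplification: bytes delivered / bytes the attacker sent
        "bandwidth_amplification": burst_bytes / attacker_bytes,
        # how much the pulse concentrates that traffic in time
        "pulse_amplification": peak_rate / attack_rate,
    }


if __name__ == "__main__":
    # Same 10-second hold; beyond the cap, extra queries only raise the drop
    # count and lower the amplification, they do not enlarge the burst.
    for n in (1000, 5000):
        print(n, simulate_pulse(n, hold_seconds=10))
```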

Are VPN servers vulnerable to CatDDoS/DNSBomb attacks?

If you’re using a reliable VPN service like hide.me VPN, your DNS queries are processed server-side, which protects your device from DNS leaks.

In theory, if your VPN server is targeted, it could become unable to process your DNS requests, so your device wouldn’t be able to resolve domains. However, you can fix this simply by connecting to a different VPN server that’s not under attack.

We love bringing you this content and hope it helps keep you safe and secure online. Feel free to share it with your friends, too.

Here at hide.me we are all about internet freedom, and we are happy to be in a position to bring that to everyone. That is why we give you a 30-day money-back guarantee on our Premium plan. No questions asked and no logs recorded.

Get hide.me VPN!

If you have any questions, please feel free to contact our 24/7 support team either at support@hide.me or via live chat.

Author: Edwin Metz