real-time info from the IMDDOS helpdesk

As you’ve likely already heard, a commercial service for launching distributed denial of service (DDoS) attacks, called IMDDOS, was discovered by Damballa, a company that identifies zombie computers (botnets).

an innovative commercial endeavor in this sector

In itself, this service is not new. What’s striking is that this service is now all over the web (no need to scour for some obscure forum or Internet relay chat) and intended to appeal to everyone. Well, everyone who speaks Chinese… and wants to attack a website!

a direct line to IMDDOS customer service

To learn a little more, we contacted Damballa’s customer service team. Communicating with the team is done through QQ chat, a hugely popular chat service in China. We immediately received a polite response. Our contact (for simplicity’s sake, let’s say “he”) introduced himself as a member of the customer service team.

no questions about our identity or our plans

Not once were we asked about who we were, where we were, or why we were interested in this kind of service. When you head to the gas station with a gas can, no one asks you if it’s for your lawnmower or if it’s to burn your neighbor’s house down. Well, the same goes here! Just remember to stop at the checkout counter on your way out.

service levels

Three service levels are offered, including one free “trial” version: prices are based on the length of your service subscription. We were quoted the following prices:

  • €35 for 1 month
  • €130 for one year
  • €200 for permanent "unlimited" access

The free trial version lasts seven days.

classic attack features

Each pack lets you launch a variety of different attacks, including classic attacks like SYN Flood, TCP/UDP Flood, RAW packets, and other more obscure kinds, such as DK and NB.

An online dashboard is also available to help you manage your attack by tracking its progress. You just have to install a bit of software on your computer to configure the attack (target IP address, port number, etc).

attack strength: how full is your henhouse?

As for the rate of the attack (bits per second or packets per second), the customer service guy told us it would depend on how many chickens we have. At first, we thought, “we didn’t quite hear you right.”

But yes, you did read correctly: they use the term “chicken” to refer to each machine used to launch an attack. And, we have to admit, it sounds a heck of a lot friendlier than “zombies” and “bots.” These guys didn’t forget to do their marketing research!

If you sign up for one of their packs, then you automatically receive 2,000 of these chickens to launch your attack. As for the free trial, you’ll have to settle for only 100 chickens. Anyway, a 2,000-machine botnet might seem relatively small, but remember, it is still enough to do a lot of damage. The botnet I mapped out had about 2,300 and I assure you they pulled their weight and then some.

complete with farming tools

What’s really “original” about this service is that, in addition to the guaranteed number of “chickens,” its standard features also include everything you need to put together your own network of machines! And indeed, among the products delivered are:

  • a tool for creating a virus (called a “small Trojan") to get “chickens”
  • a tool (updated every week) to make your small Trojan invisible to antiviruses
  • another tool to hide the virus in a file (jpg, txt, etc.)

With these tools, all you need to do is send out your virus to as many people as possible to infect their machines and create a regular poultry farm. All in all, it’s a good turnkey kit for building and managing your own botnet from home.

Chinese websites excluded from the service contract

Our contact let us know that we could attack any website we wanted, except for Chinese government websites and some other Chinese sites. Are we witnessing an underlying passive attitude by local authorities? Or well-placed “alliances”? You be the judge.

Another possibility: companies that sign up for a special protection service are put on a list of sites that cannot be attacked.

no references, but advice available

Among other questions, we asked the agent how many “chickens” were needed to launch an attack.
He told us 100 “chickens” were enough for a small website, 1,000 for a medium-sized site, and 10,000 for a really big site.

When we asked for “references” (from past attacks), he said no. You don’t mess around with the privacy of commercial exchanges. ;-)

the last word

The DDoS market is undergoing massive changes: after years on the black market, it now seems to be moving, at least in part, to a point where commerce makes the law. It seems like a new chapter has begun with the arrival of IMDDOS.

Fortunately, commercial offers are still rather scarce at the moment, but they could increase very quickly over the next few years. The cards are changing hands and anyone involved in Web security will have to keep track of the game and play along!

Jean-François

This blog post was originally published in French here.

Jean-François Audenard

Au sein de la direction sécurité du Groupe Orange, je suis en charge de la veille sécurité et de la sensibilisation à la sécurité. Franchise, optimisme et bonne-humeur sont mes moteurs quotidiens