Researchers have issued a warning about the CatDDoS malware botnet, which has exploited over 80 known security vulnerabilities in various software over the past three months to infiltrate devices and use them in distributed denial-of-service (DDoS) attacks.
CatDDoS-related samples have leveraged numerous known vulnerabilities. The number of daily targets has exceeded 300.
The vulnerabilities affect routers, networking devices, and other equipment from vendors such as Apache (ActiveMQ, Hadoop, Log4j, RocketMQ), Cacti, Cisco, D-Link, DrayTek, FreePBX, GitLab, Gocloud, Huawei, Jenkins, Linksys, Metabase, NETGEAR, Realtek, Seagate, SonicWall, Tenda, TOTOLINK, TP-Link, ZTE, and Zyxel.
First identified in late 2023, CatDDoS is a Mirai botnet variant capable of executing DDoS attacks using methods such as UDP and TCP. The malware, named after cat-related references in its source code and command-and-control (C2) domains, emerged in August 2023.
Most CatDDoS attack targets are in China, followed by the U.S., Japan, Singapore, France, Canada, the U.K., Bulgaria, Germany, the Netherlands, and India. The botnet uses the ChaCha20 algorithm to encrypt C2 communications and employs an OpenNIC domain to evade detection, a technique used by another Mirai-based botnet, Fodcha. CatDDoS shares the same key/nonce pair for the ChaCha20 algorithm with other DDoS botnets like hailBot, VapeBot, and Woodman.
The attacks mainly target the U.S., France, Germany, Brazil, and China, affecting sectors such as cloud services, education, scientific research, information transmission, public administration, and construction. The original creators of CatDDoS reportedly ceased operations in December 2023 but sold the source code in a Telegram group, leading to new variants like RebirthLTD, Komaru, and Cecilio Network. These variants, while managed by different groups, show little variation in code, communication design, and decryption methods.
Additionally, details have surfaced about a new denial-of-service attack technique called DNSBomb (CVE-2024-33655), which uses Domain Name System (DNS) queries and responses to create an amplification factor of 20,000x. This “pulsing” DDoS attack exploits DNS features such as query rate limits, timeouts, aggregation, and maximum response size settings to generate timed floods of responses.
DNSBomb uses IP spoofing to send multiple DNS queries to an attacker-controlled domain, withholding responses so that replies accumulate. The aim is to overwhelm victims with periodic bursts of amplified traffic that are difficult to detect.
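What distinguishes a pulsing attack from an ordinary flood, as described above, is its shape: long quiet gaps, then a short burst of many large DNS responses aimed at one destination, repeated at a regular interval. Average-rate monitoring misses this, so a detector has to look at short windows and at the spacing between flagged windows. The following is an added example, not code from the article or from the DNSBomb authors; it runs a bucketed burst detector and a periodicity check over constructed sample traffic (timestamps in milliseconds and response sizes in bytes, invented for the demonstration). Names such as `find_bursts` and `pulse_period` are the example's own.

```python
"""
Added example (not from the article): a small detector for the pulsing
pattern described for DNSBomb.  The traffic below is constructed sample data,
not a capture; window and ratio values are illustrative assumptions.
"""
from statistics import median, mean, pstdev


def constructed_sample(duration_ms=60_000, period_ms=10_000, burst_ms=50, burst_count=200):
    """Constructed traffic toward one destination: a 100-byte answer every
    0.5 s as background, plus 200 answers of 1200 bytes squeezed into 50 ms
    every `period_ms`.  Returns a sorted list of (timestamp_ms, bytes)."""
    events = [(t, 100) for t in range(0, duration_ms, 500)]
    for start in range(period_ms, duration_ms, period_ms):
        for i in range(burst_count):
            events.append((start + (burst_ms * i) // burst_count, 1200))
    events.sort()
    return events


def find_bursts(events, window_ms=100, ratio=20.0):
    """Bucket responses into fixed windows and flag any window whose byte
    volume exceeds `ratio` times the median non-empty window.  Adjacent
    flagged windows merge into one burst: (start_ms, end_ms, responses, bytes)."""
    if not events:
        return []
    buckets = {}
    for ts, size in events:
        b = ts // window_ms  # integer ms avoids float floor-division surprises
        cnt, vol = buckets.get(b, (0, 0))
        buckets[b] = (cnt + 1, vol + size)
    baseline = median(v for _, v in buckets.values())
    hot = sorted(b for b, (_, v) in buckets.items() if v > ratio * baseline)
    runs = []
    for b in hot:
        if runs and b == runs[-1][1] + 1:
            runs[-1][1] = b
        else:
            runs.append([b, b])
    bursts = []
    for first, last in runs:
        members = [buckets[b] for b in range(first, last + 1) if b in buckets]
        bursts.append((first * window_ms, (last + 1) * window_ms,
                       sum(c for c, _ in members), sum(v for _, v in members)))
    return bursts


def pulse_period(bursts, max_cv=0.2):
    """Mean inter-burst interval in ms if the bursts are regularly spaced
    (coefficient of variation below `max_cv`), else None.  Regular spacing is
    the pulsing signature; one or two spikes are just spikes."""
    starts = [b[0] for b in bursts]
    if len(starts) < 3:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    m = mean(gaps)
    if m == 0 or pstdev(gaps) / m > max_cv:
        return None
    return m


if __name__ == "__main__":
    found = find_bursts(constructed_sample())
    for start, end, n, nbytes in found:
        print(f"burst {start}-{end} ms: {n} responses, {nbytes} bytes")
    print("pulse period (ms):", pulse_period(found))
```

On the constructed input this reports five bursts, each of 201 responses and 240,100 bytes inside a 100 ms window, spaced exactly 10 s apart; on real resolver or egress logs the same two signals (short-window volume far above the median and regular spacing) are what to alert on, while the per-second average would look unremarkable.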
To mitigate the risks posed by the CatDDoS botnet and DNSBomb attack techniques, regularly update all software and firmware on network devices to patch known vulnerabilities. Employ robust network security practices, including the use of firewalls, DDoS protection services, and traffic analysis tools.