A Survey of Bots Used for Distributed Denial of Service Attacks

  • Vrizlynn L. Thing
  • Morris Sloman
  • Naranker Dulay
Part of the IFIP International Federation for Information Processing book series (IFIPAICT, volume 232)


In recent years, we have seen the arrival of open-source, bot-based Distributed Denial-of-Service (DDoS) attack tools, which make code enhancement easy and so result in attack tools becoming more powerful. Developing new techniques for detecting and responding to the latest DDoS attacks often entails using attack traces to determine attack signatures and to test the techniques. However, obtaining actual attack traces is difficult, because the high-profile organizations that are typically attacked will not release monitored data, as it may contain sensitive information. In this paper, we present a detailed study of the source code of the popular DDoS attack bots Agobot, SDBot, RBot and Spybot, to provide an in-depth understanding of the attacks and so facilitate the design of more effective and efficient detection and mitigation techniques.


Keywords: Mitigation Technique, Destination Port, Attack Trace, Attack Packet, Attack Tool
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.



Copyright information

© International Federation for Information Processing 2007

Authors and Affiliations

  • Vrizlynn L. Thing (1)
  • Morris Sloman (1)
  • Naranker Dulay (1)
  1. Department of Computing, Imperial College London, London, UK
