New Botnet called DemonBot targeting Hadoop Clusters in order to perform DDOS attack using powerful cloud infrastructure.
Hadoop is an open source distributed processing framework that manages storage and data processing for big data applications running in clustered systems.
Unlike Mirai based Botnet, DemonBot botnet spreading via centralized server and its rapidly exploiting the various servers around the world.
Researcher from Radware is tracking over 70 active exploit servers with an aggregated rate of over 1 Million exploits per day.
Its a kind of unsophisticated Botnet and it was uncovered by monitorng the malicious agent that leveraging a Hadoop YARN unauthenticated remote command execution in order to infect Hadoop clusters.
There is another similar attack discovered before that leveraging the same Hadoop Yarn bug in a Sora botnet variant.
Compare to IoT devices, Hadoop Clusters is much more capable of handling the heavy DDOS Attack and UDP and TCP floods are supported attack vector for DemonBot Attack.
Also Read: You can Take DDoS Protection Bootcamp – Free Training Course to Improve Your DDoS Protection Skills.
Hadoop YARN Exploits
Cluster resource management provide YARN(Yet Another Resource Negotiator) prerequisite for Enterprise Hadoop and provides cluster resource management allowing multiple data processing engines to handle data stored in a single platform.
In this case YARN exposed REST API which allows remote applications to submit new applications to the cluster.
DemonBot repeatedly attempt since september and reached almost 1 million attempts per day for most of October and the attempt that made by unqiue IP count reaching upto 70 servers.
According to radware,The DemonBot Command and Control service is a self-contained C program that is supposed to run on a central command and control server and it provides two services:
- A bot command and control listener service – allowing bots to register and listen for new commands form the C2
- A remote access CLI allowing botnet admins and potential ‘customers’ to control the activity of the botnet
Finally DemonBot running infected severs connect to the C2 server to listen the new commands. here C2 Server hardcoded with post and IP address.
After the successful connection DemonBot sends information about the infected device to the C2 server.
An organization should always ensure and focus on maximum Protection level for enterprise networks and you can try a free trial to Stop DDoS Attack in 10 Seconds. Also, Check Your Company’s DDOS Attack Downtime Cost.