Botnet with tactics: DNS amplification hits critical backend port

  • Lisa Fröhlich
  • May 30, 2025



Friday, 10:14 a.m. – A routine day for the IT crew of an international financial company. A steady stream of data is flowing across the monitoring console at just under fifty megabits per second. Two minutes later, the needle jumps to 1.7 gigabits. Another minute passes, then the needle shoots up to 60 gigabits and shortly after peaks at 83 gigabits.

The traffic spike lasts less than nine minutes in total, then subsides as abruptly as it began. What looks like an ECG trace on the screen is actually a distributed denial-of-service (DDoS) attack: technically simple, yet astonishingly powerful.

How the attack unfolded

The attackers ramped the data stream up cautiously. In the first two minutes, it grew from 50 Mbit/s to 1.7 Gbit/s. This delay shows that the botnet was being switched on gradually: first a few hundred compromised devices, then, shortly afterwards, thousands. Once the attack reached the next level, the data stream rose to 60 Gbit/s within a minute and shortly thereafter to 83 Gbit/s – enough to bring many company lines to their knees, since Internet connections often fall short of this capacity.

The digital flood consists of three streams: 

  • UDP packets with no specific purpose act as pure ballast. They are designed to fill the lines and force systems that have to inspect every packet to work overtime. This is particularly effective with fragmented UDP packets, which generate additional work for firewalls and deep packet inspection systems, because each fragment has to be stored and the original packet reconstructed from the pieces.
  • DNS response packets are at the heart of the attack. The attacker abuses publicly accessible DNS resolvers: using forged source addresses, the botnet sends them queries that appear to come from the financial company. The DNS servers respond – not to the attacker, but directly to the victim. This creates the typical amplification effect: a small query (often only 60–80 bytes) triggers a response that is 30 to 70 times larger. What is particularly insidious is that open resolvers spread across the globe, either misconfigured or deliberately run for this purpose, were exploited – with source addresses from over 182 countries.
  • IP fragments form the third building block. Large DNS response packets are deliberately split into many smaller parts, which are then sent individually. This forces network components to reassemble them: the fragments have to be held in memory until the complete packet can be put back together at the destination. This ties up CPU and RAM and quickly pushes already loaded devices to their limits. The distribution of packet sizes speaks for itself: almost 40% of packets were over 1050 bytes, with a peak between 1351 and 1500 bytes, the upper end of which is the maximum frame payload (MTU) in the Ethernet standard. This deliberate choice maximizes the load on switches, routers, and firewalls.

Port 8080: Convenient, popular, and dangerous 

All three strands converge on port 8080, which looks unremarkable but is popular among administrators: if port 80 (classic HTTP) and port 443 (HTTPS) are already in use or heavily restricted, many developers and manufacturers of management interfaces switch to 8080. The port lies above the operating system's privileged range (ports below 1024), so a service can bind to it without administrator rights. It is also easy to remember.

Because of this convenience, port 8080 is now the de facto standard for test environments, proxy servers, and web-based maintenance consoles. This is precisely what makes it an attractive target for attack, as internal services are often forgotten there, while it is frequently open to the outside world. 

Dispersion instead of assignment

The port statistics also show a high degree of dispersion among the source ports: over 551 different source ports were used – an indication that the packets were either sent from random ports or routed through NAT/gateway systems. This makes attribution even more difficult.

Around 50,000 different IP addresses from 182 countries are involved in the attack. The enormous dispersion is striking: even the largest source network, the Russian provider Rostelecom, accounts for less than three percent of the total volume. Data centers in industrialized nations provide the attack with high bandwidth, while countless compromised home routers in Asia inflate the total number of senders. 
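The three streams described above and the dispersion figures in this section are the kind of thing a SOC analyst reconstructs from flow records after the fact. The following script is an added example, not code from the post or its author: it splits a batch of constructed UDP flow records (field layout and sample values are assumptions; the ASNs come from the documentation range) into DNS responses, IP fragments and ballast, computes the packet-size profile and an estimated amplification factor, and reports how many source addresses, source ports and source networks are involved.

```python
"""Added example (not from the post or its author): break a burst of UDP flow
records into the three streams described above and compute the same kind of
dispersion statistics the post reports. The records below are constructed
sample data, and the field layout is an assumption."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Constructed flow records: ts, src_ip, src_port, dst_port, proto, bytes, frag, asn.
# src_port is 0 for non-first IP fragments because only the first fragment
# carries the UDP header; the ASNs are from the documentation range.
SAMPLE_FLOWS = """\
1,203.0.113.10,53,8080,udp,1420,0,AS64496
2,198.51.100.7,53,8080,udp,1380,0,AS64497
3,192.0.2.44,53,8080,udp,1460,0,AS64498
4,203.0.113.11,53,8080,udp,1500,1,AS64496
5,198.51.100.9,0,8080,udp,1480,1,AS64499
6,192.0.2.45,40211,8080,udp,64,0,AS64500
7,192.0.2.46,51873,8080,udp,60,0,AS64501
8,203.0.113.12,53,8080,udp,1100,0,AS64502
9,198.51.100.12,0,8080,udp,1496,1,AS64503
10,192.0.2.47,53,8080,udp,900,0,AS64504
"""


@dataclass
class Flow:
    ts: int
    src_ip: str
    src_port: int
    dst_port: int
    proto: str
    length: int
    fragment: bool
    asn: str


def parse_flows(text: str) -> List[Flow]:
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, sp, dp, proto, length, frag, asn = line.split(",")
        flows.append(Flow(int(ts), ip, int(sp), int(dp), proto, int(length), frag == "1", asn))
    return flows


def classify(flow: Flow) -> str:
    """Assign a record to one of the three streams the post describes."""
    if flow.fragment:
        return "ip_fragment"       # must be stored and reassembled before inspection
    if flow.proto == "udp" and flow.src_port == 53:
        return "dns_response"      # reflected reply from an open resolver
    return "udp_ballast"           # filler traffic with no protocol purpose


def stream_shares(flows: List[Flow]) -> Dict[str, float]:
    counts = Counter(classify(f) for f in flows)
    return {name: round(n / len(flows), 2) for name, n in counts.items()}


def size_profile(flows: List[Flow]) -> Dict[str, float]:
    """Share of packets above 1050 bytes and in the 1351-1500 byte band near the Ethernet MTU."""
    n = len(flows)
    over_1050 = sum(1 for f in flows if f.length > 1050)
    near_mtu = sum(1 for f in flows if 1351 <= f.length <= 1500)
    return {"over_1050": round(over_1050 / n, 2), "1351_to_1500": round(near_mtu / n, 2)}


def amplification_factor(flows: List[Flow], query_bytes: int = 64) -> float:
    """Mean DNS response size divided by the size of the spoofed query that triggered it
    (query_bytes is an assumed value inside the 60-80 byte range the post gives)."""
    sizes = [f.length for f in flows if classify(f) == "dns_response"]
    if not sizes:
        return 0.0
    return round(sum(sizes) / len(sizes) / query_bytes, 1)


def dispersion(flows: List[Flow]) -> Dict[str, object]:
    """Distinct sources, distinct source ports and the byte share of the largest source network."""
    ips = {f.src_ip for f in flows}
    ports = {f.src_port for f in flows if f.src_port}   # 0 means "no UDP header in this fragment"
    asn_bytes: Counter = Counter()
    for f in flows:
        asn_bytes[f.asn] += f.length
    top_asn, top_bytes = asn_bytes.most_common(1)[0]
    return {
        "source_ips": len(ips),
        "source_ports": len(ports),
        "top_asn": top_asn,
        "top_asn_share": round(top_bytes / sum(asn_bytes.values()), 3),
    }


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("streams:", stream_shares(flows))
    print("sizes:", size_profile(flows))
    print("amplification:", amplification_factor(flows))
    print("dispersion:", dispersion(flows))
```

With only ten constructed records the largest network still carries over a quarter of the bytes; on the real incident the post puts the largest source network below three percent, which is exactly the signal `top_asn_share` is meant to surface. Note that non-first fragments carry no UDP header at all, which is why the classifier checks the fragment flag before looking at the source port.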


Attack from the second row

It is also interesting to note who does not appear: there is no significant traffic from typical cloud or CDN providers such as Amazon, Microsoft Azure, Akamai, Fastly, or Cloudflare, nor from telecommunications giants such as Deutsche Telekom, Vodafone, or Telefónica. The attackers are deliberately targeting resources outside the major providers. This could be an indication of careful planning or an intention not to compromise “good” networks in order to avoid detection. 

Why was the attack so short?

The stopwatch shows nine minutes, but from the attackers’ point of view, that was already an extensive test. They were testing whether the investment in computing time is worthwhile. There are three plausible motives for this: 

  1. Proof of Concept (PoC): The masterminds wanted to test whether the selected internal system was actually vulnerable and how quickly the defenses would respond. Once it was clear that the target was holding up, the resources were withdrawn and saved. 
  2. Cost control: A botnet of this size means fees for rented data centers or the risk of losing hijacked servers due to abuse reports (notifications of the misuse of compromised systems). A quick strike secures their own resources for more lucrative operations. 
  3. Diversionary tactic: Because it was not the public website that was attacked, but a little-noticed backend service, it seems likely that the DDoS attack was merely a diversionary tactic. While the security teams are busy dealing with the attack, attempts could be made in parallel to install or extract ransomware. 

All three scenarios point to a professionally organized, commercially motivated group that soberly weighs the costs and benefits – unlike politically motivated hacktivists, who tend to focus on media-effective staging. 

What companies can learn from this

  1. Multi-layered defense: Cloud-based “scrubbing” that filters traffic well before it reaches the data center is a must.
  2. Hygiene for secondary ports: Anyone using port 8080 (or 8000, 8443) should treat it like port 80/443. Enforce TLS, secure login, set rate limits.
  3. Don’t view attacks in isolation: An internal service as a target can be a diversionary tactic. SOC teams should simultaneously watch for suspicious logins, malware drops, or lateral movements.
  4. Keep an eye on traffic patterns: Short, highly scaled DDoS attacks with fragmented packets and unusual ports can be indicators of targeted reconnaissance – in other words, they are not just noise, but digital information gathering.
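Point 4 is the one that most often goes unimplemented: a burst that is over in nine minutes is easy to dismiss as noise once the dashboard has settled. The following detector is an added example, not code from the post or its author. It works on a constructed series of throughput samples (shaped like the ramp in this post: roughly 50 Mbit/s baseline, 1.7 Gbit/s after two minutes, 60 Gbit/s a minute later, an 83 Gbit/s peak, all over in under nine minutes), finds the interval where the rate exceeds a multiple of the quiet baseline, and flags a short, steep burst on a port other than 80/443 as a probable reconnaissance probe. The sampling interval, the 20x threshold and the probe criteria are assumptions.

```python
"""Added example (not from the post or its author): flag a short, steeply
scaled burst of the kind the post describes against a quiet baseline. The
samples below are constructed to mirror the ramp in the post; the 30-second
sampling interval and the thresholds are assumptions."""
from statistics import median
from typing import Dict, List, Tuple

# Constructed (seconds since start, Mbit/s towards port 8080) samples.
SAMPLES: List[Tuple[int, float]] = [
    (0, 48), (30, 50), (60, 49), (90, 52),
    (120, 1700), (150, 30000), (180, 60000), (210, 83000),
    (240, 80000), (300, 70000), (420, 60000),
    (500, 800), (540, 55), (600, 50),
]


def detect_burst(samples: List[Tuple[int, float]], baseline_samples: int = 4,
                 factor: float = 20) -> Dict[str, object]:
    """Find the interval where throughput exceeds `factor` times the median of
    the first `baseline_samples` readings and describe its shape."""
    baseline = median(rate for _, rate in samples[:baseline_samples])
    threshold = factor * baseline
    over = [(ts, rate) for ts, rate in samples if rate > threshold]
    if not over:
        return {"flagged": False, "baseline_mbps": baseline}
    start = over[0][0]
    last_over = over[-1][0]
    # The burst ends at the first sample back under the threshold after the last exceedance.
    end = next((ts for ts, rate in samples if ts > last_over and rate <= threshold),
               samples[-1][0])
    peak_ts, peak = max(over, key=lambda p: p[1])
    return {
        "flagged": True,
        "baseline_mbps": baseline,
        "start_s": start,
        "end_s": end,
        "duration_s": end - start,
        "peak_mbps": peak,
        "seconds_to_peak": peak_ts - start,
        "ramp_factor": round(peak / baseline),
    }


def looks_like_probe(report: Dict[str, object], dst_port: int,
                     max_duration_s: int = 600, min_ramp: int = 100) -> bool:
    """Short, steep burst aimed at a port other than 80/443: treat it as
    information gathering that deserves a ticket, not as background noise."""
    return bool(
        report.get("flagged", False)
        and report["duration_s"] <= max_duration_s
        and report["ramp_factor"] >= min_ramp
        and dst_port not in (80, 443)
    )


if __name__ == "__main__":
    report = detect_burst(SAMPLES)
    print(report)
    print("probe pattern on 8080:", looks_like_probe(report, 8080))
```

On the constructed series the burst starts at 120 s, peaks 90 s later at 83,000 Mbit/s (about 1,677 times the 49.5 Mbit/s baseline) and is back under threshold by 500 s, a duration of 380 s. Because the destination is 8080 rather than 80/443, `looks_like_probe` returns true; the same burst against port 443 would be left to the volumetric alerting alone. In a real deployment the baseline would come from a longer rolling window rather than the first four samples, and the report would be correlated with the login and malware telemetry mentioned in point 3.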

Don’t want your company to be the next headline?

Whether proof-of-concept or fully executed, DDoS attacks like this are no longer the exception for financial institutions, e-commerce platforms, and media companies worldwide, but rather the norm. 

Protect your company proactively with DDoS protection that detects attacks before they cause damage. Talk to our experts and find out how you can permanently secure your critical services from Layer 3 to Layer 7. 

