After first appearing in April 2022, Fodcha slipped under the radar for a few months. Now, however, it’s back with a number of new capabilities – and a vengeance. The botnet is swiftly becoming defined by its takedown attempts, its DDoSing becoming ever more complex.
What Is A Botnet
The term botnet is simply a mashing of the two terms robot and network. Botnets are usually centered around automation, thanks to the sheer scale of connected devices. They aid in the acceleration of simple repetitive tasks, speeding things up by accessing the resources of all participants. Though botnets have a bad rep, they’re not inherently evil.
For instance, crowdsourced science projects have been helping map out the human immune system response and finding star clusters within the Andromeda Galaxy. Each of these projects sees a central task being solved thanks to the bot herder’s overarching commands.
Distributed Denial of Service (DDoS) attacks, on the other hand, weaponize the millions of connected devices that currently take up cyberspace. Using the connectivity of a device, DDoS botnets direct all the traffic from the distributed devices to a victim’s site or app.
The goal of this excessive traffic is to flood the victim’s services, temporarily bringing it down. This results in legitimate site users not being able to access those resources – resulting in denial of service.
Botnets live and die by the strain of malware infecting them. Mirai was one of the first pioneering strains, focusing almost entirely on the poor security offered to the expanding Internet of Things (IoT) market.
By automatically scanning for devices running on a specific type of processor, Mirai was able to find new victims, whose passwords it would then try to brute-force.
This worked primarily thanks to widespread consumer inattention – after all, nobody expects their smart fridge to be infected with malware. Mirai broke onto the scene in 2016 by launching a totally unexpected attack on a security researcher, before its source code was made public.
This automated approach supercharged the growth and development of DDoS botnets. Botnets have now become so big that an entire underground economy has grown around their for-rent structure.
Fodcha’s Back And Bigger Than Ever
Fodcha – initially nicknamed EnemyBot – first popped up earlier this April. The pattern closely followed in Mirai’s footsteps, automating the malware propagation process by seeking out known Android and IoT vulnerabilities.
Weak Telnet passwords were also fed into a brute-force password cracker. With support for 17 different attack methods, the botnet rapidly spiraled in size.
Since its discovery, Fodcha has evolved into a menacingly large botnet, commanding over 60,000 active nodes across 40 different command-and-control (C2) servers.
The large number of C2 servers is a direct answer to Fodcha’s first setback: when a large cloud provider learnt that its services were being used to conduct attacks, it shut down the original C2 server.
Much like a biological virus, Fodcha adapted, instead now crisscrossing its bot-herding capabilities among dozens of different servers.
Fodcha worries researchers thanks to more than just its scale: there’s evidence that attacks have made use of amplification techniques such as Connectionless Lightweight Directory Access Protocol (CLDAP) reflection.
This sees malicious requests – on their way to the victim’s server – first be routed via an innocent third party, the reflector. The aim of each request is to elicit a response from the reflector that is far bigger than the request itself.
Because the request carries a spoofed source IP address, the third party is tricked into sending this large response to the victim. A typical example of a service abused for this reflection technique is the caching service Memcached.
As is to be expected from a caching service, the Set command lets you store an arbitrary chunk of data under a given key, while Get fetches that data back by the same key. The key can be only a few bytes long; the data stored under it can be up to 1 MB.
Now, a very small request packet that measures only a few tens of bytes can generate a significantly larger response. In the case of Memcached, the amplification factor measures a staggering 10,000 to 51,000x.
Amplification techniques such as this mean that Fodcha can easily generate over 1 terabyte of malicious traffic per second. Though the largest network layer DDoS assaults can spill over into the terabytes, 20 to 40 gigabytes per second are enough to completely shut down most network infrastructures.
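A defender-side check that follows from the reflection mechanism above, added here as an example and not part of the original article: it scans constructed NetFlow-style records and flags destinations that receive oversized UDP replies from Memcached (11211) and CLDAP (389) source ports on several distinct reflectors. The line format, thresholds and IP addresses are assumptions.

```python
"""Flag UDP reflection/amplification traffic (Memcached, CLDAP) in flow records."""
from collections import defaultdict

# UDP services commonly abused as reflectors, keyed by their server-side port.
REFLECTOR_PORTS = {11211: "memcached", 389: "cldap"}

def parse_flow(line: str) -> dict:
    """Parse one constructed NetFlow-style line: proto src:port dst:port pkts bytes."""
    proto, src, dst, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"proto": proto, "src_ip": src_ip, "src_port": int(src_port),
            "dst_ip": dst_ip, "dst_port": int(dst_port),
            "pkts": int(pkts), "bytes": int(nbytes)}

def find_reflection_victims(lines, min_reflectors=3, min_bytes_per_pkt=1000):
    """Return {victim_ip: summary} for destinations receiving large UDP replies
    *from* reflector ports on several distinct sources. Legitimate clients of
    these services talk to one or two servers with small replies, so many
    sources plus bloated packets is the tell."""
    per_victim = defaultdict(lambda: {"sources": set(), "bytes": 0, "services": set()})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "UDP" or f["src_port"] not in REFLECTOR_PORTS:
            continue
        if f["bytes"] / f["pkts"] < min_bytes_per_pkt:
            continue  # small replies look like ordinary lookups
        v = per_victim[f["dst_ip"]]
        v["sources"].add(f["src_ip"])
        v["bytes"] += f["bytes"]
        v["services"].add(REFLECTOR_PORTS[f["src_port"]])
    return {ip: {"reflectors": len(v["sources"]), "bytes": v["bytes"],
                 "services": sorted(v["services"])}
            for ip, v in per_victim.items() if len(v["sources"]) >= min_reflectors}

# Constructed sample flows (not real traffic): three reflectors flood 198.51.100.7,
# while 198.51.100.9 performs an ordinary small CLDAP lookup.
SAMPLE_FLOWS = [
    "UDP 203.0.113.10:11211 198.51.100.7:443 200 280000",
    "UDP 203.0.113.11:11211 198.51.100.7:443 150 210000",
    "UDP 203.0.113.12:389 198.51.100.7:443 300 420000",
    "UDP 203.0.113.12:389 198.51.100.9:50123 2 400",
    "TCP 203.0.113.20:11211 198.51.100.7:443 100 150000",
]

if __name__ == "__main__":
    for ip, s in find_reflection_victims(SAMPLE_FLOWS).items():
        print(f"{ip}: {s['reflectors']} reflectors, {s['bytes']} bytes via {s['services']}")
```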
This totally prevents access to your servers, whilst also causing operational damages that include account suspension and eye-watering overage charges.
Protecting Against DDoS Botnets
Thankfully, DDoS protection providers are largely able to keep up with the growing scale of botnets. This is thanks to the fact that the scale of a DDoS attack can be fought in two different ways.
The first, and most common, form of DDoS mitigation is via Border Gateway Protocol (BGP) routing. This service works on demand – meaning the security solution provider will need to automatically recognize when an attack is ramping up.
When active, BGP routing means that the security solution’s servers act as a proxy. Within this, each packet is analyzed for suspect behavior, known malicious IP addresses, or suspicious geolocation. The suspicious packets are thrown out, while legitimate users are allowed to continue on to your site.
By contrast, if your site or app requires always-on DDoS protection, then integration will also include access to a content delivery network (CDN). This solution uses the on-call scalability of CDNs to simply absorb volumetric attacks, while simultaneously minimizing latency and accelerating content delivery.
Thanks to the leaps and bounds made by next-gen security solutions, defending your organization from DDoS attacks has never been simpler. With this, you can keep the malicious actors out, while still offering goods and services to legitimate users.