Researchers at security firm Imperva have discovered a botnet consisting of web servers, rather than individual PCs, that is being used to launch more devastating distributed denial-of-service (DDoS) attacks.
An attacker by the name of 'Exeman' has infected around 400 web servers with a simple 40-line PHP script, which includes a malicious application that can be used to launch DDoS attacks, according to Imperva CTO Amichai Shulman.
The application provides a dashboard and control panel that can be used to input the URL of an intended target and configure the IP, port and duration of the attack, Shulman said. The attacker may have leveraged a common flaw, called a remote file inclusion vulnerability, to compromise the servers.
The infected servers have already been used to launch a DDoS attack against a Dutch internet service provider, Shulman said. In addition, the botnet may be rented out to other cyber criminals.
Traditional DDoS attacks utilise large numbers of compromised PCs to flood a target with traffic, he explained. Servers, on the other hand, are generally more difficult to compromise than PCs, but utilising them to launch a DDoS attack could provide a multitude of advantages.
Servers provide more bandwidth with which to launch an attack than PCs, for example, Shulman said. Attackers can also more easily multiply the volume of the attack by adding more compromised web servers.
“A lot of targets would suffer greatly being targeted by ten servers,” Shulman said. “The numbers you need to create an effective attack are much smaller than with personal computer botnets.”