Cisco Blogs

A New Twist on Denial of Service: DDoS as a Service

September 28, 2010 - 0 Comments

At Cisco, we are fortunate to be at the vanguard of many exciting developments in networking and IT technology. Borderless Networks — where we connect anyone, anywhere, any device, and enable voice, video, and data — is a prime example. Enabling secure access to the cloud, powering SaaS for the enterprise, and helping IT successfully cope with the consumerization of enterprise IT are core elements of this effort.

Trends can sometimes run in surprising directions. While the white hat side of the house is enabling services and applications (, and even core IT functions such as email and office productivity (Google Docs) are available in hosted or web delivered forms, the black hat side of the house is also not letting technology pass them by. For instance, take IMDDOS, a Chinese company with a name that should perhaps be read “I’m DDoS.”


Traditional denial of service (DoS) attacks usually involved a single host or a small number of hosts doing something bad to a target in order to prevent it from being used as intended. Distributed denial of service (DDoS) attacks, in contrast, leverage large numbers of hosts that are often zombies or botnets composed of compromised hosts operating under command-and-control from some central point. One PC hammering on your box may not bring it to its knees, but a botnet 10,000 hosts strong doing the same thing has a far better chance of success.

Of course, eventually some members of the hacker community realized that there were people who would pay for such attacks and started launching them for hire. In other cases, DDoS attacks have been politically motivated, such as with the attacks on Estonia a few years back. However, neither of these approaches scaled well. Each new customer required some additional work on the part of the black hats.

IMDDOS’s approach, with DDoS available as a commercial service, is new. Keep in mind you are not supposed to do anything bad or illegal with the service, it is just for testing firewalls or taking cyberdefence to the offense in retaliation. The company does ask you (presumably with a straight face) not to abuse the service in a malicious manner.

The technical details are interesting, with the IMDDOS infrastructure being highly distributed. There is a client (malware) running on infected PCs. Not horribly sophisticated, the client could be described as “jugaad,” a Hindi term that could be translated as something between “good enough” and “kludged.” The client communicates with a distributed command-and-control plane with one set of domains housing target lists and the other sending commands to the infected hosts.

Support is available via what may be the most widely used service you have never heard of. Tencent’s QQ is a popular chat service in China that claims 612.5 million active accounts, which is roughly twice the population of the US and a hundred million more accounts than Facebook claims globally. QQ’s site also claims an all-time peak concurrent user load of 118 million. If you need support making your SaaS DDoS work you can fire up your QQ client and ping QQ:97519585 and help will be on its way.

For those wanting to do a deep dive on IMDDOS, Damballa has a nice piece on the topic.

In an effort to keep conversations fresh, Cisco Blogs closes comments after 60 days. Please visit the Cisco Blogs hub page for the latest content.