The Elknot DDoS Botnets We Watched

Friday 7 October 12:00 - 12:30, Green room

Ya Liu (Qihoo 360)
Hui Wang (Qihoo 360)

Elknot, also known as Linux/BillGates, is a notorious DDoS botnet family which runs on both Linux and Windows platforms. We have collected about 9,000 Elknot samples and extracted over 1,600 unique C&C servers. 500 of the servers were successfully contacted by our command tracking system. Over 50,000 unique victims were detected from the 37 million received attacking commands.

The data we collected has given us various interesting pieces of information including details of botnet operations, attack methods and patterns. We observed some serious DDoS attack events, e.g. several DNS root servers being attacked on 30 November 2015 and 1 December 2015. Detailed studies have been carried out on the collected data in terms of C&C communications, botnet scales, attack methods, and victims. Attempts to connect Elknot botnets to other botnet families were also made. With the help of passive DNS and NetFlow data, we got some interesting results, which make us believe that it is possible to depict the big picture of popular Elknot botnets. We think our analysis will help to better detect and mitigate future DDoS threats.

Click here for more details about the conference.

Ya Liu

Ya Liu

Ya Liu has over six years of experience in network security, specializing in honeypot, malware analysis, and botnet detection and tracking. Currently he works in the Network Security Research Lab of Qihoo 360, focusing mainly on botnet tracking. Before joining Qihoo 360 he worked at NSFOCUS on honeypot development and malware analysis.  


Hui Wang

Hui Wang

Hui Wang is a sofware engineer with a passion for honeypot development. He has a wealth of experience in WEB development and data analysis. Now he works in the Network Security Research Lab of Qihoo 360 where he attempts to build large-scale honeypot systems to capture popular attacks on the Internet.



We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.