DDoS Botnet Targets Hadoop Enterprise Servers


DemonBot is a new botnet that has been a threat to Apache Hadoop servers. / Photo by: Mikko Lemola via 123rf


Concerns have been raised over a new botnet that has been growing steadily in the shadows for more than a month. The botnet has been attacking unsecured Apache Hadoop servers and planting bots on them, leaving them vulnerable to future distributed denial-of-service (DDoS) attacks. The malware is specifically designed to take over these cloud-based Hadoop clusters.

This threat, called DemonBot, was first seen in honeypot data by a NewSky Security researcher while it was still new. It has since become a much greater threat and has expanded its reach. While the botnet was initially composed of just a few command and control servers, Radware, a cybersecurity firm, says that it has now grown to more than 70 servers, and the firm has issued a threat alert about the problem.

The malware targets the remote command execution made possible by misconfigured Hadoop YARN, and uses it to infect Hadoop clusters. Radware described the botnet as ‘unsophisticated’, considering it spreads only among the main areas of Hadoop servers. YARN, which stands for Yet Another Resource Negotiator, is a core component of any Apache Hadoop data processing network, and is often used by large companies for cloud computing services. Radware has stated that DemonBot has grown so large that it has been attempting more than one million YARN exploits per day. Pascal Geenens, a cybersecurity evangelist at Radware, states, “Unfortunately, we have no count on actual bots. Bots are not scanning and exploiting. So they do not generate noise which we can detect and map out.”

Currently, the total bot count remains unknown, and much about the botnet is still unclear. It is believed that the misconfiguration in Hadoop's YARN component had been known for at least two years before these servers were attacked.