family: generic | confidence: high | created: 2026-05-27

raw-socket-ddos-flooder

Technique where malware opens SOCK_RAW (or SOCK_PACKET) sockets with IP_HDRINCL set, so the kernel does not build the IP header and the malware can craft Layer-3/Layer-2 packets directly. Used to generate high-volume DoS traffic with spoofed or randomised source fields, bypassing kernel TCP stack rate limits and firewall rules that rely on connection state.

Variants

  • TCP SYN flood: sends segments with only the SYN flag set, randomises the source IP/port, and leaves the target holding half-open connections.
  • UDP flood: builds large UDP datagrams targeting open ports (DNS, NTP, Memcached) for amplification.
  • GRE flood: encapsulates traffic inside Generic Routing Encapsulation headers to abuse tunnel endpoints.
  • HTTP abuse: opens legitimate HTTP sessions but requests large resources or uses keep-alive to exhaust worker threads.

Detection

  • Unusually high rate of SOCK_RAW socket creation on a host, especially by processes that have no need for raw sockets.
  • Packets (in particular GRE-encapsulated ones) with malformed checksums or implausible TTL values.
  • Traffic from embedded devices (cameras, routers) destined for external IPs at high volume.
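Added example (not part of this note and not code from any referenced sample): a small Python detector for the SYN-flood variant and the malformed-checksum hint above, run over constructed IPv4/TCP packets. The addresses, the sample traffic, and the thresholds min_syns and min_src_ratio are assumptions chosen for the demonstration.

```python
import struct
from collections import defaultdict

SYN, ACK = 0x02, 0x10

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over an IPv4 header whose checksum field is zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4_tcp(src: str, dst: str, flags: int, ttl: int = 64, corrupt: bool = False) -> bytes:
    """Constructed sample packet: 20-byte IPv4 header + 20-byte TCP header, no payload."""
    s, d = (bytes(int(o) for o in a.split(".")) for a in (src, dst))
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0, 0, ttl, 6, 0, s, d)
    csum = ip_checksum(ip) ^ (0x0001 if corrupt else 0)   # flip a bit to mimic a bad header
    ip = ip[:10] + struct.pack("!H", csum) + ip[12:]
    tcp = struct.pack("!HHIIBBHHH", 40000, 80, 0, 0, 5 << 4, flags, 8192, 0, 0)
    return ip + tcp

def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Extract src/dst/ttl/TCP flags and verify the IPv4 header checksum."""
    ihl = (pkt[0] & 0x0F) * 4
    hdr = pkt[:ihl]
    stored = struct.unpack("!H", hdr[10:12])[0]
    recomputed = ip_checksum(hdr[:10] + b"\x00\x00" + hdr[12:])
    return {"src": ".".join(map(str, hdr[12:16])), "dst": ".".join(map(str, hdr[16:20])),
            "ttl": hdr[8], "flags": pkt[ihl + 13], "csum_ok": stored == recomputed}

def find_syn_floods(pkts, min_syns: int = 8, min_src_ratio: float = 0.75) -> list:
    """Flag destinations receiving many SYN-only segments from a mostly distinct set of sources,
    the shape produced by a randomised-source raw-socket SYN flood."""
    syns, srcs = defaultdict(int), defaultdict(set)
    for p in map(parse_ipv4_tcp, pkts):
        if p["flags"] & SYN and not p["flags"] & ACK:
            syns[p["dst"]] += 1
            srcs[p["dst"]].add(p["src"])
    return sorted(d for d, n in syns.items() if n >= min_syns and len(srcs[d]) / n >= min_src_ratio)

# Constructed traffic (assumed addresses): ten SYNs to 10.0.0.5 from ten different
# sources, plus one ordinary SYN/ACK exchange with 10.0.0.9 that must not be flagged.
SAMPLE = [build_ipv4_tcp("198.51.100.%d" % i, "10.0.0.5", SYN) for i in range(1, 11)] + [
    build_ipv4_tcp("192.0.2.7", "10.0.0.9", SYN),
    build_ipv4_tcp("10.0.0.9", "192.0.2.7", SYN | ACK),
]

if __name__ == "__main__":
    print("SYN-flood targets:", find_syn_floods(SAMPLE))
    print("bad checksum detected:", not parse_ipv4_tcp(build_ipv4_tcp("192.0.2.1", "10.0.0.5", SYN, corrupt=True))["csum_ok"])
```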

References

  • ebceb9dbc06f — ARM32 Mirai variant with raw-socket SYN flood module (FUN_0000c058, FUN_00009030).