Face to face with Cutwail botnet – Combating a DDOS attack

Face to face with Cutwail botnet – Combating a DDOS attack

Relevant topics: DDOS protection, DDOS prevention, DDOS Security
One of our clients recently reported heavy resource usage on their server. After some investigation it was established that the website was undergoing a DDOS attack. DDOS attacks are very easy to execute and there are several software available on the internet that allow you to emulate or launch this attack making this form of attack one of the easiest to initiate yet one of the hardest to stop.

I will broadly classify DDOS attacks into two categories:

Voluntary Attack

The attacking party is well aware of the fact that they are launching an attack in order to consume the server resources. Multinational companies like Paypal, Sony and organisations like banks, political parties have all undergone such attacks. This attack requires a group to convince a certain amount of individuals to simultaneously launch a flood of requests using hyper text transfer protocol or any other protocol supported by the server.

Involuntary Attack

The attacking party is not aware of the fact that their computational resources are being utilised by a bot/trojan. This form of attack comprises of mass distribution of a malicious software (often known as malware) that flood the website specified by the party that issued (or continues to issue) instructions to the malware.

Case Study

In this case, it was most certainly an involuntary attack as we had a unique IP address for every new request. The website was being flooded with over 100 requests every minute which was overwhelming the server causing frequent CPU spikes. Each spike showing a 503 Service Unavailable message. As a result, the hosting company had temporarily suspended the account.

Further investigation showed that the website had been under attack for about two weeks without a break and it was the Cutwail botnet causing this issue. Cutwail botnet installs a trojan called Pushdo on the victim’s computer. Here’s a diagram that shows the installation flow of Pushdo.

pushdo Installation flow diagram - ddos attack protection

Pushdo Installation flow Diagram. Image Credit: Fortiguard

You can find more details on the working of Cutwail botnet here.

The solution — DDOS attack protection

Despite an elaborate distribution of the IP addresses, all requests were coming from a single user agent. Blocking that user agent did the trick & stopped the flood of requests.

I can not provide you with the specific details of the code as a part of client confidentiality & given the intentions of attackers executing an attack like this, it is most likely to become obsolete after some time if made public but you are more than welcome to contact us if you believe you are under an attack of this form.

No Comments

Leave a Reply

Cross Compatibility

With production and the sales of a variety of devices rising, at Oziti, we are committed to make your website look great on all browsers & Devices.

Optimised Code

Your website comes optimised for the Search Engine Bots. We support Schema.org code, which allows you to output microdata in your site’s code.


Your website is automatically backed up on the server after a specified period of time. If you have made a mistake, we can restore it for you.


Let's get the project started. Just fill in the details below and we'll be in touch with you shortly. Please include any queries and your deadline (if any) in the message.

Please leave this field empty.


Perth's leading website design services provider for the small businesses, professionals and entrepreneurs. We make you look like a million bucks so that you have a strong online identity and can focus on delivering excellence to your clients.
Oziti Web Design, 62 Molonglo Crescent, Baldivis, WA 6171 Phone: (08) 9523 6998

© Oziti Web Design ~ All Rights Reserved