China-linked JDY botnet expands targeting of U.S. military networks

1. Incident Overview

On June 10, 2026, Black Lotus Labs (Lumen Technologies) published findings confirming that the JDY botnet — a distributed scanning and fingerprinting network attributed to Chinese state-affiliated threat actors including Volt Typhoon — had expanded its active node count from approximately 650 bots in January 2024 to over 1,500 compromised SOHO routers and IoT devices. The campaign maintains a pronounced focus on U.S. military and defense-adjacent networks, using the botnet not as a volumetric DDoS instrument but as a low-and-slow, distributed reconnaissance framework designed to fingerprint exposed services and identify hosts vulnerable to recently disclosed CVEs before exploitation tools are deployed downstream.

This post-mortem treats the JDY activity as a pre-attack reconnaissance phase — a category of threat that Flowtriq's packet-level telemetry is uniquely positioned to detect before the follow-on exploitation or DDoS phase materializes. Understanding the traffic signature of a scanning botnet is critical: operators who miss the recon phase are already behind when the payload arrives.

2. Attack Analysis

Botnet Architecture: JDY operates across approximately 1,500 compromised edge devices — primarily consumer-grade SOHO routers (Netgear, TP-Link, ASUS), IP cameras, and NAS units. These devices are geographically distributed across the United States, making ingress filtering by ASN or country-code BGP community ineffective without surgical precision. Each bot acts as an independent scanning node, eliminating central C2 choke points visible in traditional hub-and-spoke botnets.

Attack Vectors and Protocol Breakdown:

• TCP SYN probes (port 22, 23, 80, 443, 8080, 8443, 8888): Standard service discovery. Packet size 40–60 bytes. SYN-only, no ACK completion — classic half-open scan. Per-source PPS low (5–50 PPS per node), but aggregate across 1,500 nodes reaches ~75,000 SYN PPS against a single target prefix.
• UDP probes (port 53, 161, 1900, 5060): DNS resolver enumeration (UDP/53), SNMP community string brute (UDP/161), SSDP device discovery (UDP/1900), SIP service fingerprinting (UDP/5060). Packet sizes 28–512 bytes depending on protocol payload.
• ICMP Echo (type 8, code 0): Bulk ping sweeps across /24 and /16 subnets to map live hosts. 64-byte standard payload. Aggregate ICMP PPS can exceed 50,000 across the full botnet.
• HTTP/HTTPS GET fingerprinting: Automated HTTP banner grabs and HTTPS certificate enumeration against web-exposed management interfaces. Full TCP handshake completed. User-agent strings rotate to mimic legitimate browsers (Chrome 124, curl/7.88).

Volume Estimates: JDY is explicitly not a volumetric DDoS botnet. Aggregate BPS is modest — estimated at 0.8–2.5 Gbps sustained across all targets simultaneously, with per-target bursts rarely exceeding 200 Mbps. The danger is not pipe saturation but service disruption via connection table exhaustion on stateful firewalls (particularly half-open SYN floods against iptables conntrack), CPU exhaustion on underpowered edge devices responding to SNMP polls, and intelligence gathering enabling subsequent targeted exploitation.

Source IP Diversity: Each of the ~1,500 bots carries a distinct public IP, sourced from residential ISP ranges (Comcast, Charter, Cox, Verizon Fios ASNs predominantly). IP reputation blocklists catch fewer than 12% of nodes at campaign onset based on historical Volt Typhoon infrastructure overlap data.

3. Detection — How Flowtriq Catches It in Under 5 Seconds

Flowtriq ingests raw packet telemetry at line rate via DPDK-accelerated capture and applies a multi-dimensional PPS/BPS/flow-entropy analysis pipeline with sub-second granularity. For a distributed low-rate scanning campaign like JDY, the detection logic diverges from standard volumetric thresholds and relies on three concurrent heuristics that collectively trigger an alert within the first two-to-five seconds of campaign contact with a monitored prefix:

Heuristic 1 — Horizontal Scan Entropy (HSE): Flowtriq computes a per-destination-port entropy score across all source IPs contacting a protected /24 within a 2-second sliding window. A legitimate service on TCP/443 will show high source-IP diversity but low destination-IP diversity (many IPs hitting one server). A JDY SYN sweep inverts this: high destination-IP diversity (scanning /24 sequentially) with low per-source PPS. HSE score threshold breach at >0.87 entropy on destination addresses with <60 PPS per source triggers a DISTRIBUTED_SCAN classification.

Heuristic 2 — SYN Completion Ratio (SCR): Flowtriq tracks TCP three-way handshake completion rates per source netblock over 5-second windows. Legitimate web crawlers and scanners complete >60% of initiated handshakes. JDY SYN probes complete <4% (SYN only, RST or timeout response). SCR <0.08 across >50 distinct source IPs within 5 seconds triggers SYN_HALFOPEN_DISTRIBUTED alert.

Heuristic 3 — Protocol Mixture Anomaly (PMA): Simultaneous observation of TCP/SYN to ports {22,23,80,443,8080} + UDP/161 SNMP probes + ICMP/8 sweeps from overlapping source IP sets within a 3-second window is statistically near-impossible for organic traffic. Flowtriq's PMA module flags this multi-protocol correlated pattern as RECON_CAMPAIGN with HIGH confidence, bypassing volumetric thresholds entirely.

Combined alert fires at T+3.2 seconds average in lab simulations against JDY-profile traffic. The alert payload includes: source ASN distribution, top-10 probed destination ports, SYN completion ratio, estimated unique source IPs, and recommended initial mitigation action (rate-limit vs. block vs. FlowSpec).

4. Mitigation — iptables Rules, FlowSpec, and the Escalation Ladder

Flowtriq applies a four-rung escalation ladder calibrated to minimize collateral damage on distributed scan campaigns where source IPs overlap with legitimate residential ranges:

Rung 1 — Local Rate Limiting via iptables/nftables (T+0 to T+30s): Applied immediately on detection. Limits inbound SYN PPS per source IP and caps ICMP/UDP from non-established sources. Effective for reducing connection table pressure without blocking legitimate traffic from shared residential NAT ranges.

# iptables — JDY recon mitigation: rate-limit inbound SYN from new sources
# Applied to FORWARD/INPUT chain on border router or inline scrubbing host

# Limit SYN packets to 10/second per source IP (burst 20) — kills low-rate scanners
iptables -A INPUT -p tcp --syn -m hashlimit 
  --hashlimit-name jdy_syn_limit 
  --hashlimit-mode srcip 
  --hashlimit-upto 10/sec 
  --hashlimit-burst 20 
  --hashlimit-htable-expire 10000 
  -j ACCEPT

iptables -A INPUT -p tcp --syn -j DROP

# Limit ICMP echo-request to 5/second per source IP (burst 10)
iptables -A INPUT -p icmp --icmp-type 8 -m hashlimit 
  --hashlimit-name jdy_icmp_limit 
  --hashlimit-mode srcip 
  --hashlimit-upto 5/sec 
  --hashlimit-burst 10 
  -j ACCEPT

iptables -A INPUT -p icmp --icmp-type 8 -j DROP

# Block SNMP from non-whitelisted sources entirely (UDP/161 has no business inbound)
iptables -A INPUT -p udp --dport 161 -j DROP

# Block SSDP inbound (UDP/1900 — UPnP, no legitimate inbound use on military nets)
iptables -A INPUT -p udp --dport 1900 -j DROP

# Rate-limit SIP probes (UDP/5060) — 2/sec per source
iptables -A INPUT -p udp --dport 5060 -m hashlimit 
  --hashlimit-name jdy_sip_limit 
  --hashlimit-mode srcip 
  --hashlimit-upto 2/sec 
  --hashlimit-burst 5 
  -j ACCEPT

iptables -A INPUT -p udp --dport 5060 -j DROP

# nftables equivalent for modern kernels:
# nft add rule inet filter input tcp flags syn / syn,ack 
#   limit rate over 10/second burst 20 packets drop

Rung 2 — Conntrack Hardening (T+30s): JDY half-open SYNs exhaust conntrack tables. Reduce conntrack timeouts and enable SYN cookies:

# Reduce SYN_RECV timeout to prevent conntrack table exhaustion
echo 10 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_syn_recv

# Enable TCP SYN cookies (kernel-level half-open SYN flood mitigation)
echo 1 > /proc/sys/net/ipv4/tcp_syncookies

# Increase conntrack table size if under sustained load
echo 2097152 > /proc/sys/net/netfilter/nf_conntrack_max

# Reduce general conntrack timeout for established connections under scan load
echo 120 > /proc/sys/net/netfilter/nf_conntrack_tcp_timeout_established

Rung 3 — BGP FlowSpec Propagation (T+60s to T+120s): When source IP clusters are confirmed as botnet nodes (SCR <0.04, HSE >0.90, zero false-positive window elapsed), Flowtriq auto-generates FlowSpec NLRI and injects via the configured BGP FlowSpec session to upstream transit providers. This pushes enforcement to the provider edge, relieving the customer edge of processing overhead entirely. See Section 5 for full RFC 5575 rule syntax.

Rung 4 — RTBH + Cloud Scrubbing Escalation (T+300s, conditional): If aggregate inbound BPS from confirmed JDY nodes exceeds 500 Mbps toward a specific /32 or /28 destination prefix — indicating a shift from reconnaissance to active exploitation or DDoS — Flowtriq triggers a Remote Triggered Black Hole advertisement for the destination prefix via BGP community 65535:666 (standard RTBH community) while simultaneously diverting traffic to a cloud scrubbing center (Cloudflare Magic Transit, Akamai Prolexic, or Zayo DDoS mitigation) via BGP prepend and community signaling. The scrubbing center applies stateful inspection, returns clean traffic via GRE tunnel to the origin, and Flowtriq validates clean-traffic BPS/PPS normalization before withdrawing RTBH.

5. FlowSpec Rules (RFC 5575 / RFC 8955 Syntax)

The following BGP FlowSpec rules are generated by Flowtriq's mitigation engine and injected into the FlowSpec RIB for advertisement to transit peers. These rules encode the JDY traffic signature identified during the detection phase. Syntax follows RFC 5575 NLRI encoding as expressed in standard router CLI (Juniper/BIRD format shown; Cisco IOS-XR equivalents noted in comments).

# ============================================================
# Flowtriq Auto-Generated FlowSpec Rules — JDY Botnet Campaign
# Incident ID: FT-20260610-JDY-001
# Generated: 2026-06-10T15:03:14Z
# RFC 5575 / RFC 8955 compliant
# ============================================================

# Rule 1: Rate-limit inbound TCP SYN to protected military prefix
# Type 1 (dst-prefix), Type 3 (IP proto), Type 6 (TCP flags)
# Action: rate-limit to 1 Mbps (discard excess) — preserves legitimate TCP
flow route jdy-001-tcp-syn-ratelimit {
    match {
        destination 203.0.113.0/24;          # Protected prefix (anonymized)
        protocol tcp;
        tcp-flags syn;
        tcp-flags ! ack;                     # SYN-only, not SYN-ACK
    }
    then {
        rate-limit 1m;                       # 1 Mbps — kills massed SYN sweep
    }
}
# Cisco IOS-XR equivalent action: traffic-rate 1000000 bps

# Rule 2: Discard inbound ICMP echo-request to protected prefix
# Type 1 (dst-prefix), Type 3 (IP proto), Type 12 (ICMP type)
flow route jdy-002-icmp-echo-drop {
    match {
        destination 203.0.113.0/24;
        protocol icmp;
        icmp-type 8;                         # Echo request (type 8, code 0)
        icmp-code 0;
    }
    then {
        discard;                             # No legitimate inbound ICMP sweep
    }
}

# Rule 3: Discard inbound SNMP probes (UDP/161)
# Type 1 (dst-prefix), Type 3 (proto), Type 5 (dst-port)
flow route jdy-003-snmp-drop {
    match {
        destination 203.0.113.0/24;
        protocol udp;
        destination-port 161;
    }
    then {
        discard;
    }
}

# Rule 4: Discard inbound SSDP/UPnP probes (UDP/1900)
flow route jdy-004-ssdp-drop {
    match {
        destination 203.0.113.0/24;
        protocol udp;
        destination-port 1900;
    }
    then {
        discard;
    }
}

# Rule 5: Rate-limit small-packet UDP to exposed management ports
# Packet length 28-128 bytes matches probe datagrams, not legitimate app traffic
# Type 10 (packet-length) encoding: [28;128]
flow route jdy-005-udp-smallpkt-mgmt {
    match {
        destination 203.0.113.0/24;
        protocol udp;
        destination-port [161 162 514 623 1900 5060];
        packet-length 28-128;
    }
    then {
        discard;
    }
}

# Rule 6: Rate-limit TCP to non-standard management ports (8080, 8443, 8888)
# JDY fingerprints web-based management panels on these ports
flow route jdy-006-alt-http-ratelimit {
    match {
        destination 203.0.113.0/24;
        protocol tcp;
        destination-port [8080 8443 8888];
        tcp-flags syn;
        tcp-flags ! ack;
    }
    then {
        rate-limit 512k;                     # 512 Kbps — allows some legitimate access
    }
}

# Rule 7: Discard Telnet probes (TCP/23) — should never be inbound on .mil nets
flow route jdy-007-telnet-drop {
    match {
        destination 203.0.113.0/24;
        protocol tcp;
        destination-port 23;
    }
    then {
        discard;
    }
}

# ============================================================
# RTBH trigger rule (Rung 4 — conditional on BPS threshold breach)
# Community 65535:666 signals upstream provider to null-route destination
# Withdraw this route once scrubbing center GRE tunnel is established
# ============================================================
# route 203.0.113.128/32 {
#     community add 65535:666;    # RFC 3882 RTBH community
#     next-hop 192.0.2.1;         # Discard next-hop on provider PE
# }

6. Lessons Learned

L1 — Recon is the attack. JDY's low PPS-per-node profile caused it to evade threshold-based detection in multiple reported deployments before Flowtriq's entropy-based heuristics were applied. NOC engineers anchoring detection solely on BPS thresholds will miss distributed scanning campaigns entirely. Horizontal scan entropy and SYN completion ratios must be first-class detection metrics, not afterthoughts.

L2 — SOHO compromise is a long-term infrastructure problem. The 1,500 compromised nodes in JDY are not data center hosts — they are residential routers and IP cameras in homes adjacent to contractors, DoD employees, and base housing areas. These devices will not be patched on any operationally relevant timeline. Mitigation must assume the source IP pool persists and rotates slowly. Build FlowSpec rules around traffic behavior (SYN completion ratio, packet size, port diversity) rather than source IP blocklists that decay within 72–96 hours.

L3 — Conntrack exhaustion is the silent kill. A 1,500-node SYN scanner at 50 PPS per node generates 75,000 half-open connections per second. Default nf_conntrack_max on many Linux-based edge devices is 65,536 — meaning the conntrack table saturates in under one second, dropping all new legitimate connections silently with no volumetric alert. SYN cookie enablement and conntrack_max tuning are non-negotiable baseline hardening steps for any internet-facing Linux host.

L4 — FlowSpec scope matters. Pushing FlowSpec rules to transit providers removes processing burden from customer edges but requires pre-negotiated FlowSpec BGP sessions with upstream ASNs. Military and defense network operators should audit whether FlowSpec peering is configured with all upstream transit providers before an incident — not during one. Flowtriq's FlowSpec export can be pre-staged with provider-specific community mappings.

L5 — Multi-protocol scanning is a canary for imminent exploitation. JDY's simultaneous enumeration of TCP services, SNMP communities, SSDP device inventories, and SIP endpoints in coordinated sweeps is not curiosity — it is target package assembly. Historical Volt Typhoon tradecraft shows a 14–30 day lag between recon completion and initial access attempts using the identified vulnerabilities. Detection of JDY-pattern recon traffic should immediately trigger a defensive review of exposed service versions on the scanned prefix, with particular urgency on CVEs disclosed in the preceding 90 days.