This analysis enables
us to detect 35 live C&C servers for our study, which
we observed for a period of four months between October
2011 and January 2012. In total, we observed 1,968
different DDoS attacks performed by these botnets. We
focus our evaluation on the commands that were sent by
the botmasters to infected machines. This enables us to
obtain insights into typical attacks such as for example
the attacked server port (e.g., 85.7% of the attacks targeted
port 80 / HTTP) and the temporal distribution of
attacks (e.g., about one third of the DDoS attacks only
last for up to one hour).