Botnets today are pervasive, giving cybercriminals a massive advantage of scale to conduct all sorts of malicious activities. With this leverage, cybercriminals have challenged the order of our society, financial systems, commerce, devices, “users,” and more.
What is a Botnet?
Botnets are networks of hijacked computer devices, which are used to carry out scams and cyberattacks. The term “botnet” is formed from the words “robot” and “network” and is short for “robot network.“
While each bot is simply an internet-connected device, each has similar malware, which ultimately allows cybercriminals to control the infected devices or bots in a coordinated manner, creating a network.
A botnet is comprised of 3 main components:
A bot, sometimes called a zombie machine, is usually infected with malware or spyware. A bot is designed as it’s first mission, to automatically scan systems and devices for common vulnerabilities that haven’t been patched in hopes of replicating and infecting as many devices as possible, inside each network it finds a home.
The term “botnet” is formed from the words “robot” and “network.” A botnet is also sometimes referred to as a zombie army, as it is built to grow, automate, and speed up a hacker’s ability to carry out more significant attacks.
The number of bots will vary from botnet to botnet, depending on the ability the botnet owner uses to infect other unprotected devices.
The bot herder
The cybercriminal controlling the botnet is referred to as a bot herder or botmaster. One person or even a small team of hackers can only carry out many actions on their local devices, with little cost and a bit of time invested.
What is a botnet attack?
The hot-herder can control every computer in a botnet to act simultaneously. This allows them to carry out coordinated actions in an attack from their single location. The scale of some botnets, estimated at millions of machines, allows some attackers to perform large-scale, previously impossible actions with single machines infected by lone malware. Since botnets remain controlled by a remote bot herder, over time the infected machines can receive updates and thus, can change their behavior on the fly. This means that bot-herders often rent access to different segments of their botnet on the black market, for different purposes, making it a very lucrative business.
Botnets send spam emails (spam botnet), engage in click fraud campaigns, and generate malicious traffic for distributed denial-of-service (DDoS) attacks. A botnet attack can have different machines acting in a coordinated manner to eventually trick and steal either personal information or business-sensitive information from a victim.
How do botnets spread?
The assembly of a botnet is the infiltration stage of a multi-layer scheme. Early in their life cycle, the bots are typically used to automate the spread of their botnet. They first do network reconnaissance; next, they gather sensitive information and quietly begin attacking in mass, attempting to steal data or credentials, crashing servers, and distributing malware.
A botnet’s primary aim is always to keep infecting as many internet-connected devices as possible, to give the bot herder the large-scale computing power and functionality for automated tasks, which remain hidden to the users of the infected devices.
For example, an “ad fraud” botnet infects a PC with malicious software, often browser extensions, which uses the user’s web browser to divert traffic for click fraud, or worse, divert the user to phishing sites. Staying concealed, the botnet won’t wholly control the operating system or the web browser. The infected devices in a botnet, carry out commands provided by the bot herder. Using only a tiny fraction of bandwidth taken from an in won’t offer much, doesn’t alone, cybercriminals running the ad fraud campaign. That said, combining tens of thousands of botnet infected devices will steal tiny amounts of processing power for click fraud traffic, adding up to millions of transactions.
Nearly any computer-based internet device is vulnerable to a botnet, growing the threat constantly. Some common devices hijacked into botnets include
- Traditional computers like desktops and laptops that run on Windows OS or MacOS have long been popular targets for botnet construction.
- Internet infrastructure hardware used to enable and support internet connections may also be co-opted into botnets. Network routers and web servers are known to be targets.
- Mobile devices have become another target for recruitment. Smartphones and tablets have been included in botnet attacks of the past.
- Internet of Things (IoT) devices are hot targets, as their numbers are growing. These include many other connected devices that share data via the internet like: smart home devices (thermometers, security cameras, televisions, speakers, etc.), in vehicle infotainment (IVI), wearable devices (smartwatches, fitness trackers, scales, etc.)
What types of botnet attacks are typical?
Volumetric Attacks are the most common form of DDoS attacks today. These attacks use a botnet to flood the victim’s network or server with traffic to overwhelm the network’s or server’s processing capabilities. Separately from this, botnets commonly send spam, probe machines, send phishing campaigns, cryptojack, snoop, and more. Botnets simply shapeshift continually, under the control of their bot herder.
What have been the most famous botnet attacks?
While we have seen attacks on both Cloudflare and Akamai this last year, in 2020 two of the largest DDoS attacks ever recorded were against Amazon and Google.
No target network is too large, everyone is vulnerable.
How do you stop a botnet DDoS attack?
If you operate your organization’s systems, you first need to identify when you are under attack. Next, knowing how to apply DDoS mitigation efforts quickly could be the difference between your organization thriving and going out of business, as successful DDoS attacks can be devastating.
- Hopefully, you already use a VPN regularly. If not, do so now. Cloak your IP address, so the bad actor can’t track you! This is very important if you are a home user.
- Now, update the server being attacked, location by changing its IP address.
- Start capturing as much information as possible, such as the following:
- Time the event started
- Complete list of resources under attack
- Traffic statistics, if possible, to show traffic throughput
- Server logs
- Identifying the nature of the threat, detecting digital traces
- Recognizing the methods and means of the attack
- Notifying your company management team and stakeholders about the incident
- Localize the threat and prevent its spread
- Changes that occurred during the DDoS event
- If you manage your website, put it into maintenance mode to prevent loss of website data.
- Notify your ISP, so they can help by diverting traffic.
Prevention is better than scrambling mid-attack, so you should start thinking about your best strategy and consider the following.
Pre configure your firewalls and routers too
- Control of outgoing traffic and data leakage prevention
- Firewalls and routers should be configured to reject bogus traffic, and you should keep your routers and firewalls updated with the latest security patches. These remain your initial line of defense.
A few technical measures can be taken to partially mitigate the effect of an attack, especially in the first minutes. Some of these measures are straightforward; take a peek.
You should have a firewall already in place
- The firewall would rate-limiting the number of requests a server will accept over a specific time window to mitigate denial-of-service attacks
- Rate limiting helps slow email and web scraper attacks, reducing stealing content and mitigating brute force login attempts. It alone will likely be insufficient to handle complex DDoS attacks effectively.
Rate limits your router to prevent your webserver from being overwhelmed.
- Regex Filtering
filtering packets that contain regex in the payload
adding authorized player IP addresses to a allow list lies in telling the real customers apart from the attack traffic.
- Blackhole routing
creates a black hole route and funnels traffic into that route. Black hole filtering is implemented without specific restriction criteria; legitimate and malicious network traffic is routed to a null route, or black hole, and dropped. While not ideal, it effectively gives the attacker their desired goal: it makes the network inaccessible.
adding unauthorized user IP addresses to a blocklist
- If you identify suspicious IP addresses accessing your email, website, or web application, you should blocklist them. This is easy if you continuously monitor your access logs for unusual activity. Just make sure you’re not too aggressive, as you do not want to blocklist prospective customers.
- add filters to tell your router to drop packets from obvious sources of attack.
- You can also use a geolocation IP filter and block-based upon geolocation.
- timeout half-open connections more aggressively
- drop spoofed or malformed packages
- set lower SYN, ICMP, and UDP flood drop thresholds
While these steps may help you hinder an attack, some attacks are too massive for these measures to stop DDoS attacks completely. Practice all of them as best practices, but also use a tried-and-tested CDN solution and firewalls for continuous DDoS protection. If you are an Internet Service Provider or Hosting Provider and would like to find out more about preventing botnet attacks from occurring from your network please get in touch with our team.