Botnets are an increasingly common method of delivering attacks, DDoS among them. Amr Alashaal, Regional Vice President, Middle East at A10 Networks, talks to us about what they are, how they function and effective ways for businesses to respond.
Distributed-Denial-of-Service (DDoS) attacks have become an ongoing threat to organisations. Using a variety of techniques, a wide range of threat actors from lone hackers, criminal gangs and hacktivists to nation-states are using DDoS attacks to disrupt or disable the performance of target systems.
These targets can be small or large businesses, Internet Service Providers, manufacturers, retailers, healthcare providers, schools and universities or other nation-states. Essentially, any entity with an online presence can become a DDoS target.
Now, here is the why. There are three main reasons why people create botnets: for financial gain through extortion ('pay up or we keep attacking'); to make a point ('stop (or start) doing something or we continue'); or, in the case of nation-state actors, as an espionage or cyberwarfare tactic.
This article will analyse how these botnet and DDoS attacks work and the most common mechanism for delivering attacks using collections of remotely controlled, compromised services or devices.
What is a botnet?
The bots that make up a botnet can include computers, smartphones, virtualised machines and a wide range of Internet of Things (IoT) devices such as IP cameras, smart TVs, routers and even children’s toys – anything with an Internet connection. IoT vulnerabilities and misconfigurations are extremely common in the consumer market, making IoT botnets, which can comprise millions of hijacked devices, very easy for hackers to create.
Despite the warnings about IoT vulnerabilities and well-understood fixes to improve their security, basic defences such as requiring effective passwords or not allowing default logins are still ignored. Vendors failing to provide updates to address security problems, or device owners failing to apply updates, also create another source of IoT vulnerabilities.
Hijacking devices for a botnet involves identifying devices with security vulnerabilities that allow them to be infected with 'botware'. But these infected devices are just the first step.
There seems to be confusion about what constitutes a botnet. While the most obvious part of a botnet is the collection of devices it includes, the defining component is the existence of a command and control (C&C) system that controls what the network of bots does. By communicating with the botnet C&C system through the newly installed botware, each compromised device forms a network of bots. These bots are then controlled by commands sent from a ‘botmaster’ or ‘botherder’.
What do botnets do?
Botnets are used for four main purposes and, generally, a botnet can be switched as a whole or in parts between any of these functions.
- Spam and phishing: Bots enable spammers to avoid the problem of their own IP addresses getting blacklisted, and even if some bots get blacklisted they can draw on thousands of backup IPs. Targeted botnet spam is used for phishing for identity theft. By generating huge amounts of spam email messages inviting recipients to visit promotional websites, sites impersonating banks and other financial institutions, and fake competitions, scammers try to harvest personal information such as bank account details, credit card data and website logins.
- Pay-per-click fraud: To increase website advertising revenues, botnets are used to hijack the pay-per-click advertising model by faking user interaction. Because of the distributed nature of the click sources, it is hard for advertising networks to identify click fraud.
- Cryptomining: An IoT botnet is the perfect platform for cryptomining. By running the algorithms that mine cryptocurrencies on tens of thousands of bots, hackers steal computing power from the device owners, creating significant revenue without the usual costs of mining, such as electricity.
- DDoS Attacks-as-a-Service: DDoS attacks are easily launched using botnets and, as with botnet-generated spam, the bots' distributed nature makes it difficult for organisations to filter out DDoS traffic. Botnets can execute any kind of DDoS attack and even launch multiple attack types simultaneously. A relatively new hacker business is DDoS-as-a-Service. On certain websites across both the Dark Web and the regular web, individuals can buy DDoS attacks for as little as US$5 per hour, with the price scaling with the attack's scale and duration.
Botnet command and control
The latest botnet command and control communications are based on peer-to-peer (P2P) connections. In this model, compromised devices discover each other by scanning IP address ranges for specific port and protocol services and sharing lists of known peers and commands with any identified botnet members. This type of highly distributed mesh networking is more complicated to create but also much harder to disrupt.
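The peer-discovery behaviour described above leaves a recognisable footprint in flow logs: one source touching many distinct destination addresses on the same port in a short time. The following detection script is an added example written for this article, not code from A10 Networks; the flow-log format and the sample records are constructed assumptions.

```python
"""Flag hosts whose outbound flows look like the horizontal scanning that
P2P botnets use to find peers: one source contacting many distinct
destination IPs on a single port inside a short time window."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow log (assumed format: timestamp src dst dport proto bytes).
# 10.0.0.7 sweeps 25 hosts on port 23; 10.0.0.9 talks repeatedly to one server;
# 10.0.0.12 contacts 10 distinct hosts on 443 (below the default threshold).
SAMPLE_FLOWS = (
    [f"2024-05-01T10:00:{i:02d} 10.0.0.7 198.51.100.{i + 1} 23 tcp 60" for i in range(25)]
    + [f"2024-05-01T10:01:{i:02d} 10.0.0.9 203.0.113.5 443 tcp 1500" for i in range(40)]
    + [f"2024-05-01T10:02:{i:02d} 10.0.0.12 192.0.2.{i + 1} 443 tcp 900" for i in range(10)]
)


def parse_flow(line):
    """Split one flow record into typed fields."""
    ts, src, dst, dport, proto, nbytes = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto, int(nbytes)


def find_scanners(lines, window=timedelta(seconds=60), min_targets=20):
    """Return {(src, dport): peak distinct destinations} for every source that
    reached at least min_targets distinct destinations on one port within
    any sliding window of the given length."""
    events = defaultdict(list)  # (src, dport) -> [(timestamp, dst), ...]
    for line in lines:
        ts, src, dst, dport, _, _ = parse_flow(line)
        events[(src, dport)].append((ts, dst))

    hits = {}
    for key, evs in events.items():
        evs.sort()
        seen = defaultdict(int)  # dst -> count of flows currently inside the window
        start = 0
        for ts, dst in evs:
            seen[dst] += 1
            while ts - evs[start][0] > window:  # expire flows older than the window
                old = evs[start][1]
                seen[old] -= 1
                if seen[old] == 0:
                    del seen[old]
                start += 1
            if len(seen) >= min_targets:
                hits[key] = max(hits.get(key, 0), len(seen))
    return hits


if __name__ == "__main__":
    for (src, dport), count in find_scanners(SAMPLE_FLOWS).items():
        print(f"possible peer scan: {src} hit {count} hosts on port {dport}")
```

Tune `window` and `min_targets` to the site's baseline; a vulnerability scanner or monitoring system that legitimately sweeps the network should be allow-listed rather than lowering the threshold.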
The future of botnet and DDoS attacks and how to respond
Botnets are here to stay. Given the exponential growth of poorly secured IoT devices that can be co-opted into an IoT botnet, as well as the growing population of vulnerable computers, botnet attacks have become endemic. As a cyberwarfare tool, botnet and DDoS attacks have been observed in use in the Russia-Ukraine conflict.
All IT teams should prepare to deal with a botnet and DDoS attack. The first step is to realise that no online property or service is too big or too small to be attacked.
Secondly, organisations should plan for increased bandwidth ideally on an as-needed basis. The ability to scale up an Internet connection will make it harder for a botnet and DDoS attack to saturate access and isolate an organisation from the Internet. This elastic provisioning strategy also applies to the adoption of cloud services, rather than relying on on-premises or single data centre services.
Thirdly, organisations should consider using or expanding their content delivery network (CDN) to increase client-side delivery bandwidth. The use of multiple CDNs also increases resilience to DDoS attacks.
Finally, businesses should strengthen every layer of their infrastructure. Strategically deploying hardware and software DDoS mitigation services throughout organisational infrastructure is key to reducing the potential impact of a botnet and DDoS attack.