The evolution of botnets and DDoS attacks
Distributed Denial of Service (DDoS) attacks have become an ongoing threat for organizations. Using a variety of techniques, a wide range of threat actors from lone hackers, criminal gangs and hacktivists to nation-states are using DDoS attacks to disrupt or disable the performance of target systems. These targets can be small or large businesses, internet service providers, manufacturers, retailers, healthcare providers, schools and universities, or other nation-states. Essentially, any entity with an online presence can become a DDoS target.
Now, here is the why. There are three main reasons why people create botnets: For financial gain by extortion -- 'pay up or we keep attacking’; to make a point -- 'stop (or start) doing something or we continue’; or, in the case of nation-state actors, as an espionage or cyber warfare tactic.
This article will analyze how these botnet and DDoS attacks work and the most common mechanism for delivering attacks using collections of remotely controlled, compromised services or devices.
What is a Botnet?
The bots that make up a botnet can include computers, smartphones, virtualized machines, and a wide range of Internet of Things (IoT) devices such as IP cameras, smart TVs, routers, and even children’s toys i.e., anything with an internet connection. In particular, IoT vulnerabilities and misconfigurations are extremely common in the consumer market, making IoT botnets, which can comprise millions of hijacked devices, very easy for hackers to create.
Despite the warnings about IoT vulnerabilities and well-understood fixes to improve their security, basic defenses such as requiring effective passwords and not allowing default logins are still ignored. Vendors failing to provide updates to address security problems, or device owners failing to apply updates, also creates another source of IoT vulnerabilities.
Hijacking devices for a botnet involves identifying devices with security vulnerabilities that allow them to be infected with "botware". But these infected devices are just the first step.
There seems to be confusion about what constitutes a botnet. While the most obvious part of a botnet is the collection of devices it includes, the defining component is the existence of a command and control (C&C) system that controls what the network of bots does. By communicating with the botnet C&C system through the newly installed botware, each compromised device forms a network of bots. These bots are then controlled by commands sent from a "botmaster" or "botherder".
What Do Botnets Do?
Botnets are used for four main purposes and, generally, a botnet can be switched as a whole or in parts between any of these functions.
- Spam and Phishing
Bots enable spammers to avoid the problem of their own IP addresses getting blacklisted and, even if some bots get blacklisted, they can create thousands of backup IPs to use. Targeted botnet spam is used for phishing for identity theft. By generating huge amounts of spam email messages inviting recipients to visit promotional websites, websites impersonating banks and other financial institutions, and fake competitions, scammers try to harvest personal information such as bank account details, credit card data, and website logins.
- Pay-per-Click Fraud
To increase website advertising revenues, botnets are used to hijack the pay-per-click advertising model by faking user interaction. Because of the distributed nature of the click sources, it’s hard for advertising networks to identify click fraud.
An IoT botnet is the perfect platform for cryptomining. By running the algorithms that mine cryptocurrencies on tens of thousands of bots, hackers steal computer power from the device owners, creating significant revenue without the usual costs of mining, like electricity.
- DDoS Attacks-as-a-Service
DDoS attacks are easily launched using botnets and, as with botnet-generated spam, the bots’ distributed nature makes it difficult for organizations to filter out DDoS traffic. Botnets can execute any kind of DDoS attack and even launch multiple attack types simultaneously.
A relatively new hacker business is DDoS-as-a-Service. On certain websites across both the Dark Web and regular web, individuals can buy DDoS attacks for as little as $5 per hour, with price scaling based on the attack’s scale and duration.
Botnet Command and Control
The latest botnet command and control communications are based on peer-to-peer (P2P) connections. In this model, compromised devices discover each other by scanning IP address ranges for specific port and protocol services and sharing lists of known peers and commands with any identified botnet members. This type of highly distributed mesh networking is more complicated to create but also much harder to disrupt.
The Future of Botnet and DDoS Attacks and How to Respond
Botnets are here to stay. Given the exponential growth of poorly-secured IoT devices that can be co-opted into an IoT botnet, as well as the growing population of vulnerable computers, botnet attacks have become endemic. As a cyber warfare tool, botnet and DDoS attacks have been observed in use in the Russian/Ukraine conflict.
All IT teams should prepare to deal with a botnet and DDoS attack. The first step is to realize that no online property or service is too big, or too small, to be attacked.
Secondly, organizations should plan for increased bandwidth ideally on an as-needed basis. The ability to scale up an internet connection will make it harder for a botnet and DDoS attack to saturate access and isolate an organization from the internet. This elastic provisioning strategy also applies to the adoption of cloud services, rather than relying than on-premises or single data center services.
Thirdly, organizations should consider using or expanding their content delivery network (CDN) to increase client-side delivery bandwidth. The use of multiple CDNs also increases resilience to DDoS attacks.
Finally, businesses should strengthen everything. Strategically deploying hardware and software DDoS mitigation services throughout organizational infrastructure is key to reducing the potential impact of a botnet and DDoS attack.
Adrian Taylor is VP of EMEA at A10 Networks