Distributed Denial of Service (DDoS) attacks have become an everyday or, some might argue, an hourly problem. Using a variety of techniques, a wide range of threat actors from lone hackers, criminal gangs and hacktivists, to nation-states have and are using DDoS attacks.
These attacks are carried out to degrade or disable the performance and network communications of target systems. These targets can be small or large businesses, internet service providers, manufacturers, retailers, healthcare providers, schools and universities, or other nation-states. Essentially, any entity with an online presence can become a DDoS target.
Now, here is the why. There are three main reasons why people create botnets: For financial gain by extortion—pay up or we keep attacking; to make a point—stop (or start) doing something or we continue; or, in the case of nation-state actors, as an espionage or cyber warfare tactic.
In our previous blog post we covered the history of DDoS attacks and our A10 Networks DDoS Threat Report, which reviewed the techniques used in DDoS attacks. In this article we’re going to cover the how of botnet and DDoS attacks, the most common mechanism for delivering attacks using collections of remotely controlled, compromised services or devices.
What is a Botnet?
The bots of a botnet can include computers, smartphones, virtualized machines, and/or a wide range of Internet of Things (IoT) devices such as IP cameras, smart TVs, routers, anything that has internet connectivity and can be compromised. In particular, IoT vulnerabilities and misconfigurations are extremely common in the consumer market making it very easy for hackers to create an IoT botnet. Moreover, botnets, particularly when they become part of an IoT botnet, can be enormous; a single botnet can be comprised of hundreds of thousands or even millions of hijacked devices.
Hijacking devices for a botnet involves finding devices that have security vulnerabilities to make it possible to be infected with “botware,” malware to be installed on the device. But the devices infected with botware aren’t the only thing a botnet needs.
Many sources—including as of writing Wikipedia—appear to be confused about what constitutes a botnet. While the most obvious part of a botnet is the collection of devices it includes, the defining component is the existence of a command and control (C&C) system that controls what the network of bots does.
The botware on each compromised device communicates with the botnet command and control system and becomes part of a network of bots. Driven by commands from a “botmaster” or “botherder”—the person or group controlling the bots—some or all of the devices in the botnet do whatever they are asked to do.
Botnet Command and Control
The early communications between botnet command and control systems and botware on compromised devices were based on the client-server model using, for example, Internet Relay Chat (IRC). The botware connected to an IRC channel and waited for commands. Each bot can also respond on the same channel with status updates or remotely acquired data. Alternatives to IRC include the use of Telnet connections and HTTP requests for webpages or custom services. It’s worth noting that some botnets have used a hierarchical C&C system where layers of bots communicate in a client-server fashion with the bots in the layer above and relay commands to the layer below them.
The latest botnet command and control communications for botnets are based on peer-to-peer (P2P) connections. In this model, compromised devices discover each other by scanning IP address ranges to find specific port and protocol services and, when another botnet member is identified, sharing lists of known peers and relayed commands. This type of highly distributed mesh networking is obviously more complicated to create but also much harder to disrupt.
The Rise of the IoT Botnet
IoT devices include a huge range of commercial and consumer devices such as temperature measurement systems, smart TVs, IP cameras, smart door bells, security systems, network routers and switches, and even children’s toys. Despite a huge amount of commentary and warnings about IoT vulnerabilities and well-understood fixes to improve their security, basic defenses such as requiring effective passwords and not allowing default logins and user accounts are still ignored. Another source of IoT vulnerabilities comes from vendors not providing updates to address security problems and or the device owners failing to apply updates.
What Do Botnets Do?
Botnets are used for four main purposes and, generally, a botnet can be switched as a whole or in parts between any of these functions.
Spam and Phishing
One of the earliest uses of botnets was for generating spam, unsolicited commercial or fraudulent email. By using bots for this purpose, spammers avoid the problem of getting their bulk sending IP addresses blacklisted and even if some bots get blacklisted, there’ll always be more bots to use.
A more targeted use of botnet spam is for phishing for identity theft. By generating huge amounts of spam email messages inviting recipients to visit promotional websites, websites that appear to be banks or other financial institutions, enter competitions, etc., scammers try to harvest personal information such as bank account details, credit card data, and website logins.
To increase website ad revenues—advertising networks such as Google pay-per-click on adverts the websites serve—botnets are used to fake user interaction. Because of the distributed nature of the sources of the clicks, it’s hard for the ad networks to identify click fraud.
By running the algorithms that mine cryptocurrencies such as Bitcoin and Ether on tens of thousands of bots—an IoT botnet is the perfect platform. It thereby steals computer power from the device’s owner, and allows significant revenue without the usual costs of mining, mostly importantly, the cost of electricity.
DDoS Attacks as a Service
Distributed Denial of Service attacks are easily launched using botnets and, as with botnet generated spam, the distributed nature of the bots makes it difficult to filter out DDoS traffic. Botnets can execute any kind of DDoS attack and even launch multiple attack types simultaneously.
A relatively new hacker business is DDoS-as-a-Service. On the Dark Web and now, even on the regular web, you can buy DDoS attacks for as little as $5 per hour; the pricing depends on the required scale and duration of the attack.
A Very Brief History of Botnets
Arguably, the first true internet botnet was Bagle, first discovered in 2004. Bagle was a Windows worm that relayed spam sent from a botmaster. While the first version, called Bagle.A, was of limited success, the second version, Bagle.B infected something like 230,000 computers. On New Year’s Day 2010, the malware was responsible for roughly 14 percent of all spam. By April 2010, Bagle was sending approximately 5.7 billion spam messages per day. As with most malware, other hackers copied and improved the code with over 100 variants found in the wild by 2005.
Since then, arguably the first botnet to launch a DDoS attack was Akbot in 2007. The Akbot botnet was created by an 18-year-old in New Zealand. It used a C&C system based on IRC and at its peak involved 1.3 million computers.
Over time, botnet attacks have become commonplace and the biggest botnet known to date, the Russian BredoLab botnet, consisted of 30,000,000 devices.
The Future of Botnet and DDoS Attacks
Botnets are here to stay. Given the exponential growth of poorly secured IoT devices that can be co-opted into an IoT botnet as well as the growing population of vulnerable computers, botnet attacks have become endemic. As a cyber warfare tool, botnet and DDoS attacks have been observed on both sides of the Russian operation against Ukraine.
Whether you’re a government organization or a private company, you should be planning how you’re going to deal with a botnet and DDoS attack. Your first step is to realize that no online property or service is too big or too small to be attacked.
Second, plan for increased bandwidth ideally on an as needed basis. The ability to scale up your internet connection will make it harder for a botnet and DDoS attack to saturate your access and cut you off from the internet. The same elastic provisioning strategy applies to using cloud services rather relying than on-prem or single data center services.
Next, consider using or expanding your use of a content delivery network to increase your client-side delivery bandwidth. Using multiple CDNs also increases your resistance to DDoS attacks.
Finally, harden everything. Strategically deploying hardware and software DDoS mitigation services throughout your infrastructure is key to making botnet and DDoS attacks have minimal impact.
(The author is Mr. Sanjai Gangadharan, Area Vice President – South ASEAN at A10 Networks, Inc and the views expressed in this article are his own)