How to Defend Against Botnet Attacks
Big surf, high-powered motorbikes, and live ammo all demand the utmost respect. In the world of cybersecurity, botnets have the same fearsome reputation. Botnet attacks are some of the most difficult bot attacks to stop. The legendary ZeuS botnet, which specialises in banking Trojans, has infected over 13 million computers in 196 countries, with an estimated financial impact of $120 million.
Recently, new Bots as a Service (BaaS) providers have sprung up, offering botnet-like capabilities commercially to anyone with a credit card. This represents a major escalation in the bot wars. IP reputation services painstakingly built up databases of botnet-compromised IP addresses, which WAF services then used to block likely botnet traffic. Although far from perfect, this was somewhat effective: it takes time and effort to create a botnet such as ZeuS, and each infected client was reused across repeated attacks, so a listed address stayed useful for a while. The new opt-in botnets use millions of IP addresses and mobile proxies, and are next to impossible to identify from the IP address alone.
Unveiling the World of Botnets
What is a Botnet?
To grasp the concept of botnet attacks, we must first understand what a bot is. A bot, short for "robot," is an automated software program designed for specific internet-related tasks. For example, a content scraping bot specializes in extracting content from various web pages. For a full database of bots, please see our bot database resource here.
A botnet, on the other hand, comprises a network of such bots. These bots are typically computers or devices infected by malware and controlled by hackers. Botnets serve as instruments for a range of cyber threats, including data theft, account takeover, web content scraping, ticket scalping, and more.
How are Traditional Botnets Created?
Creating a botnet used to begin with hackers crafting malware, or modifying existing malware, to remotely control an infected host computer or device. Notably, a botnet's insidious nature lies in its ability to propagate. Once a computer falls victim, it can infect other devices it interacts with, often by sending spam emails or by other means. This exponential growth can lead to hackers controlling hundreds, thousands, or even millions of devices.
Botnet malware is frequently disguised as innocuous files, tricking users into triggering the installation. These deceptions can include seemingly harmless email attachments, downloads from untrustworthy sources, or clickable pop-up ads.
Importantly, botnet malware targets not only personal computers and laptops but also smartphones and Internet of Things (IoT) devices such as surveillance cameras and gaming consoles. Botnets can propagate actively, by autonomously finding vulnerable hosts, or passively, through human intervention such as phishing or social engineering. IP camera networks have been particularly vulnerable to botnet takeovers: they typically ship with weak security, and can be compromised in very large numbers for DDoS and other bot attack types.
The unwitting device owners have no idea that their machines have been compromised, which lets the hackers build a large network of domestic IP addresses across a wide range of geolocations. Old-school bot detection fingerprinting relies on finding differences between the platform a client claims to be and the one it actually runs on. A botnet node has no need to fake a fingerprint; it simply supplies the real fingerprint of the device it is running on.
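To make that concrete, here is an added example (not code from the original article or from VerifiedVisitors) of the kind of consistency check old-school fingerprinting relies on: the OS claimed in the User-Agent is compared with what the browser runtime reports. The signal names and sample values are constructed assumptions modelled on the navigator properties a collector script would send back; the platform strings are what mainstream browsers commonly report, not a guaranteed mapping.

```python
import re

# Constructed browser-side signals (User-Agent, navigator.platform,
# navigator.maxTouchPoints, navigator.webdriver). Illustrative values only.
SAMPLES = {
    "headless_scraper_spoofing_windows": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
        "platform": "Linux x86_64",     # the real host shows through the spoofed UA
        "max_touch_points": 0,
        "webdriver": True,              # automation flag left set
    },
    "residential_windows_laptop": {
        "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36",
        "platform": "Win32",
        "max_touch_points": 0,
        "webdriver": False,
    },
    # A botnet node relaying the attacker's requests from a genuine phone:
    # every signal is real, so nothing here is inconsistent.
    "botnet_node_on_real_android_phone": {
        "user_agent": "Mozilla/5.0 (Linux; Android 13; Pixel 7) AppleWebKit/537.36 "
                      "(KHTML, like Gecko) Chrome/118.0.0.0 Mobile Safari/537.36",
        "platform": "Linux armv8l",
        "max_touch_points": 5,
        "webdriver": False,
    },
}


def claimed_os(user_agent):
    """OS the User-Agent string claims. Android is tested before Linux because
    Android UAs also contain the word 'Linux'."""
    for needle, name in (("Windows NT", "windows"), ("Android", "android"),
                         ("iPhone", "ios"), ("iPad", "ios"),
                         ("Mac OS X", "macos"), ("Linux", "linux")):
        if needle in user_agent:
            return name
    return "unknown"


# navigator.platform prefix we expect for each claimed OS (assumed mapping).
EXPECTED_PLATFORM = {
    "windows": re.compile(r"^Win"),
    "android": re.compile(r"^Linux (arm|aarch)"),
    "ios": re.compile(r"^(iPhone|iPad)"),
    "macos": re.compile(r"^MacIntel"),
    "linux": re.compile(r"^Linux"),
}


def fingerprint_mismatches(signals):
    """Return the inconsistencies between what the client claims and what its
    runtime reports. An empty list means the fingerprint is coherent."""
    reasons = []
    ua = signals["user_agent"]
    os_name = claimed_os(ua)
    expected = EXPECTED_PLATFORM.get(os_name)
    if expected and not expected.match(signals["platform"]):
        reasons.append(f"ua claims {os_name} but platform is {signals['platform']!r}")
    is_mobile = os_name in ("android", "ios") or "Mobile" in ua
    if is_mobile and signals["max_touch_points"] == 0:
        reasons.append("mobile ua without touch support")
    if signals["webdriver"]:
        reasons.append("navigator.webdriver is set")
    return reasons


if __name__ == "__main__":
    for name, signals in SAMPLES.items():
        print(f"{name}: {fingerprint_mismatches(signals) or 'consistent'}")
```

The headless scraper is caught twice over, while the residential laptop and the botnet node on a real phone both come back clean and indistinguishable from each other, which is exactly the limitation the paragraph describes. One caveat for anyone building on this: Android emulators and some x86 tablets legitimately report an x86 platform, so a production check needs more signals than a single prefix table.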
How are the new Botnets created?
Instead of tricking the user into accepting malware, or using other surreptitious methods of installing botnet controls, Bots as a Service providers take advantage of thousands or even millions of residential IP addresses. The services may pay individual home PC or laptop users a small bounty to install the proxy software, or use an ISP proxy to achieve the same thing with the added benefit of data-centre quality and performance. The software works in the background, sending out requests, and is just one of a huge number of fully distributed agents that the BaaS providers use to avoid detection.
Again, just like the old botnets, these new opt-in botnets use domestic IPs and will usually pass a fingerprint test. Bot detection services that rely on IP reputation alone won't work. Not only do these new botnets have millions of IPs, they also route through mobile proxies, whose addresses are shared by many thousands or millions of legitimate subscribers behind carrier-grade NAT and cannot be blocked without blocking those customers too.
Understanding Botnet Attacks
What is a Botnet Attack?
In essence, a botnet attack refers to any malicious activity orchestrated by a hacker or cybercriminal using a botnet. The most common form of botnet attack is the Distributed Denial of Service (DDoS) attack. In a DDoS attack, hackers utilize a botnet to inundate a website or web server with a massive volume of requests and traffic, overwhelming it and denying service to legitimate users.
However, botnets are versatile tools for various malicious activities, including:
- Spam attacks: Botnets can send spam and fraudulent emails from compromised devices.
- Cryptocurrency mining: Hijacked devices can mine cryptocurrency for the operator's financial gain.
- Fraudulent traffic: Generating fake web traffic or fraudulently clicking ads to generate revenue.
- Ransom attacks: Infecting devices with ransomware and demanding payment to restore access.
- Spyware: Spying on user activities, harvesting sensitive data, and selling it on the black market.
Moreover, botnets are often sold or leased out to other hackers, amplifying their threat potential.
Varieties of Botnets
Botnets come in various forms, categorized by how they are controlled by attackers. Larger botnets often have a central "herder" or owner who controls the entire network from a central server. Smaller botnets may have multiple herders managing segments of the botnet. Common types of botnets include:
- Opt-in Bots as a Service (BaaS): Commercially available services that resell a peer-to-peer network of opted-in devices as domestic-IP proxies. Extremely hard to detect using normal fingerprinting methods. The network is controlled by the BaaS provider, often as a P2P service.
- Command and Control (C&C): All devices in the botnet communicate with a central herder or server.
- IRC (Internet Relay Chat): These botnets receive commands over IRC channels, a low-bandwidth, simple communication method that is easy to hide among ordinary chat traffic.
- Telnet: Devices connect to a central command server; new devices are recruited by a scanning script that looks for exposed Telnet services, typically protected only by default credentials.
- Domains: Infected devices access web pages or domains to receive commands.
- P2P (Peer-to-Peer): Botnets operate without a central server, with infected devices acting as both servers and clients.
Challenges in Botnet Defense
Effectively countering botnet attacks is a formidable challenge. Botnets continually evolve to exploit vulnerabilities and security weaknesses, making each botnet distinct. The proliferation of Internet of Things (IoT) devices has further exacerbated the issue, as these devices often lack robust security measures, enabling low and slow attacks that are challenging to detect.
Botnet operators understand that using a multitude of IP addresses and devices makes it difficult for bot defense systems to distinguish between legitimate and malicious requests. The new opt-in botnet services make extensive use of mobile devices and residential PCs, which pass fingerprint, accelerometer and other device-specific tests because the signals are real. They also rotate IP addresses and user agents very quickly, using the entire peer-to-peer network to spread the attack across millions of clients.
Traditional Strategies to Halt and Prevent Botnet Attacks aren’t Effective
- Keep Software Updated: Regularly updating your software and operating systems to patch the vulnerabilities botnet malware exploits is absolutely necessary, but it isn't going to prevent a determined botnet attack on your site.
- IP Reputation: Vigilantly monitoring your network for unusual activity and deploying an IP reputation service is again necessary, but hard to do in practice. Understanding your network's typical behaviour is essential for detecting anomalies that may signal a botnet attack, but to see the true visitor behaviour you first have to stop bots from hitting your platform. Real-time analytics and data collection help here, but not if the data is itself polluted by bots. IP reputation services also produce false positives: yesterday's infected botnet machine may be today's cleaned-up legitimate client, so a listed address needs an expiry rather than a permanent block.
- Track Failed Login Attempts: Account takeover (ATO) is a significant threat. Monitor failed login attempts to establish a baseline and set up alerts for spikes, which could indicate a botnet attack. Keep in mind that "low and slow" attacks spread across numerous IP addresses may never cross a per-IP threshold, so alert on the aggregate failure rate against your baseline as well as on individual addresses.
Implement AI-based Bot Detection: VerifiedVisitors takes all the hard work out of identifying botnets with our bot detection platform. Our zero-tolerance, edge-of-network platform detects bots in the hybrid cloud before they do any damage. To check our services, please register for a free trial.