What Is A Botnet?
In many cases, criminals attempt to create botnets in order to carry out cybercrime on their behalf. You’re probably wondering, what is a botnet, how are they formed, who controls them and what kind of attacks can be launched using a botnet?
Let’s take a closer look at modern-day botnets and how your network can avoid either becoming a node in a botnet, or how your network can be protected from malicious botnet traffic.
A botnet is comprised of devices that are connected to the internet that can be exploited by cybercriminals in a uniform manner. Cybercriminals typically use malware, leaked credentials or some sort of system vulnerability in order to compromise the device and assign it as a member of their botnet.
When botnets started to become a reality a few decades ago, mainly servers and desktops PCs were targeted. Now that the internet is rapidly growing and device connectivity is becoming ubiquitous, the attack surface for hackers has become exponentially larger.
Even devices such as refrigerators, vehicles, and music players are now directly connected to the internet. While servers and PC's can be protected by antivirus protection, devices that fall under the Internet of Things (IoT) umbrella are being targeted more frequently because consumers tend to forget about the information security aspect of connecting these devices to their public internet connection.
How are Botnets Operated?
There are a few different types of methods in which botnets are controlled. The most popular is called the Command and Control method, which essentially means that all of the exploited hosts report back to a single point of command and the botnet awaits instructions from the attacker.
There are different ways that the infected clients will report back to the commander of the botnet. Some will use regular HTTP traffic; others will utilize peer-to-peer mechanisms and more sophisticated botnets use IRC or even open source social networking protocols such as XMPP.
On the surface, a single hacker that has singular control over a device that can essentially ping and perform a few other command line operations may not seem like a very powerful thing. However, when you have hundreds or even thousands of infected devices working on your behalf, you can begin to scale their botnets for criminal purposes.
What Kind of Attacks Are Perpetrated by Botnets?
The most popular attack launched by botnets is a distributed denial of service attack, DDoS for short. Other types of attacks commonly launched by botnets include:
- Cryptocurrency Mining Attacks – Compromised machines will have their idle CPU cycles hijacked in order to mine cryptocurrency, which can be anonymously exchanged for real currency.
- Spam Attacks – If a web server is part of a botnet, it probably has SMTP or POP3 services running on it. Botnets are commonly used to blast spam or malicious emails to innocent bystanders.
- Denial of Service Attacks – We touched on this above but a botnet can be used to simultaneously ping a website or network service until the service stops responding. If you had 50,000 devices who are simultaneously sending junk packets to a single host, the host would likely be unable to handle the excess traffic and stop responding to legitimate requests.
These are the three most common types of botnet attacks found today. Some cybercriminals will go through the trouble of building a botnet, only to sell to it other hackers on the dark web.
Recent Botnet Attacks in the News
Widespread cybercrime often makes international headlines. In 2016, the Mirai Botnet made news by being one of the biggest botnets to ever be discovered. This botnet impacted internet-connected devices such as security cameras, DVRs and other types of peripherals that you wouldn’t think a botnet would target.
Infosec researchers estimate that over 500,000 devices worldwide were part of the Mirai botnet and attackers used the botnet to cripple access to popular web services like GitHub, Xbox Live and others.
In 2019, Palo Alto networks discovered a new version of Mirai operating in the wild and various other cyberthreat organizations say that this botnet could be more powerful than the original Mirai botnet.
Avoiding Botnet Infections and Attacks
Decision makers must be cognizant of botnets and how they are used to target people, businesses and organizations. The best way to mitigate against devices on your network joining a botnet is to ensure that the following action items are performed on your network regularly.
- Internal and External Penetration Testing – These tests will identify misconfigurations or vulnerabilities that hackers will try to exploit. This test will provide you with a threat assessment and a remediation plan, should any vulnerabilities be detected during the test.
- Firewall Protection – If the devices on your network are communicating with a malicious host, a firewall would be able to detect this and block it. Most firewalls come with subscription services that are designed to protect ingress and egress traffic that could be malicious.
- User Education – Did you know that the weakest link in your organization continues to be your end users? If users are clicking on links from unknown senders or performing risky clicks on their devices, they can inadvertently infect devices on your network or give away credentialed access via social engineering tactics.
Mitigating a DDoS Attack
One of the most common scams employed by cybercriminals today is to demand a ransom payment in exchange for not launching a DDoS attack with their botnet. 99% of the time, these threats are a hoax that is designed to get you to buy a cryptocurrency and send it to a scammer. The other remaining 1% of the time, the scammer is actually serious about launching the attack.
You should take all threats against your network seriously and if you believe your network is at risk for a DDoS attack, you should be proactive in putting up a defense.
Ready for the next step?
Spot user behaviors and device information that’s suspicious, and stop those fraudsters in real time. We track billions of devices and our fraud analysts add evidence to make this intelligence even more effective.