Botnets are known to be behind the biggest DDoS attacks of the past few years, from the GitHub attack in 2015 to the Dyn attack in 2016 to the Mirai botnet-led attacks on an entertainment platform in 2019.
A botnet is a collection of malware-infected computers and networked devices (IoT, smart devices, etc.) that work together under the control of a single malicious actor or attack group. Such a network is also known as a zombie army, and each infected device is called a bot or zombie.
How Many Bots Make a Botnet?
The number of bots in a botnet will vary across zombie networks, ranging anywhere between a few thousand to over a million compromised devices.
While the Hide ‘n Seek botnet has 24,000 compromised devices, the Mirai botnet that widely disrupted internet usage on the US East Coast in 2016 is believed to have had 800,000 to 2.5 million infected devices.
Why are Botnets Created?
Botnets are created by attackers for orchestrating a multitude of malicious activities:
- Credential thefts
- Click frauds and adware
- Email Spamming
- Phishing attacks
- DDoS attacks
- State-sponsored disruptions
- Bitcoin mining
It is rather inexpensive and hassle-free to create botnets, especially where regulatory mechanisms and law enforcement are limited. So, it is a lucrative business model for developers and crime syndicates to offer attack-for-hire services.
Zombie armies are preferred by attackers because they are available as inexpensive attack-for-hire services. Even a small botnet is extremely effective in causing massive damage. Given that the bots are globally dispersed and leave no paper trail back to the operator, the appeal of leveraging them to orchestrate attacks is unparalleled.
How Do Botnets Work?
Devices (including computers, tablets, smartphones, smart TVs, soundbars, wireless CCTV, and other connected devices) are scanned using automation to identify common unpatched vulnerabilities, insecure configurations, and hardcoded weaknesses.
Attackers then attempt to install malware (a Trojan horse or other malicious payload) on the target devices through different means such as clickjacking, phishing, scams, password cracking, etc. The actual owner of the device may be unaware that their system is part of such a nefarious network.
Setting Up Control:
Once the desired number of bots has been created, the attacker or developer takes control of them remotely using one of two command approaches:
- Traditional Client-Server Approach: This is a centralized system in which the bot herder sends commands to the bots from a Command-and-Control (C&C) server. The bots stay dormant until commands are received from the C&C server. Because such a server is a single point of failure that defenders can disrupt, the author notes this approach is seldom used by attackers.
- Peer-to-Peer Network Approach: This is a decentralized system in which each bot can act as both a client and a command center. Each bot is connected to only a limited number of other bots, and P2P file sharing is used to distribute malware updates. Taken as a whole, these networks are harder to track and more difficult to mitigate.
The massive network of infected devices is then leveraged by attackers (directly or hired as a service) to fulfill their objectives.
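The dormant-until-commanded behaviour described above has a defensive consequence: a bot in a client-server botnet typically polls its C&C server on a fixed timer, and that regularity shows up in outbound connection logs. The following is an added example, not code from the original article, of a simple beaconing detector; the log lines, hostnames, IPs and thresholds are all constructed placeholders for the demonstration.

```python
# Added example (not from the original article): flag outbound flows whose
# connection intervals are nearly constant, a common sign of C&C polling.
# All log lines, addresses and thresholds below are constructed for the demo.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log: "timestamp src dst port". 203.0.113.7 is polled roughly
# every 10 minutes with small jitter; the other destinations are irregular.
CONSTRUCTED_LOG = """\
2024-01-10T08:00:00 10.0.0.5 203.0.113.7 443
2024-01-10T08:00:04 10.0.0.5 198.51.100.20 443
2024-01-10T08:10:03 10.0.0.5 203.0.113.7 443
2024-01-10T08:17:31 10.0.0.5 198.51.100.21 80
2024-01-10T08:19:58 10.0.0.5 203.0.113.7 443
2024-01-10T08:30:02 10.0.0.5 203.0.113.7 443
2024-01-10T08:40:00 10.0.0.5 203.0.113.7 443
2024-01-10T08:41:12 10.0.0.5 198.51.100.20 443
2024-01-10T08:50:00 10.0.0.5 203.0.113.7 443
"""

def parse_log(text):
    """Return {(src, dst, port): [timestamps]} from 'ts src dst port' lines."""
    flows = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(flows, min_conns=5, max_cv=0.1):
    """Flag flows whose inter-connection gaps have a low coefficient of
    variation (stdev / mean). A timer-driven bot gives cv near 0; human
    browsing produces irregular gaps. Thresholds are assumptions to tune."""
    hits = []
    for key, times in flows.items():
        if len(times) < min_conns:
            continue                       # too few samples to judge
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else float("inf")
        if cv <= max_cv:
            hits.append((key, round(avg), round(cv, 3)))
    return hits

if __name__ == "__main__":
    for key, period, cv in find_beacons(parse_log(CONSTRUCTED_LOG)):
        print(f"possible beacon {key}: every ~{period}s (cv={cv})")
```

On the constructed log only the 203.0.113.7 flow is flagged (period about 600 s); a real deployment would feed it proxy or NetFlow records and tune the thresholds to the environment's normal traffic.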
How to Disable an Existing Botnet?
- The command servers must be shut down to stop the zombie network. While this is easier with the traditional client-server approach, it is difficult to achieve in the more sophisticated P2P networks.
- In P2P networks, the malware must be identified and removed from the infected devices. The P2P communication protocol can also be replicated to disrupt the bot network.
- Individual devices may be reformatted or factory reset, restored from backups, or cleaned using other strategies from the manufacturer or system administrator to eliminate an infection.
Conclusion: How to Protect Devices from Becoming Part of a Botnet?
When devices are infected by malware and become part of a botnet, the impact can range from increased Internet bills to loss of confidential data. Additionally, the legal costs are high if one’s device is found to have taken part in a successful attack by the zombie network. It is important to ensure that devices are protected from becoming part of such a malicious network. Here are some ways:
- Creation of strong passwords
- Periodic wiping and restoring of the system
- Provision of third-party code execution permissions only to trusted, whitelisted entities
- Regularly updating and backing up devices
- Use of effective firewalls or WAFs to filter traffic and monitor activity, especially to prevent DDoS attacks
Pre-emptively, businesses can strengthen their security measures to reduce the risk of zombie networks attacking their networks and applications, with the help of managed DDoS service providers.