What is a DDoS Botnet?

A new DDoS botnet called Meris is spreading across the internet. Used to orchestrate extortion campaigns against ISPs and financial services entities across the US, UK, Russia, New Zealand, and elsewhere, Meris is the latest DDoS botnet plaguing businesses. Meris is a 250,000-strong network of infected IoT devices that has been behind some of the largest botnet DDoS attacks of 2021.

This DDoS bot broke the record twice in 2021 for the largest volumetric attacks ever, reaching an RPS (Request Per Second) rate of 17.2 million and 21.8 million.

Not sure what DDoS botnets are or how to prevent them? Read on to find out.

What is a DDoS Botnet?

Botnets are groups of internet-connected devices that have been infected with malware and hijacked by threat actors to do their bidding. The malware enables the threat actor to control the device from a remote location without the knowledge of the rightful owner of the device.

Botnets are leveraged by threat actors for multiple malicious purposes such as launching DDoS attacks, spreading malware, stealing data, hacktivism, state-sponsored outages, ransomware, click fraud, spamming, and so on. Among these, botnets that are used for DDoS attacks are referred to as DDoS botnets.

DDoS botnet malware is not always visible, and it does not always have a direct or immediate impact on the device. In some cases the malware hijacks or takes over the device immediately, while in other cases it runs in the background, silently executing the attacker’s instructions until it is called upon.

DDoS Attacks Led by Botnets

DDoS (Distributed Denial-of-Service) attacks are cyber-attacks wherein the threat actor seeks to make websites, web applications, networks, or infrastructure unavailable to legitimate users by saturating the service and causing downtime or crashes. DDoS attacks are of two kinds:

  1. Application-layer attacks, measured in Requests Per Second (RPS), where seemingly legitimate requests overwhelm the target.
  2. Network-layer attacks, measured in Gbps (gigabits per second) or PPS (Packets Per Second), wherein the target’s inbound bandwidth is consumed until the network saturates.

DDoS attacks can be orchestrated either by individuals engaging in coordinated activities or through botnets. The latter is known as a botnet DDoS attack.
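Because application-layer floods are measured in RPS, the first defensive signal is usually a request-rate profile built from the web server's own access log. The following Python script is an added example, not code from the original article or from Indusface; it parses constructed Common Log Format lines (addresses from the RFC 5737 documentation ranges), counts requests per second in total and per source, and applies two illustrative thresholds (`per_ip_rps` and `aggregate_rps` are made-up numbers, not tuned values). It also shows the failure mode a distributed botnet creates: many sources each below the per-IP limit, so only the site-wide baseline trips.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: client IP, identity, user, [timestamp], "request", status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "req": m.group("req"), "status": int(m.group("status"))}


def rps_profile(lines):
    """Count requests per wall-clock second, in total and per source IP."""
    total = Counter()
    by_ip = defaultdict(Counter)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip unparseable lines rather than crash the detector
        second = int(rec["ts"].timestamp())
        total[second] += 1
        by_ip[rec["ip"]][second] += 1
    return total, by_ip


def flag_flood(lines, per_ip_rps=5, aggregate_rps=20):
    """Apply two thresholds: a per-source RPS limit and a site-wide RPS baseline.

    per_ip_rps and aggregate_rps are illustrative (assumed) values, not tuned ones.
    """
    total, by_ip = rps_profile(lines)
    peak = max(total.values(), default=0)
    noisy = sorted(ip for ip, counts in by_ip.items() if max(counts.values()) > per_ip_rps)
    return {
        "peak_rps": peak,
        "aggregate_alert": peak > aggregate_rps,
        "noisy_sources": noisy,
    }


def _line(ip, second, path):
    # Constructed log line; 'second' must be a single digit for this fixed timestamp.
    return f'{ip} - - [10/Sep/2021:10:00:0{second} +0000] "GET {path} HTTP/1.1" 200 512'


def build_sample(bot_ips, bot_rps, bot_second=1):
    """Two legitimate clients at 1 RPS for 3 s, plus bot_ips each sending bot_rps in one second."""
    lines = [_line(ip, s, "/index.html") for s in range(3) for ip in ("198.51.100.7", "198.51.100.8")]
    lines += [_line(ip, bot_second, "/login") for ip in bot_ips for _ in range(bot_rps)]
    lines.append("this line is not an access-log entry")  # constructed noise
    return lines


# Scenario A: three loud sources at 8 RPS each; both thresholds trip.
LOUD_BOTS = build_sample(["203.0.113.10", "203.0.113.11", "203.0.113.12"], bot_rps=8)
# Scenario B: fifteen sources at 2 RPS each; per-IP threshold stays silent, aggregate trips.
DISTRIBUTED_BOTS = build_sample([f"203.0.113.{n}" for n in range(20, 35)], bot_rps=2)

if __name__ == "__main__":
    for name, sample in (("loud", LOUD_BOTS), ("distributed", DISTRIBUTED_BOTS)):
        print(name, flag_flood(sample))
```

In scenario A the three sources are each above the per-IP limit and the peak of 26 RPS also exceeds the site-wide baseline, so both signals fire. In scenario B every bot stays at 2 RPS, under the per-IP limit, yet the peak reaches 32 RPS; only the aggregate baseline catches it, which is why per-source rate limiting alone is a weak defence against a distributed botnet. Network-layer floods (PPS, Gbps) cannot be seen in an access log at all; they need flow or packet-level telemetry upstream of the application.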

How Do Botnet DDoS Attacks Work?

  • The person controlling the DDoS botnet is known as the bot herder or botmaster.
  • The botmaster leverages intermediate machines known as the C&C servers to remotely control the bots.
  • Botmasters communicate with their C&C servers over anything from plain HTTP websites and IRC to popular services such as Reddit, Twitter, and Facebook.
  • Botnet servers can communicate with other botnet servers to create a Peer-to-Peer botnet.
  • This P2P network could be controlled by one or multiple botmasters, so a botnet DDoS attack could originate from, or be controlled by, several people.
  • Sophisticated Botnet DDoS tools and Botnet Services are readily available in the market for hire for as low as USD 5. It becomes easy and cheap to orchestrate DDoS attacks for vandalism, competitive gains, extortion, or any other malicious purpose.

Known DDoS Botnets

  • Mirai: A self-propagating botnet malware that takes over poorly protected internet-connected devices. It is capable of infecting tens of thousands of devices and coordinating them to overwhelm a chosen target. The Meris DDoS botnet is an augmented and refined version of Mirai.
  • Nitol / IMDDOS / Avzhan / ChinaZ: This evolving and widely used DDoS botnet malware connects through a TCP socket to the Command and Control (C&C) server upon installation to send performance information from the infected device.
  • Cyclone: Created in the US, this IRC-based DDoS malware kills other bots present in the infected host apart from stealing FTP credentials. It is used to orchestrate HTTP floods, Slowloris attacks, and Apache Memory Exhaustion (ARME) attacks.
  • Mr. Black: Also referred to as Trojan.Linux.Spike, Mr. Black mainly targets Linux platforms. It sends system information to the remote C&C server and executes the control commands it receives to orchestrate different types of botnet DDoS attacks on the target.
  • Cutwail/ Pushdo: Though typically used for email spamming, this botnet was altered in 2010 to orchestrate DDoS attacks against major websites like PayPal, Twitter, CIA, FBI, and 300+ others. It pushes Trojan components onto targeted devices running the Windows OS.

Botnet DDoS Attack Prevention and Protection with Indusface AppTrana

Like any cyber-attack, botnet DDoS attacks are costly and must be prevented proactively. With the help of intelligent and comprehensive cloud-based botnet DDoS protection services like Indusface, you can effectively prevent DDoS botnet attacks without having to install any hardware or software. This next-gen solution is capable of nuanced intrusion detection, traffic monitoring and filtering, and instant bot blocking based on global threat intelligence, real-time insights, and security analytics.

Being a managed botnet DDoS protection service, Indusface ensures that the solution is highly tailored to the unique needs of the organization. AppTrana WAF rules are built with surgical accuracy to prevent a wide range of DDoS botnets and other attacks by default. With Indusface DDoS protection, you can rest assured that your website/ application/ service is always available to your legitimate users.