The Rise of Botnet and DDoS Attacks

Distributed Denial of Service (DDoS) attacks have become an ongoing threat for organisations. Using a variety of techniques, a wide range of threat actors, from lone hackers, criminal gangs and hacktivists to nation-states, use DDoS attacks to degrade or knock out target systems.

These targets can be small or large businesses, internet service providers, manufacturers, retailers, healthcare providers, education establishments, or other nation-states. Essentially, any entity with an online presence can become a DDoS target.

This article looks at how botnets are used in DDoS attacks, how those attacks work, and the most common mechanism for delivering them: collections of remotely controlled, compromised systems or devices.

What is a Botnet?

A botnet is a collection of internet-connected devices (bots) that have been compromised and placed under an attacker's remote control. The bots can include computers, smartphones, virtual machines, and a wide range of Internet of Things (IoT) devices such as IP cameras, smart TVs, routers, and even children's toys, i.e., anything with an internet connection. IoT vulnerabilities and misconfigurations are especially common in the consumer market, which makes IoT botnets, which can comprise millions of hijacked devices, very easy for attackers to build.

Despite repeated warnings about IoT vulnerabilities and well-understood fixes, basic defences such as requiring strong passwords and disabling default logins are still ignored. Vendors fail to ship updates for known security problems, and when updates are provided, device owners fail to apply them. Together these failings keep a large pool of exploitable devices permanently available to botnet operators.

Hijacking devices for a botnet starts with finding devices whose vulnerabilities (or exposed default credentials) allow them to be infected with "botware". Infecting the devices, however, is only the first step.

There is some confusion about what constitutes a botnet. While the most visible part of a botnet is the collection of devices it includes, the defining component is a command and control (C&C, also written C2) system that decides what the network of bots does. Each compromised device uses the newly installed botware to check in with the C&C system; together those devices form the network of bots, which then act on commands sent by a "botmaster" or "botherder".
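The check-in behaviour described above is also what gives a botnet away on the defender's side: bots contact their C&C on a timer, so their outbound connections are far more regular than human-driven traffic. The following is an added example, written for this article and not code from A10 Networks or any botnet, that scores (source, destination, port) flows by the regularity of their inter-arrival times. The log lines and their comma-separated layout (epoch seconds, source IP, destination IP, destination port) are constructed for the example and do not correspond to any real product's format.

```python
"""Added example: spotting botnet C&C beaconing in outbound connection logs.

For every (source, destination, port) flow with enough connections, compute the
coefficient of variation (stddev / mean) of the gaps between consecutive
connections. Timer-driven beacons sit near 0; human browsing is bursty and sits
well above 1. The log below is constructed for this example.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log (assumed layout): epoch seconds, src IP, dst IP, dst port.
# 10.0.0.5 checks in with 203.0.113.10 roughly every 60 s; 10.0.0.9 browses irregularly.
SAMPLE_LOG = """\
1700000000,10.0.0.5,203.0.113.10,443
1700000061,10.0.0.5,203.0.113.10,443
1700000119,10.0.0.5,203.0.113.10,443
1700000180,10.0.0.5,203.0.113.10,443
1700000241,10.0.0.5,203.0.113.10,443
1700000299,10.0.0.5,203.0.113.10,443
1700000360,10.0.0.5,203.0.113.10,443
1700000007,10.0.0.9,198.51.100.20,443
1700000015,10.0.0.9,198.51.100.20,443
1700000140,10.0.0.9,198.51.100.20,443
1700000142,10.0.0.9,198.51.100.20,443
1700000330,10.0.0.9,198.51.100.20,443
1700000331,10.0.0.9,198.51.100.20,443
1700000020,10.0.0.9,203.0.113.10,443
"""


def parse_log(text):
    """Group connection timestamps by (src, dst, dport)."""
    flows = defaultdict(list)
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, dst, dport = line.split(",")
        flows[(src, dst, int(dport))].append(int(ts))
    return flows


def find_beacons(flows, min_connections=5, max_cv=0.15):
    """Return flows whose connection timing is regular enough to look like beaconing.

    min_connections avoids scoring flows with too few samples; max_cv is the
    regularity threshold (lower = stricter). Both are tuning knobs, not magic numbers.
    """
    hits = []
    for (src, dst, dport), times in flows.items():
        if len(times) < min_connections:
            continue
        times = sorted(times)
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg == 0:
            continue  # duplicate timestamps; nothing to measure
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            hits.append({"src": src, "dst": dst, "dport": dport,
                         "count": len(times), "interval_s": round(avg, 1),
                         "cv": round(cv, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {hit['src']} -> {hit['dst']}:{hit['dport']} "
              f"every ~{hit['interval_s']}s over {hit['count']} connections (cv={hit['cv']})")
```

On the constructed log only the 10.0.0.5 flow is flagged (about every 60 s, cv around 0.02); the browsing host's gaps vary by two orders of magnitude and score well above the threshold. Treat a hit as a triage lead rather than a verdict: legitimate agents (time sync, update checkers, monitoring) also beacon, so baseline known-good destinations before alerting, and expect real botware to add jitter, which is why the threshold is a parameter.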

What Do Botnets Do?

Botnets are used for four main purposes, and a botnet can generally be switched, as a whole or in part, between any of them.

1. Spam and Phishing

Bots let spammers avoid having their own IP addresses blacklisted, and even when individual bots are blacklisted, the operator simply rotates to thousands of other bots with still-clean addresses. Botnet spam is also the usual delivery channel for phishing, a common route to identity theft. The bots generate huge volumes of email inviting recipients to visit promotional websites, sites impersonating banks and other financial institutions, and fake competitions, where the scammers harvest personal information such as bank account details, credit card data and website logins.

2. Pay-per-Click Fraud

To increase website advertising revenues, botnets are used to hijack the pay-per-click advertising model by faking user interaction. Because of the distributed nature of the click sources, it’s hard for advertising networks to identify click fraud.

3. Cryptomining

A botnet is also a convenient platform for crypto-mining. By running mining software on tens of thousands of bots, the operator steals computing power from the device owners and earns revenue without the usual cost of mining, chiefly electricity, which the victims pay. Individual IoT devices have little computing power, so the scheme only pays at scale, which is exactly what a botnet provides.

4. DDoS Attacks-as-a-Service

DDoS attacks are easily launched from botnets, and, as with botnet-generated spam, the distributed nature of the sources makes it difficult for organisations to filter out the attack traffic, since no single address sends enough to stand out. Botnets can deliver volumetric, protocol and application-layer DDoS attacks, and can launch several attack types simultaneously.
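To make the filtering problem concrete, here is an added simulation written for this article; it is not A10 Networks code or a product configuration. A per-source token-bucket rate limiter, a common first line of defence, is fed the same total load in two shapes: one attacker at 1,000 requests per second from a single IP, and 200 bots at 5 requests per second each. The request streams, the RFC 5737 documentation addresses and the limits (10 requests/second sustained, burst of 20 per IP) are constructed assumptions.

```python
"""Added example: per-source rate limiting against a single flooder vs. a botnet.

The limiter keys one token bucket on each source IP. A single source sending far
above the limit is throttled to the limit; a botnet whose members each stay
below the per-IP limit passes untouched even though the aggregate load is identical.
All traffic here is synthetic.
"""
from collections import defaultdict
import ipaddress


class TokenBucket:
    """Classic token bucket: `rate` tokens/second refill, capacity `burst`."""

    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


class PerSourceLimiter:
    """One bucket per source IP (the shape of a typical per-client limit)."""

    def __init__(self, rate=10, burst=20):
        self.buckets = defaultdict(lambda: TokenBucket(rate, burst))

    def filter(self, requests):
        """requests: iterable of (time_seconds, src_ip). Returns (allowed, blocked)."""
        allowed = blocked = 0
        for now, src in sorted(requests):
            if self.buckets[src].allow(now):
                allowed += 1
            else:
                blocked += 1
        return allowed, blocked


def single_source_flood(rps, seconds, src="198.51.100.7"):
    """One IP sending `rps` evenly spaced requests per second (constructed traffic)."""
    return [(i / rps, src) for i in range(rps * seconds)]


def botnet_flood(n_bots, rps_per_bot, seconds, net="203.0.113.0/24"):
    """`n_bots` distinct IPs each sending `rps_per_bot` requests/second, starts staggered."""
    hosts = list(ipaddress.ip_network(net).hosts())[:n_bots]
    reqs = []
    for k, host in enumerate(hosts):
        for i in range(rps_per_bot * seconds):
            reqs.append((i / rps_per_bot + k / (n_bots * rps_per_bot), str(host)))
    return reqs


def compare(seconds=10):
    """Same total load (1,000 req/s) delivered two ways; returns (allowed, blocked) for each."""
    single = PerSourceLimiter().filter(single_source_flood(1000, seconds))
    botnet = PerSourceLimiter().filter(botnet_flood(200, 5, seconds))
    return {"single_source": single, "botnet": botnet}


if __name__ == "__main__":
    for name, (ok, dropped) in compare().items():
        print(f"{name:14s} allowed={ok:5d} blocked={dropped:5d}")
```

With these settings the single flooder gets roughly 120 of its 10,000 requests through (the 20-request burst plus 10 per second), while every one of the botnet's 10,000 requests is accepted because no bot ever exceeds its own bucket. That asymmetry is why botnet DDoS traffic has to be met with aggregate and behavioural limits, surplus upstream capacity, and dedicated mitigation rather than per-IP blocklists alone; the per-IP limiter stays useful, but only against the unsophisticated case.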

A relatively new criminal business is DDoS-as-a-Service. On certain websites on both the Dark Web and the open web, individuals can buy DDoS attacks for as little as £5 per hour, with the price scaling with the attack's size and duration.

Botnet Command and Control

Early botnets relied on a single C&C server, typically reached over IRC or HTTP, which gave defenders one point to seize or sinkhole. Newer botnet command and control is increasingly based on peer-to-peer (P2P) connections. In this model, compromised devices discover each other by scanning IP address ranges for specific ports and protocol signatures, then exchange lists of known peers and pending commands with any botnet members they find. This highly distributed mesh is more complicated to build, but also much harder to disrupt, because there is no single server whose removal silences the botnet.
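The resilience claim can be quantified with a toy model. The following is an added example written for this article, not A10 Networks code or a real botnet protocol: two botnets of the same size are built as graphs, one where every bot talks only to a single C&C server and one where each bot holds a short peer list exchanged bot-to-bot as described above. A command is then injected and the number of bots it reaches is counted before and after a takedown. Node counts, peer-list size, the random seed and the size of the takedown are all constructed assumptions.

```python
"""Added example: centralised vs. peer-to-peer C&C under takedown.

Centralised: node 0 is the C&C server, bots 1..n connect only to it.
P2P: each bot learns `peers_per_bot` random peers; because a contacted bot adds
the contacting peer to its own list, links are bidirectional.
Commands propagate along links, so "bots reached" is a breadth-first traversal
from the point where the botmaster injects the command.
"""
import random
from collections import deque


def build_centralised(n_bots):
    """Star topology: every bot has exactly one link, to the C&C server (node 0)."""
    adj = {0: set(range(1, n_bots + 1))}
    for b in range(1, n_bots + 1):
        adj[b] = {0}
    return adj


def build_p2p(n_bots, peers_per_bot, seed=1):
    """Mesh topology from per-bot peer lists (constructed with a fixed seed)."""
    rng = random.Random(seed)
    nodes = list(range(1, n_bots + 1))
    adj = {b: set() for b in nodes}
    for b in nodes:
        for p in rng.sample([x for x in nodes if x != b], peers_per_bot):
            adj[b].add(p)
            adj[p].add(b)
    return adj


def reachable_bots(adj, entry, removed):
    """Bots a command injected at `entry` reaches once the nodes in `removed` are gone."""
    if entry in removed or entry not in adj:
        return set()
    seen, queue = {entry}, deque([entry])
    while queue:
        node = queue.popleft()
        for nxt in adj[node]:
            if nxt not in removed and nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return {n for n in seen if n != 0}  # the C&C server itself is not a bot


def takedown_comparison(n_bots=1000, peers_per_bot=4, n_removed=100, seed=1):
    """Bots still reachable in each topology, before and after a takedown."""
    rng = random.Random(seed)
    central = build_centralised(n_bots)
    p2p = build_p2p(n_bots, peers_per_bot, seed)
    # Centralised: defenders seize the single C&C server (node 0) and nothing else.
    # P2P: there is no server to seize, so defenders clean n_removed random bots,
    # and the botmaster injects the command through any surviving bot.
    removed = set(rng.sample(range(1, n_bots + 1), n_removed))
    entry = next(b for b in range(1, n_bots + 1) if b not in removed)
    return {
        "centralised_before": len(reachable_bots(central, 0, set())),
        "centralised_after_c2_seized": len(reachable_bots(central, 0, {0})),
        "p2p_before": len(reachable_bots(p2p, 1, set())),
        "p2p_after_bots_cleaned": len(reachable_bots(p2p, entry, removed)),
    }


if __name__ == "__main__":
    for k, v in takedown_comparison().items():
        print(f"{k:28s} {v}")
```

Seizing the one C&C server drops the centralised botnet from 1,000 reachable bots to zero. Cleaning 100 random bots out of the P2P mesh removes only those bots: with four peers each, the remaining roughly 900 stay connected and keep receiving commands. The model ignores NAT, churn and authenticated command signing, but it shows why P2P botnet takedowns have had to target the protocol itself (poisoning peer lists, sinkholing) rather than a single address.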

The Future of Botnet and DDoS Attacks and How to Respond

Botnets are here to stay. Given the exponential growth in poorly secured IoT devices that can be co-opted into a botnet, botnet attacks have become endemic. They are launched for financial gain through extortion, to make a point or change behaviour, or, in the case of nation-state actors, as an espionage or cyber warfare tactic.

As a cyber warfare tool, botnet-driven DDoS attacks have been observed in the Russia-Ukraine conflict.

All IT teams should prepare for botnet-driven DDoS attacks by following these steps:

  1. First, realise that no online property or service is too big or too small to be attacked.
  2. Secondly, plan for increased bandwidth, ideally provisioned on demand. The ability to scale up an internet connection makes it harder for a botnet-driven DDoS attack to saturate the link and cut the organisation off from the internet. The same elastic provisioning argument favours cloud services over reliance on a single on-premises data centre.
  3. Thirdly, consider using or expanding a content delivery network (CDN) to increase client-facing delivery capacity and absorb traffic close to its source. Using more than one CDN further increases resilience to DDoS attacks.
  4. Finally, harden everything. Strategically deploying hardware and software DDoS mitigation throughout the infrastructure is key to reducing the impact of an attack, and basic hygiene on the organisation's own devices (changing default credentials, applying firmware updates) keeps them from being recruited into someone else's botnet.

A10 Networks (NYSE: ATEN) provides Reliable Security Always™, with a range of high-performance application networking solutions that help organisations ensure that their data center applications and networks remain highly available, accelerated and secure. Founded in 2004, A10 Networks is based in San Jose, Calif., and serves customers globally with offices worldwide.
