What is a Botnet Attack and How to Identify It?
By Kanishk Tagade
These days, organizations are becoming a desirable target for attackers just because their networks
are not properly patched and secured behind their firewall, leaving them easily vulnerable to various
direct and indirect attacks. In addition to these direct and indirect attacks against networks, the
number of victims is also steadily increasing. Examples of these indirect attacks include HTML exploit
vulnerabilities or the attacks using malware in Peer-to-Peer networks.
Networks with a broadband connection that are always-on are a valuable target for the attackers.
Due to the always -on connection, attackers take an advantage of it and use several automated
techniques to scan out their specific network ranges and easily find out vulnerable systems
with known weaknesses. Once these attackers have compromised a machine, they simply install
a bot (also called a zombie) on it to establish a communication medium between those machines.
After successful exploitation, a bot uses FTP, TFTP, HTTP or CSend to transfer itself to the
compromised host and forms a botnet. For the purpose of defining a botnet, it doesn't matter
how exactly these machines are controlled, as long as the control is performed by the same attacker.
The botnet is controlled by an attacker through a dedicated computer or group of computers
running a CnC server (Command and Control server). The attacker can perform certain tasks through
CnC by instructing these malware bots using commands. The CnC server typically performs a number
of functions, including but not limited to:
• Instructing the installed bots to execute or schedule a certain task;
• Updating the installed bots by replacing them with a new type of malware;
• Keeping track of the number of installed bots and distribution in an organization.
A typical size of a botnet is immense, they can consist of several million compromised
devices with capabilities to damage any size of the organization very easily. Distributed Denial
of Service (DDoS) attacks is one such threat. Even a relatively smaller botnet with only 500
bots can cause a great deal of damage. These 500 bots have a combined bandwidth (500 infected
devices with an average upstream of 128kbps can offer more than 50 mbps) that is probably higher
than an Internet connection of the most organizations.
There are many types of bots structured in a very modular way by the attackers. Some
of these widely spread and well-known bots include Agobot, Kaiten, Mirai, DSNX Bots, etc.
Uses of a botnet
A botnet can be used criminally for the many different motives. The most common uses
were political motivation or just for fun. These botnets are used for following possibilities:
1. To launch Distributed Denial-of-Service (DDoS) Attacks
2. Spamming
3. Sniffing the network traffic
4. Keylogging
5. Spreading new malware within the same network.
6. Data breach
Another use of botnets is to steal sensitive information or identity theft: Searching
thousand home PCs for password.txt, or to sniff into their network traffic. The above list
demonstrates that attackers can cause a great deal of harm with the help of botnets. Many of
these attacks pose severe threats and are hard to detect and prevent, especially the DDoS attacks.
Identifying the Botnet Traffic
There are a growing number of network security technologies designed to detect and mitigate
compromised network resources. This technology is designed by the expert security engineers
to identify the botnet traffic and restrict it effectively. Basically, there are two primary
methods for identifying botnet traffic:
1. Deep Packet Inspection (DPI): It is a packet filtering technique that examines the
data part of a packet and searches for viruses, spam, intrusions and decides whether the packet
may pass or if it needs to be dropped or routed to the different destination. There are multiple
headers for IP packets: IP header and TCP or UDP header.
2. DNS lookup: It is used to identify the DNS traffic of the communication service providers
(CSP) and their network configuration. Observing the DNS traffic gives a number of distinct
advantages, including providing the specific IP address of the device making the DNS lookup,
visibility of all raw and non-cached DNS requests and an ability to analyze the frequency of
botnet DNS lookups.
Conclusion
It is undeniable that the predicted rate of organized crime is growing and the organizations
are facing these challenges. With the number of botnet infections is increasing, it is important
that every organization should monitor their networks periodically, in the context of defending
against the bot attacks.
Protect your website against DDoS attacks. Sign up at at HaltDos
and Start a 30 Days Free Trial.
More Network Security Articles: • What's the Difference Between Sniffing, Snooping, and Spoofing? • How to Use the Open Source Intrusion Detection System SNORT • Nessus Network Vulnerability Scanner • Denial of Service Attack (DoS) Detection and Mitigation • Types of DoS (Denial of Service) Attacks • NMAP (Network Mapper) Port Scanner • Network Security Model - Defining an Enterprise Security Strategy • Domain Name System (DNS) Vulnerabilities • Design a Network Security Policy • How to Tell if Someone is Lurking on Your Wireless Network
|