What is a Botnet Attack & How To Prevent Them

If you’ve paid any attention to information security news over the past decade or so, you’ve probably heard of botnets. Botnets are networks of hijacked internet-connected devices that work together to accomplish an attacker’s goals, with larger botnets consisting of tens of millions of compromised devices. Botnets can be used to accomplish anything a human attacker can accomplish, only on a scale that would be impossible for a single human alone to accomplish.

From the viewpoint of the victim, the outcome of a botnet attack is rarely different than if they had been more directly attacked by a human attacker. One of the only signs that a botnet was involved at all is often the sheer number of different devices on the internet participating in the attack. “Accuracy by volume” is typically the name of the game with botnets, and so they are deployed by attackers where subtlety is not a prerequisite for success.

What is a Botnet Attack?

A botnet attack can be virtually any kind of attack that a human opponent could perform. Ultimately, bots do what humans tell them to, so if a human attacker can codify their attack into a script, there’s a botnet somewhere that will perform said attack. Not all botnets are created equally, however, and some botnets are restricted in the kinds of attacks they can perform based upon the types of devices that participate in the botnet, and/or the method of compromise.

If an attacker manages to compromise a bunch of web servers then chances are good that these servers are running a general-purpose Operating System (OS) such as Linux, Windows, or BSD. Servers tend to have significant computer resources, and thus can be used for complicated tasks. Other devices – for example, internet-connected thermostats – may have highly restricted OSes, as well as limited resources, making them poor choices for certain use cases.

Some botnets are far more dangerous. Truly dangerous botnets typically involve compromising devices that form the underlying infrastructure of the internet itself. These botnets can alter data flows on a national or even international scale, potentially allowing for anything from the bulk interception of web traffic to cutting off internet access to specific groups of people.

Types of Botnet Attacks

The nature of botnets as being very specifically about attack amplification, means that in the real world, botnets tend to be used for the same limited set of attacks on a regular basis.

Distributed Denial-of-Service (DDoS) attacks are the classic botnet attack. In a botnet DDoS attack an attacker compromises as many devices as possible, then sends them after a victim like a swarm of angry digital bees. The bots bombard the victim with internet traffic with the ultimate goal of making whatever service the victim is providing – a website, a SIP phone service, or what-have-you – cease providing that service.

DDoSes can be visualized as very similar to a large protest: if you get 100,000 humans to pack a street, that street can no longer be used for things other than holding 100,000 humans. With a botnet, however, its 100,000 compromised internet-connected widgets taking up all the space, and they do it at the direction of one human. In one botnet attack example, Github in 2018 was attacked by the largest DDoS up to that date, and was knocked offline for fewer than 10 minutes.

It’s worth noting that while DDoSes are one of the most common uses of botnets, they’re often more annoying than damaging.

Brute Force Attacks follow a similar theme to DDoS attacks. Let’s say that you code a website such that there are no logon attempt timeouts. You can just keep trying to log on, over and over, and you won’t get locked out. This is the perfect use case for a botnet: thousands or millions of devices try one password after another until they figure out which one works, then pass that information back to the human in charge.

Spam and phishing attacks have to come from somewhere, and botnets are typically the “where”. If all spam came from a single server it would be really easy to block, so spammers make use of botnets in order to send spam from as many places as possible, making it difficult to isolate and block.

Scraping and data breaches are a type of botnet attack that operates in reverse compared to most uses of a botnet. Where most botnet attack types basically flood a victim with data, scraping attacks use botnets to remove as much information from a target as fast as possible. Scraping may be used to copy publicly available information, but where it is used in combination with a botnet it is usually because someone found something that shouldn’t be publicly available, and they’re using the botnet to copy all the data before the owner of that data gets wise.

Distributed Processing botnets are used like a giant supercomputer to do something. This could be anything from large-scale image manipulation to mining cryptocurrency. These botnets do not directly attack victims with internet traffic, but can run up the bills for the individuals or organizations that own the compromised devices that make up the botnet.

Distributed Hosting botnets are used like a large, distributed website that’s nearly impossible to take down. These botnets often host data that law enforcement agencies are actively attempting to remove from the internet.

Social attacks are also possible using bots. What is a social bot attack? Think about the spread of vaccine disinformation through social media: much of this was done simply by using botnets to sign up for thousands of accounts, and then having those bots spread disinformation, like one another’s posts, and otherwise amplify the disinformation message.

How Does a Botnet Attack Work?

To make a botnet, an attacker compromises multiple internet-connected devices and somehow gets those devices to do what they want. If this sounds really vague, that’s somewhat intentional. There are almost as many different ways to compromise a device as there are devices, and how you compromise a device determines how you get it to do what you want it to do.

The “classic” botnet involves breaking into a device – often an Internet of Things (IoT) device like a CCTV camera – and then installing some sort of agent software on it. The agent software will check for commands from a central location, and then execute those commands. In this type of botnet, anything that an attacker can compromise and get an agent on can be part of the botnet, but this is far from the only way to build a botnet.

Some botnets don’t actually require “compromising” a device in the sense of “logging into the device and installing something so that you can control it”. Some devices are simply so poorly designed that all that is needed is to send the device a specific web request, and it will perform one or more useful functions for an attacker without any further intervention. Regardless of how the botnet is built, the attacker’s goal is always to use the sheer scale of the botnet to accomplish one or more tasks.

Botnets are valuable enough that their creation and use have become part of a differentiated economy. Some malicious actors spend their days identifying new vulnerabilities in software and devices. Bot Herders apply this knowledge to actually compromise devices and build out networks of bots. Access brokers sell time on these botnets, while “retail attackers” rent time on botnets to accomplish their goals.

For botnets to work all the bots have to receive instructions. Whatever is being used to distribute these instructions is referred to as the Command and Control (C2) infrastructure. The typical way to take down a botnet is to disable the C2 infrastructure, making C2 infrastructure a significant point of evolution for botnets.

C2 infrastructure ranges from the extremely simple centralized options (like a website or IRC server) to complicated and distributed Peer to Peer (P2P) C2 setups that are much more difficult to eliminate. In some cases, a distributed hosting botnet will serve as the C2 infrastructure for one or more other botnets.

How to Prevent Botnet Attacks

The best defense against botnets is a good overall information security posture. Botnets are an amplification attack: they amplify some other underlying attack. But that attack can effectively be any kind of cyberattack, meaning that if you want to prevent a bot attack you need to defend yourself against everything else.

Thinking about how botnets work can help focus defenses somewhat. The majority of botnet attacks are going to manifest themselves as either some sort of high-volume attack originating from the internet, or as spam. Spam is its whole own thing, and if you are reading this article looking for advice on botnets, you emphatically should not be running your own e-mail servers.

E-mail is an interesting example of exactly how the industry has responded to botnets. Partly in an attempt to deal with the increasingly difficult issue of spam, e-mail provisioning has gone through a massive consolidation in the past few years, with a handful of large e-mail providers taking the majority of the market.

While one could debate the implications of e-mail market consolidation for some time, the end result is that the large e-mail providers’ anti-spam efforts make it increasingly difficult for independently-operated email servers to successfully send even legitimate e-mail to these services, so most organizations are just moving to them as e-mail providers.

The end result is that e-mail providers are able to take something of a “white list” approach: e-mail from providers known to obey all the newest protocols, and who have robust internal anti-spam systems are rated higher than e-mail from some random system that is probably part of a botnet. E-mail going from Gmail to Microsoft 365 will probably end up in your inbox. E-mail from some compromised printer most likely will not.

After Spam, the clearest botnet-related defense is anti-DDoS defenses. Anti-DDoS defenses come in two flavours: those provided by content distribution networks (which make sure that your website is available at all times), and “other”. The “other” in this discussion being a sophisticated (and expensive) information security service provided by a dedicated anti-DDoS vendor that usually requires the cooperation of your Internet Service Provider (ISP).

Beyond the clear anti-spam and anti-DDoS protections, however, general information security best practices are the only real anti-botnet defenses anyone has:

• Make sure all software and devices are updated, especially if they connect to the internet.
• Obey the principle of least privilege when designing and assigning access to systems.
• Continuously monitor both individual endpoints and network traffic.
• Regularly revise cybersecurity training to incorporate information about new threats.
• Test your information security defenses in partnership with third-party experts.
• Run regular security audits.

Conclusion

Botnets amplify cybersecurity attacks allowing threat actors to operate at scales otherwise unachievable by individual attackers. Because they are so versatile, botnets can reproduce nearly any attack, meaning that good overall security hygiene is your best defence.

Emsisoft Anti-Malware provides multiple layers of protection as part of our award-winning endpoint security solution. Click here to try now!