Botnets: The big, the bad, and the ugly

Few security professionals can contemplate the possibility of an enormous botnet targeting their organisation with a DDoS attack without feeling a shiver running up their spines. Furthermore, the proliferation of poorly secured, permanently connected devices has enabled attackers to build botnets of unprecedented scale and complexity. These huge, highly complex botnets can then unleash precisely targeted attacks that leave no trail of footprints leading back to the people behind them. So who are the instigators of these botnets, and should we be afraid of what they have in store over the coming years?

Botnets: More accessible than ever

It’s fair to say that botnets have transformed the DDoS landscape. Once, attacks were the preserve of a small, technical elite who had enough coding skills to launch a strike. But now, DDoS-for-hire services (so-called booters or stressers, each fronting a botnet) have significantly lowered the barriers to entry. A quick Google search and a PayPal account make botnet capacity readily available for just a few dozen dollars, with no coding experience necessary. And they are becoming increasingly popular: DDoS-for-hire services are now estimated to be behind as many as 40 per cent of all network layer attacks.

But while the majority of purchasers are likely to be low-level attackers seeking to cause mischief and settle personal grievances, more powerful botnets-for-hire are also being utilised by state actors and organised crime syndicates. In recent years, DDoS attacks have been getting bigger and bigger. Our Security Operations Centre recorded a dramatic 25 per cent increase in very large attacks of more than 10Gbps among our customer base in the second half of last year. And in terms of individual attacks, the strike on the BBC in January was one of the biggest ever reported, at around 600Gbps, although that figure rests on the attackers’ own claim rather than an independent measurement.

While these attacks clearly cause significant damage, we believe that their primary purpose is often simply to demonstrate the attackers’ capabilities so that the capacity can be sold as a service in the future. The kind of gigantic attacks that make headlines aren’t cheap to rent, and would probably cost upwards of $150,000 (£105,000) to engage. As a result, they are only likely to be utilised by criminal or nation-state attackers who have access to a sophisticated infrastructure with money laundering capabilities.

Will 'breaking the Internet' become a reality?

Looking forward, there is really no limit to the potential size and scale of future botnet-driven DDoS attacks, particularly when they harness the full range of smart devices incorporated into our Internet of Things. Millions of poorly secured, well-connected devices such as baby video monitors and security cameras are currently accessible, and they can be used in two ways: as bots generating attack traffic directly, or as reflectors whose open services (DNS, NTP and SSDP are the usual culprits) return responses many times larger than the spoofed requests that trigger them. Combining the two, DDoS attacks are set to become even more colossal in scale. Terabit-class attacks may become increasingly common, and ‘breaking the Internet’, or at least clogging it in certain regions, could soon become a reality. The bottom line is that attacks of this size can take virtually any company offline, and they are a reality that anyone with an online presence must be prepared to defend against.

But it isn’t just the giant attacks that organisations need to worry about. Before botnets are mobilised, attackers need to make sure that their techniques are going to work. This is usually done through small, sub-saturating attacks, too small to fill the victim’s links, which most IT teams wouldn’t even recognise as a DDoS attack. Because of their size (the majority last less than five minutes and stay under 1Gbps), these short attacks typically evade detection by legacy out-of-band DDoS mitigation tools, which are generally configured with fixed volume thresholds that ignore this level of activity. This allows attackers to test which vectors get through and how the target’s defences respond, perfecting their methods under the radar and leaving security teams blindsided by the attacks that follow. If the same techniques are then deployed at full scale with a botnet, the results can be devastating.
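The detection gap described above, as an added example rather than anything from Corero’s products: a constructed stream of per-second ingress rates carries a three-minute burst at roughly 400Mbps on top of a 50Mbps baseline, which is exactly the kind of sub-saturating probe the paragraph describes. A legacy-style fixed 1Gbps threshold never fires on it; a detector that compares each sample against the median of recent non-anomalous traffic flags it within seconds. The traffic figures, the detector parameters and every function name are assumptions made for the illustration.

```python
"""Fixed thresholds versus baseline-relative detection of sub-saturating DDoS.

Added example, not Corero code. All rates, window sizes and names below are
assumptions chosen to illustrate the point; the samples are constructed.
"""
from statistics import median

MBPS = 1_000_000
GBPS = 1_000_000_000


def constructed_samples(baseline_bps=50 * MBPS, burst_bps=400 * MBPS,
                        burst_start=600, burst_len=180, total=1200):
    """Constructed per-second ingress rates (bits/s) for one interface:
    a quiet baseline with a 180-second, ~400 Mbps burst starting at t=600."""
    samples = []
    for t in range(total):
        # Deterministic jitter of -5..+5 Mbps so the baseline is not flat.
        jitter = ((t * 7919) % 11 - 5) * MBPS
        rate = baseline_bps + jitter
        if burst_start <= t < burst_start + burst_len:
            rate = burst_bps + jitter
        samples.append((t, rate))
    return samples


def fixed_threshold_alerts(samples, threshold_bps=1 * GBPS):
    """Legacy-style detector: alert only when one sample exceeds a fixed rate.
    Returns the list of seconds that crossed the threshold."""
    return [t for t, bps in samples if bps > threshold_bps]


def baseline_relative_alerts(samples, window=300, factor=4.0, min_duration=10):
    """Alert when the rate stays above `factor` times the rolling median of
    recent normal traffic for at least `min_duration` consecutive seconds.
    Returns (start_second, end_second, peak_bps) tuples."""
    alerts = []
    history = []          # only non-anomalous samples feed the baseline
    run_start, peak = None, 0
    for t, bps in samples:
        baseline = median(history[-window:]) if len(history) >= min_duration else None
        anomalous = baseline is not None and bps > factor * baseline
        if anomalous:
            if run_start is None:
                run_start, peak = t, bps
            peak = max(peak, bps)
            continue
        if run_start is not None and t - run_start >= min_duration:
            alerts.append((run_start, t - 1, peak))
        run_start = None
        # Learn only from traffic judged normal so an attack cannot raise
        # its own baseline and hide behind it.
        history.append(bps)
    if run_start is not None and samples[-1][0] - run_start + 1 >= min_duration:
        alerts.append((run_start, samples[-1][0], peak))
    return alerts


def compare_detectors(samples):
    """Run both detectors over the same samples and summarise the outcome."""
    return {
        "peak_bps": max(bps for _, bps in samples),
        "fixed_threshold_alerts": fixed_threshold_alerts(samples),
        "baseline_relative_alerts": baseline_relative_alerts(samples),
    }


if __name__ == "__main__":
    result = compare_detectors(constructed_samples())
    print(f"peak rate: {result['peak_bps'] / MBPS:.0f} Mbps")
    print("fixed 1 Gbps threshold alerts:", result["fixed_threshold_alerts"])
    print("baseline-relative alerts (start, end, peak_bps):",
          result["baseline_relative_alerts"])
```

The important design choice is that the baseline is built only from samples the detector has already judged normal; if the attack traffic were allowed into the median, a slow ramp would simply drag the baseline up with it. In practice the same comparison would be run per destination prefix, per protocol and per packet size class, since a probe that is invisible in the aggregate byte rate is often obvious in the packets-per-second figure for one port.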

Besides harnessing enormous power, botnets are also notoriously difficult to spot. Once deployed, they use sophisticated techniques to hide their tracks. Their command and control infrastructure can be automated or left on autopilot, bots can sleep for long periods, and operators can keep bandwidth available around the clock by waking bots in different regions at different times. They are a vast and complex maze, often operated by some of the brightest minds in cybercrime. But that is no reason for organisations to resign themselves to eventually being attacked.

So what are the most effective methods of defence?

Considering the characteristics of botnets (their scale, their automation and their geographic spread) it is virtually impossible for humans alone to defend against them successfully, since no one can be awake at all hours of the day and react faster than a machine does. It is also clear, given that botnets are launched and then disappear without leaving enough information for victims to trace their origins, that organisations need to defend themselves at the network edge, where they have the greatest possible visibility into what is arriving.

So to beat the big bad botnet, solutions need to be a) automated, b) always-on, and c) deployed in-line, so that traffic does not have to be redirected through a scrubbing centre, in order to keep services up and running in the event of an attack. The human members of the security team can then focus on spotting the data exfiltration and other malicious activity that often accompany an attack. This protection comes in various forms, whether from an upstream provider or on-premise, but it is readily available for those who need it. One caveat applies: an on-premise device can only filter what reaches it, so for attacks large enough to saturate the upstream link, provider-side or upstream mitigation is needed as well. With this sort of tooling in hand, IT teams will be able to identify and mitigate the most serious botnet-driven DDoS attacks on their networks.

Dave Larson, Corero Network Security

Image Credit: Gunnar Assmy / Shutterstock