Check out all of our upcoming events


Latest cybersecurity news, insights and commentary by Telesoft engineers and specialists

The rise of the Botnet

Written by Robert Fitzsimons on Friday, 16 August 2019. Posted in Cyber

Over the previous several years, the steady growth of IoT and connected devices has resulted in botnet attacks growing in number and becoming much more of a serious threat to networks.

Botnets are capable of being able to carry out many types of attack, including click fraud, bitcoin mining, malspam campaigns and Distributed Denial of Service (DDoS) to name a few.

Neustar's report for 2019 Q1 indicated that, from a survey of over 170 senior security experts representing small and large companies, the majority believed that DDoS is the top threat to their network.

DDoS is most efficient when it has a large botnet, capable of generating enormous amounts of traffic from numerous devices in order to flood its victim with malicious traffic and sustain a denial of service for a prolonged period of time.

So what is a botnet?

The term ‘botnet’ is derived from the words ‘robot’ and ‘network,’ which sums up nicely what it is – a network formed by systems, machines or robots.

The systems within this network are known as ‘bots,’ which are generally unaffected in their regular, day to day activity so that the user is unknowing that their system is part of the botnet. In this state the bot is considered dormant, awaiting instruction from its master or command and control server (C2).

This dormant state allows time for the botnet master to further their reach, with the intent of amassing as large a botnet as they possibly can, as the bigger it is, the more effective it is likely to be.

Botnets are traditionally controlled in one of four different structures; star, multi-server, hierarchical or random. Using the hierarchical structure as an example, a master control computer sits at the top sending instructions or commands down to its C2 servers, which in turn is then forwarded on to any devices connected to these servers (Fig 1).



Figure 1. Typical example of a hierarchical botnet structure.

The interconnectivity of the end devices and the C2 servers allows for redundancy within the botnet; should one of the C2 servers be identified and listed as a malicious IP address, or should the server go offline for any reason, the botnet is not destroyed/ compromised to a point in which it’s is ineffective.

The IoT has introduced more and more connected devices such as smart fridges, TVs, washing machines etc which can all potentially be incorporated within a botnet. In 2018 DoubleVerify, a digital media measurement software and analytics company identified a botnet that was specifically targeting smart TVs. The increase in connected devices therefore increases the potential size of botnets today and as we move towards 5G and even more connected devices, the scale of potential botnets of the future is hard to perceive.

However, whilst this all sounds like PC Armageddon, not all botnets are malicious. We have all heard about bad botnets and we continue to worry as to their capabilities and the potential impact they could have on an organisation, however most people have heard very little about good botnets.

Good bots

So, let’s level the playing field for a change and talk about good bots.

A report from The Next Web states that internet traffic through 2018 was made up of 62.1% human traffic, 20.4% bad bots and 17.5% good bots. The good bots make up almost 1/5th of the overall internet traffic, surprising for something that receives little to no press.

So what is it that these ‘good’ bots do?

Good bots can be utilised for many different tasks including support for search engine optimisation, website monitoring, data aggregation and internet scraping.

For search engine optimisation, good bots essentially ‘crawl’ the internet, cataloguing and indexing webpages. These indexes can then be passed on to search engine tools such as Google, Bing etc allowing them to improve their services and therefore the user experience.

Good bots are also used to monitor websites for broken links, page loading times, down times and identifying technical issues.

Bad bots

These are much more commonly spring to mind when bots are discussed. With the increase in IoT over recent times and in the coming years, it is assessed that hackers and criminal organisations are likely to move away from traditional and laborious exploits and moving towards botnets, which according to Bitdefender Box is increasing.

In addition to Bitdefender Box, the 2019 Botnet Threat Report produced by Spamhaus also indicated that there has been a significant increase in domain names being registered purely for hosting a botnet C2, an increase of 100% against 2017. This has resulted in 103,503 domain names being registered solely for botnet C2 purposes.

This amount of domain names being registered demonstrates exactly why the EC Council consider the botnet to be the most prevalent type of attack facing individuals and businesses on the internet today.

Anything made for good can and will be exploited.

As Tyson J. Thomas recently stated at Black Hat 2019, “botnets need to be made non-viable for the bad guys, but they will always find a way to make money from this form of attack.”

Whilst cybercriminals continue to set up these elaborate and widespread botnets for financial gain, it is important that organisations remain vigilant against these types of attacks.

Network and endpoint security solutions exist in order to attempt to mitigate the rise of the bad bots, with threat intelligence communities actively identifying and sharing the known bad IPs in an effort to stop the spread and potential impact it can have on individuals and organisations alike.

However, it is also important to understand that good botnets exist and in an ecosystem such as the internet, the good bots should also be considered as aggressive botnet blacklisting could impede good bots, resulting in detrimental effects on the quality of user experience.

About the Author

Robert Fitzsimons

Robert Fitzsimons

Rob is a Field Applications Engineer with a background in Military Intelligence who recently completed his BSc (Hons) Intelligence and Cyber Security degree.

Leave a comment

You are commenting as guest.

Information cookies

Cookies are short reports that are sent and stored on the hard drive of the user's computer through your browser when it connects to a web. Cookies can be used to collect and store user data while connected to provide you the requested services and sometimes tend not to keep. Cookies can be themselves or others.

There are several types of cookies:

  • Technical cookies that facilitate user navigation and use of the various options or services offered by the web as identify the session, allow access to certain areas, facilitate orders, purchases, filling out forms, registration, security, facilitating functionalities (videos, social networks, etc..).
  • Customization cookies that allow users to access services according to their preferences (language, browser, configuration, etc..).
  • Analytical cookies which allow anonymous analysis of the behavior of web users and allow to measure user activity and develop navigation profiles in order to improve the websites.

So when you access our website, in compliance with Article 22 of Law 34/2002 of the Information Society Services, in the analytical cookies treatment, we have requested your consent to their use. All of this is to improve our services. We use Google Analytics to collect anonymous statistical information such as the number of visitors to our site. Cookies added by Google Analytics are governed by the privacy policies of Google Analytics. If you want you can disable cookies from Google Analytics.

However, please note that you can enable or disable cookies by following the instructions of your browser.