The rise of the Botnet
Over the previous several years, the steady growth of IoT and connected devices has resulted in botnet attacks growing in number and becoming much more of a serious threat to networks.
Botnets are capable of being able to carry out many types of attack, including click fraud, bitcoin mining, malspam campaigns and Distributed Denial of Service (DDoS) to name a few.
Neustar's report for 2019 Q1 indicated that, from a survey of over 170 senior security experts representing small and large companies, the majority believed that DDoS is the top threat to their network.
DDoS is most efficient when it has a large botnet, capable of generating enormous amounts of traffic from numerous devices in order to flood its victim with malicious traffic and sustain a denial of service for a prolonged period of time.
So what is a botnet?
The term ‘botnet’ is derived from the words ‘robot’ and ‘network,’ which sums up nicely what it is – a network formed by systems, machines or robots.
The systems within this network are known as ‘bots,’ which are generally unaffected in their regular, day to day activity so that the user is unknowing that their system is part of the botnet. In this state the bot is considered dormant, awaiting instruction from its master or command and control server (C2).
This dormant state allows time for the botnet master to further their reach, with the intent of amassing as large a botnet as they possibly can, as the bigger it is, the more effective it is likely to be.
Botnets are traditionally controlled in one of four different structures; star, multi-server, hierarchical or random. Using the hierarchical structure as an example, a master control computer sits at the top sending instructions or commands down to its C2 servers, which in turn is then forwarded on to any devices connected to these servers (Fig 1).
Figure 1. Typical example of a hierarchical botnet structure.
The interconnectivity of the end devices and the C2 servers allows for redundancy within the botnet; should one of the C2 servers be identified and listed as a malicious IP address, or should the server go offline for any reason, the botnet is not destroyed/ compromised to a point in which it’s is ineffective.
The IoT has introduced more and more connected devices such as smart fridges, TVs, washing machines etc which can all potentially be incorporated within a botnet. In 2018 DoubleVerify, a digital media measurement software and analytics company identified a botnet that was specifically targeting smart TVs. The increase in connected devices therefore increases the potential size of botnets today and as we move towards 5G and even more connected devices, the scale of potential botnets of the future is hard to perceive.
However, whilst this all sounds like PC Armageddon, not all botnets are malicious. We have all heard about bad botnets and we continue to worry as to their capabilities and the potential impact they could have on an organisation, however most people have heard very little about good botnets.
So, let’s level the playing field for a change and talk about good bots.
A report from The Next Web states that internet traffic through 2018 was made up of 62.1% human traffic, 20.4% bad bots and 17.5% good bots. The good bots make up almost 1/5th of the overall internet traffic, surprising for something that receives little to no press.
So what is it that these ‘good’ bots do?
Good bots can be utilised for many different tasks including support for search engine optimisation, website monitoring, data aggregation and internet scraping.
For search engine optimisation, good bots essentially ‘crawl’ the internet, cataloguing and indexing webpages. These indexes can then be passed on to search engine tools such as Google, Bing etc allowing them to improve their services and therefore the user experience.
Good bots are also used to monitor websites for broken links, page loading times, down times and identifying technical issues.
These are much more commonly spring to mind when bots are discussed. With the increase in IoT over recent times and in the coming years, it is assessed that hackers and criminal organisations are likely to move away from traditional and laborious exploits and moving towards botnets, which according to Bitdefender Box is increasing.
In addition to Bitdefender Box, the 2019 Botnet Threat Report produced by Spamhaus also indicated that there has been a significant increase in domain names being registered purely for hosting a botnet C2, an increase of 100% against 2017. This has resulted in 103,503 domain names being registered solely for botnet C2 purposes.
This amount of domain names being registered demonstrates exactly why the EC Council consider the botnet to be the most prevalent type of attack facing individuals and businesses on the internet today.
Anything made for good can and will be exploited.
As Tyson J. Thomas recently stated at Black Hat 2019, “botnets need to be made non-viable for the bad guys, but they will always find a way to make money from this form of attack.”
Whilst cybercriminals continue to set up these elaborate and widespread botnets for financial gain, it is important that organisations remain vigilant against these types of attacks.
Network and endpoint security solutions exist in order to attempt to mitigate the rise of the bad bots, with threat intelligence communities actively identifying and sharing the known bad IPs in an effort to stop the spread and potential impact it can have on individuals and organisations alike.
However, it is also important to understand that good botnets exist and in an ecosystem such as the internet, the good bots should also be considered as aggressive botnet blacklisting could impede good bots, resulting in detrimental effects on the quality of user experience.