A botnet has never been a particularly nice thing. Even going all the way back to 2000 when GTbot was causing rudimentary denial of service attacks, botnets were designed for one thing and one thing only: malicious activity.
While the aim of botnets hasn’t changed much in the last 17 years, what has changed is botnets’ capacity for nastiness. The last couple of years in particular have seen a rapid evolution in the size of botnets as well as the size of attacks they’re able to perpetrate thanks to a combination of attackers’ ingenuity and the new breed of less than secure internet connected devices.
A botnet is a network of internet connected devices that have been infected with malware, allowing an attacker to control them remotely without the permission or even awareness of the devices’ owners. The devices within a botnet are sometimes referred to as zombies, making botnets themselves zombie armies.
While botnets are also used in the mass distribution of spam, they’re primarily known as the instruments of a DDoS attack, which uses the large amount of traffic generated by a botnet to overwhelm the server or resources of a target website in order to push it offline or slow it down past the point of usability, denying its services to its legitimate users.
Throughout the history of botnets, they have primarily been made up of infected computers. However, as computer security has improved and the range of internet connected devices has broadened, the makeup of some of the most ‘impressive’ botnets has changed.
Attack Of The Things
With the advancement of technology has come a whole new wave of internet connected devices that present a major opportunity for botnet builders: the Internet of Things (IoT), all of those smart devices that boast internet or network connectivity. Thermostats, baby monitors, refrigerators, CCTV cameras, fitness trackers – these devices number in the billions, and security is generally lax from the manufacturer right down to the end user, making it easy for hundreds of thousands of devices to be hijacked for a single botnet.
IoT botnets are the latest DDoS trend to strike fear in the hearts of organisations and website owners around the globe, and for good reason. The IoT Mirai botnet has already become synonymous with major distributed denial of service destruction thanks to high profile attacks on security blogger Brian Krebs, French hosting provider OVH and DNS provider Dyn, an attack that resulted in major services and sites like Twitter, PayPal, Netflix and Spotify going down. These Mirai-powered attacks ranged in size from 620 Gbps to 1.2 Tbps.
As 2016 came to a close it became clear that Mirai isn’t the only mega botnet causing major trouble. Professional DDoS mitigation providers Imperva Incapsula found themselves staring down a 400 Gbps attack aimed at their network. When Incapsula was able to handle that 20-minute attempt with ease, the attacker came back with a second attempt that peaked at 650 Gbps and more than 150 million packets per second. This was also handled by Incapsula and the attacker ceased his or her efforts.
Though the attack attempts came from spoofed IPs so the botnet’s geolocation was untraceable, Incapsula was able to analyse the payload to uncover information about the botnet.
While IoT botnets loom large as a threat to website security, for a good chunk of 2016 the Mirai botnet stood alone as the major bad actor comprised of smart devices. Well the Mirai botnet is lonely no more. After analysing the payload of the botnet behind the 650 Gbps DDoS attack attempt, Incapsula determined it was an IoT botnet they have dubbed the Leet botnet thanks to the ‘1337’ signature left by the malware in the TCP options headers of some of the SYN packets.
The Mirai and Leet botnets are scary enough as botnets, but they’re even more frightening as harbingers of things to come, namely IoT botnets even bigger and badder than they are. And with the Mirai botnet already being offered as a DDoS for hire service, the potential targets of these humongous threats are scattered far and wide across the internet.
It’s necessary to note that while the Leet attack attempts were smacked down by Incapsula, a website lacking truly robust DDoS protection would not fare anywhere near as well and would most certainly be met with instant and lasting downtime, if not further damages. Brian Krebs, for instance, did have professional DDoS protection, but it wasn’t enough to counter the 620 Gbps attack aimed at his website. Not only is professional distributed denial of service attack protection absolutely essential for any website that needs to be concerned with providing uninterrupted service to its user base, but top of the line protection is required in the face of these rapidly evolving botnets.