Distributed Denial of Service (DDoS) attacks represent one of the most public forms of cyberattack; impossible for your customers and end-users to miss, a DDoS attack can bring your operations down in a heartbeat. The reach of a DDoS attack tracks the number of low-security, easily infected devices connected to networks around the globe. The rapid increase in remote work, greatly accelerated by the pandemic, has facilitated a rise in botnet size and complexity. In an age where application availability is so crucial to SLAs and customer satisfaction, DDoS mitigation is now essential.
How the Botnet Came to Be
The power of a DDoS attack depends on its underlying botnet. The botnet is a large number of devices that have been partially hijacked by the attacker. It’s very common for the owners of these devices to have no idea their device is even infected; all the attacker requires is a relatively small amount of processing power from each infected bot. The original recruiter for a botnet is often referred to as a botmaster, or herder. This individual controls the overarching command and control server, through which they communicate with the infected devices. It’s rare, however, for a single individual to focus on sourcing an entire botnet. Instead, malware is written with automatic recruitment in mind: by sniffing out vulnerable endpoints across the internet, botnet malware is capable of spreading rapidly, without direct manual support. This means that the targeting patterns of botnet malware are essentially random: specific individuals or organizations are not targeted, and the next wave of botnet infections is not isolated to specific industries.
The centralized command and control server architecture is now largely defunct – having a single command center represents a large risk, as it can be held under close scrutiny by cybersecurity forces. Instead, modern attackers usually use a peer-to-peer network. The P2P botnet offers a decentralized pattern, where each individual bot seeks out other infectable devices or sites. Updated commands are also sent through this decentralized chain of command, allowing cybercriminals to avoid detection by law enforcement.
The architecture of botnets is highly scalable, and rapidly becomes a confusing mess – perfect for escaping detection. Botnet servers can communicate and cooperate with their peers, essentially allowing strings of C2 servers to operate as a peer-to-peer organism. Any given DDoS attack can therefore have multiple origins, or be controlled by a wide number of illicit actors. Because these actors are sometimes coordinated and regularly work independently, pinning attacks on specific groups is a real headache.
One of the more famous botnets is Mirai. Mirai malware was built to sniff out insecure Internet of Things (IoT) devices, whilst also being programmed to avoid the IP addresses of major corporations. Once a potential device was found, Mirai would begin credential stuffing attacks, cycling through the most common default passwords. Wielding a million-strong army of Wi-Fi-connected CCTV cameras, baby monitors, and smart fridges, Mirai conducted some record-setting volumetric DDoS attacks in late 2016.
How Remote Work Fueled the Fire
The cyber landscape has greatly evolved since Mirai hit the scene, however. The FBI’s 2021 internet crime report explicitly noted the new threats introduced by the modern WFH setup. Corporate networks, with a traditional network perimeter, are vastly easier to secure than today’s perimeter-less, widely distributed networks. The rise of remote control and video-conferencing software is of particular concern to the FBI, as at-home devices rarely enjoy the same layers of security as their on-premise counterparts.
The top spot among 2021’s most virulent botnet strains was swiftly claimed by RSocks. Masquerading as a proxy service available through the internet, RSocks was in fact a rapidly growing assembly of infected devices. With an initial focus on IoT devices, RSocks rapidly garnered other victims, including Android and PC devices. Within the botnet, each infected device was assigned an individual IP address; then, RSocks’ network was listed for hire by the bot-herders responsible. Rather than offering access to each device, its controllers instead offered their shady clients the chance to utilize each victim’s IP address. This botnet lends attackers a hidden, underground route through which to send malicious traffic; beyond its DDoS capabilities, it’s estimated that RSocks was primarily used for credential stuffing attacks.
Protecting Against the Growing DDoS Threat
DDoS attacks are one of the most public forms of cybercrime, and greatly damage your brand image and trust. If customers click through to unavailable pages, they may leave – and never return. The automated nature of DDoS attacks makes them highly nimble pieces of an attacker’s arsenal, as botnets are hireable on command. Manual response times are far too slow to adequately mitigate these attacks: the average response time of a manual team is 35 minutes. Compare this with the response time of automated defense systems – a mere 6 minutes. This is largely thanks to the fact that automated systems can instantly recognize a DDoS attack and switch your site, application or server over to its mitigation backup solution before too much damage is wreaked.
But your botnet-busting solution needs to go further. Even when fraud attempts are mitigated, the ever-evolving capabilities of various botnets may mean that enough resources are consumed during an attack to leave your legitimate users in the dark. Automated traffic analysis needs to first distinguish between a legitimate user and a bot. How this is done will depend on the type of site you operate – by analyzing a visitor’s behavior, it can be classified as a good, bad, or unknown bot. Bad and unknown bots are treated with suspicion or outright prevented from connecting. Bot mitigation options should be clearly and easily customizable; you should be empowered to block any possible cause of concern. Filtering by origin, by behavior, and by your own access control policies is a must-have option. The repetitive requests made by a malicious credential-stuffing botnet then become identifiable and are automatically blocked.
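The good/bad/unknown classification and the origin, behavior and access-control filtering described above, as an added example that is not the article's or any vendor's code: a minimal behaviour-based classifier run over constructed log lines. The log format, IP addresses, thresholds and the user-agent allowlist are all assumptions an operator would tune per site.

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the article): time ip method path status user_agent
SAMPLE_LOG = """\
10:00:00 203.0.113.5 GET /home 200 Mozilla/5.0
10:00:04 203.0.113.5 GET /pricing 200 Mozilla/5.0
10:00:09 203.0.113.5 POST /login 200 Mozilla/5.0
10:00:00 198.51.100.7 POST /login 401 python-requests/2.25
10:00:00 198.51.100.7 POST /login 401 python-requests/2.25
10:00:01 198.51.100.7 POST /login 401 python-requests/2.25
10:00:01 198.51.100.7 POST /login 401 python-requests/2.25
10:00:02 198.51.100.7 POST /login 401 python-requests/2.25
10:00:00 192.0.2.9 GET /robots.txt 200 Googlebot/2.1
10:00:00 192.0.2.9 GET /home 200 Googlebot/2.1
10:00:30 203.0.113.77 GET /api/items 200 curl/7.68
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.+)$")

# Hypothetical per-site policy: origin blocklist, assumed good crawlers, behaviour thresholds.
POLICY = {
    "block_ips": {"203.0.113.200"},           # origin-based access control
    "good_agent_prefixes": ("Googlebot",),   # confirm via reverse DNS in production; UAs are spoofable
    "max_failed_logins": 3,                   # repeated /login failures: credential-stuffing signal
    "max_requests": 50,                       # request flood per window: volumetric signal
}

def parse_log(text):
    """Group parsed lines by source IP: {ip: [(time, method, path, status, agent), ...]}."""
    by_ip = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, method, path, status, agent = m.groups()
            by_ip[ip].append((ts, method, path, int(status), agent))
    return by_ip

def classify(ip, reqs, policy=POLICY):
    """Return 'good', 'bad' or 'unknown' for one source, checking policy rules in priority order."""
    if ip in policy["block_ips"]:
        return "bad"
    failed_logins = sum(1 for _, method, path, status, _ in reqs
                        if method == "POST" and path == "/login" and status == 401)
    if failed_logins >= policy["max_failed_logins"] or len(reqs) > policy["max_requests"]:
        return "bad"
    if all(agent.startswith(policy["good_agent_prefixes"]) for *_, agent in reqs):
        return "good"
    if len(reqs) >= 2 and len({p for _, _, p, _, _ in reqs}) >= 2 and all(s < 400 for *_, s, _ in reqs):
        return "good"  # browsing several pages successfully looks like a human visitor
    return "unknown"   # too little evidence either way: rate-limit or challenge rather than trust

def classify_log(text, policy=POLICY):
    return {ip: classify(ip, reqs, policy) for ip, reqs in parse_log(text).items()}
```

On the sample log, the browsing visitor and the crawler come out as good, the repeated failed logins as bad, and the single curl request as unknown.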
Once a suitable anti-botnet solution is in place, DDoS attacks become far more identifiable – and preventable. However, bot recognition solutions have further benefits: they also facilitate the prevention of broader, more hidden threats – such as RSocks’ credential stuffing campaigns.
TechnologyHQ is a platform about business insights, tech, 4IR, digital transformation, AI, Blockchain, Cybersecurity, and social media for businesses.