Complete guide to Botnets, and how to stay protected

It’s been close to two decades since the Internet first noticed the existence of Botnets. They not only stand the test of time but still act as one of the most powerful tools for threat actors. In this article, we bring you all the information you need to know about them.

A Botnet is a network of inter-connected systems established via means of malware infections, across the globe which can work together and are controlled by a single threat actor. These systems can perform tasks that are mostly malicious as a single distributed entity and overwhelm any defense system.
The systems that are part of the bot network are called Zombies and the group in control of the systems is called Bot Master or Bot Herder.

The Command and Control server acts as a hotline between the Bot and the Herder and can be considered as its central nervous system.

What are Botnets used for?

Botnets are a favorite of Cybercriminals since they can not only be used to sabotage services but also be used to executes scams and cybercrimes on a very large scale. Following are some of the key use cases of Botnets:

• Distributed Denial of Services (DDOS) attacks 
• Brute Force attacks
• Cryptojacking and stealing Cryptocurrency
• To run large scale Phishing and spam campaigns
• Snooping and stealing of information or credentials
• Bricking attack to delete the software from IoT devices

Types of Botnets

Botnets can broadly be categorized as:

1. Internet Relay Chat (IRC) Botnet

IRC botnets are comprised of systems that use a preconfigured IRC channels to receive commands from the Bot Herder. This is a centralized communication system and these bots are easy to deploy.

2. HTTP Botnet

HTTP Botnets use the HTTP channel for communication between the Bots and the Bot Herder. This helps them to disguise their activities as normal web traffic.

3. P2P Botnet

P2P Botnet is created by using P2P communication between bots. This is considered to be more advanced, tough to deploy, and also the most resilient.

How do Botnets work?

Following are the key steps for Botnet functioning:

1. Bot Herder spreads the infection using malware campaigns, malicious web uploads, etc.
2. Backchannel communication is initiated and established from Bot to C&C Server.
3. The Bot aka Zombie downloads the updates and waits for the instruction.
4. Once the Bot Herder sends the instruction, the Bot engages in desired activities.

Which country has the most Botnets?

While it’s difficult to say as there is no data or records which clearly show or highlight the presence of Botnets in a particular country. Further, as this data is dynamic in nature, it can change in time.

However, based on the data available from Cloudflare for Q1 2021, we have observed that the highest Botnet traffic for DDOS attacks was observed from China which was 36% followed by the USA (30%), Malaysia (8%), India (6%) and Brazil (5%) so a rough assumption can be made.

Is creating a Botnet Legal?

Botnet is just a network of computers, so creating a Botnet is legal. However operating a Botnet is illegal, and in many cases, punishable as a felony in most countries. 

How do hackers create Botnets?

Creating Botnets is super easy and anyone who doesn’t have programming knowledge can also easily create a Botnet by using freely available tools like Kali Linux within an hour or less.

One of the interesting tutorials are available at following link:

This information is for educational purposes only. As botnets are illegal, trying to attack external networks will land you in serious legal trouble.

How much does a Botnet cost?

A botnet is available for as low as $99 per hour for a DDOS attack over Dark Web. DDoS-for-hire services (aka Stresser or Booter) can just be googled, and are available for hire for even lesser prices.  

Examples of attacks by Botnets

1. Attack on Amazon Web Services in 2020

AWS, the giant of cloud computing was targeted by a major DDOS attack in February 2020. This method targets the vulnerable third-party CLDAP servers. It can amplify the amount of data sent to the victim’s IP address by 50 to 70 times. The attack lasted for three days and went up to a staggering 2.3 terabytes per second. The attack lasted for 3 days.

2. DDOS attack on Github in 2018

GitHub was hit on Feb 28, 2018, with a major?DDoS attack that peaked at 1.35 terabits per second?and lasted for roughly 20 minutes.? GitHub, later responded that the traffic was identified to “over a thousand different autonomous systems (ASNs) across tens of thousands of unique endpoints.”

Though GitHub had the security measures in place for a DDoS attack, their defenses were simply swamped.

3. Attack on Brian Krebs Blog

The blog of Cybersecurity Expert Brian Krebs was assaulted on September 20, 2016, by a record DDOS attack at the time which peaked in access of 620 GBPS. Krebs had recorded 269 DDoS attacks since July 2012, but this attack was actually three times big than anything his site or, for that matter, the internet had seen before.

The attack was executed by the Mirai botnet, which consisted of more than 600,000 compromised Internet of Things (IoT) devices.

4. Dyn Attack in 2016

Another notable DDoS attack by Mirai in October 2016 was at Dyn, a major DNS provider. This attack was catastrophic and created disruption for many leading sites, including Paypal, Airbnb, Netflix, Visa, Amazon, The New York Times, Reddit, and GitHub.

5. Spamhaus attack in 2013

Spamhaus helps combat spam emails and spam-related activities across the globe and actually filters as much as 80% of all spam, which makes them a popular target for people who would like to see spam emails reach their intended recipients.

The attack peaked at a rate of 300 Gbps which was a record at the time. Once the attack began, Spamhaus signed up for Cloudflare to mitigate the attack. The main culprit of the attack was a teenage hacker from Britain, who was paid to launch this DDoS attack.

How to protect against Botnets

Following are some useful tips to help your devices from becoming a Bot aka Zombie:

1. Subscribe to a DDoS protection service from a reputed provider. Several high-quality services are available in the market like Akamai, Cloudflare, Radware, etc. 
2. Keep all your device firmware updated to the latest
3. Change the default passwords of all of your devices, including IoT devices
4. Limit access to the admin or root account
5. Do not download pirated content or unknown programs
6. Regularly scan the system with a good antivirus program.
7. Pay attention when your antivirus shows you a warning

Legacy devices are always at a greater risk of any infection. Please refer to this post from our website for the protection of legacy devices.