Question: What are botnets used for? Answer: Distributed Denial of Service (DDoS) Attacks.
Botnets are bad. The DDoS attacks that they can launch are even worse. The concept of a DDoS attack is simple. Generate enough malicious traffic to a web site, and it will become unable to respond to legitimate requests. In effect, the web site will be taken down. DDoS attacks have been used for retaliation, for political statements, for competitive reasons, and even for ransom.
Guest article by Dr. Bill Highleyman
The damage DDoS attacks can inflict on a company’s public-facing Internet services, such as web sites, or on the Internet in general is massive. There have been many examples of the use of botnets to bring major corporations to their knees:
- In retaliation for the anti-Islamic YouTube video “Innocence of Muslims,” Islamic hackers launched massive DDoS attacks against several U.S. banks and took down their online banking portals for over a day each. Several months later, the hackers repeated their attacks, and they vowed to continue until the video is removed from the Internet. Their attacks so far have generated up to 70 gigabits per second (gbps) of malicious traffic – enough to overwhelm most web sites.
- Spamhaus was hit with the most massive DDoS attack yet reported – a malicious data rate of 300 gbps! Spamhaus is a firm that maintains a blacklist of spam-generating sites and sells the list to corporations, government agencies, and ISPs so that they can block traffic from these sites. One of the web sites on the blacklist is CyberBunker, which advertises that it will post anything except child pornography and terrorist threats. It is CyberBunker that is suspected of launching the assault against Spamhaus.
Until these large attacks occurred, most DDoS incidents generated about 10 gbps of malicious traffic. Clearly, their severity is increasing. So are the frequency and length of attacks. Prolexic, a DDoS mitigation firm, found in its surveys that DDoS attacks increased 53% from 2011 to 2012. During this time, Prolexic mitigated seven attacks that exceeded 50 gbps. In this three-part series, we examine the anatomy of DDoS attacks. Part 1 describes how botnets are created and are used to launch attacks. Part 2 describes the types of DDoS attacks that can be used to disable your customer-facing systems. In Part 3, we discuss various mitigation strategies available for minimizing the effectiveness of a DDoS attack.
A single PC is not powerful enough to generate sufficient traffic to overwhelm most systems. It takes a concerted effort of many PCs to do so. This is a botnet. A botnet is a collection of infected systems that can be commanded to take a joint action upon request by a bot master. For DDoS attacks, this joint action is the generation of massive amounts of malicious data directed toward a victim’s web site.
There are several classes of botnets:
- The earliest botnets were made up of infected PCs. Typically, a PC is infected by a Trojan that enters the PC via a malicious email, a malicious web site, or an infected web site. The Trojan opens a backdoor to the PC that allows the bot master to download its DDoS software into the PC. The PC then connects to the bot master and thereafter will be under its control. PCs cannot generate a great deal of traffic, primarily due to the bandwidths of their Internet connections. A megabit per second (mbps) is typical. Therefore, to generate ten gigabytes per second of traffic, the botnet must comprise ten thousand PCs.
- Some attacks are politically popular and generate a great deal of support among a class of people around the world. In this case, attackers have enlisted many individuals to voluntarily contribute the services of their PCs to the botnet. The Islamic hackers that attacked U.S. banks in retaliation for the anti-Islamic YouTube video reportedly had access to hundreds of thousands of voluntarily provided PCs. Another example was an attack launched by supporters of Julian Assange, founder of WikiLeaks, when he was arrested for leaking classified material.
- The limited capability of a PC to generate DDoS traffic is solved to a great extent by using powerful servers instead. In this case, servers are infected with DDoS software, often through known security vulnerabilities in popular programs such as Joomla and WordPress. A powerful server with wideband access to the Internet can generate a thousand times as much traffic as a PC.
Botnets for Rent
Botnets are readily available for rent on the darknet, private networks where connections are made only between trusted peers. Hackers form a community of trusted peers and can gain access to botnet rentals. The cost for botnets is relatively modest given the damage they can inflict. For instance, the following botnet rentals are advertised on the darknet:
- 10,000 PCs – 10 gbps – $500 per month
- 100,000 PCs – 100 gbps – $200 per day
In this article, we have reviewed the botnet mechanism for launching DDoS attacks. In Part 2, we look at some of the DDoS strategies that are used by botnets to disable corporate web sites.
Dr. Bill Highleyman brings more than 40 years’ experience in the design and implementation of mission-critical computer systems. He has published extensively on availability, performance, testing, and middleware issues. He is the author of Performance Analysis of Transaction Processing Systems, published by Prentice-Hall, and is co-author of the three-volume series Breaking the Availability Barrier. Dr. Highleyman is the Managing Editor of the monthly Availability Digest (www.availabilitydigest.com), which focuses on topics related to high- and continuous availability. He holds sixteen patents, many of which are in the areas of data replication and active/active systems. He is a graduate of Rensselaer Polytechnic Institute and MIT and earned his doctorate in electrical engineering from Polytechnic Institute of New York. He can be reached at firstname.lastname@example.org.