What is a DDoS Botnet?

Introduction

It’s hard to believe that the first Terminator movie was released in 1984 – decades before the first DDoS botnet attack but a harbinger of things to come. Like Terminators that are used as infiltration units, their appearance allowing them to blend in with humans, bots are hardware devices that attackers compromise and use to launch cyberattacks within an organization. When grouped into networks or botnets, they become an especially formidable force to combat.

In this blog, we’ll delve into DDoS botnets to understand their components, how a DDoS botnet attack unfolds, and some of the most damaging attacks over the last several years. We’ll also explain how you can detect and defend against botnet attacks that disrupt service availability and can lead to data exfiltration, ransomware attacks, and other malicious activity.

Understanding DDoS botnets

DDoS botnets consist of networks of Internet-connected devices that cyber criminals use to launch DDoS attacks at scale. Cyber criminals infect each device with malware that allows them to control it remotely. To maximize the impact of a DDoS attack, they group these bots together to form a botnet.

Definition and concept of DDoS botnets

Once cyber criminals have established a botnet, they can execute coordinated attacks against targeted systems by sending remote instructions to each bot. Each bot sends requests to the target’s IP address, causing the server or network to become overwhelmed and resulting in a denial-of-service to normal traffic.

How compromised devices are used in coordinated attacks

The cyber criminal or “botmaster” uses intermediate machines, known as command-and-control (C&C or C2) servers, to remotely control the bots. They use a variety of channels to communicate with the C&C servers, including websites, the IRC protocol, and social media channels.

DDoS botnet malware can work in two different ways:

  1. Some DDoS botnet malware takes control of the device.
  2. Other DDoS botnet malware runs silently in the background, waiting for instructions from the botmaster.

DDoS botnets can be self-propagating, meaning they can bring other hardware devices into the botnet. They use a variety of channels for this recruiting, including vulnerabilities in websites, Trojan horse malware, and compromised credentials used to gain remote access to the targeted device. Once inside the device, they infect it with malware. The compromised device (known as a zombie) can now be controlled by the botmaster through the C&C server and becomes part of the botnet.

Significance of DDoS botnets

Botnets can be built on malicious software that is designed to spread rapidly. The most prominent example is the Mirai malware and its many variants, which can take advantage of weaknesses in IoT devices with low computational power or, to launch even more potent attacks, in higher-powered networking equipment.

Botnets can range in size from hundreds of bots to more than a million for the most sophisticated attacks. Botnet servers can communicate with other botnet servers to create a Peer-to-Peer (P2P) botnet. The P2P botnet can be controlled by one or multiple botmasters, working in coordination or independently, which makes DDoS botnet attacks even more difficult to understand and defend against.

Impact of DDoS botnets on internet infrastructure

Sophisticated botnet DDoS tools and botnet services are readily available through online marketplaces for a few hundred U.S. dollars. This makes it easy and inexpensive to launch a DDoS attack and reap the financial and competitive gains with little technical knowledge.

Service providers and organizations in critical infrastructure sectors such as financial services, transportation, energy, communications, and healthcare are particularly attractive targets for DDoS botnet attacks. Due to the crippling damage a DDoS attack can inflict on their ability to keep their operations running and maintain not just livelihoods but lives, these types of organizations are more likely to succumb to attackers’ demands for money. However, companies in gaming, hospitality, entertainment, and social media have also suffered outages that have impacted consumers on a global basis.

Examples of notable DDoS botnet attacks

As our reliance on connectivity has increased and Internet of Things (IoT) devices have proliferated, so too have significant DDoS botnet attacks that leverage Mirai-based and IoT-based botnet activity. The following examples illustrate the notable impact these attacks can have and how they are escalating in size and sophistication.

  • Mirai Botnet Attack (2016). A self-propagating botnet malware that takes over poorly protected internet-connected devices. It is capable of infecting tens of thousands of devices and coordinating them to overwhelm a chosen target.
  • Krebs on Security Attack (2016). The Meris DDoS botnet is an augmented version of Mirai and was responsible for some of the largest DDoS attacks, including the attack on Krebs on Security. In contrast to IoT botnets like Mirai, Meris leverages enterprise networking equipment with higher computational power to launch faster and more powerful attacks.
  • OVH Attack (2016). One of Europe’s largest hosting providers, OVH was targeted by a DDoS attack driven by a botnet estimated to consist of 145,000 bots. The attack lasted nearly a week and targeted one of OVH’s largest customers.
  • Dyn DDoS Attack (2016). Dyn, a major Domain Name System (DNS) provider, was hit by what was a record-setting DDoS attack at the time. The attack brought down high-profile websites, including GitHub, HBO, Twitter, Netflix, PayPal, Reddit, and Airbnb.
  • GitHub Attack (2018). Two years later, GitHub was again impacted by a DDoS botnet attack that lasted roughly 20 minutes and was traced back to a vast network and powerful database caching system that was able to amplify traffic by more than 52,000 times.
  • Azure Attack (2021). In November 2021, Azure experienced what was at the time the largest DDoS attack ever. The attack on an undisclosed customer reached a throughput of 3.47 terabits per second (Tbps). According to Microsoft, the attack originated from approximately 10,000 sources in at least 10 countries.
  • CatDDoS Botnet (2023). A majority of CatDDoS botnet attacks targeted organizations in countries including China, U.S., Japan, Singapore, and France with more than 300 attacks observed on any given day. The CatDDoS malware exploits more than 80 known security flaws in software that impacts routers and other networking gear.
  • Gorilla Botnet Attack (2024). A new botnet malware family called Gorilla, a Mirai variant, is reported to have issued over 300,000 attacks during three weeks in 100 countries. Gorilla supports multiple CPU architectures and comes with capabilities to connect with one of five predefined C&C servers to await DDoS commands.

Anatomy of DDoS botnets

In order to protect against the damaging impact of a successful DDoS botnet attack, it’s useful to deconstruct the components and operational mechanics of DDoS botnets to gain valuable insights into how they work. Getting inside the mindset of an attacker, including understanding the lifecycle and stages involved in launching a DDoS botnet attack from setup to execution, helps shed light on how to improve detection and strengthen defenses.

Components of DDoS botnets

As discussed earlier, the key elements comprising DDoS botnets include:

  • The cyber criminal or attacker, also known as the bot master or bot herder
  • Command and control (C&C or C2) servers they use to send instructions to the compromised devices
  • Compromised devices, called bots or zombies
  • Networks of compromised devices, called botnets

Each element plays a critical role in facilitating coordinated attacks that flood the network with traffic in order to slow it down or disable it entirely so that it is inaccessible to legitimate users.

Operation of DDoS botnets

Large-scale DDoS attacks are orchestrated using botnets and typically follow three main phases and a very specific set of steps.

  • Reconnaissance. The bot master prepares the attack by:
    • Identifying potential targets that could be vulnerable to a DDoS attack
    • Creating a botnet by infecting a large number of devices with malware and grouping them together
    • Adopting techniques to disguise their identity as the perpetrator and evade security measures
  • Infiltration. The bot master launches the attack by sending instructions to the zombies in the botnet to send requests or traffic to the target organization simultaneously. This orchestrated attack quickly overloads the network to disrupt or disable resources.
  • Execution. Once normal network functionality is impaired, the bot master can direct the bots in the botnet to:
    • Launch extortion/ransomware attacks
    • Exfiltrate data
    • Remain hidden and wait for instructions to conduct attacks in the future

Types and techniques of DDoS botnet attacks

There are various characteristics of DDoS attacks. Here, we take a look at four types of attacks and the techniques they employ.

  • Volumetric attacks. By definition, DDoS botnet attacks are volumetric in nature as they leverage groups of bots to generate a massive volume of data packets directed at the target network to saturate it with a flood of traffic.
  • Protocol/Network Layer attacks. These types of DDoS botnet attacks take advantage of weaknesses in protocols or services at the network and transport layers (Layers 3 and 4) of the OSI model to consume server resources and degrade service performance or cause an outage. Examples include:
    • SYN Flood attacks, which exploit the TCP handshake process by sending a large number of SYN requests without ever completing the handshake, so that half-open connections pile up on the server
    • UDP Flood attacks, which flood the target with UDP packets, often aimed at specific ports
  • Application Layer attacks. Also known as Layer 7 DDoS attacks, these target the application layer of the OSI model with the intent of exhausting server resources or disrupting web application functionality. Common techniques include:
    • HTTP/S Floods, which overwhelm web services with HTTP requests
    • Slowloris attacks, which exploit the server’s resource allocation by sending partial HTTP requests and keeping connections open for as long as possible
  • Reflection/Amplification attacks. Here, the attacker spoofs the victim’s IP address as the source and sends requests to servers that reply to the spoofed address, flooding the victim with responses that are typically much larger than the requests. This amplifies the volume of traffic directed at the victim. Commonly used protocols include DNS, NTP, and SNMP.

Detecting DDoS botnet attacks

The sooner you can detect and stop a DDoS botnet attack, the better your chances of mitigating the impact on revenue and customer satisfaction due to service disruptions, as well as the risk of data theft and extortion, and penalties associated with compliance violations. Techniques to detect botnet activity include:

  • Traffic analysis and anomaly detection to identify unusual or suspicious volume, sources, and destinations of network traffic, as well as the types of packets being sent.
  • Network performance monitoring to detect latency issues, failed connections, or timeouts, which may be symptoms of DDoS botnet activity.
  • Deep packet inspection to identify known signatures or patterns of botnet activity, including the behaviors of specific types of malware associated with botnets.
  • Behavior-based detection to identify behavior of individual devices or systems on a network that could indicate bot-like activity. This could include monitoring processes and file changes as well as the types of network connections being made.
  • Automated alerts triggered when downtime or performance thresholds are violated, so that IT teams are notified to investigate and react.
  • Load balancing and failover mechanisms that distribute traffic across different servers and cloud resources to help mitigate the impact of an attack and assist with continuity of service while IT teams investigate and respond.
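As an added example, not code from the original post, the following Python script applies the traffic-analysis technique above to a batch of constructed flow records and flags the three attack patterns described in the previous section: half-open SYN floods, single-source HTTP floods, and DNS/NTP/SNMP reflection. The flow record format, the thresholds, and all addresses are assumptions made for the illustration.

```python
# Added example, not from the original post: rule-based detection of SYN-flood,
# HTTP-flood and reflection patterns over flow records. The record format
# (src, dst, proto, sport, dport, tcp_flags, bytes), thresholds and addresses
# are constructed for illustration; a real pipeline would read NetFlow/IPFIX.
from collections import Counter, defaultdict

REFLECTOR_PORTS = {53: "DNS", 123: "NTP", 161: "SNMP"}  # services the post names

def build_sample_flows():
    """Constructed one-second capture: benign traffic plus three attack patterns."""
    flows = []
    for i in range(20):  # benign clients completing the handshake and sending data
        flows.append((f"10.0.0.{i + 1}", "203.0.113.10", "tcp", 50000 + i, 443, "S", 60))
        flows.append((f"10.0.0.{i + 1}", "203.0.113.10", "tcp", 50000 + i, 443, "A", 800))
    for i in range(200):  # SYN flood: lone SYNs from many sources, no handshake completes
        flows.append((f"198.51.100.{i % 250 + 1}", "203.0.113.20", "tcp", 40000 + i, 80, "S", 60))
    for i in range(150):  # HTTP flood: one source hammering a web server
        flows.append(("192.0.2.77", "203.0.113.30", "tcp", 30000 + i, 443, "A", 400))
    for i in range(40):  # reflection: large DNS/NTP answers from many servers to one victim
        port = 53 if i % 2 == 0 else 123
        flows.append((f"192.0.2.{i + 1}", "203.0.113.40", "udp", port, 33000, "", 3000))
    return flows

def analyze_flows(flows, min_syns=100, syn_ratio=5.0, http_rps=100, min_reflectors=20):
    """Return {victim_ip: [finding, ...]} for destinations matching an attack pattern."""
    syns, acks, http_req = Counter(), Counter(), Counter()
    reflectors, reflect_bytes = defaultdict(set), Counter()
    for src, dst, proto, sport, dport, flags, nbytes in flows:
        if proto == "tcp":
            if flags == "S":
                syns[dst] += 1
            elif flags == "A":
                acks[dst] += 1
                if dport in (80, 443):
                    http_req[(src, dst)] += 1
        elif proto == "udp" and sport in REFLECTOR_PORTS:  # answers from amplifier services
            reflectors[dst].add(src)
            reflect_bytes[dst] += nbytes
    findings = defaultdict(list)
    for dst, n in syns.items():  # many SYNs but almost no completed handshakes
        if n >= min_syns and n / max(acks[dst], 1) >= syn_ratio:
            findings[dst].append(f"syn_flood: {n} SYNs vs {acks[dst]} ACKs")
    for (src, dst), n in http_req.items():  # one source exceeding the per-second budget
        if n >= http_rps:
            findings[dst].append(f"http_flood: {src} sent {n} requests")
    for dst, srcs in reflectors.items():  # responses to queries the victim never sent
        if len(srcs) >= min_reflectors:
            findings[dst].append(f"reflection: {len(srcs)} reflectors, {reflect_bytes[dst]} bytes")
    return dict(findings)
```

Running `analyze_flows(build_sample_flows())` reports the three attacked addresses and leaves the benign server unflagged; the thresholds should be tuned to a baseline of normal traffic before use.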

Protecting against DDoS botnet attacks

As with all threats, an ounce of prevention is worth a pound of cure. To defend against DDoS botnet attacks, organizations can use a combination of best practices and technology, including:

  • Maintain good cyber hygiene. Educate employees on the dangers of botnets and how to avoid becoming infected through the use of strong passwords, multi-factor authentication, and not clicking on suspicious links or attachments in emails from unknown sources.
  • Keep software and operating systems up to date. Install patches for vulnerabilities as soon as they are released by your software and network device vendor, prioritizing those patches that botnets are known to exploit.
  • Rate limit traffic. Where possible, rate limit traffic to prevent volumetric attacks.
  • Proactively monitor your network. Monitor your network for anomalous behavior that could indicate botnet or some other form of malicious activity.
  • Disable unnecessary services. A general rule of thumb is to disable services that are not being used as they are typically not on the IT team’s radar for updates and can become an easy vector for attackers to exploit.
  • Add firewall rules and IDS/IPS. Add specific firewall policies and implement IDS/IPS technology to detect and block activity that could indicate DDoS botnet attack attempts.
  • Use a DDoS protection platform. The most comprehensive way to mitigate DDoS attacks, including DDoS botnet attacks, is with DDoS protection. The best solutions will allow you to maintain uninterrupted service availability even in the midst of a DDoS attack and protect you against follow-on threats including data leakage, ransom attacks, and other threats to your operations.
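As an added example, not from the original post, here is a per-source token-bucket limiter of the kind the "rate limit traffic" practice above refers to, run over a constructed one-second window containing a normal client, a flooding bot, and an allowlisted partner. The rate, burst size, and addresses are assumptions for the illustration.

```python
# Added example, not from the original post: per-source token-bucket rate
# limiting with an allowlist for trusted sources. The limit, burst size and
# sample traffic below are constructed for illustration.
from collections import defaultdict

class PerSourceLimiter:
    """Each source IP gets a bucket of `burst` tokens refilled at `rate` tokens/sec."""

    def __init__(self, rate, burst, allowlist=()):
        self.rate, self.burst = rate, burst
        self.allowlist = set(allowlist)  # trusted sources that are never throttled
        self.buckets = {}                # src -> (tokens, timestamp of last decision)

    def allow(self, src, now):
        """Return True if the request from `src` at time `now` may pass."""
        if src in self.allowlist:
            return True
        tokens, last = self.buckets.get(src, (self.burst, now))
        # Refill in proportion to elapsed time, never beyond the burst size.
        tokens = min(self.burst, tokens + (now - last) * self.rate)
        if tokens >= 1:
            self.buckets[src] = (tokens - 1, now)
            return True
        self.buckets[src] = (tokens, now)  # out of tokens: drop, keep accruing refill
        return False

def simulate(limiter, requests):
    """requests: iterable of (timestamp, src). Returns {src: (allowed, dropped)}."""
    stats = defaultdict(lambda: [0, 0])
    for ts, src in sorted(requests):  # process in time order, as a real limiter would
        stats[src][0 if limiter.allow(src, ts) else 1] += 1
    return {src: tuple(counts) for src, counts in stats.items()}

def sample_requests():
    """Constructed one-second window: a normal client, a flooding bot, a trusted partner."""
    reqs = [(i / 5, "10.0.0.5") for i in range(5)]              # 5 rps, under the limit
    reqs += [(i / 1000, "198.51.100.9") for i in range(1000)]   # 1000 rps from one bot
    reqs += [(i / 500, "192.0.2.1") for i in range(500)]        # allowlisted partner
    return reqs

def run_demo(rate=10, burst=20):
    """Apply a 10 req/s limit with a burst of 20 to the sample window."""
    limiter = PerSourceLimiter(rate, burst, allowlist={"192.0.2.1"})
    return simulate(limiter, sample_requests())
```

In `run_demo()` the normal client and the partner pass untouched, while the bot gets only its initial burst plus the refill earned during the second (about 30 requests) and the other roughly 970 are dropped.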

Conclusion

DDoS botnet attacks continue to increase in complexity and frequency, and no industry or geographic region is immune. In addition to critical infrastructure sectors, companies in gaming, hospitality, entertainment, and social media have also suffered outages which have impacted consumers on a global basis.

As the use of IoT devices and malware variants proliferates, these attacks show no sign of slowing down. Additionally, the volumetric, amplification, and self-propagating factors make DDoS botnet attacks a particularly powerful force to deal with.

Fortunately, there are multiple best practices and technologies organizations can use to defend against DDoS botnet attacks, including maintaining good cyber hygiene, keeping software and systems up to date, rate limiting traffic, disabling unnecessary services, adding firewall rules and IDS/IPS technology, and using a DDoS protection solution.

DDoS protection provides uninterrupted service availability even in the midst of a DDoS botnet attack and can also protect you from other types of DDoS attacks and the follow-on malicious activity that can threaten your operations. Visit our threat intelligence research center for more information on the latest trends and insights about DDoS botnet attacks. Speak with a specialist to learn more.
