Botnet

When an online service collapses under a flood of pointless requests, a single computer is rarely behind it. The load comes from tens of thousands of hijacked devices worldwide whose owners have no idea. Such remotely controlled collections are called botnets.

For companies, the topic is relevant in two ways: they can become the target of attacks from botnets, and their own devices can be part of a botnet without anyone noticing. The operators think in economic terms: every additional device lowers their costs and increases their striking power.

What is a botnet?

A botnet is a network of compromised devices running malware that can be controlled remotely from a central point. Each individual device is referred to as a bot or zombie, the controlling person as the botmaster. In principle, any networked system can become a bot: servers and workstations as well as routers, cameras and other IoT devices. The latter in particular are popular because they often run with factory passwords, rarely receive updates and are permanently online. The strength of a botnet lies in numbers: many weak devices together form a powerful attack infrastructure. The size ranges from a few hundred to several million devices, and for the owners the external use usually remains invisible because the devices appear to keep running normally.

How it works

  • Infection: The bot software spreads via unpatched vulnerabilities, weak passwords and infected downloads. Much of this runs fully automatically, because existing bots constantly scour the internet for new victims. For IoT devices, the credentials set at the factory are often already enough.
  • Registration: After infection, the device reports to the attackers' control infrastructure, the command-and-control server (C2), and from then on waits for commands.
  • Control: Classic botnets use central C2 servers. More modern ones distribute control across the bots themselves or change their domains every few minutes to evade takedowns. The communication likes to hide in ordinary web traffic.
  • Execution: The botmaster sends a command, thousands of devices carry it out at the same time, from a storm of requests against a target to the automated trying-out of stolen passwords.
  • Rental: Many botnets are rental infrastructure. Attacks and spam campaigns can be booked as a service in the criminal underground, support included.

Why botnets matter for companies

  • Availability risk: DDoS attacks from botnets paralyse web shops and customer portals, often coupled with an extortion demand.
  • Your own devices as perpetrators: compromised systems in the corporate network send spam or attack third parties. The consequences range from blocklists for your own mail servers to questions of liability.
  • Resource theft: cryptomining bots consume computing power and electricity. For a long time, the performance losses look like vague IT problems.
  • A door-opener for follow-up attacks: a bot in the network is remote access for attackers. Botnets such as Emotet in its day served as a distribution platform for ransomware.
  • IoT as a blind spot: cameras, printers and building technology appear in no endpoint management and, without controls in the network, remain unobserved.
  • Compliance and reporting paths: if one of your own devices becomes part of a botnet, a security incident has occurred, with the same investigation and reporting obligations as with other attacks.

Typical usage scenarios

The best-known scenario is the DDoS attack: tens of thousands of bots call up a target at the same time until it collapses under the load. The force that poorly secured IoT devices can unleash was demonstrated in 2016 by the Mirai botnet, which disrupted central internet services with hijacked cameras and routers. Besides this, botnets earn money by sending spam and phishing, with credential stuffing against customer accounts, with click fraud in online advertising and with cryptomining on other people's hardware. A growing business field is proxy services: criminals route their traffic through hijacked devices and thereby disguise their origin. To the affected organisation, it then looks as if attacks are coming from perfectly ordinary private households. Extortion without an actual attack also occurs: the mere threat of a storm of requests, backed up by a short demonstration, is meant to trigger payments.

Bot vs. botnet

A bot is first of all a program that performs tasks automatically. In itself, that is neither good nor bad: search engine crawlers and monitoring agents are useful bots. In the security context, the term means a single compromised device under someone else's control. The botnet is the collection of many such bots with shared control. Both levels are relevant for defence. Bot management at the application level distinguishes desired from harmful automated access to websites and interfaces. Botnet defence, by contrast, prevents your own devices from being recruited or attacks from botnets from hitting your own infrastructure. Incidentally, those who talk about bot traffic in everyday terms usually mean the application level, that is, automated access to websites, regardless of whether a botnet is behind it.

Protection against botnets at KAEMI

KAEMI addresses both sides of the problem. With Application Security based on the Cloudflare platform, we protect publicly reachable applications against DDoS attacks and harmful bots. On the inside, microsegmentation prevents hijacked devices from spreading or communicating with the outside world in an uncontrolled way. On request, we add an analysis of outbound traffic to uncover existing infections. For an assessment of your exposure, you can reach us via the contact page .

Frequently asked questions about Botnet

What is the difference between a bot and a botnet?

A bot is a single program or device that performs tasks automatically, in the security context a hijacked system under someone else's control. A botnet is the association of many such bots that are controlled via a shared infrastructure. The numbers are what make it dangerous: only thousands of coordinated devices make effective DDoS attacks or large-scale spam sending possible.

How can I tell that my company's devices are part of a botnet?

Indications are outbound connections to unknown destinations, communication over unusual ports, increased load for no discernible reason, or your own IP addresses being added to spam blocklists. More reliable than individual symptoms is the systematic monitoring of outbound traffic. Conspicuous communication patterns from IoT devices deserve particular attention, because no endpoint protection can be installed on them.

What is a command-and-control server?

The command-and-control server, C2 for short, is the control centre of a botnet. Infected devices report to it, receive commands and deliver results. Modern botnets disguise this infrastructure through constantly changing domains or distribute control across the bots themselves. Detecting C2 communication in outbound traffic is therefore one of the most effective approaches against an infestation.

Why are IoT devices so often part of botnets?

Many IoT devices are operated with factory passwords, rarely receive security updates and are permanently connected to the network. A protection program usually cannot be installed on them at all. Attackers scan the internet automatically for such devices and take them over in large numbers. In 2016, the Mirai botnet impressively demonstrated the attack power that arises from this combination.

How do you protect yourself against DDoS attacks from botnets?

Effective protection filters attack traffic before it reaches your own infrastructure. Cloud-based services spread the load across global networks and separate automated requests from real users. Local bandwidth alone is not enough against large botnets. It is also sensible to have an emergency plan that regulates responsibilities and communication paths for the event of an attack before it occurs.

Want to put this into practice in your own network? Talk to KAEMI, aligned to your requirements and with operations from a single source.