As a term, botnet is a combination of two words: robot and network. Basically, a botnet is a group or network of computers or other devices that are internet-connected. Using malware, a hacker infects these devices and turns them into an army of minions, who then mindlessly execute their orders.
Botnet attacks are becoming increasingly common and complex. But what exactly are they? How do they work, what can they do, and most importantly, how can you prevent them? This article breaks down these and other botnet attack questions.
Botnet attacks use a command and control model to allow one or more hackers to drive the actions of those devices (often called ‘zombie bots’) from a remote location. The more devices that have been infected with the attacker’s malware, the stronger the attack is likely to be.
Any device capable of accessing the internet could be used as a zombie bot in a botnet attack that puts enterprises in jeopardy. This is especially true if the device doesn’t receive regular antivirus software updates.
All of the five main classes of Internet of Things (IoT) applications can present security risks, including consumer, commercial, industrial, smart city infrastructure, or military arenas. In each of those fields, the market is flooded with IoT devices, many of which are lacking in security.
Vulnerable devices may include:
Computers
Mobile phones
Tablets
Network routers
Web servers
Wearables like smartwatches and fitness trackers
Web-enabled smart home devices
Security cameras
Doorbell cameras
Televisions
Thermostats
Speakers
Cybercriminals can inflict considerable damage by themselves or with a small team. However, many are willing to spend just a little time and money to develop a botnet attack that leverages their efforts by leaps and bounds.
Botnet attacks are far more dangerous than single malware attacks because rather than infecting a single device, botnets infect hundreds, thousands, or even millions of connected devices at once. This poses an exponential threat that is much harder to stop.
Making them even more evasive is the fact that the attacker can use incoming software updates from infected devices to redirect or scale up their attack on the fly. This helps attackers stay ahead of countermeasures employed by their victims.
Armed with a large force of zombie bots, a single attacker can do more than compromise whole networks. They can quickly replicate and distribute their malware, hijacking growing numbers of devices as unwilling recruits.
Botnet attacks can be carried out by a single person or team. Either way, a force of zombie bots is controlled by the bot herder, which is the individual or group driving the attack. The bot herder can build their own botnet from scratch or rent it from other bad actors (sometimes dubbed “malware-as-a-service,” or MaaS).
Once infected, zombie bots are anonymously controlled via a centralized client-server model or decentralized peer-to-peer (P2P) model.
A centralized botnet attack is executed by a single server functioning as the bot herder. There may be a hierarchy of proxy or sub-herding servers set up under it, but the commands originate from the bot herder server.
The centralized approach is a bit outdated. As you can imagine, identifying and shutting down one centralized server is much easier than locating and stopping an attack when the commands are deployed by multiple zombie bots.
In a decentralized botnet attack, the responsibility for giving instructions is embedded across all the bots in the botnet. If the attacker can communicate with any one of them, the malware can still be propagated through the other hijacked devices.
As you can imagine, the P2P framework makes it much harder to identify the person or people in control. Because of this, the decentralized model is much more widely used.
There are three basic steps to carrying out a botnet attack.
Find a vulnerability
Infect user devices
Mobilize the attack
Any vulnerability in a website or application can provide an opening for botnet attackers. Sometimes, inadvertent user behavior creates that vulnerability. No matter the source of the vulnerability, the attacker's objective is to find a way to exploit it.
This is where unsuspecting users are hijacked into becoming zombie bots via malware delivery. One example of a delivery method includes spamming and social engineering, where attackers send emails or other messages that trick users into downloading malware, such as a Trojan virus.
There are a number of delivery methods that would be considered bolder, but whatever they choose, the attacker’s goal is to breach your security by breaching the security of a handful of users.
Once a few devices are infected, the botnet attacker is able to network them together so they can be controlled remotely. Their ultimate goal is to hijack as many devices as they can so that they inflict as much damage as possible.
Let’s look at the kind of damage botnet attacks can do.
Cybercriminals employ botnet attacks for a number of reasons, with money and power usually at the root of their strategy. Once they have control of zombie devices, they can access operations normally reserved for admin-level users, such as:
Monitoring user activity
Collecting user data
Installing and operating applications
Transferring sensitive data or files
Identifying vulnerabilities in other network devices
Reading and writing data in the system
With these abilities now under their control, an attacker could use them for ad-hoc crimes, including:
Stealing money outright
Extorting payments
Mining for cryptocurrency
Stealing confidential account data
Selling their stolen access to others
Many times, botnet attacks are used to enable a secondary scheme. Once they’re in control, there are a handful of standard tactics attackers might use to do so, depending on their ultimate goal.
Email spam and phishing scams go hand-in-hand. These social engineering tactics are extremely common methods for enticing and then tricking users into giving up login credentials or other sensitive information. If phishing is successful, it may grant access to the victim’s device, adding it to the botnet.
DDoS is one of the most common types of botnet attacks. Under DDoS, an attacker inundates a network with heavy traffic with the goal of disrupting service.
One notorious example of this is the 2016 Mirai botnet attack, which managed to take down a major domain name service provider. Mirai caused performance disruptions and complete outages of services including Netflix, Twitter, CNN, and others. It also affected an entire country (Liberia) and several of Russia’s biggest banks.
Brute force is used when the attacker doesn’t have access to their target’s login passwords. So instead, they try to seize them by force. Credential stuffing and dictionary attacks may be used to take advantage of weak user passwords and gain access to the associated data.
Before we discuss prevention, consider the following statistics:
By 2023, it’s estimated that there will be 43 billion internet-connected devices in use (McKinsey).
In 2021, the average costs associated with data breach rose 10% from the previous year, to $4.24 million (IBM).
Consider the costs of a data breach magnified by the sheer number of potentially vulnerable devices, and the urgency to protect your organization becomes clear. So when it comes to avoiding botnet attacks specifically, where should you start?
This is not an exhaustive list, but it does include some best practices to consider.
Keep all systems updated. Botnets are designed to exploit vulnerabilities in your network, which includes unpatched security risks in connected devices. Keep those devices more secure by installing antivirus and other software updates and patches as soon as they become available. Even if they’re not actively used, all hardware and legacy devices should be kept up to date.
Provide user awareness training. Make sure employees and other users of your network know how to identify and avoid falling victim to spam, phishing, and unsecure links. It only takes one bad click to put your network at risk.
Multi-factor authentication (MFA). MFA allows password-only logins to be replaced by faster and more secure login experiences when accessing applications or websites enabled with specific Fast Identity Online (FIDO) standards.
FIDO2 – Users choose a FIDO Security Key or biometric authentication method (such as a fingerprint or face identification) to authenticate
Universal Authentication Framework (UAF) – Users choose a biometric authentication method for their device and uses it to authenticate
Universal Second Factor (U2F) – The user inserts a USB key into any USB port and touches a button to authenticate
Monitor network traffic. Keeping a close eye on traffic flow and volume can help you identify potential data leaks and DDoS attacks before they get too far. PingOne Risk and PingIntelligence for APIs can help you with this.
Adopt a passwordless environment. Security architects need to consider the amount of friction (passwords, other authentication factors) required for a given experience. Going passwordless can allow you to create the best user experience possible without giving up security.
Implement zero trust. This is today’s most advanced approach to cybersecurity. Instead of the previous standard of a perimeter-centric network (“trust but verify”), a zero trust model assumes that security threats already exist within your enterprise, requiring continuous trust assessments across each device, application, and user (“never trust, always verify”).
Ping Identity can help you secure your workforce while protecting your enterprise with frictionless access. Click the link for the ultimate guide.
Start Today
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a FREE Demo