What is a botnet? Two different DDoS attacks compared

On September 25th, a member faced a Distributed Denial of Service (DDoS) attack from 69,081 unique attackers that lasted for 8 minutes. The attack shut down the targeted service, though it only peaked at 74 Mbps, which is likely slower than your home internet connection. The problem wasn’t throughput but rather the number of packets, in this case 184,000 packets per second, which easily overwhelms many firewalls and web servers, though we had no measurable impact on our ISP-grade equipment.

Each of those 69,081 addresses represents an infected computer, though its owner is most likely unaware it has been compromised. But how does a disparate group of infected computers act cohesively? A botnet is born when the malware on each machine communicates with a Command and Control (C&C) system. The cyber criminals behind the botnet are able to distribute commands to the bots so that they all act in unison. Generally speaking, the available commands are limited to various types of DDoS attack or sending spam email.

A botnet’s greatest weakness is its reliance on domain names. Malware analysis quickly reveals these domain names so that you can work toward shutting them down and effectively cripple or disable the botnet. Regular readers know we have recently started actively blocking malicious domains via DNS. Many countries do not assist with shutting down these botnets, therefore the only fix is blocking the domain.

Shutting Down Botnets

I assisted in shutting down a botnet. It may have been small, but the process is the same regardless of size. I was 100% certain I had a virus even though VirusTotal did not consider it malicious. After analyzing the malware, I discovered the C&C domain, and after port scanning the service, I found an IRC server running in Europe. I connected to the IRC server and found a botnet with about 1,000 infected bots. Since it was clearly an IRC C&C, I reported my discovery to the hosting company, who happily shut down the botnet.

Admittedly, a thousand hosts is a small botnet, but not all bots are online all the time, so it’s difficult to say how many shut-down or idle computers are also members. Though it’s difficult to estimate the potential size of this botnet, we know that small groups can be mighty.

September 28th

Case in point: at midnight on the 28th another member was targeted by a DDoS attack. This time a completely different technique was used, by only 366 bots in the botnet. However, the attack size was 550.8 Mbps and 158,100 packets per second, which, though similar to the attack on the 25th in terms of packets per second, was nearly 10 times the size due to the larger packet sizes.
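As an added worked example (not code from the original post), the following Python script derives the figures that actually separate the two attacks: average packet size and the bandwidth each bot contributes. The 128-byte threshold that labels a flood as packet-rate versus bandwidth, and the sample flow records, are assumptions of this example.

```python
# Added example, not from the original post: derive the numbers an operator
# compares when two floods look alike on packet rate but differ on bandwidth.
from __future__ import annotations
from collections import Counter
from dataclasses import dataclass

# Assumed threshold: floods built from packets this small are stressing
# per-packet processing (firewall state, web-server accept queues), not the link.
SMALL_PACKET_BYTES = 128


@dataclass
class AttackProfile:
    unique_sources: int
    pps: float              # packets per second
    mbps: float             # megabits per second
    avg_packet_bytes: float
    kbps_per_source: float  # average contribution of one bot
    kind: str


def profile_from_rates(sources: int, pps: float, mbps: float) -> AttackProfile:
    """Build a profile from the headline rates a DDoS report usually quotes."""
    if sources <= 0 or pps <= 0 or mbps <= 0:
        raise ValueError("sources, pps and mbps must be positive")
    avg_bytes = mbps * 1e6 / 8 / pps
    kind = "packet-rate flood" if avg_bytes < SMALL_PACKET_BYTES else "bandwidth flood"
    return AttackProfile(sources, pps, mbps, avg_bytes, mbps * 1000 / sources, kind)


def profile_from_flows(flows) -> AttackProfile:
    """flows: (timestamp_s, source_ip, packet_bytes) records, e.g. from a flow export."""
    if len(flows) < 2:
        raise ValueError("need at least two records to measure a rate")
    times = [t for t, _, _ in flows]
    seconds = max(times) - min(times) or 1.0   # collapse a zero span to one second
    sources = len(Counter(ip for _, ip, _ in flows))
    pps = len(flows) / seconds
    mbps = sum(b for _, _, b in flows) * 8 / seconds / 1e6
    return profile_from_rates(sources, pps, mbps)


# Constructed sample records (documentation-range addresses), not real capture data.
SAMPLE_FLOWS = [(0.0, "198.51.100.7", 60), (0.5, "198.51.100.8", 60),
                (1.0, "198.51.100.7", 60), (1.5, "198.51.100.9", 60),
                (2.0, "198.51.100.8", 60)]

if __name__ == "__main__":
    # The two attacks described in the post, from their quoted rates.
    for label, p in (("25th", profile_from_rates(69081, 184000, 74.0)),
                     ("28th", profile_from_rates(366, 158100, 550.8)),
                     ("sample", profile_from_flows(SAMPLE_FLOWS))):
        print(f"{label}: {p.kind}, {p.avg_packet_bytes:.0f} B/packet, "
              f"{p.kbps_per_source:.1f} kbps per source, {p.unique_sources} sources")
```

Run against the post’s figures it shows the 25th as roughly 50-byte packets at about 1 kbps per bot, and the 28th as roughly 435-byte packets at about 1.5 Mbps per bot.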

The target of the DDoS was a residential user with a dynamically assigned address. The intent or motive is unknown, but we assume the target is a victim. Previous investigations of similar attacks indicate that the victim was targeted because they had installed a Pinyin language keyboard and transcription software.

The important note is that even 366 bots have enough resources to execute a large attack. The botnet I assisted in shutting down was much larger and no doubt more capable, so we shouldn’t downplay the significance of taking it offline despite it initially seeming small and unworthy of attention. It only takes a tiny bit of effort to discover malicious domains and report them. Hosting companies are more than happy to shut down these malevolent forces. Be a good neighbour: investigate your malware!