In October 2016, the Mirai botnet took down domain name system provider Dyn, waking much of the world up to the fact that Internet of Things devices could be weaponized in a massive distributed denial of service (DDoS) attack. Although DDoS attacks have been around since the early days of the modern internet, IT communities around the globe came to realize that IoT devices could be leveraged in botnet attacks to go after all kinds of targets.
In the case of Dyn, the attack took huge chunks of the web offline, because Dyn provided authoritative DNS for many large sites: when its name servers could no longer answer queries, browsers could not translate those sites' hostnames into IP addresses. The attack temporarily cut off access to Twitter, Netflix, Spotify, Box, GitHub, Airbnb, reddit, Etsy, SoundCloud and other sites.
The rising prominence of botnets in DDoS attacks also prompted the federal government to take a stronger interest. President Donald Trump’s May 2017 executive order on cybersecurity directed the secretaries of Commerce and Homeland Security to lead “an open and transparent process to identify and promote action by appropriate stakeholders” that would improve the resilience of the internet and encourage collaboration around the goal of “dramatically reducing threats perpetrated by automated and distributed attacks (e.g., botnets).”
In late May 2018, the departments of Commerce and Homeland Security issued a final report on the topic, which included numerous recommendations for agencies to mitigate DDoS attacks and botnet threats.
The government, the report says, “should leverage industry-developed capability baselines, where appropriate, in establishing capability baselines for IoT devices in U.S. government environments to meet federal security requirements, promote adoption of industry-led baselines, and accelerate international standardization.”
Among numerous other measures, the report says that agencies should put in place basic DDoS prevention and mitigation measures for all federal networks, and ensure they are not used to amplify DDoS attacks.
Before federal IT leaders and professionals put mitigation and prevention measures in place, it is worth taking time to understand the nature of the threat. Here is a primer on DDoS attacks, botnets, the damage they can do and how agencies can guard against them.
What Is a DDoS Attack?
A DDoS attack is a cyberattack in which multiple compromised systems attack a given target, such as a server or website, to deny users access to that target.
Attackers typically build the attack from compromised devices (desktops, laptops, smartphones or IoT devices) and command them to generate traffic toward a website in order to disable it, in ways the device's owner usually does not notice.
“The smart cybercriminal imposes limits on the malware code to avoid detection by not utilizing too much of the user’s bandwidth or system resources,” Carl Danowski, a CDW service delivery architect in managed services, writes in a blog post. “The user would have to know where to look to detect this, and probably won’t be motivated to as long as the software doesn’t cause any problems for them. The attack does not use just a single system but millions of such compromised systems, nearly simultaneously.”
The malware then either issues application-level requests (OSI Layer 7, such as HTTP requests or DNS queries) or floods the target with raw network packets (Layers 3 and 4, such as SYN or UDP floods) aimed at the website or its DNS provider. To most security tools, any single bot's traffic looks like normal requests or ordinary failed connection attempts; it is the aggregate that does the damage.
“However, the website soon becomes unavailable as some part of the infrastructure can no longer handle the sheer number of simultaneous requests,” Danowski notes. “It could be the router, the firewall, the web servers, the database servers behind the web servers — any number of points can become overwhelmed, leading to the unavailability of the service they are providing. As a result, legitimate users of the website are denied service.”
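To make that last point concrete, here is an added example (it is not from the original article or from CDW) that runs two simple rules over a constructed web access log: a per-source rate limit of the kind a WAF applies, and an aggregate check against the backend's capacity. The log lines, the thresholds PER_IP_LIMIT and CAPACITY, and the IP ranges are all assumptions made up for the example. Two hundred bots making two requests each never trip the per-IP rule, yet together they exceed what the backend can serve, which is exactly why distributed attacks defeat per-client limits.

```python
from collections import Counter

WINDOW = 10          # seconds per bucket
PER_IP_LIMIT = 50    # requests per window one client may make (assumed per-source rule)
CAPACITY = 100       # requests per window the backend can absorb (assumed for the example)


def build_sample_log():
    """Constructed access log, 'epoch_seconds client_ip method path status' per line.

    Five legitimate clients make 20 requests between them; 200 bots make two
    requests each against an expensive search endpoint.  Every source stays
    far below PER_IP_LIMIT, which is the point of the example.
    """
    base = 1717000000  # divisible by WINDOW, so all lines land in one bucket
    lines = [f"{base + i % WINDOW} 10.0.0.{i % 5 + 1} GET /index.html 200" for i in range(20)]
    for bot in range(1, 201):
        for k in range(2):
            lines.append(f"{base + (bot + k) % WINDOW} 198.51.100.{bot} GET /search?q=x 200")
    return lines


def parse_log(lines):
    records = []
    for line in lines:
        t, ip, method, path, status = line.split()
        records.append({"t": int(t), "ip": ip, "method": method,
                        "path": path, "status": int(status)})
    return records


def requests_per_window(records, key=None):
    """Requests per WINDOW bucket, optionally split by key(record), e.g. client IP."""
    counts = Counter()
    for r in records:
        counts[(key(r) if key else None, r["t"] // WINDOW)] += 1
    return counts


def noisy_sources(records):
    """Per-source rule: clients that exceed PER_IP_LIMIT in some window."""
    per_ip = requests_per_window(records, key=lambda r: r["ip"])
    return sorted({ip for (ip, _), n in per_ip.items() if n > PER_IP_LIMIT})


def saturated_windows(records):
    """Aggregate rule: windows where total demand exceeds CAPACITY, whoever sent it."""
    return sorted(b for (_, b), n in requests_per_window(records).items() if n > CAPACITY)


def distinct_sources(records, bucket):
    """How many different clients were active in a given window."""
    return len({r["ip"] for r in records if r["t"] // WINDOW == bucket})


def top_paths(records, n=3):
    """Which endpoints carried the load; a flood of one expensive path is a strong tell."""
    return Counter(r["path"] for r in records).most_common(n)


if __name__ == "__main__":
    recs = parse_log(build_sample_log())
    print("per-IP rule flags:", noisy_sources(recs) or "nothing")
    for b in saturated_windows(recs):
        print(f"window {b}: {distinct_sources(recs, b)} sources, paths {top_paths(recs)}")
```

Run stand-alone, the per-IP rule flags nothing while the aggregate rule reports one saturated window with 205 distinct sources, almost all of them hitting the same search path. That combination (many sources, low per-source rate, one hot endpoint) is the signature to alert on, and it argues for capacity-based and path-based controls rather than per-client limits alone.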
As the DHS/Commerce report notes, DDoS attacks have been a concern since the early days of the internet and were a regular occurrence by the early 2000s. Botnets, the report adds, can “overwhelm networked resources, sending massive quantities of spam, disseminating keylogger and other malware.”
What Is a Botnet Attack?
Botnet attacks are closely related to DDoS attacks. Not all botnets are malicious: a botnet is simply a group of connected computers coordinated to carry out repetitive tasks, such as the crawlers search engines use to index the web. Malicious botnets, however, use malware to take control of internet-connected devices and then direct them as a group to attack.
“More often than not, what botnets are looking to do is to add your computer to their web,” a blog post from anti-virus firm Norton notes. “That usually happens through a drive-by download or fooling you into installing a Trojan horse on your computer. Once the software is downloaded, the botnet will now contact its master computer and let it know that everything is ready to go. Now your computer, phone or tablet is entirely under the control of the person who created the botnet.”
Malicious botnets are often used to launch DDoS attacks, as well as to send spam, generate fraudulent traffic for financial gain and scam victims.
The rise of the IoT makes botnets more dangerous and potentially virulent. The IoT means there are simply many more (usually unsecured) connected devices for attackers to target. As a result, the DHS/Commerce report notes, “DDoS attacks have grown in size to more than one terabit per second, far outstripping expected size and excess capacity. As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved.”
Further, the report adds, traditional DDoS mitigation techniques, such as network providers building in excess capacity to absorb the effects of botnets, “were not designed to remedy other classes of malicious activities facilitated by botnets, such as ransomware or computational propaganda.”
Botnet Detection and Removal Tools
Botnet detection can be difficult, since bots are designed to operate without the device's user noticing them. A blog post from CA Technologies suggests several symptoms of botnet infection that administrators should look for. These include:
- Internet Relay Chat traffic (many botnets, especially older ones, use IRC channels for command and control)
- Connection attempts to known command-and-control servers
- Multiple machines on a network making identical DNS requests
- High outgoing Simple Mail Transfer Protocol traffic (as a result of sending spam)
- Unexpected pop-ups (as a result of click-fraud activity)
- Slow performance or high CPU usage, and spikes in traffic, especially on port 6667 (IRC), port 25 (SMTP, used for spamming) and port 1080 (SOCKS proxies)
- Outbound messages (email, social media, instant messages, etc.) that weren’t sent by the user
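The list above translates directly into detection logic. The following is an added example, not code from CA Technologies or from the original article, that applies several of those symptoms to constructed connection and DNS records: connections to a hypothetical C2 indicator list, traffic on ports 6667 and 1080, outbound SMTP volume from hosts that are not the mail relay, and the same DNS name resolved by several hosts. The indicator addresses, the mail-server allowlist, the thresholds and every log line are assumptions made up for the example; in practice the indicators come from a threat feed and the thresholds from your own baseline (many legitimate names, such as update services, are also looked up by every host, so the shared-query rule needs an allowlist before it is useful).

```python
from collections import Counter, defaultdict

# Indicator data.  The C2 addresses and the mail-server allowlist are
# hypothetical placeholders for this example, not real indicators.
KNOWN_C2 = {"203.0.113.7", "203.0.113.99"}
MAIL_SERVERS = {"10.0.0.25"}          # hosts that are allowed to send SMTP directly
SUSPECT_PORTS = {6667: "IRC (tcp/6667)", 1080: "SOCKS proxy (tcp/1080)"}
SMTP_THRESHOLD = 20                   # outbound SMTP connections per host before alerting
SHARED_QUERY_MIN_HOSTS = 3            # same name looked up by this many hosts


def build_sample_logs():
    """Constructed flow and DNS records: 'src dst proto dport' and 'src qname'."""
    conn = [
        "10.0.0.12 203.0.113.7 tcp 443",      # beacon to a listed C2 address
        "10.0.0.12 198.51.100.20 tcp 6667",   # IRC from a workstation
        "10.0.0.13 198.51.100.21 tcp 80",     # ordinary web browsing
        "10.0.0.14 203.0.113.99 tcp 8080",    # another C2 hit, non-standard port
        "10.0.0.15 192.0.2.1 tcp 1080",       # lone SOCKS connection, weak signal
    ]
    conn += [f"10.0.0.16 192.0.2.{i % 50 + 1} tcp 25" for i in range(25)]  # workstation spamming
    conn += [f"10.0.0.25 192.0.2.{i % 50 + 1} tcp 25" for i in range(40)]  # the real mail relay
    dns = [
        "10.0.0.12 cdn-update.example.test",  # three hosts resolve the same odd name
        "10.0.0.14 cdn-update.example.test",
        "10.0.0.17 cdn-update.example.test",
        "10.0.0.13 www.example.com",          # two hosts sharing a name stays below threshold
        "10.0.0.15 www.example.com",
    ]
    return conn, dns


def parse_conn(lines):
    out = []
    for line in lines:
        src, dst, proto, dport = line.split()
        out.append((src, dst, proto, int(dport)))
    return out


def parse_dns(lines):
    return [tuple(line.split()) for line in lines]


def detect(conn, dns):
    """Apply the symptom list and return (host, rule, detail) findings."""
    findings = []
    smtp = Counter()
    for src, dst, proto, dport in conn:
        if dst in KNOWN_C2:
            findings.append((src, "known-c2", dst))
        if dport in SUSPECT_PORTS:
            findings.append((src, "suspect-port", SUSPECT_PORTS[dport]))
        if dport == 25 and src not in MAIL_SERVERS:
            smtp[src] += 1
    for src, n in smtp.items():
        if n >= SMTP_THRESHOLD:
            findings.append((src, "smtp-volume", f"{n} outbound SMTP connections"))
    by_name = defaultdict(set)
    for src, qname in dns:
        by_name[qname].add(src)
    for qname, hosts in by_name.items():
        if len(hosts) >= SHARED_QUERY_MIN_HOSTS:
            for h in sorted(hosts):
                findings.append((h, "shared-dns-query", qname))
    return findings


def rules_by_host(findings):
    rules = defaultdict(set)
    for host, rule, _ in findings:
        rules[host].add(rule)
    return rules


def corroborated_hosts(findings, min_rules=2):
    """Hosts tripping at least min_rules distinct rules: one symptom is often
    noise, two or more is worth pulling the machine for a closer look."""
    return sorted(h for h, r in rules_by_host(findings).items() if len(r) >= min_rules)


if __name__ == "__main__":
    conn, dns = build_sample_logs()
    findings = detect(parse_conn(conn), parse_dns(dns))
    for f in findings:
        print(*f)
    print("investigate first:", corroborated_hosts(findings))
```

On the sample data the spamming workstation trips only the SMTP rule and the lone SOCKS connection only the port rule, while two hosts that both beacon to a listed address and resolve the same unfamiliar name are corroborated by more than one rule and go to the top of the queue. Ranking by the number of independent symptoms is a cheap way to keep a symptom list like CA's from drowning analysts in single-rule noise.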
Some tools, such as CDW’s Threat Check tool, perform passive inspection of all inbound and outbound network traffic and look for evidence of malicious activity. “It will not block any traffic but simply monitor and report on what it sees. This includes connections to botnets, connections to command and control servers, remote access tools, visits to sites hosting malicious code, or any other evidence of an infection,” Aaron Colwell, manager of strategic software sales for the analytics practice at CDW, writes on CDW’s solutions blog.
“Botnet detection is useless without having botnet removal capabilities,” the CA blog notes. “Once a bot has been detected on a computer, it should be removed as quickly as possible using security software with botnet removal functionality.”
A Brief History of DDoS Attacks: Reaper, Zeus and Mirai Botnets
In recent years, there have been several high-profile botnet attacks that have rocketed around the internet, causing varying levels of devastation to IT environments.
According to CSO Online, the Mirai botnet was created by Paras Jha, then an undergraduate at Rutgers University, together with two associates. Jha had become interested in how DDoS attacks could be turned to profit, in particular by knocking rival servers hosting the online game Minecraft offline.
Mirai's first headline attack knocked the security blog KrebsOnSecurity offline in September 2016, and its source code was published online a few weeks later. Then came the attack on Dyn. “The FBI believes that this attack was ultimately targeting Microsoft game servers,” which can be hosted and used to generate money from Minecraft players, CSO reports. The malware spread to vulnerable devices “by continuously scanning the Internet for IoT systems protected by factory default usernames and passwords,” Krebs reports.
An illustration of the global Mirai botnet attack on DNS provider Dyn in October 2016. Photo: Joey Devilla/Wikimedia Commons
Another recent botnet that made waves is Reaper, which is built on parts of Mirai’s code. However, as Wired details, it differs in dangerous ways. “Instead of merely guessing the passwords of the devices it infects, it uses known security flaws in the code of those insecure machines, hacking in with an array of compromise tools and then spreading itself further,” the publication reports, meaning that it could “become even larger — and more dangerous — than Mirai ever was.” Reaper was first reported by security researchers in the fall of 2017, and in January 2018 it was used to target financial services firms in the Netherlands, Security Week reports.
In 2014, the GameOver Zeus botnet rose to prominence, and was “responsible for the theft of millions of dollars from businesses and consumers in the U.S. and around the world,” according to the FBI.
“GameOver Zeus is an extremely sophisticated type of malware designed specifically to steal banking and other credentials from the computers it infects,” the FBI noted. “It’s predominantly spread through spam e-mail or phishing messages.”
In February 2015, the FBI announced a $3 million bounty for information leading to the arrest and conviction of Evgeniy Mikhailovich Bogachev, a Russian national the government believes is responsible for building and distributing the Zeus banking Trojan.
How Feds Can Respond to the Botnet Threat
The DHS/Commerce report offers agencies guidance on how they can combat DDoS and botnet attacks.
First, the report says that stakeholders and subject matter experts, in consultation with the National Institute of Standards and Technology, should lead the development of a profile of the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) for enterprise DDoS prevention and mitigation.
“The profile would help enterprises identify opportunities to improve DDoS threat mitigation and aid in cybersecurity prioritization by comparing their current state with the desired target state,” the report says. “The profile would likely include multiple levels to support industry sectors with different resilience requirements.”
After that is created, the report says agencies “should implement basic DDoS prevention and mitigation measures for all federal networks to enhance the resilience of the ecosystem and demonstrate the practicality and efficacy of the profile.”
In the past, the report notes, “hackers have leveraged federal networks in DDoS attacks using open resolvers and other agency resources to amplify their attacks.” DNS translates hostnames to IP addresses (and IP addresses back to hostnames), and, as TechTarget notes, DNS resolvers are “servers that client systems use to resolve domain names.” An open resolver is a recursive resolver that answers queries from any source on the internet rather than only its own clients. Because DNS normally runs over UDP, which does not verify the sender's address, an attacker can send small queries with the victim's address forged as the source; the resolver then sends its much larger responses to the victim, multiplying the attacker's bandwidth many times over.
The report says that “poorly administered enterprise resources, such as open DNS resolvers, are often leveraged to amplify attacks.” Many network vendors, including Cisco Systems, offer agencies and other organizations best practices for guarding against DNS attacks.
“The federal government should lead by example, ensuring that federal resources are not unwitting participants and that federal networks are prepared to detect, mitigate, and respond as necessary,” the DHS/Commerce report states.
The administration should mandate implementation of the federal cybersecurity framework profile for DDoS prevention and mitigation by all government agencies within a fixed period after completion and publication of the profile, the report advises.
“The federal government should evaluate and implement effective ways to incentivize the use of software development tools and processes that significantly reduce the incidence of security vulnerabilities in all federal software procurements, such as through attestation or certification requirements,” the report adds.
To establish market incentives for secure software development, the government should “establish procurement regulations that favor or require commercial off-the-shelf software that is developed using such processes, when available,” and “should also ensure that government-funded software development projects use the best available tools to obtain insight into the impact of these regulations.”