Automated attacks are a growing threat as cybercriminals attempt to scale their operations and increase revenue. Understanding what a bot is, and how to identify and protect against one, is essential to organizational cybersecurity.
This is even more true in recent years as the number of botnets in operation continues to grow. In 2019, the number of botnet command and control (C2) servers jumped by almost three-quarters, demonstrating that cybercriminals are increasingly taking advantage of botnets to maximize the impact of their attacks.
Inside a Botnet
At its core, a botnet is a collection of computers under the control of a cybercriminal. The cybercriminal sends commands to these computers using a C2 server and receives responses from the devices.
This allows a botnet to be used for a variety of different purposes. A cybercriminal can use one to maximize the impact of their scanning and reconnaissance efforts since each bot can perform scans independently and may be inside of firewalls.
Alternatively, bots can be used to collect data from their target machines, which is then aggregated and analyzed by the C2 server to determine the cybercriminal’s next move. Bots can also be used in credential stuffing or other automated attacks, where a number of different IP addresses and machines may be necessary to allay the target’s suspicions.
Botnets are a growing threat to modern organizations because they have become so easy for an attacker to build. The Internet of Things (IoT) is growing, and IoT devices are known for having extremely poor security. The Mirai botnet, which included over 400,000 devices at its peak, was built by malware that simply tried to log into different devices using a list of 61 common username and password combinations. Alternatively, an attacker may exploit a vulnerability in an IoT device since these devices are typically exposed to the Internet (to enable them to be controlled by a smartphone) and no one ever thinks to perform software updates or install an antivirus on their lightbulb or toaster.
For those would-be cybercriminals without the technical knowledge to exploit a large quantity of IoT devices, the advent of cheap cloud computing provides a viable alternative. A hacker can lease cloud computing resources from a number of providers and use them to perform their attacks.
The result of all of this easy access to computational resources is that it has become cheaper and easier to build a botnet and use it for malicious purposes. It is now extremely common for cybercriminals to operate Distributed Denial of Service (DDoS)-for-hire services, where a cybercriminal sells their services and the use of a botnet to customers for a very affordable price. As operating a botnet becomes cheaper and more profitable, the number and size of botnets in operation have skyrocketed.
The Growing Botnet Threat
Every botnet needs a C2 server to send the commands of the bot herder to the bots. While the same operator may use multiple C2 servers, the number of botnet C2 servers in operation gives a rough estimate of the popularity of botnets in cyberattacks.
In 2019, the number of botnet C2 servers skyrocketed compared to previous years. A total of 17,602 botnet C2 servers were detected and blocked that year by Spamhaus, which tracks the domain names and IP addresses of malicious C2 servers. This represents 71.2% growth over 2018, when only 10,263 C2 servers were detected and blocked by the service.
The growing number of botnet C2 servers indicates that the use of botnets is increasingly common in the current cyber threat landscape. Since computing power is readily available in the form of insecure IoT devices and cheap cloud computing, cybercriminals can easily build botnets for use in Distributed Denial of Service (DDoS) attacks, spamming, and other malicious activities that require access to a large number of machines to perform.
However, C2 servers are not only used to control botnets performing large-scale attacks. In fact, over 60% of the detected C2 servers were associated with credential-stealing malware. In these cases, a botnet C2 server may be used to collect stolen credentials from malware and pass them on to bots to perform credential stuffing attacks.
The growth of botnets impacts the security of both the owner of each bot and the organizations that are targeted in their attacks. Protecting against becoming part of a botnet, by securing potentially vulnerable devices, and protecting against botnets’ attacks are both important for organizational security.
Protecting Against Bot-Driven Attacks
Bots are used for a number of different malicious purposes, and the use of botnets is becoming more common. Cheap and easily accessible computational power makes it easy for cybercriminals to build large botnets and use them in attacks.
For many of the most common bot-driven attacks, like DDoS and credential stuffing attacks, it is possible to detect and block this malicious traffic. Bots commonly have behaviors that differ greatly from human users, whether in the rate of requests, the identifying characteristics of the browser being used, or how a user or bot navigates a webpage.
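As an added illustration of the three signals just described (not code from the original article), the following Python detector scores constructed web access-log lines on request rate, browser identity (user-agent) and login-page navigation; the log format, thresholds and user-agent prefixes are assumptions:

```python
import re
from collections import defaultdict

# Constructed sample access log (not from the article): ip [HH:MM:SS] "METHOD path" status "user-agent"
SAMPLE_LOG = """\
203.0.113.7 [10:00:00] "GET /login" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/89.0"
203.0.113.7 [10:00:00] "GET /static/app.css" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/89.0"
203.0.113.7 [10:00:09] "POST /login" 200 "Mozilla/5.0 (Windows NT 10.0) Firefox/89.0"
198.51.100.4 [10:00:01] "POST /login" 401 "python-requests/2.25.1"
198.51.100.4 [10:00:01] "POST /login" 401 "python-requests/2.25.1"
198.51.100.4 [10:00:02] "POST /login" 401 "python-requests/2.25.1"
198.51.100.4 [10:00:03] "POST /login" 401 "python-requests/2.25.1"
"""
LINE_RE = re.compile(r'^(\S+) \[(\d\d):(\d\d):(\d\d)\] "(\w+) (\S+)" (\d{3}) "([^"]*)"$')
# User-agent prefixes typical of scripted clients (assumed list); an empty user-agent is treated the same way
AUTOMATION_UA_PREFIXES = ("python-requests", "curl", "go-http-client")

def parse(log_text):
    """Yield (ip, seconds, method, path, status, ua) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, h, mi, s, method, path, status, ua = m.groups()
            yield ip, int(h) * 3600 + int(mi) * 60 + int(s), method, path, int(status), ua

def score_sources(log_text, window=10, max_rate=3, max_fail=3):
    """Return {ip: [reasons]} for sources whose traffic looks automated (rate, identity, navigation)."""
    per_ip = defaultdict(list)
    for rec in parse(log_text):
        per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        reasons = []
        times = sorted(r[1] for r in recs)
        # Rate: more than max_rate requests inside any window-second span
        if any(sum(t <= u < t + window for u in times) > max_rate for t in times):
            reasons.append("request rate")
        # Browser identity: scripted or missing user-agent string
        if any(r[5] == "" or r[5].lower().startswith(AUTOMATION_UA_PREFIXES) for r in recs):
            reasons.append("automation user-agent")
        # Navigation: submitting the login form without ever loading the login page
        posted = any(r[2] == "POST" and r[3] == "/login" for r in recs)
        if posted and not any(r[2] == "GET" and r[3] == "/login" for r in recs):
            reasons.append("login POST without page load")
        # Outcome: repeated failed logins, the footprint of credential stuffing
        if sum(r[3] == "/login" and r[4] == 401 for r in recs) >= max_fail:
            reasons.append("repeated login failures")
        if reasons:
            flagged[ip] = reasons
    return flagged
```

In the sample, the browser-driven source loads the page and its stylesheet before one submission and is left alone, while the scripted source trips all four signals.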
Deploying defenses against bot-driven attacks can help protect an organization from exploitation and from valuable resources being wasted by bot-related traffic. A web application firewall (WAF) with bot detection based upon behavioral analysis of network traffic can be a significant asset in an organization’s cybersecurity defensive strategy.