What is a botnet?

Created: 2023-03-17 16:12

What is a botnet:

  • network of computers infected with malware
  • controlled by a bot herder
  • each device in the network is referred to as a bot

How Are Botnets Controlled?:

  • two structures:
    • centralized
    • decentralized
  • centralized
    • direct communication between bot and herder
  • decentralized
    • multiple links between all infected bots

Centralized Client-Server Model:

  • popular in first gen botnets
  • one command & control (C&C) server operates entire botnet
  • susceptible to a single point of failure

Common communication channels:

  • Internet Relay Chat (IRC)
    • one of the earliest botnet C&C channels
    • controlled with a pre-configured IRC server
    • bots connect to the server and listen for commands
  • HTTP
    • web-based
    • uses the HTTP protocol to send commands
    • bots visit the server to get updates and new commands
    • allows traffic to be masked as normal web traffic

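Because an HTTP-controlled bot polls its server on a schedule, one thing a defender can look for in proxy logs is timing regularity rather than anything about the individual requests. The script below is an added example written for these notes, not code from the original page or from CrowdStrike; the log format, host names and addresses are constructed placeholders.

```python
"""Spot HTTP C&C beaconing in proxy logs by its timing regularity.

Added example for these notes (not code from the original page or from
CrowdStrike): a bot that polls a web-based C&C server usually does so on a
fixed schedule, so the intervals between one client's requests to one host
are far more regular than a person's browsing, even though each request
looks like ordinary web traffic.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log: "<ISO timestamp> <client IP> <host> <path>".
# The host names and addresses are placeholders, not real indicators.
SAMPLE_LOG = """\
2023-03-17T16:00:00 10.0.0.5 cdn.example.com /static/app.js
2023-03-17T16:00:07 10.0.0.5 news.example.org /
2023-03-17T16:00:30 10.0.0.5 update-check.example.net /ping
2023-03-17T16:01:00 10.0.0.5 update-check.example.net /ping
2023-03-17T16:01:30 10.0.0.5 update-check.example.net /ping
2023-03-17T16:02:00 10.0.0.5 update-check.example.net /ping
2023-03-17T16:02:30 10.0.0.5 update-check.example.net /ping
2023-03-17T16:01:12 10.0.0.5 news.example.org /article/1
2023-03-17T16:04:40 10.0.0.5 news.example.org /article/2
2023-03-17T16:09:03 10.0.0.5 news.example.org /article/3
2023-03-17T16:15:51 10.0.0.5 news.example.org /article/4
"""


def parse_log(text):
    """Group request timestamps by (client, host); lines may be out of order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, host, _path = line.split(maxsplit=3)
        sessions[(client, host)].append(datetime.fromisoformat(ts))
    for stamps in sessions.values():
        stamps.sort()
    return sessions


def find_beacons(sessions, min_requests=5, max_jitter=0.2):
    """Return (client, host, count, mean_interval_s, jitter) for regular pollers.

    jitter is the coefficient of variation (stdev / mean) of the gaps between
    consecutive requests; a value near 0 means a fixed schedule.
    """
    hits = []
    for (client, host), stamps in sorted(sessions.items()):
        if len(stamps) < min_requests:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append((client, host, len(stamps), avg, jitter))
    return hits


if __name__ == "__main__":
    for client, host, n, avg, jitter in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{client} -> {host}: {n} requests every {avg:.0f}s (jitter {jitter:.2f})")
```

In the sample, the polls to `update-check.example.net` come exactly 30 seconds apart and are flagged, while the browsing to `news.example.org` has irregular gaps and is not. The `min_requests` and `max_jitter` thresholds are tunables: a larger observation window is needed when the polling interval is long or randomized, and a hit is a lead to investigate (legitimate software updaters poll on schedules too), not a verdict.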
Decentralized, Peer-to-Peer Model:

  • bots share commands and info with each other
  • no direct connection to the command server
  • harder to implement
  • more resilient
  • each bot acts as a client & server

How Does a Botnet Work?:

  • Stages of creating a botnet
    • Expose
    • Infect & Grow
    • Activate
  • Expose
    • hackers find vulnerabilities in order to expose users to malware
  • Infect & Grow
    • victims' devices are infected with malware that gives the herder control of them
    • web downloads, exploit kits, popup ads, and email attachments are all methods of attack
    • centralized: newly infected bots are directed to the C&C server
    • decentralized: peer propagation begins and infected devices seek to connect with each other
  • Activate
    • mobilization for attacks
    • bots get updates from C&C or P2P and receive orders for malicious activities

Types of Botnet Attacks:

  • Phishing
    • distribute malware via phishing emails
    • difficult to shut down
  • Distributed Denial of Service (DDoS) Attacks
    • the botnet sends an overwhelming number of requests to the targeted server or application, causing a crash
    • Network layer attacks:
      • SYN & UDP floods
      • DNS Amplification
      • aim to exhaust the network bandwidth of the target device so legitimate requests cannot be served
    • Application layer attacks:
      • HTTP Floods
      • Slowloris
      • RUDY (R-U-Dead-Yet) attack
      • zero-day attacks
  • Spam Bots
    • harvest email addresses from websites, forums, guestbooks, and chatrooms
    • harvested addresses are used to create accounts and send spam messages

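The application-layer floods above are volumetric by nature, so the simplest defensive signal is a source's request rate inside a sliding time window. The script below is an added example written for these notes, not code from the original page or from CrowdStrike; the access log lines, addresses and paths are constructed placeholders.

```python
"""Rate-based detection of an application-layer (HTTP) flood.

Added example for these notes (not code from the original page or from
CrowdStrike): count each source's requests inside a sliding time window
over web-server access log lines and flag sources whose peak rate exceeds
a threshold. Addresses and paths are constructed placeholders.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Construct sample access log lines: one flooding source, one normal one."""
    start = datetime(2023, 3, 17, 16, 20, 0)
    lines = []
    # Flooder: 60 requests to /login in six seconds.
    for i in range(60):
        ts = start + timedelta(milliseconds=100 * i)
        lines.append(f"{ts.isoformat()} 203.0.113.7 GET /login")
    # Ordinary client: 5 requests spread over a minute.
    for i in range(5):
        ts = start + timedelta(seconds=12 * i)
        lines.append(f"{ts.isoformat()} 198.51.100.4 GET /page/{i}")
    return lines


def peak_rates(lines, window_seconds=10):
    """Return {source_ip: most requests seen from it in any single window}."""
    window = timedelta(seconds=window_seconds)
    events = []
    for line in lines:
        ts, ip, _method, _path = line.split(maxsplit=3)
        events.append((datetime.fromisoformat(ts), ip))
    events.sort()  # logs are rarely in strict order; the sliding window needs it
    recent = defaultdict(deque)  # per-source timestamps still inside the window
    peaks = defaultdict(int)
    for ts, ip in events:
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # drop timestamps that fell out of the window
            q.popleft()
        peaks[ip] = max(peaks[ip], len(q))
    return dict(peaks)


def flag_flooders(lines, window_seconds=10, max_requests=50):
    """Sources whose peak rate exceeds max_requests per window, worst first."""
    peaks = peak_rates(lines, window_seconds)
    return sorted(((ip, n) for ip, n in peaks.items() if n > max_requests),
                  key=lambda item: -item[1])


if __name__ == "__main__":
    for ip, n in flag_flooders(build_sample_log()):
        print(f"{ip}: {n} requests in a 10s window")
```

Per-source counting catches a single noisy client but is easy to dilute: a botnet spreads the same volume thinly across thousands of bots, so the aggregate rate per path and per server must be watched with the same window logic, and the right thresholds come from baselining normal traffic. The SYN and UDP floods listed under network-layer attacks are detected the same way at the packet level, where bandwidth rather than request count is the resource being exhausted.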
References:

  1. https://www.crowdstrike.com/cybersecurity-101/botnets/
