LAST UPDATED September 22, 2022
A botnet is simply, as the name implies, a network of bots. Attackers conscript many computers into a network of systems, each running some variant of an attack. These networks of systems are “botnets.” Attackers build, buy, or rent botnet capacity and construct their bots in such a way that they operate across a federated bank of systems, each with its own IP address. In this way, they both increase the speed, frequency, and intensity of their attacks, and reduce the collateral damage to their own criminal efforts if a single node in that network is discovered and blocked.
Botnets are getting bigger and more sophisticated. In fact, they have been in the news a lot in recent weeks, with several record-breaking DDoS attacks carried about by botnets. We face a lot of malicious botnet activity in the ThreatX SOC, and below we share a few examples of some botnets that we’re currently seeing in the wild.
Get more specifics on bot-enabled API attacks in our recent blog post, How Attackers Are Using Bots to Breach APIs.
This botnet is cleverly named after the Mantis shrimp, a tiny creature with enough power in its punch to break a human finger. In this case, it’s something similar. Although there were only 5,000 devices involved in this botnet, it really packed a punch in a recent attack. This record-breaking DDoS attack peaked at around 26 million requests per second.
For reference, the previous record was 20 million requests per second. And it was also similarly impressive that they only needed 5,000 devices to do so. The attackers accomplished this by focusing on the quality of the devices leveraged for the botnet, rather than the quantity of devices. A lot of other botnets are focused on IoT devices, but in this case the attackers sought out virtual hosts with a lot of CPU and RAM computing resources. In this way, each individual device could send a lot more requests, compared to a normal botnet.
Just when you thought the botnet in June was record-breaking, along comes a Meris botnet attack in August 2022. Google reported in August 2022 that they detected a DDoS attack that escalated from 100,000 RPS to 46 million RPS, within an hour. The Meris botnet is made up of infected routers and networking hardware manufactured by a company called MikroTik. Attackers used a vulnerability in the router’s operating system to exploit the devices.
The infected routers have a high capacity for RPS, and it is currently thought that attackers can proxy requests from many devices to the infected routers to help hide the origin of the attack. Additionally, the Meris botnet is known to take advantage of HTTP pipelining, which allows a single connection to send multiple requests without waiting for a server to send a response. This technique helps inflate the RPS the botnet is capable of.
One of the most famous botnets is the Mirai botnet, named after the anime Mirai Nikki. Taking advantage of default password settings on IoT devices, Mirai became a botnet army of compromised closed-circuit TV cameras and routers. The source code was shared by a person named Anna-Senpai through forums quite a few years back. This sharing led to a DDoS attack that took down much of the Internet on the U.S. East Coast in 2016.
The interesting thing about the Mirai botnet is that it’s very easily extensible, since this source code has gone essentially open source in the malicious network. Anytime a new vulnerability comes out, for example, Log4J or Spring for Shell, people can very easily modify the source code of the botnet so that they’re able to use these new vulnerabilities to spread easily.
Get all the details on how attackers are abusing APIs and the best practices in API protection in The Definitive Guide to API Attack Protection.
Finally, the RSOCKS botnet, named after the user who was distributing it. This botnet was not used for crypto mining, DDoS, or credential stuffing. Attackers were using it to sell the IPs they compromised as a proxy server, a clever and unique way to use a botnet.
Compromised IPs were sold to other attackers, who could then use them as proxy servers to help obfuscate their own attacks/ traffic. If you navigate to the RSOCKs website now, there is a message showing that the FBI has seized it. The Justice Department had put out a statement regarding the proxy service: “It is believed that the users of this type of proxy service were conducting large scale attacks against authentication services, also known as credential stuffing, and anonymizing themselves when accessing compromised social media accounts, or sending malicious email, such as phishing messages.”
How to Detect, Stop, and Protect Against Botnets
It is important to note that bots and malicious automation are always evolving and can lead to consequences like platform outages and damaged brand reputation. Detection that works on one form of automation may not work on another. If an attacker is thwarted by a particular technique, they are likely to shift to others the next time. This makes it important to utilize a solution that takes a combined approach to protecting your web application and API attack surface against modern, bot-based attacks, including:
- Behavioral analysis that continuously monitors the actions of visitors and correlates behaviors over time. Building the historical context of attacker activity provides the ability to identify and block even the “low and slow” attacks that would normally fly under the radar.
- Application profiling that learns the behaviors and traits of an application to establish a baseline, providing the context needed to identify suspicious usage of an application vs. spikes in legitimate traffic.
- Active interrogation or deception technology to challenge a visitor that can confidently, and accurately, distinguish a bot from a valid user.
- DDoS protection to protect the allocated resources and ensure applications remain available and online.
- The ability to see reused values in certain parameters to protect against basic scripts, and to see the rotation of values in parameters to protect against more complicated attacks.
- Inline, real-time blocking to ensure applications and APIs are protected against exploitation attempts. If the solution doesn’t provide immediate defense with its own WAF capabilities, then your attack surface isn’t protected.
Hear members of our SOC team share their experiences with bot-enabled attacks in the recording of our recent Live Q&A: Malicious Bots in Modern Threats.