Bigger and badder: the evolution of botnets (and DDoS attacks)

Bigger and badder: the evolution of IoT botnets

An article by Manuel, Editorial Manager at IoT Business News.

Once upon a time, on an internet many packets ago, life was hard for botnet builders. In order to assemble an army of devices with which they could accomplish their misdeeds such as spamming, content scraping, stealing credentials or – most likely – DDoS attacks, botnet builders had to work to find unprotected computers or bypass security measures like anti-virus software.

Nowadays, committing cybercrime isn’t nearly this onerous a process. Putting together a botnet of epic proportions is as easy as ABC, 123, IoT.

Humble beginnings

Traditional botnets – or what used to simply be referred to as botnets – are networks of computers and servers that have been infected with malware. Malware commonly infects computers when users download attachments from malicious emails or click on malicious links from emails, instant messages or social media, installing an application that instructs the computer to connect to a central command and control server.

This is what allows computers and servers to be remotely controlled by the botnet owner, with commands being issued over Internet Relay Chat. Being able to issue commands to all these computers and servers is what allows cybercriminals to devote large amounts of computing resources to their illegal activities, often without the computers’ users ever knowing. As most botnets are used in DDoS attacks, this means aiming traffic or repeated requests at targeted networks or servers. The bigger the botnet, the more firepower it can generate.

With all the work that goes into building traditional botnets, botnet builders were lucky to assemble botnets consisting of thousands of devices. These are relatively unimpressive numbers now (more on that below) but even so, these botnets were mighty enough to make anti DDoS protection a must for websites and organizations of all sizes.

The Internet of billions of Things

Thanks to the Internet of Things, the world is full of exciting gadgets designed for 24/7 connectivity. From CCTV systems and DVRs to wireless baby monitors, front door surveillance, smart thermostats and fridges with voice control, we are living in an age of unprecedented connectivity. We’re also living in an age of botnets of unprecedented sizes, which means an age of DDoS attacks of unprecedented sizes. None of this is coincidence.

While there certainly still is malware targeting computers and servers to build traditional botnets, botnet builders have mostly moved on to botnets consisting of IoT devices. Up until recently, IoT devices were largely designed with security as an afterthought, if it was a thought at all. Combine that lack of built-in security with users tending to leave default usernames and passwords in place and you’ve got billions of devices just begging to be infected for use in a botnet.

Additionally, new botnets tend to use peer to peer communication to issue commands as opposed to the central command and control server. The central command and control server represented a single point of failure for security researchers to target in hopes of dismantling the botnet, and peer to peer communication eliminates that by allowing individual infected devices to both receive commands and issue them to other devices in the botnet. This decentralizes the botnet, making it harder to take down.

IoT botnets are also capable of growing themselves. Instead of needing to send out huge batches of infected emails on the hopes of growing a botnet, botnet owners can now sit back as their infected devices do the work for them after they are reprogrammed by their malware to self-propagate by scanning for other vulnerable IoT devices, with a worm-like component of the malware then spreading to the newly-identified devices.

As a result of the availability and vulnerability of IoT devices and new advances in malware, it’s now relatively easy for botnet owners who know what they’re doing to build botnets that consist of hundreds of thousands of devices, such as the infamous Mirai botnet that weighed in at 600,000 at its peak, and even millions of devices as in the case of the Reaper botnet. With these massive botnets, cybercriminals are launching massive attacks.

Growing attacks

It’s impossible to speak of IoT botnets without mentioning the destruction inflicted by the Mirai botnet. In the fall of 2016 Mirai went on a rampage that took down the website of famed security blogger Brian Krebs, French hosting provider OVH and the Dyn DNS server. Each attack was bigger than the last, with the attack on Krebs clocking at 620 Gbps, the attack on OVH hitting reaching 1 Tbps, and the attack on Dyn hitting a then-unheard of 1.2 Tbps and taking down 50+ major websites and online services including the New York Times, Twitter, Etsy, Reddit and Spotify. A Mirai-variant with self-propagating capabilities was linked to multiple attacks on global Fortune 500 companies in the financial sector in January of 2018.

While the bruising attacks unleashed by IoT botnets are obviously awful, what may be even worse is waiting to see what Reaper-sized botnets have in store for the internet. It’s been speculated that an IoT botnet could be capable of bringing down the entire internet.

IoT botnets are undoubtedly scary, but leading DDoS protection can handle those 1+ Tbps attacks. In order to try and head off the damage and devastation these botnets can do, websites and businesses require protection that is cloud-based for infinite scalability with tremendous processing power capable of bouncing huge amounts of attack traffic while leaving legitimate traffic unaffected. It’s about time botnet builders went back to having to work hard to do their dirty work.

Related posts