Online exclusive: Rise of the botnets

Emad Fahmy, Systems Engineering Manager, Middle East, NETSCOUT, looks at why botnets are one of the more dangerous threats to ISPs and enterprises

In the ever-evolving landscape of cybersecurity threats, distributed denial-of-service (DDoS) attacks have proven to be a persistent and potent menace. Among the sources of DDoS traffic, botnets have emerged as one of the most dangerous adversaries faced by internet service providers (ISPs) and enterprises alike. With their ability to generate massive and sustained attacks, botnets have become one of the main weapons of choice for cyber attackers.

A botnet comprises anywhere from hundreds to millions of compromised devices controlled remotely by a malicious actor through command-and-control infrastructure. When these devices are turned against a target in unison, they generate attacks of a scale and complexity that are exceedingly challenging to mitigate. The sources of such attacks range from servers in data centres to malware-infected devices on home and office networks, and their objectives typically include knocking websites offline or holding them hostage for ransom.

According to NETSCOUT’S DDoS Threat Intelligence Report, the top five most targeted sectors in the UAE in the second half of 2022, by number of attacks, were: Wired Telecommunications Carriers; Data Processing, Hosting, and Related Services; Custom Computer Programming Services; Computer Storage Device Manufacturing; and Telecommunications Resellers.

Network bandwidth and throughput statistics show why direct-path botnet attacks, in which the bots send traffic straight at the victim rather than bouncing it off third-party reflectors, are such a looming threat. Bandwidth is the maximum rate at which a link can carry data; throughput is the rate actually being delivered across it. A direct-path flood aims to consume the target’s available throughput outright, which makes throughput the crucial metric when assessing the impact of this growing menace.

Bearing the brunt of botnets

A closer analysis reveals that enterprises bear the brunt of bot-based attacks, although ISPs are far from immune to this pervasive threat. According to the same report, the latter half of 2022 saw approximately 2,500 bot-sourced attacks against enterprises, compared with around 700 against ISPs over the same period.

Enterprises experienced more than 350,000 security-related alerts in the second half of 2022, with an average impact of approximately 5 Gbps per bot node. The United States, Mexico and Spain emerged as the top target countries, with government organisations at the federal, state, and regional levels, as well as banking-related companies, being the primary victims.

Meanwhile, ISPs endured approximately 60,000 botnet attacks during the latter half of 2022, with South Korea, the United States and Italy emerging as the most targeted countries. The prevalent types of botnet-sourced attacks observed were TCP SYN floods and reflection/amplification attacks.

One particularly notorious DDoS method is the TCP SYN flood. It abuses the three-way handshake that establishes a TCP connection: the client sends a SYN, the server replies with a SYN-ACK and reserves state for the half-open connection, and the client completes the handshake with an ACK. A SYN flood sends a massive and rapid stream of SYN packets, usually from spoofed source addresses, and never sends the final ACK. The server’s table of half-open connections fills up, legitimate connection attempts are dropped, and the service becomes unresponsive even when the network link itself is nowhere near saturated.
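The telltale signature of a SYN flood is many SYNs to one service with very few handshakes ever completing, typically from a large number of distinct (spoofed) source addresses. The following is an added example of that check, not NETSCOUT’s or the article’s code: it walks a list of TCP packet records, credits each SYN to the time window it arrived in, counts how many were later acknowledged by the same source, and flags windows where the completion ratio collapses. The record layout, the thresholds and the sample traffic (30 legitimate clients plus a 400-packet spoofed flood) are all assumptions constructed for the example.

```python
"""
SYN-flood detection over a list of TCP packet records (added example).

Assumed record layout, constructed for this illustration:

    (timestamp_seconds, src_ip, dst_ip, dst_port, tcp_flags)

with tcp_flags given as a short string: "S" for a bare SYN, "A" for a bare ACK.
Only client-side packets are needed: a SYN followed later by a bare ACK from
the same source completes the handshake; a SYN that is never acknowledged
leaves a half-open connection on the server, which is what a flood exploits.
"""
from collections import defaultdict
from dataclasses import dataclass
import random


@dataclass
class Verdict:
    dst: str               # "ip:port" of the destination service
    window: int            # index of the time window the SYNs arrived in
    syns: int              # SYNs seen for this destination in the window
    completed: int         # of those SYNs, how many were later followed by an ACK
    distinct_sources: int  # distinct source addresses behind the SYNs
    suspicious: bool       # flagged as a probable SYN flood


def analyse(records, window_s=1.0, min_syns=100, max_completion_ratio=0.2):
    """Flag destinations that receive many SYNs yet see few handshakes complete.

    A SYN is attributed to the window in which it arrived; its completing ACK
    may land in a later window and is still credited to the SYN's window.
    Thresholds are illustrative assumptions, not tuned values.
    """
    pending = {}                      # (dst, src) -> window of the latest unanswered SYN
    syn_count = defaultdict(int)      # (dst, window) -> SYNs seen
    done_count = defaultdict(int)     # (dst, window) -> SYNs later completed by an ACK
    sources = defaultdict(set)        # (dst, window) -> distinct SYN sources

    for ts, src, dst, dport, flags in sorted(records):
        dst_key = f"{dst}:{dport}"
        win = int(ts // window_s)
        if flags == "S":
            pending[(dst_key, src)] = win
            syn_count[(dst_key, win)] += 1
            sources[(dst_key, win)].add(src)
        elif flags == "A" and (dst_key, src) in pending:
            done_count[(dst_key, pending.pop((dst_key, src)))] += 1

    verdicts = []
    for (dst_key, win), n in sorted(syn_count.items()):
        completed = done_count.get((dst_key, win), 0)
        flagged = n >= min_syns and completed / n <= max_completion_ratio
        verdicts.append(Verdict(dst_key, win, n, completed,
                                len(sources[(dst_key, win)]), flagged))
    return verdicts


def build_sample(seed=1):
    """Constructed traffic: 30 real clients plus a 400-packet spoofed SYN flood."""
    rng = random.Random(seed)
    victim = "203.0.113.10"
    recs = []
    # Legitimate clients spread over seconds 0-2, each completing the handshake.
    for i in range(30):
        src = f"198.51.100.{i + 1}"
        t = rng.uniform(0, 2)
        recs.append((t, src, victim, 443, "S"))
        recs.append((t + 0.01, src, victim, 443, "A"))
    # Flood during second 1: random (spoofed) sources, SYN only, never an ACK.
    for _ in range(400):
        src = "10.{}.{}.{}".format(*(rng.randrange(256) for _ in range(3)))
        recs.append((1.0 + rng.random() * 0.999, src, victim, 443, "S"))
    return recs


if __name__ == "__main__":
    for v in analyse(build_sample()):
        print(v)
```

Run against the constructed sample, the window covering second 1 is flagged (roughly 400 SYNs, at most 30 completed, hundreds of distinct sources) while the window covering second 0 is not. On a real network the same logic would be fed from flow records or a packet capture, and the completion-ratio threshold would be tuned against a baseline of normal traffic; the standard server-side mitigation once a flood is detected is to enable SYN cookies so that no state is reserved until the final ACK arrives.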

How common are botnets?

When it comes to the identification of common botnets, researchers at NETSCOUT tracked approximately 1.35 million bots in 2022, originating from malware families such as Meris, Dvinis, and Mirai. The majority of direct-path attacks were observed to stem from DDoS botnets and proxy servers employed by groups like Killnet, a pro-Russian hacking collective notorious for targeting government institutions worldwide with devastating DDoS assaults.

Botnets have plagued ISPs and enterprises for more than two decades, leaving a trail of misery in their wake. Notable instances include the EarthLink Spammer of 2000, which sent roughly 1.25 million phishing emails impersonating legitimate websites. It was the Mirai botnet, first seen in 2016, that proved particularly destructive, causing widespread internet outages across the US East Coast. Mirai brought the mass infection of Internet of Things (IoT) devices to prominence, and its infection count peaked at more than 600,000 devices.

An alarming development in the world of botnets is the emergence of the Passion botnet. On January 27, 2023, the US Department of Health and Human Services’ Health Sector Cybersecurity Coordination Center issued a warning that Killnet and Anonymous Russia were targeting the US healthcare sector with DDoS attacks. While the Passion botnet did not cause lasting damage, it did lead to website outages lasting several days and to the exposure of personal health information. Disturbingly, the Passion botnet is openly offered for sale to any adversary willing to pay for it.

As the spectre of direct-path botnet attacks looms large, it is imperative for enterprises, ISPs and cybersecurity professionals to remain vigilant, adapt to emerging threats, and employ robust defence strategies to safeguard their networks. The battle against botnets is ongoing, but with informed action, organisations can mitigate risks and protect themselves from these malicious networks’ disruptive and damaging consequences.