68.510 Data Networking
27 Feb 2013
This paper will define botnets and describe how they are developed, used and controlled. Malicious attacks such as distributed denial of service (DDoS) will be discussed, along with recent DDoS attacks, their likely perpetrators and their motives. Finally, I will describe the protocols and systems that attackers use to control and update botnets today.
In today's cyber world the term bot, originally derived from the word robot, refers to end systems (desktops, laptops, servers) that have been infected by malicious software. Once compromised, the end system is turned into a bot under the command and control of a criminal, commonly for identity theft. Criminal organizations use malicious software to infect large numbers of systems, building botnets to perpetrate large-scale attacks like those we have seen against our financial organizations.

Malware is malicious software intended to cause harm. It usually refers to viruses, worms, trojans, or other malicious code used to compromise the integrity of the target system with the intent to disrupt systems, spy on users and steal their credentials and/or identity, or take control of the system. Systems can be infected in multiple ways, including physical contact such as sharing files on portable storage media like CDs or flash drives. Today, however, malware more commonly arrives in electronic mail messages, either as an infected file attached to the email or through a Web link within the message. Malware can also be embedded in a downloaded file such as a JPG image or a music file. In addition, malware can enter through an open network connection without any human intervention, due to poor configuration or the lack of a security patching process. Once infected, the end system is under the command and control of the criminal organization, which uses it to conduct illicit activities.

The number and sophistication of attacks using botnets have been increasing, and recently these attacks have been taking the form of DDoS attacks. There are several reasons for the increase in the number and sophistication of the attacks, namely the emergence of crime as a service (CaaS) and hacktivism. CaaS has emerged as a threat due to the growth in low-cost, highly available attack software that gives novice hackers the ability to unleash attacks.
Secondly, hacktivism is the use of cyber attacks to make political or social statements, as we have recently seen from the Cyber Fighters of Izz ad-Din al-Qassam (Cyber Fighters), Anonymous or the Occupy movement. Recent data shows that nearly 51% of observed attack traffic originated in the Asia Pacific region, while just over 23% originated in North and South America. Targets of recent DDoS activity include U.S. Bancorp, JPMorgan Chase, Bank of America, PNC Financial Services Group, SunTrust, HSBC, Ally Bank, BB&T, Wells Fargo and Capital One. However, a recent announcement by the Cyber Fighters indicates that they are going to target regional and community banks. The methodology evidenced in recent attacks is that virtual private servers have been compromised, giving a per-node attack rate one hundred times greater than that of a normal bot. In addition, command and control of the botnet is much tighter, able to modify attack methods and shift between targets in as little as twenty minutes, whereas it used to take hours or days.

Some interesting examples of recent DDoS attacks using botnets are as follows:

Case #1: The London Olympics was the target of DDoS attacks from 25 July through 9 September. The first significant attack occurred five hours prior to the opening ceremony and used twenty-three different attack vectors with 234M requests over a one hour and twenty minute period. The second significant event took place during the first full day of competition; over a twelve hour period there were 5.6B requests.

Case #2: A large East Coast financial services company was targeted during Hurricane Sandy. DNS requests peaked at 158K per second and totaled 19B in five days, compared to a normal 30M hits per week.

Case #3: A leading US financial institution (FI) with millions of customers was the target of a massive DDoS attack with peak attack traffic of 30 Gbps, which is 30 times its normal daily high traffic volume. Because of the mitigating controls in place the attack was unsuccessful and the attackers gave up after fifteen minutes. Twenty-five minutes later another large US-based FI underwent a DDoS attack whose traffic peaked at 8,491 Mbit/s and which lasted approximately two hours and forty minutes. Despite existing mitigating controls there was a degradation of service.

In conclusion, the use and sophistication of botnets is increasing and recent trends indicate this type of activity will continue to increase. Lessons learned include that, after a short probe of the defenses, the attacks begin in earnest and can last from minutes up to several days. Current attack methodologies target Layer 7 of the protocol stack and attack SSL, as opposed to the old attack methods that targeted Layer 4. Organizations need to develop and implement appropriate business continuity plans, including preparing for dramatic increases in inbound network traffic; develop and implement incident response plans; and consider engaging service providers that specialize in real-time monitoring and DDoS mitigation services.
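The "short probe, then attack in earnest" pattern and the "30 times the normal daily high" comparison above both come down to measuring request rate against a quiet-period baseline. The following monitor is an added example written for this page, not code from the paper or from any of the cited vendors: it takes a series of per-minute request counts (the sample series below is constructed, not real data), derives a baseline from a known-quiet prefix, and reports each run of minutes above a configurable multiple of that baseline, labelling one-minute bursts as probes and sustained runs as floods. The threshold multiple, the quiet-window length and the minimum flood duration are placeholder values an operator would tune to their own traffic.

```python
"""Baseline-relative request-rate monitor (added example; not from the paper).

Input is a list of per-minute request counts. The first `quiet_minutes`
entries are assumed to be normal traffic and set the baseline; every later
minute above `threshold_multiple` x baseline is part of an alert run.
"""
from dataclasses import dataclass
from statistics import median
from typing import List


@dataclass
class Alert:
    kind: str            # "probe" (short burst) or "flood" (sustained run)
    start_minute: int    # index of the first minute above the limit
    end_minute: int      # index of the last minute above the limit (inclusive)
    peak_rate: int       # highest per-minute count inside the run
    multiple: float      # peak_rate divided by the quiet-period baseline

    @property
    def duration(self) -> int:
        return self.end_minute - self.start_minute + 1


def baseline_rate(counts: List[int], quiet_minutes: int) -> float:
    """Median per-minute count over the known-quiet prefix.

    The median is used rather than the mean so that a single odd minute
    inside the quiet window does not drag the baseline up or down.
    """
    if quiet_minutes < 1 or quiet_minutes > len(counts):
        raise ValueError("quiet_minutes must cover a non-empty prefix of counts")
    base = float(median(counts[:quiet_minutes]))
    if base <= 0:
        raise ValueError("baseline is zero; cannot express attack traffic as a multiple")
    return base


def detect_floods(counts: List[int], quiet_minutes: int = 10,
                  threshold_multiple: float = 5.0,
                  min_flood_minutes: int = 2) -> List[Alert]:
    """Return contiguous runs of minutes whose count exceeds the limit.

    Runs shorter than `min_flood_minutes` are reported as probes; the paper's
    lesson is that a probe is often followed shortly by a sustained flood, so
    probes are surfaced rather than discarded.
    """
    base = baseline_rate(counts, quiet_minutes)
    limit = base * threshold_multiple
    alerts: List[Alert] = []
    run_start = None

    def close_run(end: int) -> None:
        peak = max(counts[run_start:end + 1])
        length = end - run_start + 1
        kind = "flood" if length >= min_flood_minutes else "probe"
        alerts.append(Alert(kind, run_start, end, peak, peak / base))

    for minute, count in enumerate(counts):
        if count > limit:
            if run_start is None:
                run_start = minute
        elif run_start is not None:
            close_run(minute - 1)
            run_start = None
    if run_start is not None:          # series ended while still above the limit
        close_run(len(counts) - 1)
    return alerts


# Constructed sample series (hypothetical traffic, not measured data):
# 10 quiet minutes near 1,000 req/min, a one-minute probe, three quiet
# minutes, a six-minute flood around 30x baseline, then back to normal.
SAMPLE_COUNTS = (
    [980, 1010, 1000, 995, 1020, 990, 1005, 1000, 1015, 985]
    + [9000]
    + [1000, 1010, 995]
    + [31000, 33000, 35000, 34000, 32000, 30000]
    + [1000, 990]
)

if __name__ == "__main__":
    base = baseline_rate(SAMPLE_COUNTS, 10)
    print(f"baseline: {base:.0f} req/min")
    for a in detect_floods(SAMPLE_COUNTS):
        print(f"{a.kind:5s} minutes {a.start_minute}-{a.end_minute} "
              f"({a.duration} min), peak {a.peak_rate} req/min = {a.multiple:.1f}x baseline")
```

On the sample series the monitor reports a one-minute probe at 9x baseline followed four minutes later by a six-minute flood peaking at 35x, which is the sequence the paper's lessons-learned paragraph warns about. In practice the counts would be fed from a DNS or web-server log aggregated per minute, and a probe alert would be the trigger to confirm that mitigation providers and incident response contacts are ready before the sustained traffic arrives.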