When you hear the term "botnet", what comes to your mind first? Yes, a DoS (Denial of Service) attack. Not the generic DoS attack, but a Distributed Denial of Service attack.
First, let's see what a botnet is.
As you can see from my diagram, an attacker writes a program (or piece of code) to execute on several PCs to achieve a common target (e.g., taking down a web server for a short period of time). This code is placed inside these PCs (bots/zombies) and driven through a C&C (Command & Control) channel, the "infrastructure used to control malware and botnets" (e.g., HTTP, HTTPS, email). Sometimes PC owners don't even know that their machines have been taken over by an attacker. In this case the attacker becomes the botmaster. Once he places this program inside these bots, they take care of the rest! If all these bots send high volumes of network traffic towards one web server, that web server becomes slow and finally goes down. We call this a DDoS (Distributed Denial of Service) attack.
DDoS attacks carried out by botnets can be categorized as below:

| Name | Description | What it does |
|---|---|---|
| Ping of Death (PoD) | Bots create huge packets (larger than 65,536 bytes) and send them to victims. | Crashes, destabilizes, or freezes the targeted computer or service |
| Mailbomb | Bots send a massive amount of e-mail. | Crashes e-mail servers |
| Smurf Attack | A huge number of ICMP (Internet Control Message Protocol) requests are sent to the victim's IP address with a spoofed source IP address. | Server crashes |
| Teardrop | Conducted by targeting the TCP/IP fragmentation reassembly code. | Server crashes |
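The Ping of Death and Teardrop rows both abuse IP fragment reassembly, so here is a small defender-side checker that looks at a group of fragments and flags the two conditions those attacks rely on: a reassembled datagram that would exceed the IPv4 maximum total length, and fragments whose byte ranges overlap. This is an added example written for this post, not code from the original article; the fragment model (byte offsets rather than 8-byte units, a fixed 20-byte header) and the sample fragment groups are constructed for illustration.

```python
"""Toy IPv4 fragment sanity checker (added example, not from the post).

Each fragment is modelled as (offset, length, more): the byte offset of its
payload within the datagram, the payload bytes it carries, and the IP
"More Fragments" flag. Real IP offsets are in 8-byte units; bytes are used
here to keep the example readable.
"""
from dataclasses import dataclass
from typing import Iterable, List

IPV4_MAX_TOTAL_LENGTH = 65_535  # the IPv4 total-length field is 16 bits wide
IPV4_HEADER_LEN = 20            # assumed minimal header, no options


@dataclass(frozen=True)
class Fragment:
    offset: int   # byte offset of this fragment's payload in the datagram
    length: int   # payload bytes carried by this fragment
    more: bool    # True unless this is the last fragment


def check_fragments(frags: Iterable[Fragment]) -> List[str]:
    """Return anomaly labels for one fragment group (empty list = clean).

    "overlap"   - a fragment starts before the previous one ends (Teardrop-style)
    "oversize"  - the reassembled datagram would exceed 65,535 bytes (PoD-style)
    "incomplete"- the highest fragment still has More Fragments set
    """
    ordered = sorted(frags, key=lambda f: f.offset)
    findings: List[str] = []

    # 1) Overlap check: each fragment must start at or after the previous end.
    prev_end = 0
    for f in ordered:
        if f.offset < prev_end:
            findings.append("overlap")
            break
        prev_end = f.offset + f.length

    # 2) Size check: the furthest-reaching fragment defines the reassembled size.
    payload_end = max((f.offset + f.length for f in ordered), default=0)
    if IPV4_HEADER_LEN + payload_end > IPV4_MAX_TOTAL_LENGTH:
        findings.append("oversize")

    # 3) Completeness: the last fragment should clear the More Fragments flag.
    if ordered and ordered[-1].more:
        findings.append("incomplete")
    return findings


def build_fragments(payload_len: int, mtu_payload: int = 1480) -> List[Fragment]:
    """Split a payload into well-formed fragments (constructed input helper)."""
    frags: List[Fragment] = []
    offset = 0
    while offset < payload_len:
        length = min(mtu_payload, payload_len - offset)
        frags.append(Fragment(offset, length, more=offset + length < payload_len))
        offset += length
    return frags


# Constructed Teardrop-style group: the second fragment overlaps the first.
TEARDROP_SAMPLE = [Fragment(0, 1480, True), Fragment(800, 1480, False)]

if __name__ == "__main__":
    print("normal   :", check_fragments(build_fragments(4_000)))    # []
    print("ping o' d:", check_fragments(build_fragments(65_600)))   # ['oversize']
    print("teardrop :", check_fragments(TEARDROP_SAMPLE))           # ['overlap']
```

Modern operating systems already enforce both rules in their reassembly code, which is why these two attacks mostly affect unpatched or very old systems; the checker is useful as a model of what a host or an IDS is validating, and the thresholds are the only tunables.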
How to place a malicious program/piece of code inside computers
1. Asking users to download the program (a trojan horse that pretends to be a useful program).
2. Using a URL (once the user clicks on the link, an executable file downloads and executes).
3. If it is a local network, installing the program on all computers at once with a simple command.
Evolution of botnets
The first generation of botnets used Internet Relay Chat (IRC) channels to establish a central command and control mechanism. Bots connect to the IRC servers and channels selected by the botmaster and wait for commands. IRC botnets are easy to use, control and manage, but they suffer from a central point of failure.
The second generation came along to overcome this weakness. In this generation a peer-to-peer (P2P) architecture is used instead of a central C&C server. The botmaster sends a command to one or more bots, and they deliver it to their neighbours. Because commands are distributed this way, the botmaster is not able to monitor the delivery status of commands, which is a huge problem. Moreover, implementing a P2P architecture is complex. So botmasters had to come up with a centralized C&C again.
This is where the 3rd generation comes in. In this generation the HTTP protocol is used to publish commands on certain web servers. Instead of remaining connected, HTTP bots periodically visit those web servers to get updates or new commands. Using this method the botmaster can easily hide his activity and get past firewalls, since the polling looks like ordinary outbound web traffic. Therefore HTTP botnets are more powerful and dangerous than IRC and P2P ones.
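The flip side of the third-generation design is that fixed-interval polling is itself a signal: a bot fetching its command page every N seconds produces far more regular request gaps than a person browsing the same site. The script below, an added example that is not part of the original post, groups proxy log lines by (client, host) and flags pairs whose inter-request intervals have a low coefficient of variation. The log format (`<unix_ts> <client_ip> <host> <path>`) and the sample lines are constructed for this example.

```python
"""Flag periodic HTTP polling ("beaconing") in proxy logs (added example).

Assumed constructed log format, one request per line:
    <unix_ts> <client_ip> <host> <path>
"""
import statistics
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample: 10.0.0.5 polls one host every 60 s; 10.0.0.9 browses normally.
SAMPLE_LOG = """\
1700000000 10.0.0.5 updates.example.test /cmd.php
1700000060 10.0.0.5 updates.example.test /cmd.php
1700000120 10.0.0.5 updates.example.test /cmd.php
1700000180 10.0.0.5 updates.example.test /cmd.php
1700000240 10.0.0.5 updates.example.test /cmd.php
1700000300 10.0.0.5 updates.example.test /cmd.php
1700000003 10.0.0.9 news.example.test /
1700000010 10.0.0.9 news.example.test /article/1
1700000095 10.0.0.9 news.example.test /article/7
1700000101 10.0.0.9 news.example.test /images/x.png
1700000420 10.0.0.9 news.example.test /article/9
1700000433 10.0.0.9 news.example.test /
"""

FlowKey = Tuple[str, str]          # (client_ip, host)


def parse_log(text: str) -> Dict[FlowKey, List[int]]:
    """Group request timestamps by (client, host); the path is ignored here."""
    flows: Dict[FlowKey, List[int]] = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, host, _path = line.split(maxsplit=3)
        flows[(src, host)].append(int(ts))
    return flows


def find_beacons(flows: Dict[FlowKey, List[int]],
                 min_requests: int = 5,
                 max_cv: float = 0.2) -> List[Tuple[str, str, float, float]]:
    """Return (client, host, mean_gap_s, cv) for flows whose request gaps are
    nearly constant. cv = population stdev / mean of the gaps; a low value
    means the requests are evenly spaced, as a scheduled poll would be."""
    hits = []
    for (src, host), times in flows.items():
        if len(times) < min_requests:       # too few samples to judge regularity
            continue
        ts = sorted(times)
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:                       # burst of identical timestamps, not polling
            continue
        cv = statistics.pstdev(gaps) / mean
        if cv <= max_cv:
            hits.append((src, host, round(mean, 1), round(cv, 3)))
    return hits


if __name__ == "__main__":
    for src, host, mean_gap, cv in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"possible beacon: {src} -> {host} every ~{mean_gap}s (cv={cv})")
```

Real bots often add random jitter to their polling interval, so `max_cv` is a tunable rather than a fixed rule, and a hit is a lead to correlate with the host's reputation and the request content, not a verdict on its own. Legitimate software updaters and monitoring agents poll on a schedule too, so expect to maintain an allow-list of known hosts.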
Let's see whether you are infected or not. Here are some botnet symptoms.
- The computer becomes slow.
- The Internet connection becomes slow.
- You receive unexpected emails.
- The computer crashes frequently.
- It takes a long time to shut down and start up.
- Access to computer security websites is blocked.
How to avoid botnet attacks
- Do not install any suspicious software.
- If the sender of an email is not trustworthy, do not click on the links mentioned in the email.
- Install valid plug-ins and keep them up to date.
- Scan USB devices with an up-to-date virus scanner whenever you plug them into your computer.
- Install a firewall (e.g., Windows Firewall).
- Use a proxy server.
- Disable AutoRun.
In this blog post I discussed one of the most popular network security threats. The comment section is right down there if you have any questions or suggestions. Cheers 😀