Information Security

Defending the digital infrastructure



Invasion Force

Botnets are sweeping across the digital frontier. Prepare to repel the horde.

Evolution: Rise of the Bots

Channel Wars
Bots were created in the early 1990s by IRC users who wanted to protect and defend against "net split" attacks, among other tasks. While attackers were using bots to knock IRC users out of their favorite channels and deny them access to their user names, the users fought back with their own bots to preserve the integrity of user names and to keep channel access open.

Open Floodgates
By 1999, an arsenal of nascent DDoS tools had emerged: Trinoo, Tribe Flood Network, Stacheldraht and Shaft. These tools, which were used to launch attacks against IRC hosts, were only semi-automatic, required significant manual tuning, and didn't use IRC for communications. Canadian hacker MafiaBoy used these types of tools in his 2000 attacks that brought down Yahoo!, eBay, CNN and other Web sites.

Automated Animation
In 2000, the need for automation and larger compromised networks led bot developers to merge their DDoS tools with worms and Trojan kits. For example, Stacheldraht was bundled with versions of the t0rnkit rootkit and a variant of the Ramen worm, and the Lion worm included the TFN2K agent. This convergence enabled attackers to compromise vast numbers of machines faster.

Command & Control
By 2002, DDoS attackers transitioned to IRC-controlled bots that implemented with greater efficiency the same attacks as Stacheldraht. Since many attackers were familiar with IRC and bot programming, it made sense to stick with IRC-based DDoS bots. Today, the majority of DDoS tools use IRC as a communication protocol and means of control (even if not directly using IRC networks as control channels).

Dangerous Convergence
Since 2003, bot creators have focused on truly blended threats--malware, spam, spyware, DDoS--that use IRC channels as control mechanisms. Modern bots, such as Phatbot and Agobot, use viruses and worms to build networks of hundreds of thousands of machines. The 2004 Witty worm was launched simultaneously without warning from 4,200 points, making it nearly impossible to trace.

Botnets, vast armies of compromised, robot-like machines, are massing on the digital frontier, waiting for their masters' command to attack.

These hacker-controlled networks--some numbering in the hundreds of thousands of machines--are the fastest-growing menaces on the Internet. They have powerful weapons--overwhelming DDoS attacks, untraceable spam relays and ubiquitous malware distribution. When unleashed, they deliver punishing blows that devastate their targets.

Hackers, malware writers and organized crime groups love bots--the foot-soldier programs infecting PC networks--for their power and cloaking abilities. Some bots, such as Agobot and Phatbot, have characteristics similar to Trojans and rootkits, opening backdoors to systems and giving attackers control over compromised machines. Attackers only require rudimentary programming knowledge to create and control a botnet army.

Botnet commanders can start with just a handful of compromised computers that are mustered manually by sending targeted, virus-laden e-mails to broadband/DSL users, vulnerable enterprise desktops and mobile machines. Some bot-carrying worms will even patch the vulnerability they exploited. Infected hosts automatically show up in a preprogrammed IRC channel, where they sit in a virtual holding pattern until dispatched. Attackers can "herd" their bots from channel to channel, sifting out the low-bandwidth connections to maximize the machines with the best throughput.

Their ubiquity, power and ease of use make them looming threats on both sides of the enterprise firewall. Understanding botnets will help enterprises defend against infiltration and, perhaps, survive an invasion.

Multipronged Attack
Enterprises face botnet threats on two fronts: Attackers are trying to compromise their machines and use them for malicious purposes (a breach of integrity) or coordinated attacks such as DDoS (risk of downstream liability).

Once the computer is compromised, bots need to "phone home" to their controller. Generally, this is done through a private channel on a public IRC server or network, with communications running in the clear over the default TCP port 6667. (A prudent botnet defense is blocking and monitoring outbound TCP 6667 traffic.) Also, attackers can use IRC protocols to communicate instructions to their bots.

Attackers can use the bots and their hosts for a variety of purposes, some seemingly innocuous to the compromised enterprise. For instance, botnets have become the distribution method of choice for spam and phishing attacks. According to e-mail security service provider MessageLabs, nearly 70 percent of all spam and phishing e-mails now originate from botnets. Tracing these attacks is difficult due to the many layers between the source machines and the attacker.

Botnets are the ideal mechanism for unleashing malware. Conventional worms are released from a single point and can take hours to circle the globe. Worms released from botnets can appear from multiple points simultaneously without warning, giving enterprises and AV vendors little time to react. Last spring's lightning-quick Witty worm was launched from a relatively small botnet of 4,200 nodes.

The more visible and devastating attack type is the DDoS attack. More than just simple SYN floods, botnet-controlled DDoS attacks can flood a network with seemingly legitimate requests, clogging the pipes, overloading services and denying all legitimate traffic. A moderate-sized botnet could completely disable Web, mail and VoIP communications; a DDoS attack directed at your DNS server could make your enterprise disappear from the Internet.

Your enterprise will most likely become aware of a botnet infiltration through user reports of performance issues; third-party reports of attacks originating in your IP address space; victims' reports of DDoS floods; and the detection of high inbound and outbound scanning, outbound flooding or traffic passing through hosts that should be acting like desktop clients.

To stay ahead of botnets, you need to stay current with prevention tools and techniques (e.g., proactive vulnerability scanning, patch management, appropriate use of firewalls and VPNs, user education, and policy enforcement). You also need to have sufficient computer forensics and incident response capabilities to adequately deal with compromises when they occur, and to return compromised machines to a trusted state as quickly as possible.

Lifecycle: Preventing, Detecting & Removing Bots
The most effective means of guarding against botnets are preventing attackers from planting bots on your network and removing them once they're detected. Enterprises need to harden systems against botnet infiltration and restore compromised machines to trusted states to prevent further compromises.

   Harden end hosts. Make sure your servers, desktops and mobile machines have up-to-date patches; harden your TCP/IP stack (e.g., using syncookies and maximizing TCP queue handling capacity); eliminate unnecessary services; partition required services as much as possible; and make use of backdoor networks for things like file services and DNS to limit externally exposed points of attack.
   Overprovision hosts and networks. Make sure your servers have more than enough RAM and the fastest hard drives, drive interfaces and interface cards (possibly using multiple interfaces to segregate front-end network services from back-end file services, and DNS from internal hosts); and tune/monitor system performance on a regular basis.
   Leverage IPSes/IDSes and firewalls. Restrict all externally exposed access to only those services that are absolutely necessary (e.g., only allow TCP ports 80 and 443 on Web servers, TCP/UDP ports 53 on DNS servers, etc.). Use your IDS/IPS to monitor access attempts on any open ports, and tune it to look for specific OS-version and patch-level vulnerabilities. Also, monitor what services are running--there's no need to check for Windows/x86-based IIS attacks aimed at a DNS server running BIND on Solaris/SPARC.

   Monitor and respond to incidents. Security managers should dedicate human and automated resources to check their IDS/IPS and other network monitoring devices for anomalous activity, such as spikes in traffic, unusual protocols, unauthorized connection attempts and large volumes of e-mail. Security managers should monitor ports and protocols commonly used by bots, such as TCP port 6667.
   Watch network traffic. Flow-level monitoring and logging, even for short periods--a few days or weeks--is critical for addressing multifaceted network attacks. Botnets are great at concealing the source of attacks, making host-based logging ineffective for diagnosis. In DDoS attacks, having a full picture of traffic to and from the victim host can often lead you closer to the attackers by noticing when they check to see if their attacks are succeeding.

   Filter the flood. In many cases, filters can drop incoming traffic from some or all of the attacking hosts in a DDoS attack. Attackers can, and usually do, vary their attack methods, so change your filters frequently. Bots can be blocked with enough precise information about command and control traffic patterns, ports, protocols, peers and servers. (Note: It's risky to do this with routers, as you may disrupt legitimate traffic. It's even riskier to use firewalls, since a failure will open your entire network to attack.)
   Remediate and recover. If you aren't already using integrity-checking software that fingerprints files and file system metadata, it can be extremely difficult to clean up bot-infested hosts. Effective cleanup requires detailed knowledge of the specific bots, how they're used and how their variants are altered or configured. Some antivirus/antispyware applications may be able to remove bots, but nastier variants require manual removal of both the software and registry keys. The most resilient bots and rootkits require wiping the hard drive and reinstalling the OS.
   Preserve the evidence. This is tricky; doing the "right thing" by preserving evidence is costly, while "wipe-and-reinstall" is cheap. Victims may soon not have a choice, since downstream liability cases and law enforcement efforts are compelling enterprises to preserve any and all evidence. Victims should attempt to get a hard drive image of at least one bot-compromised system to assist investigations.
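The "Monitor and respond to incidents" and "Watch network traffic" items above, together with the earlier advice to monitor outbound TCP 6667, can be sketched as a pass over flow records. This is an added example, not code from the article; the internal address range, the scan threshold and the flow-record format are assumptions, and the sample flows are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed values for this example (not from the article): internal address
# space, the watched IRC port set, and the fan-out threshold for "scanning".
INTERNAL = ip_network("10.0.0.0/8")
IRC_PORTS = {6667}
SCAN_THRESHOLD = 20  # distinct external destinations on one port per window

# Constructed flow records, one per line: "src dst dport proto".
SAMPLE_FLOWS = (
    ["10.1.4.23 198.51.100.7 6667 tcp"] * 3                         # desktop on IRC
    + [f"10.1.9.80 203.0.113.{i} 445 tcp" for i in range(1, 41)]    # outbound sweep
    + ["10.1.2.5 192.0.2.10 443 tcp",                               # ordinary web use
       "192.0.2.99 10.1.2.5 6667 tcp"]                              # inbound, ignored
)

def analyze(lines):
    """Return (irc_clients, scanners) for outbound flows from internal hosts."""
    irc = defaultdict(set)     # internal host -> external IRC servers contacted
    fanout = defaultdict(set)  # (internal host, dport) -> distinct destinations
    for line in lines:
        src, dst, dport, proto = line.split()
        src_ip, dst_ip, dport = ip_address(src), ip_address(dst), int(dport)
        if src_ip not in INTERNAL or dst_ip in INTERNAL:
            continue           # keep only internal -> external traffic
        if proto == "tcp" and dport in IRC_PORTS:
            irc[src].add(dst)
        fanout[(src, dport)].add(dst)
    scanners = {k: len(v) for k, v in fanout.items() if len(v) >= SCAN_THRESHOLD}
    return dict(irc), scanners

if __name__ == "__main__":
    irc_clients, scanners = analyze(SAMPLE_FLOWS)
    for host, servers in irc_clients.items():
        print(f"outbound IRC: {host} -> {sorted(servers)}")
    for (host, port), n in scanners.items():
        print(f"possible scanning: {host} reached {n} hosts on port {port}")
```

A port match alone only catches bots that keep the default port, so the fan-out count is the more durable signal for hosts "that should be acting like desktop clients."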

But, there's no effective defense for a botnet attack--your only hope is survival. (See "Preventing, Detecting and Removing Bots".)

Anticipating Bot Attacks
Before you connect to the Internet, there are some things you can do to mitigate the effects of botnet attacks. The following are some prudent steps all enterprises should consider:

Define service requirements with ISPs. You should define for your ISP what your expectations and response requirements are in the event of a DDoS attack. This includes network address agility (or switching your address block), which makes it harder to target your network and can reveal attacker reconnaissance; topological changes to compartmentalize your network, protect high-value assets and preserve connectivity to specific network segments; and traffic capture and analysis for tracing attacks and--perhaps--prosecuting attackers. Traffic filtering by your ISP or upstream traffic sources (sometimes called traffic blocking or null routing) can also help.

Manage out-of-band network. When your primary (or secondary) network interfaces are flooded, you may lose all ability to communicate with your network devices. If your provider can establish an out-of-band control mechanism--be it a network connection through a peering point or a DSL line to a terminal server within your network perimeter--you can regain remote access and reroute critical traffic, such as e-mail, even if your main network paths are unavailable.

Coordinate with peers. Cases of DDoS attacks that involve source-address forgery and traffic reflection off widely distributed servers (e.g., DNS reflection, SYN-ACK reflection off routers and firewalls) may require manual traceback to determine the source. Getting the cooperation of peers using the same upstream provider to block traffic and perform traceback may be very difficult; persuading your upstream provider to commit to working with you, even if the problem is difficult, is the first step.

While not fully effective against botnet DDoS attacks, several open-source and commercial products can provide some measure of response capabilities. Each has some value, but is only one soldier in the information assurance/availability army.

Most defenses are directed at either the host or network level, but rarely both. Host-level defenses, including personal firewalls, antivirus and host-based IDSes, are designed to protect computers, OSes and applications, and to detect and possibly contain intrusions.

Commercial applications from Arbor Networks, Captus Networks, Cisco Systems, Lancope, Mazu Networks and Top Layer identify anomaly traffic and irregular volume flows to detect DDoS attacks. These same applications have had some success in filtering floods by dropping traffic based on source IP address and protocol. But, their success is limited by the size and scope of a botnet flood. DDoS attacks, especially those launched via massive botnets, have a numerical advantage that may overwhelm these tools.

Security solutions that maintain the trusted state of machines, such as those from Tripwire, can monitor deviations in configurations. When a machine falls out of compliance, it can be rapidly detected and restored to a trusted state.
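The integrity checking described here and in the "Remediate and recover" item, fingerprinting files and file system metadata and then detecting deviation from a trusted baseline, can be illustrated as follows. This is an added example, not Tripwire's code or anything from the article; the choice of fields (SHA-256, permission bits, size) and the file names in the constructed demo directory are assumptions.

```python
import hashlib
import os
import stat
import tempfile

def fingerprint(path):
    """Content hash plus metadata that tampering commonly changes."""
    st = os.lstat(path)
    sha = None
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            sha = hashlib.sha256(f.read()).hexdigest()
    return {"sha256": sha, "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}

def snapshot(root):
    """Map each file's path (relative to root) to its fingerprint."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            snap[os.path.relpath(full, root)] = fingerprint(full)
    return snap

def compare(baseline, current):
    """Return (added, removed, changed); changed maps path -> differing fields."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = {}
    for path in sorted(set(baseline) & set(current)):
        fields = sorted(k for k in baseline[path] if baseline[path][k] != current[path][k])
        if fields:
            changed[path] = fields
    return added, removed, changed

def demo():
    """Baseline a constructed directory, alter it, and report the drift."""
    with tempfile.TemporaryDirectory() as root:
        def write(name, data, mode=0o600):
            path = os.path.join(root, name)
            with open(path, "wb") as f:
                f.write(data)
            os.chmod(path, mode)
        write("app.cfg", b"debug=0\n")
        write("run.sh", b"#!/bin/sh\n")
        baseline = snapshot(root)
        write("app.cfg", b"debug=1\n")             # same size, new content
        write("run.sh", b"#!/bin/sh\n", 0o755)     # same content, new mode
        write("dropped.bin", b"\x00" * 16)         # file absent from baseline
        return compare(baseline, snapshot(root))
```

The baseline is only useful if it was taken while the host was in a trusted state and is stored where a compromised host cannot rewrite it.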

Network-level defenses focus on large sets of computers on a network or routing infrastructure. They may monitor individual or aggregate traffic flows between computers looking for anomalous activity, filter suspicious traffic, manage device configurations or patch systems to prevent exploitation.

Being a Good 'Netizen
Botnets are marauders waiting at the edge of every network for the one vulnerable machine that will become their key through enterprise fortifications. And eradicating botnets after an invasion is nearly impossible because their numbers and growth are too great.

So, what can be done to shield your network from botnets? Formulate a good defensive strategy by safeguarding and protecting your network and mobile computers, and preventing attacks before they happen. For those enterprises already under attack, systematically rooting out compromised servers and PCs is essential.

Only through vigilance and best practices will enterprises stay ahead of, or at least keep pace with, the botnet threat.

Article 2 of 6
This was last published in March 2005
