Bots were created in the early 1990s by IRC users who wanted to protect and defend against "net split" attacks, among other tasks. While attackers were using bots to knock IRC users out of their favorite channels and deny them access to their user names, the users fought back with their own bots to preserve the integrity of user names and to keep channel access open.
By 1999, an arsenal of nascent DDoS tools had emerged: Trinoo, Tribe Flood Network, Stacheldraht and Shaft. These tools, which were used to launch attacks against IRC hosts, were only semi-automatic, required significant manual tuning, and didn't use IRC for communications. Canadian hacker MafiaBoy used these types of tools in his 2000 attacks that brought down Yahoo!, eBay, CNN and Amazon.com Web sites.
In 2000, the need for automation and larger compromised networks led bot developers to merge their DDoS tools with worms and Trojan kits. For example, Stacheldraht was bundled with versions of the t0rnkit rootkit and a variant of the Ramen worm, and the Lion worm included the TFN2K agent. This convergence enabled attackers to compromise vast numbers of machines faster.
Command and control
By 2002, DDoS attackers transitioned to IRC-controlled bots that implemented with greater efficiency the same attacks as Stacheldraht. Since many attackers were familiar with IRC and bot programming, it made sense to stick with IRC-based DDoS bots. Today, the majority of DDoS tools use IRC as a communication protocol and means of control (even if not directly using IRC networks as control channels).
Since 2003, bot creators have focused on truly blended threats -- malware, spam, spyware, DDoS -- that use IRC channels as control mechanisms. Modern bots, such as Phatbot and Agobot, use viruses and worms to build networks of hundreds of thousands of machines. The 2004 Witty worm was launched simultaneously without warning from 4,200 points, making it nearly impossible to trace.
- Learn these five steps for beating back the bots.
- Listen to David Dittrich's webcast to learn how to respond to botnet attacks.
- Review these resources for tips on rooting out compromised machines and safeguarding your network from botnet attacks.
About the author
David Dittrich is an Information Assurance researcher at the University of Washington Information School, and has over 20 years of programming, system administration and information security-related experience. Dittrich is also a founding member of the Honeynet Project and co-author of "Internet Denial of Service: Attack and Defense Mechanisms."
Note: This article originally appeared on Information Security magazine.