A botnet is a structure of many compromised machines, often home PCs, managed from an Internet Relay Chat (IRC) channel. Botnets are highly customizable and can be used for many types of abuse, including spamming, sniffing traffic, keylogging, spreading new malware, Google AdSense abuse, attacking IRC Chat Networks, manipulating online polls and mass identity theft.
As an ISP, it’s crucial that your network abuse team is able to identify whether one of your customers’ servers is being used in a botnet attack.
Common uses of botnets
- Distributed Denial of Service attacks: Distributed Denial-of-Service (DDoS) attacks are one of the most common uses of botnets. In the first quarter of 2015, 23,095 botnet-assisted DDoS attacks were reported, targeting web resources in 76 countries.
- Spamming: An attacker can use a botnet to send massive amounts of bulk email. Some botnets take this even further and have a special function to harvest email addresses. This spam is often proxied through an unknowing owner of an old unprotected Windows computer sitting at home on your ISP’s network.
- Sniffing Traffic: Botnets can use a packet sniffer to search for sensitive information like usernames and passwords. If a machine is part of more than one botnet, it can also sniff key information from the others.
- Spreading new malware: Botnets are generally used to spread new bots, but they can also be used to spread email viruses. A botnet with 10,000 hosts can cause a significant amount of damage in a very short time.
- Mass identity theft: Botnets will often combine many of these actions to commit mass identity theft. An example of this is the Zeus Botnet, which used millions of compromised PCs to target banks and grab account logins and private user data. This was then used in thousands of cases of online identity fraud. In 2010, the FBI disclosed that Zeus botnets had been used to steal over $70 million from bank accounts across the United States.
How to detect botnets
MIT Technology Review reports that a spam study showed that if the top 50 ISP networks in the world were to shut down or block malicious machines on their network, it could cut worldwide spam by half. The report also showed that while there is a relationship between the size of an ISP and the number of infected machines connected to the Internet through its network, some providers had 100 times more infections than others of the same size. Botnet detection can be difficult, but here are some ways you can tell if a customer’s server is being used for a botnet attack:
- Increased IRC traffic as botnets and bot masters use IRC for communications
- Multiple machines on your network making identical DNS requests
- Connection attempts with a known bot herder’s command and control server
- High outgoing SMTP traffic due to sending spam
- Unexpected pop-ups as a result of click fraud activity
- Complaints of slow computing
- Spikes in your network traffic, particularly Port 6667, which is used for IRC, Port 25, which is used in email spamming, and Port 1080, which is used by proxy servers
- Reports of outbound messages including email, social media and instant messages that weren’t sent by the user
- Reports of problems with internet access
There are several measures an ISP can take to prevent botnet infections in their network, including network baselining to monitor any irregular behavior, firewalls, network sniffers and Network Intrusion Detection Systems (NIDS).
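The indicator list above and the network-baselining measure in the previous paragraph can both be turned into simple, reviewable detection logic over flow records. The following is an added example written for this page, not code from Abusix or AbuseHQ. It assumes flow records already reduced to (source, destination, destination port, byte count, optional DNS query name); the sample flows, the baseline figures and the command-and-control blocklist are constructed for illustration using RFC 5737 documentation addresses, and the thresholds are arbitrary defaults an abuse team would tune to its own network.

```python
from collections import Counter, defaultdict
from typing import Dict, List, NamedTuple, Optional


class Flow(NamedTuple):
    src: str
    dst: str
    dst_port: int
    nbytes: int
    qname: Optional[str] = None  # set only for DNS query records


# Constructed sample flows (RFC 5737 documentation addresses), not real traffic.
SAMPLE_FLOWS = [
    Flow("10.0.0.11", "198.51.100.7", 6667, 1_200),          # IRC from one host
    Flow("10.0.0.12", "198.51.100.7", 6667, 900),            # IRC from a second host
    Flow("10.0.0.11", "203.0.113.5", 443, 3_400),            # hits the placeholder C2 list
    Flow("10.0.0.13", "192.0.2.25", 25, 5_000_000),          # heavy outbound SMTP
    Flow("10.0.0.13", "192.0.2.26", 25, 4_000_000),          # heavy outbound SMTP
    Flow("10.0.0.14", "192.0.2.1", 443, 2_000),              # ordinary HTTPS
    Flow("10.0.0.16", "192.0.2.9", 1080, 700),               # SOCKS proxy port
    Flow("10.0.0.11", "10.0.0.53", 53, 80, "update.example.net"),
    Flow("10.0.0.12", "10.0.0.53", 53, 80, "update.example.net"),
    Flow("10.0.0.15", "10.0.0.53", 53, 80, "update.example.net"),
    Flow("10.0.0.14", "10.0.0.53", 53, 80, "www.example.com"),
]

# Placeholder blocklist; a deployment would load this from a threat-intel feed.
KNOWN_C2_IPS = {"203.0.113.5"}
IRC_PORT, SMTP_PORT, SOCKS_PORT = 6667, 25, 1080

# Constructed per-host baseline: typical bytes per window from past observation.
SAMPLE_BASELINE = {"10.0.0.11": 1_000, "10.0.0.13": 100_000, "10.0.0.14": 50_000}


def analyze_flows(flows: List[Flow], smtp_byte_threshold: int = 1_000_000,
                  shared_dns_min_hosts: int = 3) -> Dict[str, List[str]]:
    """Map each source host to the sorted list of botnet indicators it matched."""
    findings = defaultdict(set)
    smtp_bytes = Counter()            # outbound SMTP volume per host
    dns_hosts = defaultdict(set)      # query name -> hosts that asked for it
    for f in flows:
        if f.dst_port == IRC_PORT:
            findings[f.src].add("irc_traffic")
        if f.dst_port == SOCKS_PORT:
            findings[f.src].add("proxy_port")
        if f.dst in KNOWN_C2_IPS:
            findings[f.src].add("known_c2")
        if f.dst_port == SMTP_PORT:
            smtp_bytes[f.src] += f.nbytes
        if f.qname:
            dns_hosts[f.qname].add(f.src)
    # Volume-based indicator: spam senders stand out by outbound SMTP bytes.
    for src, total in smtp_bytes.items():
        if total > smtp_byte_threshold:
            findings[src].add("smtp_volume")
    # Coordination indicator: many hosts resolving the same name in one window.
    for qname, hosts in dns_hosts.items():
        if len(hosts) >= shared_dns_min_hosts:
            for h in hosts:
                findings[h].add("shared_dns:" + qname)
    return {src: sorted(tags) for src, tags in findings.items()}


def baseline_deviations(flows: List[Flow], baseline_bytes: Dict[str, int],
                        factor: float = 3.0) -> Dict[str, int]:
    """Hosts whose total bytes this window exceed factor x their baseline.

    Hosts with no baseline are skipped rather than guessed at.
    """
    totals = Counter()
    for f in flows:
        totals[f.src] += f.nbytes
    return {src: total for src, total in totals.items()
            if src in baseline_bytes and total > factor * baseline_bytes[src]}


if __name__ == "__main__":
    for host, tags in sorted(analyze_flows(SAMPLE_FLOWS).items()):
        print(host, tags)
    print("baseline deviations:", baseline_deviations(SAMPLE_FLOWS, SAMPLE_BASELINE))
```

Each finding is a label rather than a verdict: a host matching only `proxy_port` may simply run a legitimate SOCKS service, while one matching IRC traffic, a known C2 address and a shared DNS name in the same window is a much stronger candidate for an abuse ticket. The baseline function is the numeric form of the "network baselining" measure: it says nothing about hosts it has never seen, which is the right default for a new customer.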
AbuseHQ from Abusix performs continuous integrated abuse and threat processing both in real-time and retrospectively, allowing you to gain insights from deep inside your network’s abuse data, regardless of the network resources that your customers are using. AbuseHQ automatically classifies 31 events, including bot-infection and all the other abuse events related to botnet attacks.
To learn more about how you can proactively protect your ISP from network abuse, download this free eBook from Abusix: