A modern botnet consists of many compromised machines, often home PCs, managed from an Internet Relay Chat (IRC) channel. These hijacked computers make up the botnet, which can be directed to perform many kinds of abuse, including spamming, traffic sniffing, keylogging, spreading malware, Google AdSense abuse, attacking IRC networks, manipulating online polls, and mass identity theft. Designed to evade detection, botnets are among the most sophisticated tools at cybercriminals' disposal. Fortunately, there are a number of ways service providers can stop or limit the damage of a botnet attack.
How To Identify A Botnet Attack
A leading study by Delft University of Technology reports that, globally, 5 to 15 percent of all domestic computers are linked to botnets. Michael O’Reirdan, chair of the Messaging Anti-Abuse Working Group (MAAWG), a group initially set up by US net firms to tackle spam, says “there’s a great desire amongst large ISPs to tackle botnets”. To do this, service providers need to identify when a customer’s computer or server is being used as a ‘zombie’ in a botnet attack. Once a machine has been compromised, it starts executing the botmaster’s instructions. Look out for:
- Increased connections to known Command and Control (C&C) servers to fetch instructions
- Increased Internet Relay Chat (IRC) traffic on a specific range of ports
- Bursts of simultaneous, identical Domain Name System (DNS) requests
- Increased Simple Mail Transfer Protocol (SMTP) traffic, i.e. outbound email
- Reduced workstation performance and internet access speed
- Unexpected pop-ups resulting from click-fraud activity
- Spikes in network traffic, particularly on port 6667 (IRC), port 25 (used in email spamming) and port 1080 (used by proxy servers)
- Be aware that bots may use the entire IRC port range (6660–6669 and 7000), not just 6667
Prevent Your Clients From Becoming Botnet Slaves
One of the first steps in preventing these attacks is educating your customers on how to avoid becoming part of a botnet. Good advice includes not clicking on suspicious links, whether in email or online, and not downloading attachments they did not request. Encourage them to install reputable antivirus and anti-spyware software, to keep a host firewall enabled, and to keep their software up to date.
Even with all these precautions in place, computers can still be compromised. As a service provider, you need to have the right abuse handling system in place to prevent a botnet attack or stop it in its tracks.
How To Prevent Botnet Attacks
There are several ways to handle botnet attacks. Your abuse handling environment should tick these boxes:
- Acquire all data sources capable of telling you something about your network and the compromised hosts within it. Also use internal data sources such as honeypots: decoy systems that present false infiltration opportunities and are ideal traps when, as a service provider, you protect valuable information a botmaster would want to get their hands on.
- Analyze and aggregate these pieces of information to make them actionable as fast as possible.
- Act on the information you have gathered in the way that works best for your environment. Notifying customers, shutting down ports, lowering bandwidth and quarantining networks are all options for keeping the abuse under control until it is resolved.
Botnet attack detection and prevention generally fall into two categories: static analysis and behavioral analysis. Static analysis means looking in your IP Abuse Report for specific triggers, such as a malware signature or a C&C connection address. Static analysis is not enough on its own, however; behavioral analysis is also needed. This includes looking at the timing of attacks: bots are usually ordered to act at times when there is a lot of network activity. Your IP Abuse Report will reveal this and show whether your network has experienced an increase in failed connection attempts, another indication that a botnet attack could be under way. Port scanning the local network for infiltration opportunities is also classic bot behavior.
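To show how the indicators listed above (IRC and proxy ports, SMTP bursts, simultaneous identical DNS requests) and the behavioral signs described here (failed connection attempts, local port scanning) could be checked against connection logs, here is an added Python example; it is not part of the original post or of any Abusix product, and its flow records, thresholds and indicator names are constructed for illustration.

```python
from collections import Counter, defaultdict

# Ports the article names as botnet indicators
IRC_PORTS = set(range(6660, 6670)) | {7000}
SMTP_PORT, PROXY_PORT, DNS_PORT = 25, 1080, 53
# Constructed flow records (not real telemetry), one per connection:
# (second, src_ip, dst_ip, dst_port, outcome, dns_qname_or_None)
FLOWS = [
    (1, "10.0.0.5", "198.51.100.9", 6667, "ok", None),
    (2, "10.0.0.5", "198.51.100.9", 6667, "ok", None),
    (3, "10.0.0.5", "203.0.113.20", 25, "ok", None),
    (3, "10.0.0.5", "203.0.113.21", 25, "ok", None),
    (3, "10.0.0.5", "203.0.113.22", 25, "ok", None),
    (4, "10.0.0.5", "10.0.0.7", 445, "failed", None),
    (4, "10.0.0.5", "10.0.0.8", 445, "failed", None),
    (4, "10.0.0.5", "10.0.0.9", 445, "failed", None),
    (5, "10.0.0.5", "10.0.0.53", 53, "ok", "cc.example"),
    (5, "10.0.0.6", "10.0.0.53", 53, "ok", "cc.example"),
    (5, "10.0.0.7", "10.0.0.53", 53, "ok", "cc.example"),
    (6, "10.0.0.11", "93.184.216.34", 443, "ok", None),
]

def flag_hosts(flows, smtp_min=3, fail_min=3, dns_min=3):
    """Map each source IP to its sorted indicators; thresholds are placeholders."""
    hits = defaultdict(set)
    smtp, failed = Counter(), Counter()
    probed = defaultdict(set)   # src -> distinct hosts it failed to reach
    dns = defaultdict(set)      # (second, qname) -> hosts asking in that second
    for sec, src, dst, port, outcome, qname in flows:
        if port in IRC_PORTS or port == PROXY_PORT:
            hits[src].add("irc-port" if port in IRC_PORTS else "proxy-port")
        if port == SMTP_PORT:
            smtp[src] += 1
        if outcome == "failed":
            failed[src] += 1
            probed[src].add(dst)
        if port == DNS_PORT and qname:
            dns[(sec, qname)].add(src)
    for src in (s for s, n in smtp.items() if n >= smtp_min):
        hits[src].add("smtp-burst")             # outbound mail burst
    for src in (s for s, n in failed.items() if n >= fail_min):
        hits[src].add("failed-connections")
        if len(probed[src]) >= fail_min:        # failures spread over many hosts
            hits[src].add("port-scan")
    for (sec, qname), srcs in dns.items():
        if len(srcs) >= dns_min:                # identical, simultaneous queries
            for src in srcs:
                hits[src].add("sync-dns:" + qname)
    return {src: sorted(v) for src, v in hits.items()}
```

Hosts that trip several indicators at once (here 10.0.0.5) are the ones to prioritise in the abuse desk queue; a single indicator such as one shared DNS lookup is weak evidence on its own.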
Use AbuseHQ To Gain Clarity And Take Faster Action
Protecting your service provider’s network from botnet attacks is an ongoing task. AbuseHQ from Abusix integrates into existing infrastructures to provide the insight necessary to identify and shut down network abuse at its source. AbuseHQ automatically classifies over 30 events, including bot infection and all other abuse events related to botnet attacks.
To find out more about how AbuseHQ can help your abuse desk perform at its best, download The Ultimate Guide To Abuse Desk Setup.