What is a Botnet?
The term “botnet” refers to a collection of computers linked together to perform a specific task. Botnets themselves are not a threat to your network. For example, some botnets perform helpful tasks like managing chatrooms or keeping track of points during an online game. However, when botnets are misused for malicious purposes, they can be very dangerous. This is because a botnet can control your computer and also use it to carry out attacks.
A botnet is a network of computers infected by malware that are under the control of a single attacking party, known as the “bot-herder.” Each individual machine under the control of the bot-herder is known as a bot.
Why Are Botnets Created?
Initially, botnets were created to make time-consuming tasks easier. An example was proctoring chatrooms and ejecting people who did things that went against the room’s policy, such as the use of inappropriate language. But because of a botnet’s ability to execute code inside another computer, people began to use them in the theft of passwords or to keep track of a user’s keystrokes. Botnets were then created to use other people’s computers to launch attacks against unsuspecting devices.
The popularity of botnets has been growing because they can be used for financial gain, attracting the efforts of greedy criminals. To gain the respect of others, cyber criminals use botnets to infect and control as many computers as they can. In this way, they construct a “resume” they use to show off their hacking skills.
Different Models of Botnet
Like most internet-based systems, botnets are designed according to strict structures. Botnet structure is typically either based on a client/server or peer-to-peer model.
With the client/server botnet model, a network gets established and a single server works as the botmaster. This server then exerts control over how information is sent between clients, establishing a command and control (C&C) over the client computers. The client/server model operates using specialized software that enables the botmaster to maintain its control over all of the clients under it.
It is fairly easy to locate a client/server botnet structure. It has just one central control point, so some cyber criminals may choose other models that are harder to detect and destroy.
Star Network Topology
With a star network, a spoke-hub structure is used within a computer network. Each host is connected to a hub at the center of the network. The hub functions as a conduit to send messages to the computers within the star network. The data on the star network is channeled through the central hub before it gets sent to where it is going.
Multi-server Network Topology
With multi-server network topology, the structure is similar to that of a star network, except there is more than one server sending and receiving data to each of the bots.
Hierarchical Network Topology
In a hierarchical network topology model, a server sits at the top of a hierarchy of machines. That server then sends and receives data using bots, which then send and receive data to other bots lower in the hierarchy. There is at least one degree of separation between the server and the lowest hierarchy of bots.
Peer-to-peer (P2P) botnets involve each device connected to the network operating independently as both a client and a server. The devices then coordinate with each other to transmit and update information across the system. Because there is no centralized control, a P2P botnet structure is stronger and harder to detect.
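The single-point-of-failure argument above can be made concrete. The following is an added example, not code from the original article or from Fortinet: it builds a small star, hierarchical and peer-to-peer topology (node names, sizes and the P2P "remove the best-connected node" rule are all constructed for the demo), removes the control point, and measures the largest piece of the botnet that remains connected.

```python
# Added example (not from the article): how much of a botnet survives a takedown
# of its control point, for the three topologies described above. Names, sizes
# and the "remove the best-connected node" rule for P2P are all constructed.
from collections import deque


def build_star(n_bots):
    """Client/server (star): one C&C hub, every bot talks only to it."""
    edges = {("c2", f"bot{i}") for i in range(n_bots)}
    return edges, {"c2"}


def build_hierarchical(fanout, depth):
    """One server on top; each bot relays to `fanout` bots one level below it."""
    edges, layer, counter = set(), ["c2"], 0
    for _ in range(depth):
        next_layer = []
        for parent in layer:
            for _ in range(fanout):
                child = f"bot{counter}"
                counter += 1
                edges.add((parent, child))
                next_layer.append(child)
        layer = next_layer
    return edges, {"c2"}


def build_p2p(n_bots, degree):
    """Peer-to-peer overlay: every bot peers with the next `degree` bots in a ring; no controller."""
    edges = set()
    for i in range(n_bots):
        for k in range(1, degree + 1):
            edges.add((f"bot{i}", f"bot{(i + k) % n_bots}"))
    return edges, set()


def largest_component_fraction(edges, removed):
    """Fraction of surviving nodes that are still in one connected piece (BFS over an undirected graph)."""
    nodes = {n for edge in edges for n in edge} - set(removed)
    adj = {n: set() for n in nodes}
    for a, b in edges:
        if a in nodes and b in nodes:
            adj[a].add(b)
            adj[b].add(a)
    seen, best = set(), 0
    for start in nodes:
        if start in seen:
            continue
        queue, size = deque([start]), 0
        seen.add(start)
        while queue:
            node = queue.popleft()
            size += 1
            for peer in adj[node]:
                if peer not in seen:
                    seen.add(peer)
                    queue.append(peer)
        best = max(best, size)
    return best / len(nodes) if nodes else 0.0


def takedown_impact(edges, controllers):
    """Remove the controller(s), or for P2P the single best-connected node, and measure what stays connected."""
    if controllers:
        removed = set(controllers)
    else:
        degree = {}
        for a, b in edges:
            degree[a] = degree.get(a, 0) + 1
            degree[b] = degree.get(b, 0) + 1
        removed = {max(sorted(degree), key=degree.get)}
    return largest_component_fraction(edges, removed)


if __name__ == "__main__":
    for name, (edges, ctl) in {
        "star (20 bots)": build_star(20),
        "hierarchical (fanout 3, depth 3)": build_hierarchical(3, 3),
        "p2p (20 bots, 2 peers each)": build_p2p(20, 2),
    }.items():
        print(f"{name:36s} largest surviving piece: {takedown_impact(edges, ctl):.0%}")
```

Removing the hub leaves the star as isolated bots (5% of 20 remain in one piece), the hierarchy splits into one surviving subtree per first-level relay (a third of the bots), and the P2P ring loses nothing it cannot route around, which is the resilience the paragraph describes.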
Types of Botnet Attacks
There are several types of botnet attacks, and each has its own characteristics. The categories described here involve botmasters, zombie computers, spamming, spyware, click fraud, dial-up bots, and web crawling.
A botmaster refers to an individual that runs the C&C of botnets. They can execute the botnets’ functions remotely to launch distributed denial-of-service (DDoS) and other types of attacks. The bots the botmaster uses are usually installed on computers using various remote code installation techniques. The botmaster conceals their identity using proxies, an Internet Protocol (IP) address, or The Onion Router (Tor) Project, which works in conjunction with the dark web.
The bots the botmaster deploys are set up to enable the C&C to manage them once a key or password is entered. When these keys get compromised, hackers can “hack” the botnets of their criminal competitors and then initiate DDoS attacks—and other types of attacks—of their own.
In a zombie attack, a computer that is connected to the internet is being controlled by a hacker or malware. The bot may be installed in the target computer using a Trojan horse. The computer becomes “mindless,” like a zombie, as the person or malware controls it, making it execute malicious tasks.
A spamming botnet, otherwise known as a spambot, refers to a machine that distributes spam emails to computers. These emails tend to have advertisements for products such as pornography, fake antivirus software, or counterfeit goods. The emails may also have computer viruses hidden within them.
Spammers may buy a botnet that has already infected many computers and then send out spam emails in an attempt to infect devices. With this method, it is harder to figure out where the attack originally came from.
A botnet hacker that uses spyware for click fraud uses a botnet that can automatically click on links for online advertising or on webpages. Because these clicks often generate revenue for advertisers, spyware botnets can be used by enterprising criminals to earn a steady income.
Dial-up bots work by connecting to dial-up modems and forcing them to dial numbers. In this way, they can tie up a phone connection, which may force the user to switch numbers. In other cases, the botnet may call a premium phone number, which results in the target user getting a high phone bill. However, because dial-up modems are getting less and less common, these types of attacks are shrinking in popularity.
A web crawler, also known as a web spider, is a bot on a search engine that downloads and indexes website content. The objective of this kind of bot is to figure out what each website is about. In this way, that site can be matched to a searcher’s query when necessary. They “crawl” the web, grabbing information off websites, organizing, and categorizing it using software.
How to Disable Botnets
In addition to understanding what a botnet attack is, it is important to know how to stop one. Because a botnet can infect, and be dispersed across, so many devices, it is hard to take down an existing botnet with one single approach. The best way is to target specific aspects of the botnet’s operation and individual devices, and secure all facets of your network that could be attacked by botnets.
There are several ways of addressing a botnet problem. Disabling a botnet’s control centers involves cutting off the “head” of the botnet, while eliminating infection focuses on addressing individual, compromised devices. You can also limit the type of third-party code allowed to run on your devices, which keeps dangerous code from gaining a foothold in the first place.
In addition, monitoring data as it flows in and out of devices can detect botnets as they try to invade your computers or those connected to them. Finally, it is always a good idea to use more secure passwords to keep invaders from accessing your system through weakly protected devices.
Here is a more detailed description of these protective measures.
Disable a Botnet's Control Centers
Botnets that make use of a C&C structure are fairly easy to disable if you can identify the control center. As you cut off the head at identified points of failure, the entire botnet can be taken offline. With this approach, administrators and law enforcement can close down the control centers, possibly preventing future attacks.
The ability to intervene may depend on the country in which the control center lies. In some jurisdictions, it is more difficult to interfere with control center activity than in others.
Eliminate Infection on Individual Devices
With individual devices, there are several ways to regain control. These include reinstalling the operating system from a backup, running antivirus software, or reformatting the system and doing a clean install. Similar to traditional devices, with an IoT device, you can regain control by reformatting or doing a factory reset, and you may also be able to flash the firmware.
Allow Only Trusted Execution of Third-Party Code
To use only trusted third-party code, you have to start with secure, trusted supervisor software, also referred to as a kernel. Once this is in place, software that is not trusted can be excluded from running on the device. Using this method, you do not have to know every botnet floating around the internet. You only have to maintain a list of trusted applications that will be allowed to execute on the device.
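An allowlist is only as good as the way it identifies an application: matching on file name lets a renamed or modified binary through. The following is an added example, not code from the article or from Fortinet, showing a default-deny allowlist keyed on the SHA-256 of a program's content (the demo files and their contents are constructed). Production deployments use the operating system's own mechanism for this (such as Windows AppLocker or WDAC, or Linux integrity and mandatory-access-control frameworks), but the decision logic is the same.

```python
# Added example (not from the article): an execution allowlist keyed on file
# content (SHA-256) rather than file name, so a renamed or tampered binary is
# refused. The demo files and their contents are constructed for illustration.
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path):
    """Digest a file in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_allowlist(trusted_paths):
    """Approve the current content of each trusted program, not its name or location."""
    return {sha256_of(p) for p in trusted_paths}


def is_allowed(path, allowlist):
    """Default-deny: a program runs only if its digest is on the allowlist."""
    return sha256_of(path) in allowlist


def demo():
    """Approve one program, then test an unknown file and a tampered copy of the approved one."""
    with tempfile.TemporaryDirectory() as workdir:
        trusted = Path(workdir, "trusted_tool.py")
        trusted.write_text("print('doing approved work')\n")
        unknown = Path(workdir, "unknown_dropper.py")  # constructed stand-in for unvetted code
        unknown.write_text("print('not on the allowlist')\n")
        allowlist = build_allowlist([trusted])
        verdicts = {
            "trusted": is_allowed(trusted, allowlist),
            "unknown": is_allowed(unknown, allowlist),
        }
        # Same file name, changed content: the earlier approval no longer applies.
        trusted.write_text("print('doing approved work')\nprint('extra code added later')\n")
        verdicts["tampered"] = is_allowed(trusted, allowlist)
    return verdicts


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:9s} -> {'run' if allowed else 'blocked'}")
```

The approved file runs, the unknown file is blocked, and the approved file is blocked again as soon as its content changes, which is what makes the list useful without knowing anything about the malware it keeps out.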
Implement Good Ingress and Egress Filtering Practices
Ingress refers to traffic sent into your network while egress is traffic sent out of your network. With good ingress and egress filtering practices, you can catch botnets before they capture your computers, and if they are already inside, stop them from spreading from one computer to another.
Ingress filtering examines data packets as they enter your network, eliminating or stopping malicious data from getting inside. Egress filtering is applied to data as it leaves a computer or network, and if malicious software is found, the data stream can be stopped, and the problem can be addressed by the IT team.
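Egress filtering is where a compromised host tends to reveal itself, because a bot has to reach its controller. The following is an added example, not code from the article or from Fortinet, of three egress checks run over connection logs: a destination on a block list, an outbound port the policy does not allow, and "beaconing" (a host contacting the same destination at a nearly fixed interval). The log format, the addresses (taken from documentation ranges), the block-list entry and the thresholds are all constructed for the demo and are not real indicators.

```python
# Added example (not from the article): egress monitoring over connection logs.
# The log format, the addresses (documentation ranges), the "known C2" entry and
# the thresholds are all constructed for this demo, not real indicators.
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

LOG_RE = re.compile(r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

KNOWN_C2 = {"203.0.113.45"}           # placeholder block-list entry, not a real address
ALLOWED_EGRESS_PORTS = {53, 80, 443}  # every other outbound port is denied by policy

# Constructed sample: 10.0.0.12 contacts one host every 60 s, 10.0.0.20 reaches the
# block-listed address, 10.0.0.31 uses a disallowed port, 10.0.0.40 browses irregularly.
SAMPLE_LOG = """\
2024-05-01T10:00:00Z src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T10:00:10Z src=10.0.0.40 dst=198.51.100.10 dport=443
2024-05-01T10:00:20Z src=10.0.0.40 dst=198.51.100.10 dport=443
2024-05-01T10:00:30Z src=10.0.0.20 dst=203.0.113.45 dport=443
2024-05-01T10:01:00Z src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T10:01:30Z src=10.0.0.31 dst=198.51.100.9 dport=6667
2024-05-01T10:02:00Z src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T10:03:00Z src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T10:04:00Z src=10.0.0.12 dst=198.51.100.7 dport=443
2024-05-01T10:05:20Z src=10.0.0.40 dst=198.51.100.10 dport=443
2024-05-01T10:06:05Z src=10.0.0.40 dst=198.51.100.10 dport=443
""".splitlines()


def parse(lines):
    """Turn matching log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in lines:
        match = LOG_RE.match(line)
        if match:
            events.append({
                "ts": datetime.fromisoformat(match["ts"].replace("Z", "+00:00")),
                "src": match["src"],
                "dst": match["dst"],
                "dport": int(match["dport"]),
            })
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Return {(src, dst): period_seconds} for pairs whose connection intervals are nearly constant."""
    by_pair = defaultdict(list)
    for event in events:
        by_pair[(event["src"], event["dst"])].append(event["ts"])
    beacons = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        period = mean(gaps)
        # Low relative spread of the gaps means a timer, not a person, is driving the traffic.
        if period > 0 and pstdev(gaps) / period <= max_jitter:
            beacons[pair] = round(period, 1)
    return beacons


def egress_alerts(lines):
    """Combine the per-connection policy checks with the beacon check; one alert per (kind, src, dst)."""
    events = parse(lines)
    alerts = set()
    for event in events:
        if event["dst"] in KNOWN_C2:
            alerts.add(("known-c2", event["src"], event["dst"]))
        elif event["dport"] not in ALLOWED_EGRESS_PORTS:
            alerts.add(("blocked-port", event["src"], event["dst"]))
    for (src, dst) in find_beacons(events):
        alerts.add(("beacon", src, dst))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, src, dst in egress_alerts(SAMPLE_LOG):
        print(f"{kind:13s} {src} -> {dst}")
```

The beacon check is the one a block list cannot replace: the beaconing host in the sample uses an allowed port and a destination nobody has listed yet, and it is still caught because its timing is machine-regular, while the host browsing at irregular intervals is not flagged.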
Tips to Protect Yourself Against Botnets
Avoiding botnets in the first place is a fairly simple process, especially if you know what to look for. Keep in mind that a botnet cannot do any damage if it cannot get inside your devices. In many cases, an unsuspecting user lets the botnet in by taking a specific action.
For example, a user may end up clicking on a link embedded in a message. Once the link is clicked, the botnet gains access to the user’s device. Avoiding these kinds of links can nip the problem in the bud.
Avoid Buying Devices with Weak Security
Devices with weak security can be like a half-open door for botnets. Often, devices have default passwords that are easy to guess. Further, if a hacker has access to a list of default passwords that a device manufacturer tends to use, they may not have to do any deciphering at all. It is best to purchase devices with more advanced security features and then be meticulous about protecting each one with an adequately strong password or multi-factor authentication (MFA) system.
Be Wary of Any Email Attachments
Email attachments put bots a click away from target devices. Anytime you get an email with an attachment, you should make sure the attachment is safe. Some email apps come with filtering capabilities that can scan attachments to verify their safety.
When in doubt, if you think the attachment is necessary, it may be safer to open it in a sandboxed environment to prevent any bots from infecting your system. A sandbox keeps devices and areas of the network away from the rest of the system to limit and contain threats.
Never Click Links in Any Message You Receive
Treat every link within a message as suspicious. If the link is a tool of a botnet, it cannot harm your computer unless you click it. If you feel a link may contain vital information, you can right-click or long-press the link (depending on your device) to see where it leads without activating it.
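The "see where it leads" check can also be automated for a whole message. The following is an added example, not code from the article or from Fortinet: it parses the anchors in an HTML message and reports links whose visible text names one host while the actual target is another, or whose target is a raw IP address. The sample message and the two heuristics are constructed for the demo; they are a starting point, not a complete phishing filter.

```python
# Added example (not from the article): inspect where links in an HTML message
# really point before anyone clicks. The message below is constructed; the
# heuristics (host mismatch, raw-IP target) are a starting point, not a complete check.
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message: one honest link, one deceptive link, one plain-text link.
SAMPLE_HTML = """
<p>Your invoice is ready: <a href="https://billing.example.com/inv/123">billing.example.com</a></p>
<p>Confirm your account: <a href="http://198.51.100.7/login">https://bank.example.net/secure</a></p>
<p><a href="https://example.org/help">Click here</a> for help.</p>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the message."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(text):
    """Hostname of a URL, or of a bare host written without a scheme."""
    parsed = urlparse(text if "://" in text else "http://" + text)
    return (parsed.hostname or "").lower()


def is_ip(host):
    """True if the host part is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def suspicious_links(html):
    """Return (href, visible_text, reasons) for links whose text and target disagree."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = host_of(href)
        looks_like_url = "." in text and " " not in text   # visible text is itself a host or URL
        if looks_like_url and host_of(text) != target:
            reasons.append("visible text names a different host than the target")
        if is_ip(target):
            reasons.append("target is a raw IP address")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_HTML):
        print(f"'{text}' -> {href}: {'; '.join(reasons)}")
```

Only the second link is reported, for both reasons; the honest invoice link and the "Click here" link pass, because their visible text either matches the target or makes no claim about it.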
Install Effective Antivirus Software
Antivirus software, when properly configured, can be a powerful botnet deterrent. Many antivirus apps have been programmed with lists of botnets that may pose a danger to your system. They also update automatically, collecting the names and attributes of new botnets as they are detected.
How Can Fortinet Help?
The FortiGuard botnet solution protects your system by blocking access to all known C&C databases, as well as social networking sites using FortiGuard security services. In addition, you can use FortiGuard to apply a static domain filter to prevent access from sites that botnets like to use, such as Facebook.com, and their subdomains. You can also apply Domain Name System (DNS) filtering to specifically target botnets, focusing on each category or site that could expose your system to them.
Fortinet also enables you to set up custom firewall filters that you can design to stop botnets. You can determine your settings, test to see how effective they are, and then continue adding more sites to your blocked list as necessary. Once you know the sites that may pose a danger, it only takes a few clicks to protect your system from them.