What Is a Botnet?
A botnet is a network of bot-compromised machines that can be controlled and used to launch massive attacks by a bot-herder. Formed from the words robot and network, a botnet can be used for mass actions like distributed denial of service (DDoS) attacks, cryptomining, malware infections, or to crash a network.
What Is a Bot?
A bot is a software program that performs an automated task. These tasks are usually repetitive and run without interaction. According to CPO magazine, “Bot traffic made up 42.3% of all internet activity in 2021, up from 40.8% in 2020.”
Many bots are useful, like search engine bots that crawl websites to index content. However, in the hands of cybercriminals, bots can be a powerful tool to break into accounts, scrape private information, spread disinformation, infect networks with malware, or carry out attacks. And, when linked together into a botnet, they can carry out massive attacks that deal major damage.
What Is a Bot Herder?
A bot herder is a cybercriminal who infects devices with bots, links the infected devices together into a botnet, and manages the network of infected bots to launch attacks.
Types of Botnets
Bot herders rely on one of two main forms of architecture to manage their botnets. The form they select will depend on whether they’re looking for simplicity or security.
The centralised architecture is the most common type of botnet, and it falls back on the old idiom that the shortest distance between two points is a straight line.
In a centralised architecture the bot herder has direct lines of communication with each bot. This is essentially a client-server model, using a command and control (C&C) server to send commands to each infected device. Some bot herders will take things a step further by infecting a server as well, then linking each bot to the infected server before relaying all communication back to the bot herder.
The centralised model is the simplest way to control a botnet, which also makes it the least secure. As all communication is funneled through a central server, if that server fails the bot herder loses control of all their bots.
The decentralised architecture is a more recent form that uses the peer-to-peer (P2P) model, which turns each bot into both a client and a server, meaning each infected device can not only receive commands but also issue them. This is a much more complicated architecture to create, but it is much more resilient, as a single point of failure does little to damage the overall botnet.
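The resilience difference between the two architectures is what decides how effective a takedown or sinkhole of a single node is. The following is an added example, not code from the original article: it models each botnet as an undirected graph of constructed, placeholder node names ("herder", "c2", "bot1" and so on), treats a takedown as removing one node, and measures how many bots the herder can still reach afterwards.

```python
from collections import deque

# Constructed centralised topology: every bot talks only to one C&C server ("c2").
CENTRALISED = {
    "herder": {"c2"},
    "c2": {"herder", "bot1", "bot2", "bot3", "bot4"},
    "bot1": {"c2"}, "bot2": {"c2"}, "bot3": {"c2"}, "bot4": {"c2"},
}

# Constructed peer-to-peer topology: each bot relays to several peers and the
# herder has more than one entry point, so no single node carries all traffic.
P2P = {
    "herder": {"bot1", "bot2"},
    "bot1": {"herder", "bot2", "bot3"},
    "bot2": {"herder", "bot1", "bot3", "bot4"},
    "bot3": {"bot1", "bot2", "bot4"},
    "bot4": {"bot2", "bot3"},
}


def reachable(graph, start, removed=frozenset()):
    """Nodes reachable from `start` by breadth-first search, skipping taken-down nodes."""
    if start in removed or start not in graph:
        return set()
    seen = {start}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for neighbour in graph[node]:
            if neighbour not in removed and neighbour not in seen:
                seen.add(neighbour)
                queue.append(neighbour)
    return seen


def controllable_bots(graph, removed=frozenset()):
    """Bots the herder can still reach once the `removed` nodes are taken down."""
    return {n for n in reachable(graph, "herder", removed) if n.startswith("bot")}


def takedown_impact(graph, target):
    """Fraction of the botnet the herder loses when a single node `target` is removed."""
    before = controllable_bots(graph)
    after = controllable_bots(graph, frozenset({target}))
    return 1 - len(after) / len(before)


def single_points_of_failure(graph):
    """Nodes (other than the herder) whose removal alone cuts the herder off from every bot."""
    return {n for n in graph if n != "herder" and not controllable_bots(graph, frozenset({n}))}


if __name__ == "__main__":
    print("centralised, remove c2:", takedown_impact(CENTRALISED, "c2"))
    print("centralised, remove bot1:", takedown_impact(CENTRALISED, "bot1"))
    print("p2p, remove bot1:", takedown_impact(P2P, "bot1"))
    print("single points of failure:", single_points_of_failure(CENTRALISED), single_points_of_failure(P2P))
```

Removing the C&C server from the centralised graph strips the herder of every bot, while removing any single peer from the P2P graph costs only that one bot, which is why the article describes the centralised model as the least secure for the bot herder and the P2P model as the more resilient one.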
How Is a Botnet Created?
Building a botnet is a matter of three key steps. However, the work that goes into these steps is significant and time-consuming.
1. Exploit: The first item on a bot herder’s to-do list is finding a weakness to exploit. That could be a weakness on a website, unguarded access to an application, or misconfigured software. The bot herder then uses this to their advantage, using it as a way to deliver their malware to devices.
2. Build a Bot: Once the malware has been delivered and the device has been infected, the bot herder gets to work turning the device into a zombie computer, ready to mindlessly follow the bot herder’s orders. The bot herder repeats this process over and over until they have enough devices under their control to begin step three.
3. Attack: Once they’ve infected hundreds, thousands, or even tens of thousands of devices, they link them all together using their chosen architecture and launch their attacks.
What Devices Are at Risk of Becoming Bots?
The short answer is anything that can connect to the internet. This means common targets like desktops and laptops, but also mobile devices, tablets, and even IoT devices like smartwatches, televisions, and thermostats. As our homes, cars, and offices become ever more internet-connected and interconnected, the options for bot herders swell, especially as many IoT devices don’t place a premium on security, but rather on accessibility and lower costs.
Why Are Botnets so Dangerous?
Unlike many types of cyberthreats, bots can be difficult to defend against. Because there are both good bots and bad bots, it can be hard for your cybersecurity defenses to differentiate.
In addition, bots have become more sophisticated in their behavior. For example, advanced persistent bots (APBs) can do things like cycle through random IP addresses, switch identities, and mimic human behavior by simulating mouse events to appear as a legitimate user. Because bots are such a fundamental tool in hacker toolboxes, bots constantly evolve to overcome new cybersecurity defenses and tactics.
As a result, IT teams are often far behind bot herders in terms of security sophistication.
How to Protect Your Devices from Becoming Bots
There are steps you can take to keep malicious bots out of your network and prevent your devices and bandwidth from being used in a criminal botnet attack.
1. Enact strong endpoint security practices and keep your software and hardware up to date with all the latest patches.
2. Proactively prevent some bot traffic by blocking known bot hosting providers and proxy services. Keep in mind that bots can attack any endpoint, not just computers, so you want to make sure you also protect access points to things like IoT sensors, mobile apps, and APIs.
3. Train users to help them learn how to avoid bot infections through standard security practices, and strongly advise them not to click on or open suspicious emails, attachments, or links.
4. Should bots make it through your defenses, they can usually be discovered if you monitor your traffic sources for unusual activity, traffic spikes, junk conversions, or anomalous failed login attempts. Remember, however, that bots are an ever-evolving threat, so what worked today might not be enough come tomorrow.
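Steps 2 and 4 above (block known bot hosting and proxy ranges; monitor traffic sources for spikes and anomalous failed logins) can both be run over an access log. The following is an added example, not code from the original article: the blocklist uses RFC 5737 documentation ranges standing in for real hosting providers, the log lines and their "<timestamp> <source IP> <path> <status>" format are constructed, and the thresholds (five failed logins in a minute, more than twice the median request count per source) are illustrative assumptions to be tuned to your own traffic.

```python
import ipaddress
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed blocklist standing in for "known bot hosting providers and proxy
# services". These are RFC 5737 documentation ranges, not real providers.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]

# Constructed access-log lines: "<ISO timestamp> <source IP> <path> <status>".
SAMPLE_LOG = [
    "2024-05-01T10:00:01 192.0.2.10 /login 200",
    "2024-05-01T10:00:02 203.0.113.7 /login 401",
    "2024-05-01T10:00:03 192.0.2.10 /home 200",
    "2024-05-01T10:00:03 198.51.100.9 /login 401",
    "2024-05-01T10:00:04 198.51.100.9 /login 401",
    "2024-05-01T10:00:04 198.51.100.9 /login 401",
    "2024-05-01T10:00:05 198.51.100.9 /login 401",
    "2024-05-01T10:00:05 198.51.100.9 /login 401",
] + [f"2024-05-01T10:00:{6 + i:02d} 192.0.2.55 /api/items 200" for i in range(10)]


def parse_log(lines):
    """Turn raw log lines into (timestamp, ip, path, status) tuples; malformed lines are skipped."""
    records = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
            ip = ipaddress.ip_address(parts[1])
            status = int(parts[3])
        except ValueError:
            continue
        records.append((ts, ip, parts[2], status))
    return records


def is_blocked(ip):
    """True if the source address falls inside a blocked hosting/proxy range."""
    return any(ip in net for net in BLOCKED_NETWORKS)


def failed_login_bursts(records, threshold=5, window_seconds=60):
    """Source IPs with at least `threshold` failed logins inside any `window_seconds` window."""
    failures = defaultdict(list)
    for ts, ip, path, status in records:
        if path == "/login" and status == 401:
            failures[ip].append(ts)
    flagged = set()
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(ip)
                break
    return flagged


def traffic_spikes(records, factor=2):
    """Source IPs whose request count exceeds `factor` times the median per-source count."""
    counts = defaultdict(int)
    for _, ip, _, _ in records:
        counts[ip] += 1
    if not counts:
        return set()
    median = statistics.median(counts.values())
    return {ip for ip, n in counts.items() if n > factor * median}


def triage(lines):
    """Run all three checks and return the findings as sorted lists of source addresses."""
    records = parse_log(lines)
    return {
        "blocked_sources": sorted({str(ip) for _, ip, _, _ in records if is_blocked(ip)}),
        "login_bursts": sorted(str(ip) for ip in failed_login_bursts(records)),
        "traffic_spikes": sorted(str(ip) for ip in traffic_spikes(records)),
    }


if __name__ == "__main__":
    for kind, ips in triage(SAMPLE_LOG).items():
        print(f"{kind}: {', '.join(ips) or 'none'}")
```

On the constructed log this flags the two sources inside the blocked ranges, the one source that hammers /login with five 401s in a few seconds, and the one source whose request volume is far above every other client. The median-based spike check is deliberately relative rather than a fixed count, so it keeps working as normal traffic levels change, which is the point of the reminder that yesterday's threshold may not be enough tomorrow.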