Every now and then we keep hearing about the botnet attacks, one of the most significant network security threats that organizations are facing today. What are they and how are they a security threat?

A botnet comprises a bunch of computers that are under the control of a single “botmaster” machine, mostly known as command and control servers. In most cases, it all begins when a user downloads a bot program unsuspectingly. For example, this could happen when a user accidentally clicks an infected email attachment.

 

Once the bot gets installed, it contacts the public server which is controlled by the botmaster using various communication protocols including IRC, HTTP, ICMP, DNS, SMTP, SSL. Also, it is very difficult to detect botnets given their highly dynamic nature and ability to evade common security measures.

botnet_blog_thwack.jpg

 

The Impact:
A botnet attack can take different forms as they attack.
     • It may be a launch denial of service (DoS) attack on servers, bringing down sites as most attackers deploy UDP, ICMP, and TCP SYN floods. Some may even use application-layer attacks.
     • It may also infect several systems with spyware or steal data, send out huge chunks of spam.
     • Some botnet attacks have embedded programs which identify vulnerable servers that can redirect to host phishing sites. These happen mostly on banking sites in order to steal passwords and other customer personal data.

 

How to shield yourself:
It is indeed a tricky task to locate the botmaster. Proxy connections, as well as the control plane, are often changed to make it nearly impossible to track down the botmaster. The traditional packet filtering and port-based techniques are no more effective. One core area that you need to focus on is your DNS logs.  Botnets often tend to bank on DNS hosting services to point a subdomain to IRC servers taken over by the botmaster.  A typical botnet code tends to have hard-coded references to a DNS server, and you can spot them by deploying a DNS logfile analyzer tool. Thus by identifying these services, you can revise your policy definitions and baseline your IT environment for vulnerabilities, and shield them.

 

Also, the event log analyzer needs to correlate activities across your environment and use active responses to respond to critical events, shutting down threats immediately. Thus you can stay proactive and handle threats in real time, rather than being reactive.