White Paper
Botnets at the Gate: Stopping Botnets and Distributed Denial of Service Attacks
Over the past several years, botnets like BlackEnergy, Illusion, Pushdo, and Zeus have dominated news headlines. They have infiltrated millions of users’ computers and wreaked incalculable damage – unleashing powerful Denial of Service attacks, exposing national security secrets, and compromising individual victims’ credit card numbers and bank account credentials. Virtually all online users have been affected by botnets, either as hapless recipients of spam email or as frustrated users attempting to visit an unavailable Website. Millions of users have suffered a much worse fate, recruited unknowingly into a botnet army. The numbers are staggering. The Bredolab botnet alone had infected over 30 million computers and sent an estimated 3.6 billion virus-laden emails every day in late 2009.1 As of early December 2010, over 5,400 botnet command and control servers were identified and active.2
This paper attempts to lift the veil on botnets and the cyber-criminals behind them.
It analyzes the history, growth, and economics behind botnets. It then investigates
one of the most common attacks executed by botnets: the Distributed Denial of
Service (DDoS) attack.
To help combat automated attacks, this paper proposes a number of security
measures that include processes, technologies, and services. While organizations
must heed the growing specter of botnets, there are a number of tools at their
disposal that can mitigate botnet security threats.
1 “Dutch National Crime Squad announces takedown of dangerous botnet,” Openbaar Ministerie, October 25, 2010
2 Shadowserver Foundation
Introduction
Millions of computers around the world are controlled by cybercriminals. These computers have been infected
with software robots, or “bots”, that automatically connect to command and control servers. The command and
control servers then instruct the bots to carry out illicit activity, such as performing denial of service attacks or
harvesting application content. Building these networks of bots, or botnets, has become a lucrative business
for botnet operators, who rent out their bots to the highest bidder. But before examining the botnet business
model, we will investigate how they are formed.
Botnet Propagation
Botnet operators, also known as “bot farmers,” use a variety of different methods to build their networks of bots.
Common methods include email viruses, Internet worms, drive-by downloads of malware, Trojans distributed
on portable storage devices, and more. As a case in point, a sweeping report about the Koobface botnet3
reveals how its architects infected more than 2.9 million computers. The Koobface operators used social
networking tactics on the world’s leading social network platforms – Facebook, Twitter, and MySpace – to
spread the botnet malware.4
Koobface primarily targeted Facebook. Its main means of propagation was through fraudulent Facebook
messages that enticed recipients to watch a video, such as an embarrassing video captured by a hidden
camera. Once users clicked on an embedded link in the message, they would be taken to a compromised site
hosting the malware. Then, when users tried to view the video, they would be instructed to update their Adobe
Flash Player or download a new codec.
Figure 1: A Christmas variant of a Koobface malware-hosted Web page5
3 “Koobface: Inside a Crimeware Network,” Information Warfare Monitor, November 2010
4 Affected sites also included Bebo, Friendster, Fubar, Hi5, LiveJournal, Netlog, Tagged, and Yearbook
5 “Koobface botnet enters the Xmas season,” Zero Day blog
Imperva White Paper
If users agreed to install the fake update, they would unwittingly download the Koobface malware. Then, when these users logged into their Facebook accounts, the Koobface malware would send malicious messages to a new host of victims.
In contrast, BredoLab, the largest known botnet to date, relied on email messages with malware attachments to
compromise computers. When these attachments were opened by users, the malware would infect the users’
computers, turning them into zombies. While email was the main form of distribution, BredoLab’s operators
also used drive-by downloads, downloading malware to users’ computers without the users’ knowledge. The
techniques used to propagate Koobface and BredoLab are typical of the entire botnet industry: viruses, worms,
and Trojans spread through application and system vulnerabilities or social engineering tactics.
Botnet Communications
After computers have been compromised with a botnet agent, the agents automatically connect to botnet command and control servers. Bots have traditionally communicated with these servers using Internet Relay Chat (IRC), a real-time chat and instant messaging protocol. While IRC has long been the archetypal botnet channel, botnet operators are increasingly turning to Web-based (HTTP) communications because they are easier to set up and harder to detect: HTTP beacons blend in with the ordinary outbound Web traffic that most perimeter firewalls allow, whereas IRC ports are frequently blocked or monitored. Web-based botnet kits often include user-friendly Web user interfaces, simplifying management. Today, botnet operators are even turning social networking sites into command and control channels, disseminating attack instructions through Twitter or Facebook accounts. In fact, recent research indicates that Web-based botnets now outnumber traditional IRC botnets by a factor of five.6 While IRC botnets are by no means dead, this shift illustrates the rapid evolution of botnet architectures as botnet operators attempt to stay ahead of authorities and ahead of one another.
Botnet Development
Botnet development also has evolved; instead of lone hackers laboring to develop botnet command and control servers, botnet operators increasingly rely on off-the-shelf botnet toolkits. Criminals with little to no programming experience can obtain kits such as BlackEnergy or Butterfly for as little as $700, make a few minor modifications, and then distribute their bot agents through online forums and BitTorrent. Many of these botnet toolkits today even include graphical user interfaces, dashboards, and report statistics.
Figure 2: A command and control interface for the Zeus botnet
6 “The Death of the IRC Botnet,” eSecurity Planet, November 18, 2010
The Imperva Application Defense Center (ADC) discovered an off-the-shelf hacking toolkit that exemplifies today’s crimeware trends.7 While it was a phishing toolkit, it shares many similarities with current botnet toolkits. The toolkit offers a simple GUI dashboard and provides “cloud storage” for stolen credentials – completely automating all aspects of the criminal campaign. The credentials are ostensibly stored in a location that can only be accessed by the individual toolkit user. However, unbeknownst to toolkit users, the toolkit creator built in a backdoor that gave the creator full access to all of the stolen credentials. The toolkit has purportedly been downloaded over 200,000 times, providing the creator with countless user names and passwords. This toolkit illustrates today’s trend toward automating cybercrime. And although the toolkit itself was distributed for free, the backdoor shows how the developer of an off-the-shelf hacking tool can profit from every criminal who uses it.
Botnet toolkits help build the botnet infrastructure – the botnet command and control servers. In addition,
botnet development also includes the malware that infects computers and transforms them into zombies. And
like botnet toolkits, a slew of malware toolkits have emerged to service the needs of botnet operators.
To increase infection rates, malware developers must check that their malware won’t be detected by computer
anti-virus software. Many malware scanning portals have sprung up to simplify this process. Malware
scanning portals allow malware developers to test their malware against anti-virus software. For example, one
commercial malware QA service, Virtest.com, allows malware developers to test their malware against 26 anti-
virus engines. Sites like Virtest.com exemplify the “Industrialization of Hacking” that has transformed hacking
into an efficient, scalable, and profitable enterprise.
Figure 3: Malware scanning portal Virtest.com
7 For more information, see “An Inside Look at Hacker Business Models,” Noa Bar-Yosef, Security Week, October 19, 2010.
The Economics of Botnets
Botnet ownership can be even more lucrative than botnet development. Botnets are a key component of
the overall hacking “industry,” an industry estimated to garner $1 trillion per year.8 Botnet operators have
multiple ways to capitalize on their botnet armies; perpetrating pay-per-click fraud and renting out botnets for
distributed attacks are just two examples. The Koobface botnet owners netted over $2 million in less
than twelve months using pay-per-click and pay-per-install schemes.9
For operators renting out their botnets, the primary value of a botnet is its size. However, other factors can
impact the money-making capabilities of a botnet, including the type of attack to be carried out, the target,
and its geographic location. According to Imperva research, renting a botnet to spam one million emails ranges
in cost from $150 to $200. A 24-hour DDoS attack can range from $50 to several thousand dollars for larger
attacks. With so much money to be made, it is not surprising that botnets are increasing in size, number, and
sophistication every year.
Botnets as Weapons
So far, this paper has profiled the spread, communications, development, and financial business model of
botnets. However, the major concern for most organizations is the damage that can be wrought by botnets.
Botnets can be used as instruments to carry out any number of malicious activities; sending spam email,
logging keystrokes to capture online user credentials, scanning computer files for sensitive data, pay-per-click
fraud, and distributed password cracking are just a few examples.
One of the most dangerous botnet threats is the DDoS attack. Harnessing the aggregate power of thousands or tens of thousands of bots, DDoS attacks can inflict tremendous damage on Websites, slowing them down or disabling them completely. And DDoS attacks are not isolated incidents but a regular issue for many organizations. According to a recent survey of IT decision makers, 74% reported suffering one or more DDoS attacks in the past 12 months. Of these, 31% said that the attacks disrupted service.10 Whether the motivation is political, financial, or just random, DDoS attacks can be extraordinarily costly for the targeted organizations.
The Imperva ADC has tracked numerous application DDoS attacks conducted through botnets. They have
also investigated underground forums and hacker sites to uncover new DDoS attack methods. Based on this
research, this paper will examine application DDoS attacks and recommend mitigation techniques.
8 “Fatal System Error: The Hunt for the New Crime Lords Who Are Bringing Down the Internet,” Joseph Menn, 2010
9 “Koobface: Inside a Crimeware Network,” Information Warfare Monitor, November 2010
10 “The Trends and Changing Landscape of DDoS Threats and Protection,” Forrester
Application DDoS
A Distributed Denial of Service (DDoS) attack is an attack launched from many machines at once that is designed to disrupt normal operations. Traditional Denial of Service (DoS) attacks exploit server or application weaknesses to make the target stop responding. DDoS attacks amplify the effect by using thousands of machines to launch their assaults. These attacks need not exploit a vulnerability at all; they may simply unleash a flood of requests that overwhelms the bandwidth and server processing power of the targeted site.
The End Game for DDoS
DDoS attacks have targeted a diverse range of organizations, from government institutions and banks, to social
networking companies and even root name server operators. The motivations for DDoS attacks vary: financial,
political, religious, entertainment, or even personal notoriety. Many organized cyber criminals use DDoS to
extort money from online sites. Authorities convicted a Russian gang of blackmailing over 50 organizations,
extracting over $4 million from British companies, typically online gambling sites.11 In 2008, a wave of DDoS
attacks brought down 10 online gambling sites, also purportedly targets of extortion schemes.
Hacktivism is another key motivation for DDoS attacks. Whether driven by national patriotism or the desire to squelch the opinions of an ideological foe, DDoS is the weapon of choice. Examples of hacktivism in action include DDoS attacks targeting Georgian Websites before the Ossetia War in 2008 and the Iranian government’s Website during the 2009 Iranian election protests. Government Websites representing the US, Korea, Myanmar, Estonia, and many others have been targeted. In fact, a persistent DDoS attack on Burmese Websites during Burma’s 2010 national elections actually caused the entire country’s Internet connectivity to go down. More recently, WikiLeaks has found itself at the center of a DDoS hacktivism war. Hacktivists attacked the MasterCard, Visa, and PayPal Websites in retaliation after these companies stopped processing donations to WikiLeaks.
DDoS Botnets-for-Hire
While the WikiLeaks-inspired “Operation Payback” attack used a combination of voluntary hackers and bots,
almost all DDoS attacks are executed by criminal botnet services. DDoS rental fees typically start at $50 for
small attacks, but some researchers have seen DDoS prices as low as $9. To attract customers, botnet owners
advertise their services, continually seeking to outclass their botnet brethren. Owners promote their services
in underground forums and mailing lists. In the case of the powerful IMDDOS botnet, the owners actually set
up a public Website to showcase their offering.12 On a message board, one botnet operator touted that his
botnet offered “the best combination of quality and service” and special pricing for regular customers. Options
included HTTP attacks, downloading flood, POST flood, and ping commands “tuned to perfection.”13 Like slick
advertising executives, botnet operators and even bot malware creators promote their offerings with carefully
fine-tuned messaging.
DDoS 2.0
DDoS attacks traditionally are carried out by computer-based bots. The Imperva ADC uncovered a new breed of
DDoS attacks in May 2010 that uses Web servers as payload-carrying bots. Imperva discovered a 300-server strong
botnet that set a new standard for power, efficiency and stealth. Using a basic software program equipped with a
dashboard and control panel, hackers could configure the IP, port, and duration of the attack. Hackers simply need
to type the Website URL they wish to attack and then they can instantly disable targeted sites.
11 “Online Russian blackmail gang jailed for extorting $4m from gambling websites,” http://www.sophos.com/pressoffice/news/articles/2006/10/extort-ddos-blackmail.html
12 “Damballa Discovers New Wide-Spread Global Botnet Offering Commercial DDoS Services,” Damballa, September 2010
13 “BlackEnergy competitor – The ‘Darkness’ DDoS Bot,” Shadowserver calendar entry for December 5, 2010
Figure 4: The user interface for managing DDoS attacks from Web servers.
A single Web server could unleash the same damage as fifty or more PCs. With such powerful attack weapons
at their command, it is not surprising that DDoS rental services keep increasing the strength of their attacks. The
largest observed DDoS attack reached an all-time high of 49 Gbps in 2009.14
Advanced Application DDoS Attacks
Many organizations witnessed an increase in application-based attacks in 2009 compared to previous years. While application-based attacks still account for only 26% of all DDoS attacks,14 they are more sophisticated and much more challenging to stop. There are several reasons why application-based attacks are the most dangerous type of DDoS. Network firewalls today can detect the majority of flood and network DoS attacks. Many ICMP and UDP flood attacks can also be identified using intelligent packet filtering and source and destination access control lists. Application DDoS attacks, however, usually pass straight through traditional network security devices: each bot completes a normal TCP handshake and sends well-formed HTTP requests, so there is nothing malformed at the packet level for a firewall or rate-limiting router to reject.
Application DDoS attacks exploit weaknesses in application servers or in application business logic. In the simplest case, an attack floods a Web application server with seemingly legitimate requests in volumes it cannot serve. An attacker may also target a specific application vulnerability, for example by sending Web requests with extremely long URLs. More sophisticated attacks exploit business logic flaws. If an application’s search function is poorly written, a single query can force excessive processing on the back-end database server; an application DDoS attack can then issue thousands of searches with wildcard search terms, each cheap for the bot to send but expensive for the database to answer, until the back end is overwhelmed.
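The wildcard-search weakness described above, as an added Python illustration written for this edit (it is not code from the paper or from any product it describes). The snippet builds a small in-memory SQLite product table, shows a naive search handler that lets a bare `%` return the entire table, and a hardened handler that rejects wildcard-only or very short terms, escapes the LIKE metacharacters so input is matched literally, and caps the result set. The table contents, the minimum term length, and the result cap are constructed assumptions for the example.

```python
import sqlite3

MIN_TERM_LEN = 3      # assumed policy: at least three literal characters
MAX_RESULTS = 50      # assumed policy: never return more than one page


def escape_like(term: str, esc: str = "\\") -> str:
    """Escape LIKE metacharacters so user input is matched literally."""
    return (term.replace(esc, esc + esc)
                .replace("%", esc + "%")
                .replace("_", esc + "_"))


def validate_term(term: str) -> bool:
    """True if the term carries enough literal text to narrow the scan."""
    literal = term.strip().replace("%", "").replace("_", "")
    return len(literal) >= MIN_TERM_LEN


def vulnerable_search(conn, term):
    # Input is parameterised (no SQL injection), yet '%' and '_' still act
    # as wildcards: a bare '%' scans and returns the whole table, and
    # nothing bounds the result set.
    pattern = "%" + term + "%"
    return conn.execute(
        "SELECT name FROM products WHERE name LIKE ?", (pattern,)).fetchall()


def hardened_search(conn, term):
    if not validate_term(term):
        raise ValueError("search term too short or wildcard-only")
    pattern = "%" + escape_like(term.strip()) + "%"
    # ESCAPE makes the backslash the escape character; LIMIT bounds the
    # work and the response size no matter how broad the term is.
    return conn.execute(
        "SELECT name FROM products WHERE name LIKE ? ESCAPE '\\' LIMIT ?",
        (pattern, MAX_RESULTS)).fetchall()


def demo_db(rows: int = 500):
    """In-memory table with constructed data: every fifth product is a lamp."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany(
        "INSERT INTO products (name) VALUES (?)",
        [(f"desk lamp {i}" if i % 5 == 0 else f"item {i}",) for i in range(rows)])
    conn.commit()
    return conn


if __name__ == "__main__":
    db = demo_db()
    print(len(vulnerable_search(db, "%")), "rows for a bare '%'")    # 500
    print(len(hardened_search(db, "lamp")), "rows for 'lamp'")      # 50
    print(validate_term("%"), "<- is '%' an acceptable term?")       # False
```

The term check and the LIMIT are cheap per request, which is the point: the defender's cost per query must stay far below the attacker's ability to generate queries, or rate limiting by source (discussed under mitigation below) is the only remaining control.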
“Slowloris” emerged as a perilous application DDoS attack in 2009. It disrupts service by exhausting the Web server’s pool of connections rather than its bandwidth. The attacker opens many connections, sends an incomplete HTTP request header on each, and then periodically sends one more header line to keep the connection alive, but never sends the blank line that terminates the header block. A server that dedicates a worker thread or process to each connection, as Apache’s traditional MPMs do, waits on every one of them, and once the worker pool is full legitimate clients can no longer connect. With very little bandwidth, an attacker can hold thousands of connections open and take the server down. Apache mitigations such as mod_reqtimeout, which bounds the time a client may take to deliver a complete header, and per-source connection limits reduce the exposure, but the attack nonetheless demonstrates the power of more sophisticated DDoS attacks.
14 “Worldwide Infrastructure Security Report,” Arbor Networks, Volume V.
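The Slowloris mechanics and the header-completion deadline that defeats them, as an added Python example written for this edit (not code from the paper, from the Slowloris tool, or from Apache). The snippet generates the byte chunks a Slowloris client sends on one connection, alongside a normal request, and feeds them to a per-connection header reader that models the “time to receive a complete header” limit of mod_reqtimeout. The clock is injected and advanced by hand so the 10-second deadline can be exercised without waiting; the timeout, header size cap, and chunk interval are constructed assumptions.

```python
import time

CRLF = "\r\n"


def slowloris_stream(host: str, path: str = "/", keepalive_lines: int = 5):
    """Yield the chunks a Slowloris client sends on one connection: a request
    line plus a few headers, then one bogus header line per keepalive
    interval. The blank line that would end the header block is never sent."""
    yield (f"GET {path} HTTP/1.1{CRLF}"
           f"Host: {host}{CRLF}"
           f"User-Agent: Mozilla/5.0{CRLF}").encode()
    for i in range(keepalive_lines):
        yield f"X-a: {i}{CRLF}".encode()      # keeps the server's parser waiting


def normal_stream(host: str, path: str = "/"):
    """A complete request, terminated by the empty line."""
    yield f"GET {path} HTTP/1.1{CRLF}Host: {host}{CRLF}{CRLF}".encode()


class HeaderReader:
    """Per-connection header accumulator with a completion deadline (the idea
    behind Apache's mod_reqtimeout 'header=' limit). `clock` is injectable so
    the behaviour can be exercised without real waiting."""

    def __init__(self, header_timeout=10.0, max_header_bytes=8192,
                 clock=time.monotonic):
        self.timeout = header_timeout
        self.max_bytes = max_header_bytes
        self.clock = clock
        self.started = clock()
        self.buf = b""
        self.state = "reading"          # reading | complete | rejected

    def feed(self, chunk: bytes) -> str:
        if self.state != "reading":
            return self.state
        self.buf += chunk
        if self.clock() - self.started > self.timeout:
            self.state = "rejected"     # header still incomplete at deadline
        elif len(self.buf) > self.max_bytes:
            self.state = "rejected"     # oversized header block
        elif (CRLF + CRLF).encode() in self.buf:
            self.state = "complete"     # full header received, hand to app
        return self.state


class FakeClock:
    """Manually advanced clock used to simulate the pauses between chunks."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds: float):
        self.now += seconds


def run(stream, interval: float, header_timeout: float = 10.0):
    """Deliver each chunk `interval` simulated seconds apart and report the
    connection's final state and the simulated time at which it was reached."""
    clock = FakeClock()
    reader = HeaderReader(header_timeout=header_timeout, clock=clock)
    for chunk in stream:
        state = reader.feed(chunk)
        if state != "reading":
            return state, clock.now
        clock.advance(interval)
    return reader.state, clock.now      # sender still dribbling, never finished


if __name__ == "__main__":
    print(run(normal_stream("example.com"), 5.0))                    # ('complete', 0.0)
    print(run(slowloris_stream("example.com"), 5.0))                 # ('rejected', 15.0)
    print(run(slowloris_stream("example.com"), 5.0, float("inf")))   # ('reading', 30.0)
```

With no deadline the slow connection is still “reading” after 30 simulated seconds and would hold its worker indefinitely; with the deadline it is dropped at the first chunk that arrives after the limit, freeing the worker for a legitimate client. A real server also needs a limit on concurrent connections per source address, since the deadline alone only bounds how long each attacker connection lives, not how many there are.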
Application DDoS Mitigation Techniques
There are a number of measures that organizations can undertake to mitigate the risks of a DDoS attack.
Organizations with mission-critical Web applications can:
» Over-provision bandwidth to absorb DDoS bandwidth peaks – Although this is one of the most
common measures to alleviate DDoS attacks, it is also probably the most expensive. Allocating extra
bandwidth can be an effective way to manage small-scale DDoS attacks, but it won’t solve advanced
application attacks that target application vulnerabilities and flaws.
» Implement black hole routing – When an attack occurs, the victim can work in conjunction with its ISP(s) to re-route DDoS traffic. There are two types of black hole routing: source-based and destination-based. With source-based black hole routing, a null route is created to discard traffic from known malicious sources. This is effective if the DDoS attack is coming from a limited number of sources; against a botnet of thousands of addresses the list is hard to keep current. With destination-based black hole routing, the attack target itself is null routed, taking the Website offline. This protects the ISP’s network and its other customers, but for the victim it completes the attacker’s goal, so it is a last resort rather than a defense.
» Secure application and server management – If organizations’ development teams follow secure coding best practices, they can prevent many buffer overflow attacks and similar crash-on-malformed-input weaknesses. In addition, system administrators should harden systems, apply the latest patches, and configure the Web server to close idle connections, bound the time allowed to receive a complete request, and cap concurrent connections per client address.
» Apply application-level controls – Because application DDoS attacks mimic regular Web application
traffic, they can be difficult to detect through typical network DDoS techniques. However, using a
combination of application-level controls and anomaly detection, organizations can identify and stop
malicious traffic. Measures include:
• Detecting an excessive number of requests from a single source or user session – Automated
attack sources almost always request Web pages more rapidly than standard users.
• Recognizing known attack sources, such as malicious IP addresses, anonymous proxies, and Tor exit nodes. Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organizations should have an up-to-date list of active attack sources.
• Identifying known bot agents – DDoS attacks are almost always performed by an automated
client. Many of these client or bot agents have unique characteristics that differentiate them from
regular Web browser agents. Tools that recognize bot agents can immediately stop many types of
DDoS sources.
• Implementing CAPTCHAs to block automated clients – CAPTCHAs can hinder automated DDoS attacks. However, bots are increasingly finding ways to circumvent CAPTCHAs. Up to 60 percent of bots can get past CAPTCHAs, according to recent security research.15 Nevertheless, CAPTCHAs remain a useful defense against application DDoS attacks, provided the challenge page itself is cheap to serve, since a challenge that costs as much as the protected page only moves the bottleneck.
• Distinguishing attributes, and aftermath, of a malicious request – Some DDoS attacks can be
detected through known attack patterns or signatures. In addition, many malicious Web requests do
not conform to HTTP protocol standards. For instance, the Slowloris DDoS attack included redundant
HTTP headers. In addition, DDoS clients may request Web pages that do not exist. Attacks may also
generate Web server errors or slow Web server response time.
The aforementioned techniques are just a few of the measures that organizations can undertake to combat
DDoS attacks. They should be combined with processes, such as developing an internal rapid response team
that can quickly and adeptly analyze and address DDoS attacks. If organizations undertake effective security
measures, they will be well equipped to fight application DDoS attacks.
15 “Botnets Target Websites with ‘Posers’,” Dark Reading, June 1, 2010.
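The application-level controls listed above (request rate per source, known attack sources, bot user agents, and error-generating requests), combined the way a custom rule would combine them, as an added Python example written for this edit rather than code from the paper or from any product. It parses Web server access log lines in the common “combined” format and blocks a source when it is on a reputation list, presents an automation user agent, or sends many requests in a short window that mostly produce errors such as requests for pages that do not exist. The reputation list, the bot-agent markers, the thresholds, and the sample log lines (RFC 5737 documentation addresses) are all constructed for the example; in production the first two come from maintained feeds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"')

# Assumed inputs: in production these come from a reputation feed and a
# maintained bot-agent list; here they are constructed for the example.
KNOWN_BAD_IPS = {"203.0.113.9"}                  # e.g. a listed Tor exit node
BOT_UA_MARKERS = ("python-requests", "curl/", "wget/", "libwww-perl")

WINDOW_SECONDS = 10          # assumed sliding window
RATE_THRESHOLD = 10          # assumed: requests per window that look automated
ERROR_RATIO_THRESHOLD = 0.5  # assumed: share of 4xx/5xx responses that marks abuse


def parse_line(line: str):
    """Return a dict for one combined-format log line, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


class DdosDetector:
    """Applies, per source IP, the checks from the mitigation list:
    reputation, bot user agent, and request rate combined with error rate."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> (timestamp, status) inside the window
        self.verdicts = {}                 # ip -> reason it was blocked

    def observe(self, rec) -> str:
        ip = rec["ip"]
        if ip in KNOWN_BAD_IPS:
            return self._block(ip, "reputation")
        ua = rec["ua"].lower()
        if any(marker in ua for marker in BOT_UA_MARKERS):
            return self._block(ip, "bot agent")
        window = self.recent[ip]
        window.append((rec["ts"], rec["status"]))
        while (rec["ts"] - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()               # drop requests older than the window
        errors = sum(1 for _, status in window if status >= 400)
        if (len(window) >= RATE_THRESHOLD
                and errors / len(window) >= ERROR_RATIO_THRESHOLD):
            # Many requests in a short period that mostly produce errors:
            # the combined rule (rate AND application errors) from the text.
            return self._block(ip, "rate+errors")
        return "allow"

    def _block(self, ip: str, reason: str) -> str:
        self.verdicts[ip] = reason
        return "block"


def analyze(lines):
    """Run the detector over log lines in timestamp order; return {ip: reason}."""
    records = [r for r in map(parse_line, lines) if r]
    records.sort(key=lambda r: r["ts"])
    det = DdosDetector()
    for rec in records:
        det.observe(rec)
    return det.verdicts


def _line(ip, second, path, status, ua):
    """Build one constructed log line at 12:00:<second> on 10 Dec 2010."""
    return (f'{ip} - - [10/Dec/2010:12:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "{ua}"')


BROWSER = "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2) Gecko/20100101 Firefox/3.6"
SAMPLE_LOG = (
    # legitimate visitor: three page views in ten seconds
    [_line("192.0.2.10", s, "/index.html", 200, BROWSER) for s in (0, 4, 9)]
    # "poser" bot with a browser user agent hammering pages that do not exist
    + [_line("198.51.100.7", s, f"/page{s}.php", 404, BROWSER) for s in range(12)]
    # single request from a listed address
    + [_line("203.0.113.9", 3, "/", 200, BROWSER)]
    # scripted client that does not bother to fake its user agent
    + [_line("203.0.113.50", 5, "/login", 200, "python-requests/2.4")]
)

if __name__ == "__main__":
    for ip, reason in analyze(SAMPLE_LOG).items():
        print(f"block {ip}: {reason}")
```

The two cheap checks run first so that a listed address or an obvious script never reaches the stateful rate logic; the rate rule is what catches the source that imitates a browser, which is why it is combined with an error ratio rather than used alone, since a busy legitimate page can also draw ten requests in ten seconds from one address behind a corporate proxy.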
A Practical Approach to Mitigate Botnet and DDoS Threats
Botnets have become enemy number one for most IT security departments. They are responsible for virtually
every large-scale, distributed attack today, including spam email, phishing attacks, and screen scraping. Botnets
also carry out automated Distributed Denial of Service (DDoS) attacks so powerful that they have brought
down Twitter, Facebook, Yahoo, and Google. And almost three quarters of all organizations have suffered from a
DDoS attack in the past twelve months.
Detecting and mitigating botnet threats requires multiple tools and processes. One layer of defense is a Web Application Firewall (WAF). A WAF can monitor application traffic for unusual activity, detect unexpected spikes in request volume, and block offending requests. With advanced Web application intelligence, a WAF can detect botnet activity and distinguish between legitimate Web traffic and attacks.
The Imperva SecureSphere Web Application Firewall provides organizations with an ironclad defense against
botnet threats and application DDoS attacks. SecureSphere offers unique detection techniques that can
identify and stop automated attacks like DDoS. In addition, SecureSphere offers flexible customization, allowing
organizations to fine tune security rules based on application-specific requirements.
SecureSphere Protection against Application DDoS
Imperva SecureSphere offers multiple layers of protection to identify botnet threats like application DDoS
attacks. The SecureSphere fortifies Web applications using:
» Automatic learning of applications and user behavior – Imperva’s patented Dynamic Profiling
technology learns the structure and elements of protected Web applications. In addition, it profiles user
interaction with the application. This allows SecureSphere to detect unusually long form field values,
parameter tampering and session abuse. It also allows SecureSphere to identify requests to Web pages that
do not exist, abnormal traffic flows and other atypical behavior. Most application DDoS attacks will generate
profile violations that can be used alone or in conjunction with other identifiers to stop the attacks.
» Protection against automated attacks through ThreatRadar – Imperva’s industry-first reputation-based security service recognizes known attack sources, such as malicious IPs, anonymous proxies, and Tor exit nodes. ThreatRadar receives near real-time feeds of known bad users from global defense research organizations. These feeds are not just lists of known bots, but bots that are currently active and perpetrating attacks. With ThreatRadar, SecureSphere can stop a large percentage of malicious users even before they can execute an attack.
» Bot agent detection – Bots are automated clients. They typically do not access Web sites using a
standard Web agent, like Firefox or Internet Explorer. Instead, they use scripts or unique botnet browser
agents. SecureSphere can identify and stop hundreds of the most common bot agents. In addition,
SecureSphere can recognize unique characteristics of traffic activity indicative of botnet zombies.
» HTTP protocol validation – SecureSphere detects traffic that does not conform to the HTTP RFC
standard. This protocol validation quickly uncovers a significant portion of application DDoS attacks,
buffer overflow attempts and evasion techniques.
» Up-to-date Web attack signatures – SecureSphere identifies many known application DDoS attacks,
including attacks to IIS, Apache, PHP, and Coldfusion, through attack signatures. Driven by research from the
Imperva ADC, SecureSphere’s attack signatures offer comprehensive protection against the latest threats.
» Application error and response analysis – One of the main indicators of DDoS attacks is Web application errors and slow response times. SecureSphere can inspect outbound Web responses for error codes or code leakage. It can also monitor Web page response times, pinpointing requests that required excessive application processing.
» Custom security rules – SecureSphere offers flexible policy configuration, enabling organizations to build security rules based on over two dozen match criteria. Security administrators can, for instance, block an attack if SecureSphere observes many requests from a single IP address over a period of time and the requests generate application errors. SecureSphere can block the individual request or block the IP address, session, or user for a period of time.
Figure 5: Configuring a custom security policy in SecureSphere
» Real-time monitoring and analytics – For current analysis of attack trends, SecureSphere offers detailed
security alerts. The alerts identify the source address, time of day, type and severity of the alert, the entire
Web request, and a quick link to the policy that triggered the violation. In addition SecureSphere tracks
the Web server response code and optionally the entire response for forensics investigations. Clear,
comprehensive alerts provide IT security administrators instant visibility into DDoS attack sources.