Some attackers are interested in causing as much downtime as possible. In this video, you’ll learn about denial of service attacks and how bots and botnets are used to create network service outages.
A very broad description of a denial of service is when someone has forced a particular service to fail. Usually, this is because the service has been overloaded and is no longer available for others to use. This might be someone taking advantage of a flaw in the design of the service, or there might be a security vulnerability that is being exploited. To avoid this type of denial of service, you would need to keep all of your systems patched so that no one can take advantage of those issues.
Sometimes, the third party causing the service to fail is a direct competitor of your organization, and they know that if you’re not able to provide the service, the customers will come to their site instead. Or perhaps causing a denial of service in one part of your data center sets up a smokescreen that redirects your attention so that they can then take advantage of a different vulnerability on another service. And of course, denying a service doesn’t have to be a complex process where hackers get into a system through a series of known vulnerabilities and exploit it to the point where the service is no longer operating.
The hackers could get exactly the same effect by going up to the power switch on the side of your building and turning off the power to the data center. Sometimes, we cause a denial of service to ourselves. This unintentional denial of service is one where we make a mistake with configurations or settings and suddenly we’re no longer able to use a particular service. For example, if you’re not running spanning tree protocol and you connect two switches together causing a loop, you could certainly cause your service to be unavailable.
Or perhaps someone’s using all of the bandwidth for your internet connection to transfer other files, effectively creating a denial of service for your other systems. Or this could be a facilities problem. If you have a water line break in the middle of your data center, that could potentially cause a denial of service. However, I think most people think of a denial of service as a third party that is causing one of your services to fail. Often, this is accomplished by creating a series of robot devices on the network and having all of those robot devices attack one center point all at once.
We commonly refer to these as bots. Whenever a system has been turned into a bot, it is now under the control of a third party. This is often done by infecting your system with malware and then having that malware download and install the bot software. Many times, the owners of the devices that are infected with the bot software have no idea that this bot is running on their system.
It’s very easy for a third party to get someone to install the software. For example, they might do it through a Trojan horse, where someone clicks through and installs software. Maybe you think you’re installing legitimate software, but in fact, you’re installing software that happens to contain this bot malware. Or perhaps your operating system or the applications you’re using have a known vulnerability, and the attackers take advantage of that vulnerability to install the bot software on your computer.
The bot will usually sit on your system idle, and occasionally it will check in with a C&C server, which stands for command and control. This is a central server that’s responsible for giving out the orders to all of this bot software wherever it might be installed. So the bot is usually waiting for those instructions, and as soon as it’s given those instructions, it begins performing the denial of service against a third party.
Having all of those remote bots suddenly get the command to start attacking a third party can easily cause the site to have a denial of service. Whenever you have a denial of service being created by all of these different devices that are located around the globe, we refer to that as a distributed denial of service, or DDoS. These bots can do much more than simply attack a third party.
You might use some of the bots as a relay for spam so that you can send email messages without any type of authentication, or perhaps they’re being used to proxy network traffic so that all of the traffic appears to be coming from the bot instead of the original source. Or if you’d like these bots to perform the calculations required to mine cryptocurrency, you could have all of those systems begin that process. You’ll often find that these botnets are for sale.
This is botnet as a service, where you can purchase a certain number of bots and have those bots perform whatever function you’d like. There are many different threat maps that you can review that will show real-time communication. This is one from Looking Glass that shows us the number of infections per second and the number of live attacks occurring, and you can see everywhere around the world where these bots may be attacking systems and the type of botnets that might be in use.
There are things that you can do to stop these bots from running on your system. The first thing is to prevent the bots from being installed from the very beginning. You want to make sure that all of your operating systems and applications are patched to the latest version and make sure that your antivirus or anti-malware software is running the latest signatures.
Of course, it’s still possible for malware to find other ways around your existing security, so you will want to perform on-demand scans and monitor the network for any unusual activity. We know that these botnets communicate back to a central command and control, and if you know what that command and control is, you can block that communication at the firewall or install a host-based intrusion prevention system so that you can constantly monitor for this type of communication.
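One way to put that network monitoring into practice, as an added example that is not part of this video: a small Python beacon detector run over constructed connection-log lines (the log format, IP addresses and thresholds are assumptions). It flags an internal host that keeps contacting the same destination at suspiciously regular intervals, which is what an idle bot checking in with its C&C server looks like, and it lists which hosts have reached an address you already know to be command and control so the firewall block can be confirmed as effective.

```python
"""Detect bot check-in (beaconing) patterns in constructed connection logs."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log: "timestamp src_ip dst_ip dst_port bytes".
# 10.0.0.5 contacts 203.0.113.9 every ~5 minutes (a check-in pattern);
# the other flows are ordinary, irregular traffic.
SAMPLE_LOG = """\
2024-05-01T10:00:00 10.0.0.5 203.0.113.9 443 512
2024-05-01T10:00:02 10.0.0.5 198.51.100.20 443 40960
2024-05-01T10:05:01 10.0.0.5 203.0.113.9 443 498
2024-05-01T10:10:00 10.0.0.5 203.0.113.9 443 530
2024-05-01T10:11:17 10.0.0.5 198.51.100.20 443 20480
2024-05-01T10:15:02 10.0.0.5 203.0.113.9 443 501
2024-05-01T10:20:00 10.0.0.5 203.0.113.9 443 515
2024-05-01T10:24:44 10.0.0.7 198.51.100.20 80 1200
"""


def parse_log(text):
    """Turn each log line into (timestamp, src, dst, port, bytes)."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def find_beacons(rows, min_hits=4, max_cv=0.1):
    """Return {(src, dst, port): avg_interval_seconds} for regular check-ins.

    A flow is flagged when it repeats at least min_hits times and the
    spread of its inter-arrival gaps (std dev / mean) is below max_cv,
    i.e. the host is calling out on a near-fixed schedule.
    """
    by_flow = defaultdict(list)
    for ts, src, dst, port, _ in rows:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[flow] = round(avg)
    return beacons


def hosts_contacting(rows, known_c2):
    """Internal hosts that reached any address in the known C&C set."""
    return {src for _, src, dst, _, _ in rows if dst in known_c2}
```

With the sample above, `find_beacons` flags 10.0.0.5 calling 203.0.113.9 about every 300 seconds, while the two large, irregular transfers to 198.51.100.20 are left alone.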