Botnets have always posed risks to enterprise IT, but over the last decade they have spiked in both number and sophistication. In 2006, security researchers at Microsoft and McAfee foresaw the rise of high-bandwidth distributed denial-of-service attacks, after monitoring millions of bots overwhelming the electronic infrastructure of a nation in Central America. They warned of the threat to analogous assets in the U.S., while noting the increasing capabilities and coordination of the cybercriminals behind the botnets.
Today's botnets: Ubiquitous and available in many varieties
More recently, do-it-yourself kits and vendors who advertise on the Internet have enabled even novices to get the resources required for DDoS. Highly organized cyberattacks, as well as advanced malware that enlists endpoints into command-and-control infrastructure, are still dangerous, but now enterprises must also be mindful of schemes that could originate with lone wolves. The botnet issue has come to the fore recently, highlighted by incidents such as:
- Record-breaking DDoS: Prolexic called the first quarter of 2013 a "landmark" one for DDoS, and if anything the bar has been continually raised since then. An early 2014 attack against CloudFlare's content delivery network not only reached 400 Gbps, but took the novel route of exploiting the legacy Network Time Protocol rather than conducting DNS reflection.
- Reanimated and reengineered threats: The ZeuS botnet has long been a thorn in the side of network security teams. In recent iterations like GameOver ZeuS, it has returned to push the envelope for botnet features, pioneering encrypted peer-to-peer communications as well as strong encryption malware in the mode of CryptoLocker.
- Potential government action: Even government bodies have realized the mounting pressure that botnets are putting on cybersecurity. U.S. Senator Sheldon Whitehouse, citing the ability of botnets to marshal millions of unsuspecting users into a "virtual army," may soon propose a bill that addresses the threat.
Moreover, new approaches to DDoS are emerging all the time, putting the onus on enterprises to continue educating users and upgrading endpoint security. Last year, Trend Micro senior threat researcher Robert McArdle examined DDoS attacks that could emanate from HTML5 in a Web browser. Other threats on the cutting edge include the BrutePOS botnet that targets point-of-sale terminals.
Such technical sophistication is only part of the problem, though. The global, decentralized structure of the Internet and the availability of new-age tools mean that mitigating the risk of being hit by a DDoS attack – or enlisted into its associated botnet – requires that numerous stakeholders work together. Hence the public-sector call for more attention to the threat.
"[C]ybercrime and botnets are a borderless crime," Cheri McGuire, vice president at Symantec, told SCMagazine.com. "[Mitigation] requires the cooperation and coordination – between the government and the private sector, between governments, and within the private sector itself."
Microsoft's efforts show difficulty of dealing with sprawling botnets
How have these parties tackled the escalating botnet issue? In early July, Microsoft, historically a prominent player in DDoS analysis and reduction, obtained a court order to seize selected domains from a Nevada-based provider of free dynamic IP service. The software giant's actions have had unintended consequences, demonstrating the complications that can arise when battling today's botnets.
Microsoft was seeking to disrupt a pair of malware families that were using dynamic IP addresses from the company No-IP. Infected endpoints may have been using No-IP's infrastructure to receive additional instructions. The operation successfully blocked malicious traffic, but it also
- Interrupted service for legitimate users, spurring a widespread response on social media organized by the #FreeNoIP hashtag. Users of home automation systems, security cameras and online gaming matchmaking services all noted the issues via Twitter.
- Revealed advanced targeted attacks and cyberespionage campaigns, which were redirected to the sinkholes that Microsoft had set up. Malware such as Flame was found on compromised computers.
Going forward, botnet setup and DDoS strategies will almost certainly evolve in response to this incident. For example, direct IP changes may become preferable to dynamic IP service. In this context, enterprises must stay prepared for the prospect of massive botnets directing malware and spam-like traffic their way. Endpoint security and APT protection will be essential for identifying risks before they get out of hand.