Beautiful destruction: the inner workings of a botnet (and what it means for protection)

There is a long list of things in life that do not have an appearance that matches what they actually are. Like the cute and cuddly koala…that will tear you apart with a ruthless combination of its razor-sharp claws and teeth. Or the fun bouncing purple spheres of a close-up of staphylococcus aureus…a bacterium that will, in fact, kill you.

You can add to that list the botnet landscape as visualized through a social graph. This exploratory overview of the relationships between DDoS-attacking botnets may look like a series of whimsical watercolor swirl paintings, but it’s actually a visualization of the clusters of infected devices capable of causing untold millions of dollars in damages.

DDoS on-demand in demand

In years past the trend in DDoS attacks seemed to be for marathon attacks lasting 30 days or more. This began to shift in 2015, and by the second half of the year the weeks-long offensives perpetrated by skilled attackers had given way to the short burst, high volume attacks perpetrated by any ol’ internet user with some spare cash in a PayPal or Bitcoin account who felt like directing those dollars to a DDoS-for-hire service.

According to DDoS protection service providers Imperva Incapsula, they saw a 23.5% increase in network layer attacks in the fourth quarter of 2015 compared to the third quarter, and a full 82.9% of those network layer attacks lasted less than 30 minutes.

Lest you think these shorter attacks are easier to mitigate, consider that Incapsula also says Q4 2015 saw a massive number of repeated burst attacks, with multiple attacks launched over the course of one hour. These repeated burst attacks can actually be more dangerous than one attack of the same length, as concurrent attacks require a tricky combination of early detection, rapid activation and scalability.

Bad to the bot

A DDoS attack is a Distributed Denial of Service attack, meaning it comes courtesy of a large number of infected devices flooding or otherwise consuming the resources or bandwidth of a targeted website. Collectively, a connected group of infected devices is known as a botnet. So if the question is where do DDoS attacks actually come from, the shortest possible answer is a botnet. Or, as more accurately, multiple botnets.

While much research has gone into how botnets work and how attackers manage to assemble these zombie armies, largely without the owners of the infected computers and devices even knowing, there hasn’t been much information published on how botnets interact with and – horrifyingly enough – cooperate with each other. Until now, that is.

The botnet landscape

Imperva Incapsula took it upon themselves to gaze into the abyss of botnets in order to provide a better understanding of the relationship between botnet devices. To do so, they studied 57,034 IPs involved in attempted DDoS attacks against 560 of their own clients from January 1st to March 1st of 2016. They then exported that sample into an open source visualization software for centrality analysis. This is what they came up with.

The high-res version of this image, as well as a number of related images, is available in an Imperva Incapsula blog post on the subject that is well worth a read. Altogether this series of images illuminates how botnets interact as well as three unique attack scenarios.


Three attack scenarios, from the top

If you’ll refer to the image above, this article will take you through the three unique attack scenarios from top to bottom. Without further ado:

Script kiddies and the axes they grind

What you see at the top of the image are DoS tools being used by script kiddies. DoS attacks are denial of service attacks and can be accomplished by a single attacking device. In this case those single attacking devices seem to be manned by script kiddies, who attack websites for the lulz, as they say. This essentially translates to attacks made for fun or because of a grudge or to take revenge. These attacks can be motivated by political agendas and are often aimed at political blogs, news websites, or websites belonging to religious institutions or human rights organizations.

Hired guns and their private botnets

Things get a little more professional as you move down the image. The center square in the image represents the private botnets run by hired DDoS professionals. These botnets and their owners are not to be confused with the DDoS-for-hire services mentioned above. These are not services you can access for $30 per month, rather these are the big-money individuals that would be hired by a corporation or organization to take down a rival company’s website.

These botnets are organized and capable of launching complex, multi-factor advanced persistent denial of service attacks that can last for weeks at a time. The people running this kind of botnet are likely able to make a living doing so.

DDoS-for-hire and the hacker’s cloud

The bottom cluster in the image above is one of the most fascinating. It represents a large cluster of infected devices being used by a large number of individuals to attack unrelated websites.

This cluster is likely made up of a combination of botnets-for-hire, available to anyone willing to pay a monthly subscription for the ability to launch their own DDoS attacks, and devices taken over by multiple attackers. According to Imperva Incapsula, this is representative of the majority of DDoS landscapes. A multi-tenant botnet/giant hacker’s cloud.

Mitigation implications

As you may have been able to tell by the mess of purple attack traffic flowing from the bottom multi-tenant botnet, the bulk of attack traffic originates from a limited number of IPs associated with infected devices that are used repeatedly to launch DDoS attacks.

This is actually excellent news for DDoS protection services that track offending IPs. This reality allows DDoS mitigation services to have earlier detection based on traffic from suspicious IPs, create adaptive mitigation strategies with low tolerance for repeat offenders, and identify zero-day threats by monitoring botnet devices.

In the end, this pretty swirling visualization of an ugly thing (DoS and DDoS attacks) actually turned out to be a visualization of the roadmap to a wonderful thing: more effective DDoS mitigation. That’s great, but do remember that this is not a common outcome.