What is a botnet attack, and how do you stop one? A botnet (derived from ‘robot network’) is a large group of malware-infected internet-connected devices and computers controlled by a single operator. Attackers use these compromised devices to launch large-scale attacks to disrupt services, steal credentials and gain unauthorized access to critical systems. The botnet command and control model allows the attacker(s) to take over operations of these devices in order to control them remotely. A botnet’s strength is in the number of infected machines it contains. Attackers can control botnets remotely and receive software updates from them, using those updates to quickly shift their behavior.

What Is a Botnet Attack?

A botnet attack is a large-scale cyber attack carried out by malware-infected devices which are controlled remotely. It turns compromised devices into ‘zombie bots’ for a botnet controller. Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time. Botnet attacks are akin to having a threat actor working within the network, as opposed to a piece of self-replicating malware.

They are becoming more sophisticated than other malware attack types since they can be scaled up or changed on the fly to inflict even more damage. Malware delivered via botnet often includes network communication features that allow attackers to use the botnet to route communications with other threat actors through the vast network of compromised machines.

Attackers use botnets to compromise systems, distribute malware and recruit new devices to the brood. A botnet attack may be mostly for disruption or a means of blazing a path to launch a secondary attack.


What Are the Most Common Types of Botnet Attacks?

1. Brute Force Attack

An attacker will choose to use a brute force attack when they don’t know the target password(s). This attack method uses a rapid, repetitive password-guessing technique. During a brute force attack, malware directly interacts with the affected service to get real-time feedback on each password attempt. A brute force attack may also make use of leaked credentials or personally identifiable information to seed its password attempts.
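The point for defenders is that a brute force attack leaves a distinctive trail in the authentication log: many failures from one source in a short window, or, when a botnet spreads the guessing across its bots, a few failures per bot against the same account. The following script is an added example, not code from the original article; the log lines are constructed in an sshd-like format and the thresholds are assumptions to be tuned per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed sample lines in an sshd-like format (not real logs).
SAMPLE_LOG = """\
2024-01-15T10:00:01 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:02 sshd: Failed password for root from 203.0.113.7
2024-01-15T10:00:03 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:04 sshd: Failed password for user from 203.0.113.7
2024-01-15T10:00:05 sshd: Failed password for admin from 203.0.113.7
2024-01-15T10:00:06 sshd: Failed password for guest from 203.0.113.7
2024-01-15T10:00:10 sshd: Accepted password for alice from 198.51.100.5
2024-01-15T10:05:00 sshd: Failed password for bob from 198.51.100.9
2024-01-15T10:06:00 sshd: Failed password for bob from 198.51.100.10
2024-01-15T10:07:00 sshd: Failed password for bob from 198.51.100.11
"""

LINE_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) password for (\S+) from (\S+)$")


def parse_line(line):
    """Return (timestamp, outcome, username, source_ip) or None for non-matching lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)


def failed_events(log_text):
    """Yield (timestamp, username, source_ip) for every failed login."""
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[1] == "Failed":
            ts, _, user, ip = parsed
            yield ts, user, ip


def find_brute_force(log_text, threshold=5, window=timedelta(minutes=1)):
    """Classic single-source brute force: return {source_ip: (max failures within
    any sliding `window`, sorted usernames tried)} for sources at or above `threshold`."""
    by_ip = defaultdict(list)
    for ts, user, ip in failed_events(log_text):
        by_ip[ip].append((ts, user))
    offenders = {}
    for ip, events in by_ip.items():
        events.sort()
        best, start = 0, 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits inside `window`.
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            offenders[ip] = (best, sorted({u for _, u in events}))
    return offenders


def find_distributed_attempts(log_text, min_sources=3):
    """Botnet-style guessing: each bot makes only a few attempts, so no single IP
    crosses the per-source threshold. Aggregate per target account instead and
    return {username: number of distinct source IPs} for accounts hit from at
    least `min_sources` addresses."""
    sources = defaultdict(set)
    for _, user, ip in failed_events(log_text):
        sources[user].add(ip)
    return {u: len(ips) for u, ips in sources.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    print("single-source:", find_brute_force(SAMPLE_LOG))
    print("distributed:  ", find_distributed_attempts(SAMPLE_LOG))
```

Run stand-alone, the first check flags 203.0.113.7 (six failures in five seconds across four accounts) and the second flags the `bob` account, which no per-IP rule would catch because each bot tried only once. In practice the per-account view is the one that matters against a botnet, and the response is rate limiting plus multi-factor authentication on the targeted accounts rather than blocking individual addresses.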

2. Distributed Denial of Service (DDoS) Attacks

A botnet DDoS attack is a very common botnet attack. In this case, DDoS floods a service with web traffic to crash it and interrupt service. In 2016, the Mirai botnet brought down domain name service provider Dyn in two phases, causing performance degradation and outages of major client sites such as Twitter and Soundcloud in some regions.

3. Spam and Phishing

Attackers use email spam for phishing campaigns designed to trick employees into sharing sensitive information or login credentials. Phishing is also used to gain access to even more devices to grow the botnet.

4. Device Bricking

Attackers launch bots for a device bricking attack over multiple phases. Bricking happens when a device is infected with malware that deletes its contents, often to remove evidence of a primary attack. Bricking causes a device to stop working, rendering it useless.

Is There Strength in Numbers for Botnet Attacks?

Botnets are such a major threat because they deploy in large numbers. However, the total number of bots within a botnet does not determine the amount of damage it can inflict.

Despite that, DDoS botnet attacks are rising. In 2010, the Kneber botnet commanded 75,000 machines from high-profile companies and government agencies. The botnet attack netted over 68,000 stolen login credentials and 1,972 digital certificates. Recent botnet attacks use fewer machines and tend to focus on launching DDoS attacks. In 2021, Cloudflare thwarted the largest reported DDoS botnet attack, which the attackers launched with 20,000 bots in 125 countries.

Malware-as-a-service is another popular tool related to botnet attacks. Attackers can use rented botnets to carry out these attacks. Any attack type that can be automated has the potential to become a resalable botnet service.

Why Does a Botnet Attack Happen?

The growing number of connected devices enables more botnet attacks. After all, IoT devices are everywhere. More than 31 billion IoT devices are active around the world, including smart home and enterprise devices. Consumer IoT devices are used at home to control appliances, lights, door locks, cameras, thermostats, smart plugs, digital assistants and more. Health care and critical infrastructure also have their own suites of connected devices. Any device connected to the internet could be recruited as a zombie bot. Defending against an attack on these begins with prevention.

Any device that connects to the internet is at risk. More unsecured IoT devices widen the attack surface by providing ready access to large numbers of devices.

Misconfiguration of IoT devices and poor security configuration protocols have contributed to the growing popularity of botnets. Increased employee remote access to corporate networks from personal devices and home networks has also been a contributing factor.

How Do I Defend Against a Botnet Attack Before it Happens?

Experts predict IoT device adoption will increase over time, with the total number of connected devices worldwide reaching 43 million by 2023. The sheer range of devices on the market today already presents a challenge for device management and monitoring. As the total number of connected devices grows, so too does the complexity of securing them.

Phishing and social engineering remain the top methods for gaining access to systems and devices. The 2021 Cost of a Data Breach report found phishing to be the second-costliest method of initial attack.

To prevent this, adopt cybersecurity hygiene best practices and provide ongoing cybersecurity awareness training for employees at all levels. Add new devices to the network only once you’re sure their security settings meet minimal standards for the organization.

Botnet attack prevention requires regular proactive attention. First, ensure system and device software is up-to-date. In particular, monitor lesser-used devices for security updates. Apply those updates as soon as the developer releases them.

IoT device configuration is important, too. Always change default device login credentials. Retiring (removing) older, unused devices from the network also removes them as an attack vector.

You can also prevent a botnet attack by limiting access to suitable host devices. Monitor and restrict access to IoT devices on the network. Segregating or air-gapping IoT devices from other critical systems can help lessen the effects of an attack as well. Enable multi-factor authentication on devices and limit the number of users with access to them.

Gaining better visibility into network operations makes a difference as well. Network monitoring and analytics tools can provide insight into the devices and traffic patterns. If needed, deploy artificial intelligence network monitoring to determine baseline usage and monitor for anomalies. This can help detect the start of an attack and allow security teams to respond.
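Whatever tooling establishes the baseline, the underlying check is the same: learn each device's normal traffic volume, then alert when a sample departs from it by more than the noise allows. The script below is an added example, not code from the original article, and stands in for the monitoring products the text refers to; the per-device traffic series are constructed, and the baseline length, z-score threshold and standard-deviation floor are assumptions.

```python
import statistics

# Constructed outbound traffic per device, in KB per 5-minute interval (not real telemetry).
TRAFFIC = {
    "camera-01":     [120, 118, 125, 130, 122, 119, 121, 128, 124, 123, 126, 119, 122, 120],
    "thermostat-02": [5, 6, 5, 5, 7, 6, 5, 6, 5, 5, 6, 5, 5, 6],
    "camera-03":     [118, 122, 121, 119, 125, 120, 123, 121, 124, 119, 122, 120, 121, 3500],
}

BASELINE_SAMPLES = 12  # assumption: the first 12 intervals represent normal behaviour


def build_baseline(series, n=BASELINE_SAMPLES):
    """Mean and population standard deviation of the first `n` samples."""
    train = series[:n]
    return statistics.fmean(train), statistics.pstdev(train)


def detect_anomalies(traffic, n=BASELINE_SAMPLES, z_threshold=3.0, min_stdev=1.0):
    """Return {device: [(index, value, z_score)]} for samples after the baseline
    period whose z-score exceeds `z_threshold`.

    `min_stdev` floors the deviation so that a device with an almost perfectly
    flat baseline (like a thermostat sending 5-6 KB) does not alert on a 1 KB wobble.
    """
    alerts = {}
    for device, series in traffic.items():
        mean, stdev = build_baseline(series, n)
        stdev = max(stdev, min_stdev)
        hits = []
        for i, value in enumerate(series[n:], start=n):
            z = (value - mean) / stdev
            if z > z_threshold:
                hits.append((i, value, round(z, 1)))
        if hits:
            alerts[device] = hits
    return alerts


if __name__ == "__main__":
    for device, hits in detect_anomalies(TRAFFIC).items():
        for index, value, z in hits:
            print(f"{device}: interval {index} sent {value} KB (z={z}) - investigate")
```

Only `camera-03` alerts, on its last interval, where a device that normally sends about 120 KB suddenly sends 3,500 KB, the kind of jump a camera recruited into a DDoS botnet would show. The two healthy devices stay quiet even though their traffic is not perfectly constant, which is the property a usable baseline needs: sensitive to a real change, tolerant of ordinary variation.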

How Do I Stop a Botnet Attack?

Stopping a botnet attack begins with regaining control of the compromised device(s). You can stop botnet attacks running on the command and control model by disabling access to the central server which works as the main resource for the malware-infected brood.

At the device level, cut a bot off from the botnet by severing its connections to the control servers. Scan affected devices for malware and reformat or reinstall system software as required. IoT devices may require a fresh installation of device firmware (a full factory reset) to restore proper functionality and remove malware.

Large-scale botnets can be a challenge to shut down completely. In the case of Trickbot, multiple command and control central servers could communicate with one another. This allowed them to quickly spin up new instances as the defenders took servers offline.

With Botnet Attacks, Early Detection Is Key

The evolution of sophisticated botnet attacks continues to wreak havoc on systems and networks. New IoT devices with questionable security will only add to the overall attack surface. Prevention and early detection remain key in preventing serious damage to systems and devices.
