What is a botnet attack, and how do you stop one?

A botnet (derived from ‘robot network’) is a large group of malware-infected internet-connected devices and computers controlled by a single operator. Attackers use these compromised devices to launch large-scale attacks to disrupt services, steal credentials and gain unauthorized access to critical systems. The botnet command and control model allows the attacker(s) to take over operations of these devices in order to control them remotely. A botnet’s strength is in the number of infected machines it contains. Attackers can control botnets remotely and push software updates to them, using those updates to quickly shift the bots’ behavior.

What Is a Botnet Attack?

A botnet attack is a large-scale cyber attack carried out by malware-infected devices which are controlled remotely. It turns compromised devices into ‘zombie bots’ for a botnet controller. Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time. Botnet attacks are akin to having a threat actor working within the network, as opposed to a piece of self-replicating malware.

They are becoming more sophisticated than other malware attack types since they can be scaled up or changed on the fly to inflict even more damage. Malware delivered via botnet often includes network communication features that allow attackers to use the botnet to route communications with other threat actors through the vast network of compromised machines.

Attackers use botnets to compromise systems, distribute malware and recruit new devices to the brood. A botnet attack may be mostly for disruption or a means of blazing a path to launch a secondary attack.


What Are the Most Common Types of Botnet Attacks?

1. Brute Force Attack

An attacker will choose to use a brute force attack when they don’t know the target password(s). This attack method uses a rapid, repetitive password-guessing technique. During a brute force attack, malware directly interacts with the affected service for real-time feedback on password attempts. A brute force attack may also make use of leaked credentials or personally identifiable information for password attempts.
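Because the guessing malware interacts with the service directly, every attempt leaves a trace in the service’s authentication log, which is where defenders catch it. The following is an added example, not code from the article or from IBM: it parses constructed OpenSSH-style log lines and flags three patterns in them: one source hammering one account (classic brute force), one source trying many accounts a few times each (password spraying, which per-account lockouts miss), and a successful login that follows a run of failures from the same source (the sign that guessing may have worked). The log lines are constructed samples and the thresholds are illustrative assumptions.

```python
"""Detect brute-force and password-spraying patterns in SSH-style auth logs.

Added example for this article (not IBM's or the author's code). The log
lines are constructed samples in OpenSSH's message format; the window and
threshold values are assumptions to tune per environment.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: 203.0.113.5 brute-forces "admin" and then gets in;
# 198.51.100.7 sprays one guess across many accounts; 192.0.2.9 is a user typo.
SAMPLE_LOG = """\
Mar 10 09:00:01 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51022 ssh2
Mar 10 09:00:02 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51023 ssh2
Mar 10 09:00:02 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51024 ssh2
Mar 10 09:00:03 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51025 ssh2
Mar 10 09:00:04 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51026 ssh2
Mar 10 09:00:05 host sshd[1201]: Failed password for admin from 203.0.113.5 port 51027 ssh2
Mar 10 09:00:06 host sshd[1202]: Accepted password for admin from 203.0.113.5 port 51028 ssh2
Mar 10 09:00:10 host sshd[1300]: Failed password for invalid user alice from 198.51.100.7 port 40001 ssh2
Mar 10 09:00:20 host sshd[1300]: Failed password for invalid user bob from 198.51.100.7 port 40002 ssh2
Mar 10 09:00:30 host sshd[1300]: Failed password for invalid user carol from 198.51.100.7 port 40003 ssh2
Mar 10 09:00:40 host sshd[1300]: Failed password for invalid user dave from 198.51.100.7 port 40004 ssh2
Mar 10 09:00:50 host sshd[1300]: Failed password for invalid user erin from 198.51.100.7 port 40005 ssh2
Mar 10 09:05:00 host sshd[1400]: Failed password for ops from 192.0.2.9 port 33000 ssh2
Mar 10 09:05:30 host sshd[1401]: Accepted password for ops from 192.0.2.9 port 33001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse(log_text):
    """Return (timestamp, failed?, user, source_ip) tuples for password events."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # other sshd messages are not relevant here
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")  # syslog has no year
        events.append((ts, m["result"] == "Failed", m["user"], m["ip"]))
    return events


def _max_in_window(times, window):
    """Largest number of timestamps that fit inside one sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_brute_force(events, window=timedelta(seconds=60), threshold=5):
    """(source, account) pairs with >= threshold failures inside one window."""
    by_key = defaultdict(list)
    for ts, failed, user, ip in events:
        if failed:
            by_key[(ip, user)].append(ts)
    return {key: n for key, times in by_key.items()
            if (n := _max_in_window(times, window)) >= threshold}


def find_password_spray(events, window=timedelta(minutes=5), min_accounts=4):
    """Sources that fail against many distinct accounts inside one window.
    Each account sees only one or two attempts, so per-account thresholds
    and lockouts never fire; the signal is breadth, not depth."""
    by_ip = defaultdict(list)
    for ts, failed, user, ip in events:
        if failed:
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, attempts in by_ip.items():
        attempts.sort()
        best = start = 0
        for end, (t, _) in enumerate(attempts):
            while t - attempts[start][0] > window:
                start += 1
            best = max(best, len({u for _, u in attempts[start:end + 1]}))
        if best >= min_accounts:
            hits[ip] = best
    return hits


def successes_after_failures(events, min_failures=3):
    """Accepted logins from a source that had already failed min_failures
    times: the case that needs an incident response, not just a block."""
    failures = defaultdict(int)
    suspect = set()
    for ts, failed, user, ip in sorted(events):
        if failed:
            failures[ip] += 1
        elif failures[ip] >= min_failures:
            suspect.add((ip, user))
    return suspect


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("brute force:", find_brute_force(ev))
    print("password spray:", find_password_spray(ev))
    print("success after failures:", successes_after_failures(ev))
```

The three detectors deliberately key on different things (one account, many accounts, failure-then-success) because a botnet can spread its guesses across thousands of source addresses; per-source counts alone will miss a distributed campaign, so in practice the same windows should also be evaluated per target account across all sources.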

2. Distributed Denial of Service (DDoS) Attacks

A botnet DDoS attack is a very common botnet attack. In this case, DDoS floods a service with web traffic to crash it and interrupt service. In 2016, the Mirai botnet brought down domain name service provider Dyn in two phases, causing performance degradation and outages of major client sites such as Twitter and Soundcloud in some regions.

3. Spam and Phishing

Attackers use email spam for phishing campaigns designed to trick employees into sharing sensitive information or login credentials. Phishing is also used to gain access to even more devices to grow the botnet.

4. Device Bricking

Attackers launch bots for a device bricking attack over multiple phases. Bricking happens when a device is infected with malware that deletes its contents, often to remove evidence of a primary attack. Bricking causes a device to stop working, rendering it useless.

Is There Strength in Numbers for Botnet Attacks?

Botnets are such a major threat because they deploy in large numbers. However, the total number of bots within a botnet does not determine the amount of damage it can inflict.

Despite that, DDoS botnet attacks are rising. In 2010, the Kneber botnet commanded 75,000 machines from high-profile companies and government agencies. The botnet attack netted over 68,000 stolen login credentials and 1,972 digital certificates. Recent botnet attacks use fewer machines and tend to focus on launching DDoS attacks. In 2021, Cloudflare thwarted the largest reported DDoS botnet attack, which the attackers launched with 20,000 bots in 125 countries.

Malware-as-a-service is another popular tool related to botnet attacks. Attackers can use rented botnets to carry out these attacks. Any attack type that can be automated has the potential to become a resalable botnet service.

Why Does a Botnet Attack Happen?

The growing number of connected devices enables more botnet attacks. After all, IoT devices are everywhere. More than 31 billion IoT devices are active around the world, including smart home and enterprise devices. Consumer IoT devices are used at home to control appliances, lights, door locks, cameras, thermostats, smart plugs, digital assistants and more. Health care and critical infrastructure also have their own suites of connected devices. Any device connected to the internet could be recruited as a zombie bot. Defending against an attack on these begins with prevention.

Any device that connects to the internet is at risk. Every additional unsecured IoT device widens the attack surface by giving attackers ready access to large numbers of devices.

Misconfiguration of IoT devices and poor security configuration protocols have contributed to the growing popularity of botnets. Increased employee remote access to corporate networks from personal devices and home networks has also been a contributing factor.

How Do I Defend Against a Botnet Attack Before it Happens?

Experts predict IoT device adoption will increase over time, with the total number of connected devices worldwide reaching 43 million by 2023. The sheer range of devices on the market today already presents a challenge for device management and monitoring. As the total number of connected devices grows, so too does the complexity of securing them.

Phishing and social engineering remain the top methods for gaining access to systems and devices. The 2021 Cost of a Data Breach report found phishing to be the second-costliest method of initial attack.

To prevent this, adopt cybersecurity hygiene best practices and provide ongoing cybersecurity awareness training for employees at all levels. Add new devices to the network only once you’re sure their security settings meet minimal standards for the organization.

Botnet attack prevention requires regular proactive attention. First, ensure system and device software is up-to-date. In particular, monitor lesser-used devices for security updates. Apply those updates as soon as the developer releases them.

IoT device configuration is important, too. Always change default device login credentials. Retiring (removing) older, unused devices from the network also removes them as an attack vector.

You can also prevent a botnet attack by limiting access to suitable host devices. Monitor and restrict access to IoT devices on the network. Segregating or air-gapping IoT devices from other critical systems can help lessen the effects of an attack as well. Enable multi-factor authentication on devices and limit the number of users with access to them.

Gaining better visibility into network operations makes a difference as well. Network monitoring and analytics tools can provide insight into the devices and traffic patterns. If needed, deploy artificial intelligence network monitoring to determine baseline usage and monitor for anomalies. This can help detect the start of an attack and allow security teams to respond.
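Two of the cheapest baseline checks a monitoring pipeline can run on IoT traffic are shown below as an added example (not IBM’s or the author’s code). A bot under the command and control model polls its controller on a timer, so its connections to one destination arrive at almost constant intervals, while a person’s or an app’s traffic is bursty; and a device recruited into a flood suddenly sends many times its own usual daily volume. The connection records, the daily byte totals and the thresholds are all constructed assumptions.

```python
"""Baseline-and-anomaly checks over connection records to catch early botnet
activity: periodic command-and-control beaconing, and devices whose outbound
volume departs from their own baseline.

Added example for this article (not IBM's or the author's code). RECORDS,
DAILY_BASELINE and TODAY are constructed data; min_count, max_cv and
z_threshold are assumptions to tune per network.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch seconds, source device, destination, bytes out)
RECORDS = []
# camera-1 checks in with 203.0.113.50 roughly every 60 s with small payloads.
for i in range(12):
    RECORDS.append((1_700_000_000 + 60 * i + (i % 3) - 1, "camera-1", "203.0.113.50:443", 400))
# thermostat-2 talks to its vendor cloud at irregular, user-driven moments.
for t in (5, 130, 137, 402, 890, 1300, 1330, 2401):
    RECORDS.append((1_700_000_000 + t, "thermostat-2", "vendor.example:443", 1500))

# Constructed per-device daily outbound byte totals for the previous 7 days,
# and today's total: camera-1 is suddenly sending ~40x its norm.
DAILY_BASELINE = {
    "camera-1": [2_100, 2_050, 2_200, 1_980, 2_150, 2_080, 2_120],
    "thermostat-2": [12_000, 11_500, 13_000, 12_400, 11_900, 12_600, 12_100],
}
TODAY = {"camera-1": 85_000, "thermostat-2": 12_300}


def beacon_candidates(records, min_count=8, max_cv=0.10):
    """Return {(src, dst): mean_interval} for pairs whose connection intervals
    are nearly constant. cv = stdev / mean of the gaps between connections;
    timer-driven check-ins have a low cv, human-driven traffic does not."""
    by_pair = defaultdict(list)
    for ts, src, dst, _ in records:
        by_pair[(src, dst)].append(ts)
    hits = {}
    for pair, times in by_pair.items():
        if len(times) < min_count:
            continue  # too few samples to call anything periodic
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if mean(gaps) == 0:
            continue
        if pstdev(gaps) / mean(gaps) <= max_cv:
            hits[pair] = round(mean(gaps), 1)
    return hits


def volume_anomalies(baseline, today, z_threshold=3.0):
    """Return {device: z_score} for devices whose outbound volume today sits
    more than z_threshold standard deviations above their own daily mean."""
    hits = {}
    for device, history in baseline.items():
        mu, sigma = mean(history), pstdev(history)
        if sigma == 0 or device not in today:
            continue
        z = (today[device] - mu) / sigma
        if z > z_threshold:
            hits[device] = round(z, 1)
    return hits


def suspected_c2_endpoints(records):
    """Destinations behind the periodic pairs: the candidates to investigate
    and, once confirmed, to cut off at the egress firewall."""
    return {dst for (_, dst) in beacon_candidates(records)}


if __name__ == "__main__":
    print("beaconing pairs:", beacon_candidates(RECORDS))
    print("volume anomalies:", volume_anomalies(DAILY_BASELINE, TODAY))
    print("suspected C2 endpoints:", suspected_c2_endpoints(RECORDS))
```

The jitter built into the camera’s check-ins (intervals of 58 and 61 seconds rather than exactly 60) is there on purpose: real bots add small random delays, so a detector that demands identical intervals misses them, while the coefficient of variation still stays far below the threshold. Both checks compare a device only against its own history, which is what keeps a chatty thermostat from being flagged just because it sends more than a camera.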

How Do I Stop a Botnet Attack?

Stopping a botnet attack begins with regaining control of the compromised device(s). You can stop botnet attacks that rely on the command and control model by cutting off access to the central server that directs the malware-infected brood.

At the device level, cut a bot off from the net by severing its connections to the control servers. Scan affected devices for malware and reformat or reinstall system software as required. IoT devices may require a fresh installation of device firmware (a full factory reset) to restore proper functionality and remove malware.

Large-scale botnets can be a challenge to shut down completely. In the case of Trickbot, multiple command and control central servers could communicate with one another. This allowed them to quickly spin up new instances as the defenders took servers offline.

With Botnet Attacks, Early Detection Is Key

The evolution of sophisticated botnet attacks continues to wreak havoc on systems and networks. New IoT devices with questionable security will only add to the overall attack surface. Prevention and early detection remain key in preventing serious damage to systems and devices.
