What is a botnet attack, and how do you stop one?

A botnet (derived from ‘robot network’) is a large group of malware-infected, internet-connected devices and computers controlled by a single operator. Attackers use these compromised devices to launch large-scale attacks that disrupt services, steal credentials and gain unauthorized access to critical systems. The botnet command and control model lets the attacker(s) take over these devices and operate them remotely. A botnet’s strength lies in the number of infected machines it contains. Attackers control botnets remotely and push software updates to the bots, using those updates to quickly shift their behavior.

What Is a Botnet Attack?

A botnet attack is a large-scale cyber attack carried out by malware-infected devices which are controlled remotely. It turns compromised devices into ‘zombie bots’ for a botnet controller. Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time. Botnet attacks are akin to having a threat actor working within the network, as opposed to a piece of self-replicating malware.

They are becoming more sophisticated than other malware attack types since they can be scaled up or changed on the fly to inflict even more damage. Malware delivered via botnet often includes network communication features that allow attackers to use the botnet to route communications with other threat actors through the vast network of compromised machines.

Attackers use botnets to compromise systems, distribute malware and recruit new devices to the brood. A botnet attack may be mostly for disruption or a means of blazing a path to launch a secondary attack.


What Are the Most Common Types of Botnet Attacks?

1. Brute Force Attack

An attacker will choose a brute force attack when they don’t know the target password(s). This method uses rapid, repetitive password guessing. During a brute force attack, the malware interacts directly with the targeted service, getting real-time feedback on each password attempt. A brute force attack may also draw on leaked credentials or personally identifiable information to generate its guesses.
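
The detection side of this, as an added example that is not part of the original article: the script below scans constructed sshd-style log lines (RFC 5737 test addresses, made-up account names) for two patterns. A per-source burst catches one machine guessing rapidly against a service. A per-account spray catches the botnet version of the same attack, where the guesses for one account arrive from many different bots so that no single source ever crosses a per-IP threshold. The window and threshold values are illustrative assumptions, not recommendations from the article.

```python
"""Detect password-guessing bursts in authentication logs.

Added example, not code from the original article. The log lines below are
constructed in an sshd-like format with RFC 5737 test addresses; the
thresholds are illustrative. Two views are computed, because a botnet
spreads its guesses across many bots: per-source bursts (one IP, many
failures) and per-account sprays (one account, failures from many IPs).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real hosts, accounts or addresses).
SAMPLE_LOG = """\
2023-01-10T12:00:01 sshd[4011]: Failed password for admin from 198.51.100.7 port 52311 ssh2
2023-01-10T12:00:02 sshd[4011]: Failed password for admin from 198.51.100.7 port 52312 ssh2
2023-01-10T12:00:02 sshd[4011]: Failed password for admin from 198.51.100.7 port 52313 ssh2
2023-01-10T12:00:03 sshd[4011]: Failed password for admin from 198.51.100.7 port 52314 ssh2
2023-01-10T12:00:03 sshd[4011]: Failed password for admin from 198.51.100.7 port 52315 ssh2
2023-01-10T12:00:04 sshd[4011]: Failed password for admin from 198.51.100.7 port 52316 ssh2
2023-01-10T12:00:10 sshd[4012]: Failed password for svc_backup from 203.0.113.21 port 40001 ssh2
2023-01-10T12:00:11 sshd[4012]: Failed password for svc_backup from 203.0.113.22 port 40002 ssh2
2023-01-10T12:00:12 sshd[4012]: Failed password for svc_backup from 203.0.113.23 port 40003 ssh2
2023-01-10T12:00:13 sshd[4012]: Failed password for svc_backup from 203.0.113.24 port 40004 ssh2
2023-01-10T12:00:14 sshd[4012]: Failed password for svc_backup from 203.0.113.25 port 40005 ssh2
2023-01-10T12:00:20 sshd[4013]: Accepted password for alice from 192.0.2.10 port 50000 ssh2
2023-01-10T12:05:00 sshd[4014]: Failed password for alice from 192.0.2.10 port 50001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_failures(log_text):
    """Return (timestamp, user, src_ip) for every failed-login line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("result") == "Failed":
            ts = datetime.fromisoformat(m.group("ts"))
            events.append((ts, m.group("user"), m.group("src")))
    return events


def burst_sources(events, threshold=5, window=timedelta(seconds=60)):
    """Source IPs with >= threshold failures inside any sliding window."""
    by_src = defaultdict(list)
    for ts, _user, src in events:
        by_src[src].append(ts)
    flagged = set()
    for src, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:  # shrink window
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(src)
                break
    return flagged


def sprayed_accounts(events, min_sources=4, window=timedelta(seconds=60)):
    """Accounts attacked from >= min_sources distinct IPs inside a window.

    This is the view that catches a distributed (botnet) guessing campaign:
    each bot stays under the per-source threshold, but the target account
    sees failures from many addresses in a short time.
    """
    by_user = defaultdict(list)
    for ts, user, src in events:
        by_user[user].append((ts, src))
    flagged = set()
    for user, items in by_user.items():
        items.sort()
        start = 0
        for end in range(len(items)):
            while items[end][0] - items[start][0] > window:
                start += 1
            distinct = {src for _ts, src in items[start:end + 1]}
            if len(distinct) >= min_sources:
                flagged.add(user)
                break
    return flagged


def analyze(log_text):
    """Run both detectors and return their findings."""
    events = parse_failures(log_text)
    return {
        "burst_sources": burst_sources(events),
        "sprayed_accounts": sprayed_accounts(events),
    }


if __name__ == "__main__":
    print(analyze(SAMPLE_LOG))
```

In the constructed sample, the single-source burst against `admin` and the five-source spray against `svc_backup` are both flagged, while the one stray failure for `alice` is not. In production the two views would feed different responses: a per-source burst is a candidate for rate limiting or blocking, whereas a spray points at an account that needs a lockout policy or MFA rather than at any one address.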

2. Distributed Denial of Service (DDoS) Attacks 

A botnet DDoS attack is a very common botnet attack. In this case, the botnet floods a service with web traffic to crash it and interrupt service. In 2016, the Mirai botnet brought down domain name service provider Dyn in two phases, causing performance degradation and outages of major client sites such as Twitter and SoundCloud in some regions.

3. Spam and Phishing

Attackers use email spam for phishing campaigns designed to trick employees into sharing sensitive information or login credentials. Phishing is also used to gain access to even more devices to grow the botnet.

4. Device Bricking

Attackers launch bots for a device bricking attack over multiple phases. Bricking happens when a device is infected with malware that deletes its contents, often to remove evidence of a primary attack. Bricking causes a device to stop working, rendering it useless.

Is There Strength in Numbers for Botnet Attacks?

Botnets are such a major threat because they deploy in large numbers. However, the total number of bots within a botnet does not determine the amount of damage it can inflict.

Despite that, DDoS botnet attacks are rising. In 2010, the Kneber botnet commanded 75,000 machines from high-profile companies and government agencies. The botnet attack netted over 68,000 stolen login credentials and 1,972 digital certificates. Recent botnet attacks use fewer machines and tend to focus on launching DDoS attacks. In 2021, Cloudflare thwarted the largest reported DDoS botnet attack, which the attackers launched with 20,000 bots in 125 countries.

Malware-as-a-service is another popular tool related to botnet attacks. Attackers can use rented botnets to carry out these attacks. Any attack type that can be automated has the potential to become a resalable botnet service.

Why Does a Botnet Attack Happen?

The growing number of connected devices enables more botnet attacks. After all, IoT devices are everywhere. More than 31 billion IoT devices are active around the world, including smart home and enterprise devices. Consumer IoT devices are used at home to control appliances, lights, door locks, cameras, thermostats, smart plugs, digital assistants and more. Health care and critical infrastructure also have their own suites of connected devices. Any device connected to the internet could be recruited as a zombie bot. Defending against an attack on these begins with prevention.

Any device that connects to the internet is at risk, and every unsecured IoT device widens the attack surface by handing attackers ready access to large numbers of recruitable machines.

Misconfigured IoT devices and weak security configuration practices have contributed to the growing popularity of botnets. Increased employee remote access to corporate networks from personal devices and home networks has been a contributing factor as well.

How Do I Defend Against a Botnet Attack Before it Happens?

Experts predict IoT device adoption will increase over time, with the total number of connected devices worldwide reaching 43 million by 2023. The sheer range of devices on the market today already presents a challenge for device management and monitoring. As the total number of connected devices grows, so too does the complexity of securing them.

Phishing and social engineering remain the top methods for gaining access to systems and devices. The 2021 Cost of a Data Breach report found phishing to be the second-costliest method of initial attack.

To prevent this, adopt cybersecurity hygiene best practices and provide ongoing cybersecurity awareness training for employees at all levels. Add new devices to the network only once you’re sure their security settings meet minimal standards for the organization.

Botnet attack prevention requires regular proactive attention. First, ensure system and device software is up-to-date. In particular, monitor lesser-used devices for security updates. Apply those updates as soon as the developer releases them.

IoT device configuration is important, too. Always change default device login credentials. Retiring (removing) older, unused devices from the network also removes them as an attack vector.

You can also prevent a botnet attack by limiting access to the devices that could host a bot. Monitor and restrict access to IoT devices on the network. Segregating or air-gapping IoT devices from other critical systems can also lessen the effects of an attack. Enable multi-factor authentication on devices and limit the number of users with access to them.

Gaining better visibility into network operations makes a difference as well. Network monitoring and analytics tools can provide insight into the devices and traffic patterns. If needed, deploy artificial intelligence network monitoring to determine baseline usage and monitor for anomalies. This can help detect the start of an attack and allow security teams to respond.
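
To make the baseline-and-anomaly idea concrete, here is an added example (not from the original article) that runs two checks over constructed flow records: a volume anomaly scored against each device's own hourly baseline, which is what a device drafted into a DDoS flood looks like from inside the network, and low-jitter periodic contact with one external host, the check-in pattern of a bot reporting to its command and control server. Device names, addresses, thresholds and the length of the baseline window are all constructed assumptions.

```python
"""Baseline device traffic and flag anomalies that suggest bot activity.

Added example, not code from the original article. All flow records are
constructed (RFC 5737 test addresses, made-up device names), and the
thresholds are illustrative.
"""
from collections import defaultdict
from statistics import mean, median, pstdev

HOUR = 3600


def constructed_flows():
    """Synthetic flow records as (device, ts_seconds, dst_ip).

    cam-01 polls its vendor cloud a few times an hour for six hours, then
    opens 500 connections to one host in hour 6 (how a DDoS participant
    looks from inside the network). thermostat-02 contacts one host every
    300 s with a few seconds of jitter for seven hours (a C2 check-in).
    """
    flows = []
    for hour in range(6):
        for offset in (37, 612, 1890, 3101):  # irregular, user-like timing
            flows.append(("cam-01", hour * HOUR + offset, "203.0.113.5"))
    for i in range(500):
        flows.append(("cam-01", 6 * HOUR + i, "198.51.100.80"))
    jitter = (0, 2, -1, 3, -2, 1, 0)
    k, t = 0, 0
    while t < 7 * HOUR:
        flows.append(("thermostat-02", t, "192.0.2.44"))
        k += 1
        t = k * 300 + jitter[k % len(jitter)]
    return flows


def hourly_counts(flows):
    """device -> {hour_bucket: number of connections}."""
    counts = defaultdict(lambda: defaultdict(int))
    for device, ts, _dst in flows:
        counts[device][ts // HOUR] += 1
    return counts


def volume_anomalies(flows, baseline_hours=6, k=6.0):
    """Hours whose connection count is far above the device's own baseline.

    The baseline is the median and MAD of the first `baseline_hours`
    buckets (robust to a few odd hours); the scale is floored at 1 so a
    perfectly regular device still produces a finite score.
    Returns (device, hour, count, score) tuples.
    """
    anomalies = []
    for device, buckets in hourly_counts(flows).items():
        base = [buckets.get(h, 0) for h in range(baseline_hours)]
        med = median(base)
        mad = median([abs(x - med) for x in base])
        scale = max(mad, 1.0)
        for hour, n in sorted(buckets.items()):
            if hour < baseline_hours:
                continue  # baseline hours are not scored against themselves
            score = (n - med) / scale
            if score > k:
                anomalies.append((device, hour, n, round(score, 1)))
    return anomalies


def beacon_candidates(flows, min_events=20, min_interval=60, max_cv=0.05):
    """(device, dst, mean_gap, cv) for pairs contacted at near-constant intervals.

    cv = stdev(gaps) / mean(gaps). Timer-driven check-ins have a low cv;
    human-driven traffic is bursty. Sub-minute regular traffic is left to
    the volume check, since a flood is also perfectly periodic.
    """
    by_pair = defaultdict(list)
    for device, ts, dst in flows:
        by_pair[(device, dst)].append(ts)
    found = []
    for (device, dst), times in by_pair.items():
        if len(times) < min_events:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        m = mean(gaps)
        if m < min_interval:
            continue
        cv = pstdev(gaps) / m
        if cv <= max_cv:
            found.append((device, dst, round(m), round(cv, 3)))
    return found


if __name__ == "__main__":
    flows = constructed_flows()
    for item in volume_anomalies(flows):
        print("volume anomaly:", item)
    for item in beacon_candidates(flows):
        print("beacon candidate:", item)
```

The two checks are deliberately complementary. The volume check catches the loud failure mode (a device suddenly sending hundreds of connections an hour) but says nothing about a quiet bot that only phones home; the periodicity check catches that quiet check-in but ignores a flood, which is why it requires a minimum mean interval. Both report the destination as well as the device, which is the information needed to cut the bot off from its control server while the device is being cleaned.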

How Do I Stop a Botnet Attack?

Stopping a botnet attack begins with regaining control of the compromised device(s). For botnets that run on the command and control model, you can stop the attack by cutting off access to the central server on which the malware-infected brood depends for its instructions.

Relatedly, another way to cut off a bot from the net is to sever connections to control servers. Scan affected devices for malware and reformat or reinstall systems software as required. IoT devices may require a fresh installation of device firmware (a full factory reset) to restore proper functionality and remove malware.

Large-scale botnets can be a challenge to shut down completely. In the case of Trickbot, multiple command and control central servers could communicate with one another. This allowed them to quickly spin up new instances as the defenders took servers offline.

With Botnet Attacks, Early Detection Is Key

The evolution of sophisticated botnet attacks continues to wreak havoc on systems and networks. New IoT devices with questionable security will only add to the overall attack surface. Prevention and early detection remain key in preventing serious damage to systems and devices.
