With active devices no longer limited to specific geographies like Eastern Europe and Asia as they were in the past, botnets are causing more harm than ever before
A few months ago Ticketmaster, an American online ticket sales and distribution company based in Beverly Hills, California, suffered a massive meltdown while handling ticket sales for a show by the hugely popular singer Taylor Swift, as fans couldn’t book tickets online. The disaster made international headlines. Only later was it found that Ticketmaster had been hit by a botnet attack, a large-scale cyber-attack carried out by malware-infected devices that are controlled remotely. The bots were blocking ticket sales and buying tickets in bulk, denying genuine fans a fair opportunity. The incident even sparked a hearing in the US Senate.
In March 2023, Deepfield, the part of Nokia that focuses on software applications for IP network analytics and distributed denial-of-service (DDoS) security, conducted a study examining thousands of DDoS attacks recorded in 2022 and 2023. The study found two major trends that mark a departure from how DDoS attacks have typically been carried out for the past 20 years: (1) the emergence of botnets as the main source of DDoS traffic, and (2) the “weaponization” of DDoS attacks, including signs of larger and more powerful botnets being co-opted into geopolitical conflicts. According to the internet security firm Kaspersky, botnets are networks of hijacked computing devices used to carry out various scams and cyberattacks. The term “botnet” is formed from the words “robot” and “network.”
Bad bots take over the Internet
Bots, software programs designed to perform specific tasks, now make up 47% of all internet traffic, while human beings account for just over half. They hold the internet together and define how it looks and works from a human perspective. Bad bots, programmed to make things fail or to work in favour of bad actors, are causing more harm than ever before.
Assembling a botnet is usually the infiltration stage of a multi-layer scheme. The bots serve as a tool to automate mass attacks such as data theft, server crashing and malware distribution. Botnets use your devices to scam other people or cause disruptions, all without your consent. You might ask, “What is a botnet attack and how does it work?” To expand on this definition, we’ll look at how botnets are made and how they are used.
Between 2000 and 2020, most DDoS attacks were based on spoofed traffic, using a variety of techniques (such as IP header modification) to hide the actual sources of the DDoS traffic. A Nokia Deepfield study released in 2021 revealed that most DDoS traffic at that time was coming from fewer than 50 hosting companies and regional providers whose open servers and hosts on the internet were being abused. That changed in 2022 and 2023, with botnets now generating most of the aggregate DDoS bandwidth (in bytes), as shown in the figure below, and representing the driving force in more than 90% of complex, multi-vector DDoS attacks.
Image: Botnet attacks as a percentage of all DDoS, Q2 2021 – Q2 2023; Source: Nokia Deepfield
Botnets proliferate across the Internet
Botnet DDoS traffic has exhibited significant growth over the past two years. In March 2023, we observed between 500,000 and 1,000,000 IoT hosts or cloud server instances engaged globally in regular daily DDoS activity, compared to about 200,000 in 2022. These large-scale botnets have a combined aggregate capacity of between 50 and 100 Tbps, with most attacks across many networks worldwide showing peaks of 1–2 Tbps.
That said, most attacks employ fewer than 5,000 devices but still have significant (sometimes devastating) effects on target systems and applications. Today, DDoS attacks can come from inside CSP networks (in many cases, from enterprise networks belonging to CSP customers) and from outside them (from the internet, across peering/transit links). Additionally, DDoS attacks can come from cloud providers even when the CSP has a direct link to the provider that is treated as “clean” and hence not monitored. Because of the many new origination points, entry points and directions of DDoS traffic, a more comprehensive, holistic approach to DDoS security is needed.
Botnets are now a global issue, with active botnet devices no longer limited to specific geographies (such as Eastern Europe and Asia) as they were in the past. Some threat actors are using this broad distribution of bot devices to launch truly global attacks, with some telecom networks witnessing attacks involving more than 60,000 active devices. Still, at this point the botnet threat is somewhat limited: botnet-related DDoS bandwidth matches the DDoS bandwidth generated by all other attack types and varieties (e.g., amplification/reflection, application-layer DDoS). Also, more than 70% of all botnets use less than 50 Mbps per device. However, the race to gigabit speeds and symmetrical bandwidth is under way, and the adoption of PON, DOCSIS 4, 5G and FWA is increasing the upstream capacity available to end devices. This has the potential to push individual bot speeds above 100 Mbps and combined botnet attacks to multi-terabit levels.
Gujarat in the cross-hairs of Botnet attacks
Gujarat is facing a string of malware and botnet attack attempts on its digital networks, across offices in major cities and central data servers, both private and government-run. The attacks exploit vulnerabilities in systems and even run email phishing campaigns to penetrate networks. The Quick Heal Cyber Threat Weather (CTW) report for the first quarter of 2023 puts Surat and Ahmedabad in sixth and eighth position in the country for malware attack attempts, with 2.74 million and 1.83 million attempts respectively. At 8.81 million attack attempts, Gujarat ranks second in the country after Maharashtra, which registered 10.52 million.
Weaponized in the Ukraine war
Botnets are the source of tens of thousands of DDoS attacks daily, each involving anywhere between several thousand and several million IP addresses. These attacks can bring to a halt many CSP networks – and in doing so, disrupt communications, services and infrastructure across an entire country. For that reason, they have been used as a cyber weapon in the ongoing conflict between Russia and Ukraine.
Since the beginning of military operations in February 2022, the Nokia Deepfield research team has seen increased DDoS activity aimed at targets on both sides of the conflict. DDoS attacks have been aimed primarily at government sites, CSPs and banks. Some of this DDoS activity was short-lived (less than five minutes), meaning it was likely used as a diversion for other malware and intrusion attack vectors.
Initial DDoS attack vectors were mostly amplification/reflection and flooding, followed by HTTP/DNS attacks. Additional attack vectors were then added and combined, mostly employing botnet and amplification/reflection attacks from sources located in other, non-neighbouring countries. Consequently, some CSPs noticed increased upstream traffic towards their peering and transit partners, in some cases to the point of noticeable degradation of downstream services. For several CSPs, the fact that devices in their networks (and their customers’ networks) could be co-opted into a conflict that is geographically constrained but has no limits in cyberspace was the signal to start looking into new DDoS security solutions or multi-layer security models.
Turning to AI for defence
For more than 95% of DDoS attacks, defence is no longer about looking at what’s inside the packet. Instead, it’s about who or what is sending the packets, and about better understanding the larger internet security context. Additionally, while CSPs have traditionally guarded only the front door (i.e., peering/transit links), attacks now come from many other entry points, including their customers, their partners (e.g., cloud providers) and even compromised devices in their own networks. Legacy solutions do not adequately monitor DDoS traffic originating from these new entry points.
An approach driven by big-data analytics that correlates network traffic in real time with broader internet context (e.g., what type of device sits behind a source IP address), combined with the programmability of the latest generation of IP routers, is much more effective at detecting botnet DDoS activity, and does so with fewer false positives. It also enables more agile and granular network-based mitigation. Additionally, progress in artificial intelligence and machine learning has produced security models that can be trained on real-world data for even more advanced DDoS detection and mitigation.
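The two detection ideas above, deciding by who is sending rather than by what is in the packet, and watching every entry point rather than only the peering links mentioned in the earlier section on attack origins, are easier to see in code. The following Python is an added example and is not Nokia Deepfield’s or the article’s code. The flow records, the prefix-to-device-class enrichment table, the ingress labels and all thresholds are constructed assumptions; real deployments would draw the device class from subscriber, hosting and fingerprinting data.

```python
"""Botnet DDoS detection by source context, not packet contents.

Added example; not Nokia Deepfield's or the article's code. The flow
records, the prefix-to-device-class table, the ingress labels and every
threshold below are constructed assumptions for illustration.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

WINDOW_S = 10  # assumed length of the observation window, in seconds


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    nbytes: int
    ingress: str  # where the flow entered the CSP: peering, customer, cloud_direct


# Constructed enrichment table (assumption): which kind of device sits
# behind a source prefix.
DEVICE_CLASS = {
    ip_network("100.64.0.0/10"): "iot_cpe",        # CGNAT residential devices
    ip_network("203.0.113.0/24"): "cloud_instance",
    ip_network("198.51.100.0/24"): "enterprise",
}
BOT_PRONE = {"iot_cpe", "cloud_instance"}


def classify(src: str) -> str:
    addr = ip_address(src)
    return next((cls for net, cls in DEVICE_CLASS.items() if addr in net), "unknown")


def mbps(nbytes: int) -> float:
    return nbytes * 8 / WINDOW_S / 1e6


def per_source_rate_alerts(flows, mbps_threshold=50.0):
    """Legacy check: flag any single source above a rate threshold. Each bot
    stays far below the threshold, so a botnet never trips it, while one
    legitimate bulk transfer does."""
    by_src = defaultdict(int)
    for f in flows:
        by_src[f.src] += f.nbytes
    return sorted(s for s, b in by_src.items() if mbps(b) > mbps_threshold)


def botnet_alerts(flows, min_sources=200, min_aggregate_mbps=500.0,
                  min_bot_share=0.8, monitored_ingress=None):
    """Context check: per destination, count distinct sources and the device
    class of each. Alert when many distinct, individually low-rate sources
    from bot-prone classes converge on one target. monitored_ingress=None
    watches every entry point; a set restricts the view to those ingresses."""
    per_dst = defaultdict(lambda: {"nbytes": 0, "sources": set(), "classes": Counter()})
    for f in flows:
        if monitored_ingress is not None and f.ingress not in monitored_ingress:
            continue
        d = per_dst[f.dst]
        d["nbytes"] += f.nbytes
        if f.src not in d["sources"]:
            d["sources"].add(f.src)
            d["classes"][classify(f.src)] += 1
    alerts = {}
    for dst, d in per_dst.items():
        n = len(d["sources"])
        bot_share = sum(d["classes"][c] for c in BOT_PRONE) / n
        agg = mbps(d["nbytes"])
        if n >= min_sources and agg >= min_aggregate_mbps and bot_share >= min_bot_share:
            alerts[dst] = {"sources": n, "aggregate_mbps": agg,
                           "avg_mbps_per_source": agg / n,
                           "bot_share": bot_share, "classes": dict(d["classes"])}
    return alerts


def build_sample_flows():
    """Constructed traffic for one window: 400 IoT bots (250 inside the CSP's
    own customer base, 150 arriving via peering) plus 100 cloud instances over
    a direct cloud link, all hitting 192.0.2.10 at 1.6-4 Mbps each; a little
    benign traffic; and one legitimate 64 Mbps bulk transfer."""
    flows = []
    for i in range(400):
        src = f"100.64.{1 + i // 200}.{1 + i % 200}"
        flows.append(Flow(src, "192.0.2.10", 2_000_000, "customer" if i < 250 else "peering"))
    for j in range(100):
        flows.append(Flow(f"203.0.113.{1 + j}", "192.0.2.10", 5_000_000, "cloud_direct"))
    for k in range(5):
        flows.append(Flow(f"198.51.100.{1 + k}", "192.0.2.20", 1_000_000, "customer"))
    flows.append(Flow("198.51.100.9", "192.0.2.30", 80_000_000, "peering"))
    return flows


if __name__ == "__main__":
    flows = build_sample_flows()
    print("legacy per-source alerts:", per_source_rate_alerts(flows))
    print("peering-only view:", botnet_alerts(flows, monitored_ingress={"peering"}))
    print("all entry points:", botnet_alerts(flows))
```

Run stand-alone, the legacy per-source threshold flags only the enterprise bulk transfer and misses the 500-device attack entirely, because no bot exceeds 4 Mbps. The context-based check restricted to the peering “front door” also stays silent: it sees just 150 of the sources and 240 Mbps. Only when customer and direct cloud-link ingress are included does it report the target, with 500 distinct sources, 1,040 Mbps aggregate and about 2 Mbps per device, the profile the article describes.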