Bots and DDoS attacks: a primer

My friends Paul and Robin Laudanski at CastleCops have been under a huge DDoS attack for over a week. The attack has initiated sustained malicious loads over 1GB/s.

[ RogerGrimes's column is now a blog! Get the latest IT security news from the Security Adviser blog. ]

While that number is incredible in itself, it’s just on the high side of average. Some DDoS attacks come in at 10 GB/s and last for months. Many Web sites, including those dedicated to fighting spam, phishing, and malware in general, have been completely pushed off the Internet forever by DDoS attacks. The bad guys have often won.

I talked to VeriSign about the latest DNS root server attack in last week's column and mentioned that I was surprised to learn that the DNS infrastructure still isn’t more inherently resistant to DDoS attacks, even after all these years and attacks. With this information and CastleCops' situation in mind, I figured that now is a good time to cover botnets and DDoS attacks.

Bots on the Brain

Bots are the more intelligent C&C (command-and-control) versions of yesterday’s remote-access Trojan. There is a definitive architecture to bots, bot nets, and their damage. Bots are coded by either an individual or a team. Several recent disassembled bots revealed a development architecture that rivals legitimate application projects with phases, testing, bug fixing, and development forks.

Most bots use one or more attacks to break into remote machines. Patched and unpatched Microsoft vulnerabilities are popular on the client side; flawed PHP programs are a common target to compromise Web servers. The bot is often coded to a particular specification (what it will do, how it breaks in, etc.) from a malicious requestor or created and sold speculatively like housing investments in the physical world.

Once coded, the bot is used to compromise multiple machines and make a bot network (or botnet). The number of exploited PCs in a botnet may range from a few thousand to over 100,000 machines, all under one person's (or one team's) command and control. Several experts have speculated that up to one-fourth of all computers on the Internet could be under the control of a bot at one point or time.

Bots are auto-updating and always moving. When they break into a computer, they immediately maliciously modify the host and then contact another previously exploited site (called a "mothership") to download more code. The newly downloaded program then contacts another server, and the whole cycle continues over and over again until the final program receives its instructions (DDoS, spam, password stealing, etc.).

All of the bots in a botnet are run from a handful of mothership servers, known as C&C servers. Hackers connect to the C&C servers to issue instructions to the compromised computers. Take down the C&C servers, and you’ve effectively killed the botnet or the hacker's control of the botnet -- at least temporarily.