The botnet is then used by the attacker (or sold or rented) to accomplish some sort of malicious activity. Denial of service attacks are very common, but bots can also steal user passwords, send spam or phishing e-mails, sniff traffic, steal identities, or affect the outcome of online polls (some people believe that's how Ruben won over Clay).
A 30,000-bot network can easily generate 1GB/s of malicious traffic, as CastleCops unfortunately knows. How many Web sites can withstand that type of attack? Not many, but there are defenses beyond simply ramping up bandwidth.
The most common defense is to filter out bad traffic at the Web site router or upstream neighbor. By the time it is filtered out at the Web site, the DDoS attack is usually already affecting all other servers and clients sharing the same ISP bandwidth pipe, so upstream filtering is better for all. Unfortunately, that takes additional coordination, and not all ISPs have the resources to deal with DDoS attacks.
Furthermore, it can be difficult to differentiate between legitimate and malicious traffic, and bots often use spoofed origination IP addresses to make it even more difficult. DDoS attacks using spoofed IP addresses can be stopped with ISP egress filtering as detailed in RFC 2827, written in May 2000 by my friend Paul Ferguson.
Unfortunately, it's been seven years, and the majority of ISPs have yet to implement RFC 2827's basic instructions. I don't have hope that they ever will without government regulation.
A botnet can also use legitimate IP addresses or send requests that mimic legitimate requests. Some DDoS attacks are known as HTTP recursion attacks because they pretend to be a legitimate customer but request every possible Web page, thereby overwhelming the server.
These attacks are specifically customized for the Web site target, requesting pages that actually exist on the server. They also send requests at a slow pace, from one per second to one per minute, of course multiplied by tens of thousands of malicious requesting clients. The idea is to force very legitimate-looking requests, which are difficult to mass filter out without affecting legitimate customer requests.
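As an added illustration (not part of the original column) of why these slow, legitimate-looking requests are hard to mass-filter: a constructed access log with one ordinary visitor and one client walking the whole site at one request per second. A per-IP rate limit sees nothing, while scoring how much of the site map a client covers and how metronomic its timing is does single it out. The site map, IP addresses and thresholds are constructed for the demo, not taken from CastleCops.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
# Constructed site map and access log (Common Log Format) for this demo.
# 10.0.0.5 is a normal visitor; 10.0.0.9 walks every page at a steady one
# request per second, the low-rate "HTTP recursion" pattern described above.
SITE_PAGES = {"/", "/about", "/faq", "/forum", "/login"}
SAMPLE_LOG = """\
10.0.0.9 - - [10/Oct/2007:13:55:30 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2007:13:55:31 +0000] "GET /about HTTP/1.1" 200 2210
10.0.0.9 - - [10/Oct/2007:13:55:32 +0000] "GET /faq HTTP/1.1" 200 3300
10.0.0.5 - - [10/Oct/2007:13:55:32 +0000] "GET / HTTP/1.1" 200 5120
10.0.0.9 - - [10/Oct/2007:13:55:33 +0000] "GET /forum HTTP/1.1" 200 8800
10.0.0.5 - - [10/Oct/2007:13:55:34 +0000] "GET /forum HTTP/1.1" 200 8800
10.0.0.9 - - [10/Oct/2007:13:55:34 +0000] "GET /login HTTP/1.1" 200 1200
10.0.0.5 - - [10/Oct/2007:13:55:51 +0000] "GET /forum HTTP/1.1" 200 8800
"""
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "GET (\S+) HTTP/[\d.]+" \d+ \d+$')

def parse_log(text):
    # Group (timestamp, path) per client IP, preserving log order.
    clients = defaultdict(list)
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
            clients[m.group(1)].append((ts, m.group(3)))
    return clients

def rate_suspects(clients, max_rps=10.0):
    # Classic per-IP rate limit: only clients above max_rps get flagged.
    flagged = set()
    for ip, reqs in clients.items():
        span = (reqs[-1][0] - reqs[0][0]).total_seconds() or 1.0
        if len(reqs) / span > max_rps:
            flagged.add(ip)
    return flagged

def behaviour_suspects(clients, site_pages, min_coverage=0.75, max_cv=0.25):
    # Flag clients covering most of the site map with metronomic timing
    # (low coefficient of variation of request gaps), however slow they are.
    flagged = set()
    for ip, reqs in clients.items():
        if len(reqs) < 3:
            continue
        coverage = len({p for _, p in reqs} & site_pages) / len(site_pages)
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        if coverage >= min_coverage and cv <= max_cv:
            flagged.add(ip)
    return flagged
```

On the sample log, `rate_suspects` returns nothing while `behaviour_suspects` returns only the crawler; the coverage and timing thresholds would need tuning per site so that real search-engine crawlers and heavy readers are not caught.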
Spend your time protecting against HTTP attacks, and the attacker will just take out your DNS services or the upstream router. Catch the criminal, and odds are they are likely to be treated more harshly for a DUI than for disrupting your business.
I'm surprised, and saddened, that our anti-DDoS defenses haven't improved significantly over the last decade. Sure, there are many anti-DDoS vendors and solutions, but they, like many other defenses, have a hard time implementing a solid solution across the board. The real weakness is our unauthenticated Internet. But as Paul and Robin of CastleCops said, "We're in this for the long haul. We aren't going to be intimidated. We aren't going to go away."