On the Internet today, DDoS attacks are common. You probably already know how to protect your network against them. (If not, more information is here.)
However, there is another dangerous aspect to DDoS attacks that is often ignored: the botnets used to wage them. It’s possible to be part of a botnet attack without your knowledge (or, obviously, your consent).
What is a Botnet Attack?
Botnets are created by cybercriminals, in order to wage DDoS attacks. A DDoS (Distributed Denial of Service) requires the attacker to send massive volumes of traffic to the targeted network, to overwhelm it and prevent it from providing normal service to its intended users. The massive volume of traffic has to be generated from somewhere; this is the job of the botnet.
Simply put, “A botnet is a number of Internet-connected devices, each of which is running one or more bots.” Botnets allow attackers to control large numbers of Internet-connected devices, each of which can send traffic to the victim.
In a botnet, few if any of the devices are actually owned by the attacker. Most are owned by people or organizations who have no idea that their devices have been hijacked and are being (partially) controlled by someone else. Usually, the compromised device or system will still seem to operate normally, most of the time. (However, when an attack occurs, it takes up memory and compute cycles. As a result, system performance can be significantly degraded.)
Is my system at risk?
The short answer is yes.
Any Internet-facing device and/or system is at risk of being used as a slave in a botnet attack. However, the danger is actually much more serious than that. If an attacker successfully plants a bot on one of your machines, then your network has been severely compromised. It is very likely that you have a hole in your security that can, and will, be exploited in many additional ways.
Five signs indicating your device is part of a botnet
There are many ways to tell if one or more of your devices are part of an active botnet. If you have a robust security solution in place, most likely it will also have extensive monitoring and reporting features that constantly evaluate your traffic for irregular activity. In this case, your security solution will alert you about the activity, and will block it.
If you do not have this type of security solution in place, here are five signs that should raise your suspicions. (Note that this list provides indications, not proof, that your device is part of a botnet. If you see one or more of these signs, you should investigate immediately.)
- Abnormally high web-server CPU load: This indicates there is an aberrant process on your server using excessive resources. Find out what it is, and verify that it’s a legitimate service and not something planted by an intruder.
- Excessive network traffic causing full or partial network blockage: If your users cannot access your web-based resources (e.g., they are receiving error codes 404, 408, 502, 503 and/or 504, whether continuously or intermittently), check the amount of incoming and outgoing traffic. If there is excessive incoming traffic, you might be under a DDoS. If incoming traffic is normal, but unexplained outgoing traffic is clogging up your pipe, then perhaps your system has been hijacked.
- Excessive memory usage: A botnet process can use large amounts of system resources. It might consume much, if not most or even all, of the available system memory.
- Non-native traffic profiles: Is there network traffic over interfaces, protocols, or ports that are not used by any of your services? Suspicious activity across your network could indicate that a malicious actor is using it.
- Outgoing traffic towards a single, or few, destinations: If there is a considerable amount of traffic going out to very few destinations, and you don’t recognize those destinations, then there’s probably an attacker using your system.
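The traffic-based signs above (the second, fourth and fifth in the list) can be turned into a simple first-pass triage over flow records. The following Python is an added example, not code from the original post or from Reblaze; the flow-record layout, the sample records, the expected-service list and the thresholds are all assumptions constructed for illustration, and in practice the records would come from NetFlow/sFlow, a firewall log or a host sensor, with thresholds tuned against a baseline of your own normal traffic.

```python
from collections import defaultdict

# Constructed flow records for this example (not real telemetry). Each tuple is
# (direction, protocol, service_port, remote_ip, bytes), where service_port is the
# server-side port of the connection: the local port for inbound flows and the
# remote port for outbound flows.
SAMPLE_FLOWS = [
    ("in",  "tcp", 443,  "198.51.100.7",    12_000),
    ("out", "tcp", 443,  "198.51.100.7",    54_000),
    ("in",  "tcp", 80,   "203.0.113.9",      3_000),
    ("out", "tcp", 80,   "203.0.113.9",      9_000),
    ("out", "udp", 53,   "192.0.2.53",         400),
    ("out", "tcp", 6667, "192.0.2.10",         800),  # a port none of our services use
    ("out", "udp", 9001, "192.0.2.200",  5_000_000),  # large, repeated, one destination
    ("out", "udp", 9001, "192.0.2.200",  5_000_000),
    ("out", "udp", 9001, "192.0.2.200",  5_000_000),
]

# (protocol, port) pairs this hypothetical web server is supposed to talk on.
EXPECTED_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53)}


def unexpected_services(flows, expected):
    """Sign 4 (non-native traffic): (protocol, port) pairs that no deployed service explains."""
    seen = {(proto, port) for _direction, proto, port, _ip, _n in flows}
    return sorted(seen - set(expected))


def inbound_outbound_bytes(flows):
    """Sign 2 (unexplained outgoing traffic): total bytes in and out, for comparison."""
    totals = {"in": 0, "out": 0}
    for direction, _proto, _port, _ip, n in flows:
        totals[direction] += n
    return totals["in"], totals["out"]


def outbound_by_destination(flows):
    """Bytes sent to each remote address."""
    per_dest = defaultdict(int)
    for direction, _proto, _port, ip, n in flows:
        if direction == "out":
            per_dest[ip] += n
    return dict(per_dest)


def dominant_destinations(flows, share_threshold=0.5):
    """Sign 5 (few destinations): addresses receiving at least share_threshold of outbound bytes."""
    per_dest = outbound_by_destination(flows)
    total = sum(per_dest.values())
    if total == 0:
        return []
    hits = [(ip, n / total) for ip, n in per_dest.items() if n / total >= share_threshold]
    return sorted(hits, key=lambda item: item[1], reverse=True)


def triage(flows, expected, ratio_threshold=10.0, share_threshold=0.5):
    """Run the three traffic checks and return a list of (indicator, detail) findings.
    The thresholds are placeholders; tune them against a baseline of normal traffic."""
    findings = []
    odd = unexpected_services(flows, expected)
    if odd:
        findings.append(("unexpected-service", odd))
    bytes_in, bytes_out = inbound_outbound_bytes(flows)
    if bytes_in and bytes_out / bytes_in >= ratio_threshold:
        findings.append(("outbound-dominates", round(bytes_out / bytes_in, 1)))
    dom = dominant_destinations(flows, share_threshold)
    if dom:
        findings.append(("single-destination", [(ip, round(share, 3)) for ip, share in dom]))
    return findings


if __name__ == "__main__":
    # On the constructed sample all three indicators fire: two unknown (protocol, port)
    # pairs, outbound volume roughly a thousand times inbound, and one address taking
    # well over 99% of outbound bytes.
    for indicator, detail in triage(SAMPLE_FLOWS, EXPECTED_SERVICES):
        print(f"{indicator}: {detail}")
```

A finding from this script is an indication, not proof, exactly as the list says: a legitimate backup job or CDN push can also dominate outbound traffic, so each hit should be matched against the services you know are deployed before anything is shut down.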
My device is part of a botnet: what to do?
As the great Douglas Adams said: “Don’t Panic!”
If you suspect that one or more machines in your system are slaves in a botnet, there are several steps to take. First, turn off the machine(s) in question.
Next, isolate the network that contains the suspect machines. You might even consider shutting it down completely. If a hacker was able to penetrate one machine, then there’s a good chance that other machines in the network were compromised too. Therefore, you need to mitigate other risks (for example, a ransomware attack).
In other words… “Don’t Panic, just pull the plug!”
Next, call the experts. As with all things in life, you need the right tool for the right job. A quick Google search will show many companies that can help determine if your devices are part of a botnet, and can help you mitigate the problem.
Lastly, if this problem occurs, it means that your security system has failed to protect you. Once the immediate botnet problem has been solved, this is the next situation to address. Look for a holistic solution: one that can solve not only this problem (keeping hackers out) but can also provide protection against DDoS attacks, hostile bots, API abuse, and other web-based threats. Search for a company that can offer you a complete and unified solution to protect your system and your web assets from malicious actors.
For more information and/or immediate support, you can contact one of our security specialists that will be happy to assist you: support@reblaze.com