How Hackers Use Botnets to Break Your Favorite Websites

The power of botnets is increasing. A sufficiently organized and globalized botnet will take down portions of the internet, not just single sites, such is the power they wield. Despite their huge power, the largest DDoS attack didn’t use a traditional botnet structure.

Let’s look at how a botnet’s power expands, and why the next enormous DDoS you hear about will be bigger than the last.

How Do Botnets Grow?

The SearchSecurity botnet definition states that “a botnet is a collection of internet-connected devices, which may include PCs, servers, mobile devices and internet of things devices that are infected and controlled by a common type of malware. Users are often unaware of a botnet infecting their system.”

Botnets are different from other malware types in that they are a collection of coordinated infected machines. Botnets use malware to extend the network to other systems, predominantly using spam emails with an infected attachment. They also have a few primary functions, such as sending spam, data harvesting, click fraud, and DDoS attacks.

The Rapidly Expanding Attack Power of Botnets

Until recently, botnets had a few common structures familiar to security researchers. But in late 2016, things changed. A series of enormous DDoS attacks made researchers sit up and take note.

  1. September 2016. The newly discovered Mirai botnet attacks security journalist Brian Krebs’ website with 620Gbps, massively disrupting his website but ultimately failing due to Akamai DDoS protection.
  2. September 2016. The Mirai botnet attacks French web host OVH, strengthening to around 1Tbps.
  3. October 2016. An enormous attack took down most internet services on the U.S. Eastern seaboard. The attack was aimed at DNS provider, Dyn, with the company’s services receiving an estimated 1.2Tbps in traffic, temporarily shutting down websites including Airbnb, Amazon, Fox News, GitHub, Netflix, PayPal, Twitter, Visa, and Xbox Live.
  4. November 2016. Mirai strikes ISPs and mobile service providers in Liberia, bringing down most communication channels throughout the country.
  5. March 2018. GitHub is hit with the largest recorded DDoS, registering some 1.35Tbps in sustained traffic.
  6. March 2018. Network security company Arbor Networks claims its ATLAS global traffic and DDoS monitoring system registers 1.7Tbps.

These attacks escalate in power over time. But prior to this, the largest ever DDoS was the 500Gbps attack on pro-democracy sites during the Hong Kong Occupy Central protests.

Part of the reason for this continual rise in power is an altogether different DDoS technique that doesn’t require hundreds of thousands of malware-infected devices.

Memcached DDoS

The new DDoS technique exploits the memcached service. Of those six attacks, the GitHub and ATLAS attacks use memcached to amplify network traffic to new heights. What is memcached, though?


Well, memcached is a legitimate service running on many Linux systems. It caches data and eases the strain on data storage, like disks and databases, reducing the number of times a data source must be read. It is typically found in server environments, rather than on your Linux desktop. Furthermore, systems running memcached shouldn’t be directly reachable from the internet (you’ll see why).

Memcached communicates using the User Datagram Protocol (UDP), allowing communication without authentication. In turn, this means basically anyone who can reach an internet-connected machine running the memcached service can communicate directly with it, as well as request data from it (that’s why it shouldn’t be connected to the internet!).

The unfortunate downside to this functionality is that an attacker can spoof the internet address of the machine making a request. So, the attacker spoofs the address of the site or service to DDoS and sends a request to as many memcached servers as possible. The memcached servers’ combined response becomes the DDoS and overwhelms the site.

Memcached DDoS reflection attack trends and botnets

This unintended functionality is bad enough on its own. But memcached has another unique “ability.” Memcached can massively amplify a small amount of network traffic into something stupendously large. Certain commands sent over UDP result in responses much larger than the original request.

The resulting amplification is known as the Bandwidth Amplification Factor, with attack amplification ranging between 10,000 and 52,000 times the original request. (Akamai believes memcached attacks can “have an amplification factor over 500,000!”)
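The amplification factor described above is the ratio of reply bytes to request bytes, and that ratio is also what a defender looks for in flow data. The following is an added example, not code from the article: it pairs inbound UDP requests to port 11211 with the outbound replies from that port in constructed NetFlow-style records and flags any (peer, server) pair whose reply volume dwarfs the request. The thresholds, the record layout and all addresses are assumptions made for the example.

```python
"""Flow-based detection of memcached UDP reflection/amplification.

Added example, not from the original article. Each record is a constructed
NetFlow-style summary: src/dst IP, ports, protocol and total bytes. The
logic pairs inbound requests to UDP/11211 with outbound replies from 11211
and computes a per-peer bandwidth amplification factor (reply bytes divided
by request bytes). Thresholds are assumptions for this example.
"""
from collections import defaultdict

MEMCACHED_PORT = 11211
# Assumed thresholds: a real cache client sees a small ratio, and the article
# cites 10,000x to 52,000x for abuse, so 1,000x is a conservative alarm level.
AMPLIFICATION_ALARM = 1000.0
MIN_REPLY_BYTES = 100_000

# Constructed sample flows (not real traffic).
SAMPLE_FLOWS = [
    # Legitimate client: small request, modest reply.
    {"src": "10.0.0.5", "sport": 40001, "dst": "10.0.0.9", "dport": 11211, "proto": "udp", "bytes": 60},
    {"src": "10.0.0.9", "sport": 11211, "dst": "10.0.0.5", "dport": 40001, "proto": "udp", "bytes": 1200},
    # Reflection: a tiny request carrying a spoofed source, and a huge reply sent to that source.
    {"src": "203.0.113.7", "sport": 40002, "dst": "10.0.0.9", "dport": 11211, "proto": "udp", "bytes": 15},
    {"src": "10.0.0.9", "sport": 11211, "dst": "203.0.113.7", "dport": 40002, "proto": "udp", "bytes": 750_000},
    # TCP to the same port cannot be reflected this way (no spoofed handshake); ignored.
    {"src": "10.0.0.6", "sport": 50000, "dst": "10.0.0.9", "dport": 11211, "proto": "tcp", "bytes": 300},
]


def amplification_by_peer(flows):
    """Return {(peer_ip, server_ip): (request_bytes, reply_bytes, factor)} for UDP/11211 traffic."""
    requests = defaultdict(int)
    replies = defaultdict(int)
    for f in flows:
        if f["proto"] != "udp":
            continue
        if f["dport"] == MEMCACHED_PORT:
            # Inbound request: the peer is the (possibly spoofed) source address.
            requests[(f["src"], f["dst"])] += f["bytes"]
        elif f["sport"] == MEMCACHED_PORT:
            # Outbound reply: the peer is the destination address.
            replies[(f["dst"], f["src"])] += f["bytes"]
    result = {}
    for key in set(requests) | set(replies):
        req, rep = requests.get(key, 0), replies.get(key, 0)
        # Replies with no observed request are treated as unbounded amplification.
        factor = rep / req if req else float("inf")
        result[key] = (req, rep, factor)
    return result


def suspected_reflection(flows):
    """List of (victim_ip, server_ip, factor) for pairs that look like reflection."""
    hits = []
    for (peer, server), (req, rep, factor) in amplification_by_peer(flows).items():
        if rep >= MIN_REPLY_BYTES and factor >= AMPLIFICATION_ALARM:
            hits.append((peer, server, factor))
    return hits


if __name__ == "__main__":
    for victim, server, factor in suspected_reflection(SAMPLE_FLOWS):
        print(f"server {server} reflecting toward {victim}: amplification {factor:.0f}x")
```

The peer address in a hit is the victim, not the attacker: it is the spoofed source that the server dutifully answered. In production the same pairing works on exported flow records from a border router; the byte threshold keeps a single large but legitimate `get` from raising an alarm.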

What’s the Difference?

You see, then, that the major difference between a regular botnet DDoS, and a memcached DDoS, lies in their infrastructure. Memcached DDoS attacks don’t need an enormous network of compromised systems, relying instead on insecure Linux systems.

High-Value Targets

Now that the potential of extremely powerful memcached DDoS attacks is in the wild, expect to see more attacks of this nature. But the memcached attacks that have taken place already—not on the same scale as the GitHub attack—have thrown up something different to the norm.

Security firm Cybereason closely tracks the evolution of memcached attacks. During their analysis, they spotted the memcached attack in use as a ransom delivery tool. Attackers embed a tiny ransom note requesting payment in Monero (a cryptocurrency), then place that file onto a memcached server. When the DDoS starts, the attacker requests the ransom note file, causing the target to receive the note over and over again.

Staying Safe?

Actually, there is nothing you can do to stop a memcached attack. In fact, you won’t know about it until it finishes. Or, at least until your favorite services and websites are unavailable. That is unless you have access to a Linux system or database running memcached. Then you should really go and check your network security.
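For anyone who does administer a memcached host, the check that matters is whether the daemon answers UDP on an address reachable from the internet. The following is an added example, not code from the article or from the memcached project: it parses the one-option-per-line format used by Debian-style /etc/memcached.conf files (`-l` listen address, `-U` UDP port, `-p` TCP port are real memcached options) and reports the exposure conditions the reflection attacks abuse. The two sample configurations are constructed for the example.

```python
"""Audit a Debian-style memcached.conf for internet exposure.

Added example, not from the original article. Reads the one-option-per-line
format used by /etc/memcached.conf and reports whether the daemon would
answer UDP from non-loopback addresses. Option names are memcached's own
(-l, -U, -p); the sample configurations are constructed.
"""
import shlex

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
WILDCARD = {"0.0.0.0", "::"}

# Constructed weak configuration: UDP on, listening on every interface.
SAMPLE_WEAK_CONF = """\
# constructed sample, not a real host's config
-m 64
-p 11211
-U 11211
-l 0.0.0.0
"""

# Constructed hardened configuration: UDP off, loopback only.
SAMPLE_HARDENED_CONF = """\
# constructed sample
-m 64
-p 11211
-U 0
-l 127.0.0.1
"""


def parse_memcached_conf(text):
    """Return {option: [values]} from a one-option-per-line memcached.conf."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line.startswith("-"):
            continue
        parts = shlex.split(line)
        values = []
        for v in parts[1:]:
            values.extend(v.split(","))  # -l accepts a comma-separated address list
        opts.setdefault(parts[0], []).extend(values)
    return opts


def audit(text):
    """Return a list of human-readable exposure findings; empty means nothing flagged."""
    opts = parse_memcached_conf(text)
    findings = []

    listen = opts.get("-l", [])
    if not listen or any(a in WILDCARD for a in listen):
        findings.append("listens on all interfaces (-l missing or wildcard); bind to 127.0.0.1 or an internal address")
    elif any(a not in LOOPBACK for a in listen):
        findings.append("listens on a non-loopback address (" + ",".join(listen) + "); confirm it is firewalled from the internet")

    udp = opts.get("-U")
    if udp is None:
        findings.append("-U not set: UDP is disabled by default since memcached 1.5.6 but enabled in older releases; set -U 0 explicitly")
    elif udp[-1] != "0":
        findings.append(f"UDP enabled on port {udp[-1]} (-U {udp[-1]}); set -U 0 unless UDP is genuinely required")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", SAMPLE_WEAK_CONF), ("hardened", SAMPLE_HARDENED_CONF)):
        print(label + ":", audit(conf) or ["no findings"])
```

Run it against the real file with `audit(open("/etc/memcached.conf").read())`; a clean result still assumes the host's firewall agrees with the config, so pair it with a check that UDP 11211 is not reachable from outside.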

For regular users, the focus really remains on regular botnets spread via malware. That means

Staying safe isn’t a chore—it just requires a little vigilance.

Image Credit: BeeBright/Depositphotos


  1. Davin Peterson
    March 30, 2018 at 11:21 pm

    Websites like CNET's Download.com have many ads on them, so you could accidentally click on the wrong link. So, it's best to download from the developer's website.

    One thing you didn't mention are those fake antivirus software pop-ups