DataDome
Bot Protection Guide

How to stop and prevent botnet attacks on your website and server.

Table of contents
22 Sep, 2021
|
min

Among the many different cybersecurity threats that occur on the internet, DDoS attacks are among the deadliest and the most difficult to contain. The number of DDoS attacks around the world are continuously rising, 2020 being a particularly bad year due to the major shift to more online activity. This left many businesses wondering how to stop bot attacks.

DDoS attacks typically use botnets, which are computers or other devices that have been infected by malware and are now under the control of the hacker. Hackers can also use these botnets for various other cybersecurity threats like data theft, account takeover, web content scraping, ticket scalping, and more.

In this guide, we are going to discuss how to stop and prevent botnet attacks on your website and server. We will discuss the different types of botnet attacks, and how we can effectively prevent and mitigate incoming botnet attacks.

However, let us begin by discussing the concepts of botnets and botnet attacks.

What is a botnet?

First things first: a bot is an automated software program that is designed to perform a specific task over the internet. A content scraping bot, for example, is designed just to save content on many different web pages.

A botnet is a network or cluster of such bots, typically using a group of computers (or other devices) that have been infected by malware and are now under the control of the malware owner. These botnets are being used to attack (and often infect) other computers and devices.

Typically, hackers will do all they can to ensure that the victims aren’t aware of the infection, which will allow them to exploit the botnet for as long as possible.

How are botnets created?

To create a botnet, hackers begin by creating a piece of malware (or getting a ready-to-use malware that can be modified) that can be used to remotely control an infected host computer or other device.

A notable thing about a botnet is that after a computer has been compromised, it can then infect other devices it interacts with, for example by automatically sending spam emails. With this method, hackers can get hundreds, thousands, and even millions of computers under their control.

The malware in question is often Trojan-type viruses, which disguise themselves as harmless files, tricking users into clicking the executable file. For example:

  • A seemingly harmless email attachment like an attractive image, seemingly important document (invoice, special offer), and so on. Clicking to download the attachment will trigger the malware’s installation

  • Software (or .exe file) downloaded from an untrustworthy source, which might be a botnet malware

  • Pop-up advertising or notification, where clicking on the ad will download an executable file

It’s also important to note that botnet malware isn’t only infecting personal computers and laptops, but also smartphones and even IoT devices like surveillance cameras, gaming consoles, and so on.

Botnets can ‘spread’, that is, infect other devices, in both active and passive ways:

  1. Active: the botnet can spread itself without needing any user intervention. Typically an active botnet has a designed mechanism to find other potential hosts on the internet (i.e. computers with known vulnerabilities) and will infect them when possible.
  2. Passive: the botnet can only infect other devices with the help of human intervention. For example, the botnet may run a phishing or social engineering attack to infect other devices.

What is a botnet attack?

Simply put, a botnet attack is any malicious activity attempted by a hacker or cybercriminal using the botnet.

The most common form of botnet attack is the DDoS (Distributed Denial of Service) attack. The hacker will use the botnet to send a massive amount of requests and/or traffic to a website or web server to overwhelm it, which prevents it from serving its real users (hence, denial of service).

However, there are also other forms of malicious attacks that can be performed by botnets, including but not limited to:

  • Spam attacks: when a web server with SMTP or POP3 is turned into a part of a botnet, it can be used to send spam and fraud emails in an attempt to fraud the recipient, infect the device with malware, and other means.

  • Cryptocurrency mining: a common type of cybersecurity threat in recent years, the botnet is hijacked to mine cryptocurrency for the attacker’s financial gain

  • Fraud traffic: generate fake web traffic or fraud-clicking ads to drive revenue

  • Ransom: infect devices with ransomware and ask for money to ‘release’ the device, or coerce payment from users to remove their device from the botnet

  • Spyware: the botnet spies for user’s activities like passwords, credit card information, and other sensitive data, and then reports it to the botnet’s owner. The attacker can then sell this sensitive data on the illegal market.

Also, the botnet can be sold or rented out to other hackers.

Different types of botnets

We can differentiate various types of botnets based on how they are controlled by the attacker. There are actually various methods the hacker can use to command and control the botnet; some are more sophisticated than other methods.

Typically for a bigger botnet, a main ‘herder’ or owner can control the whole botnet from a central server, while other, smaller herders can control a smaller portion of the botnet.

While there are various different types of botnets, here are some of the most common ones:

  1. Command and Control (or C&C): in this type, all devices in the botnet communicate with one central herder or server
  2. IRC: or, Internet Relay Chat. This type of botnet focuses on using low bandwidth and simpler communication (like mIRC) to mask its identity and avoid detection.
  3. Telnet: in this type of botnet control, all devices in the botnet are connected to the main command server, so it is a subtype of C&C. The main difference is that new computers are added to the botnet via a scanning script that runs on an external server. Once login is found by the scanner, it is then infected with malware via SSH.
  4. Domains: an infected device accesses web pages or domains that distribute commands. The botnet owner can update the code from time to time.
  5. P2P: In this type, the botnets are not connected to a central server but instead are connected peer to peer. Each infected device in the botnet acts as both a server and a client.

Challenges in stopping and preventing botnet attacks

With so many botnets circulating on the internet today, protection is essential—but it’s not easy. Botnets are continuously mutating to take advantage of vulnerabilities and security flaws. Thus, each botnet can be significantly different from the others.

Botnet operators know that the more IP addresses and devices they use in their attacks, the harder it is for bot defense technologies to confidently screen out bad requests for access to websites and APIs, and to confidently allow access to valid requests from customers or partners.

The explosion of IP-addressable IoT devices has made it easier than ever for botnets to spread their tentacles. IoT devices are typically more vulnerable than personal computers, with weaker protective measures. Infected IoT devices make it easy for attackers to stage low and slow attacks, where vast numbers of IP addresses make only a few requests. This type of botnet attack is exceptionally difficult to screen and protect against at the IP or network behavior level.

Simply put, preventing and stopping bot attacks requires sophisticated detection capabilities.

How to stop and prevent botnet attacks

1. Keep your software up to date

New viruses and malware are created every single day, so it’s very important to ensure your whole system is also up-to-date to prevent botnet attacks.

A lot of botnet attacks are designed to exploit vulnerabilities in apps or software, a lot of them have potentially been fixed in the form of security updates or patches. So, make a habit of updating your software and OS regularly. You wouldn’t want to get infected by malware or any other types of cybersecurity threats just because you neglected to update software.

2. Closely monitor your network

Closely monitor your network for unusual activities. This will be much more effective if you have a better understanding of your typical traffic and how everything typically behaves ordinarily.

24-hour monitoring of the network should be the policy if possible, by using analytics and data-collection solutions that can automatically detect anomalous behavior, such as botnet attacks.

3. Monitor failed login attempts

One of the biggest threats to online companies is account takeover, or ATO. Botnets are often used to test large volumes of stolen username and password combinations in order to gain unauthorized access to user accounts.

Monitoring your usual rate of failed login attempts will help you establish a baseline, so that you can set up alerts to inform you of any spikes in failed logins, which may be a sign of a botnet attack. Do note that “low and slow” attacks coming from vast numbers of different IP addresses may not trigger these botnet attack alerts.

Read More

4. Implement an advanced botnet detection solution

The best approach to protecting your website and web server from botnet attacks is to invest in an advanced botnet detection software like DataDome, that can perform real-time botnet detection and employ top-level bot mitigation methods.

While botnet operators are now very sophisticated in masking the botnet’s identity, DataDome’s AI-powered solution can perform real-time behavioral analysis to detect botnet traffic and block all botnet activities before they even reach your web server. Implementing bot management and protection can even improve your initial server response time.

DataDome pools data from thousands of sites, analyzes billions of requests every day, and uses advanced machine learning to continuously update the algorithm. In this way, the botnet prevention solution can detect both familiar botnets and new threats in real time.

Best of all, DataDome requires no active botnet mitigation or other daily intervention on your part. Just set up your allow list of trusted partner bots, then DataDome will take care of all your unwanted traffic while you focus on more valuable projects.

End words

Botnet attacks can be extremely dangerous. Using the above methods, you can implement an effective defense against botnet and malware attacks. In general, however, investing in a real-time anti-botnet detection software such as DataDome remains the best approach to protect your site from botnet attacks and malware infestation.

Datadome

Experience everything DataDome

Schedule a demo of the DataDome platform to see how you can start blocking bots and preventing cyberfraud.