A botnet is composed of a number of Internet-connected devices, like computers or IoT devices, each of which is running one or more bots. Botnet owners control them using command and control (C&C) software to perform a variety of (typically malicious) activities that require large-scale automation. These include:
Distributed denial-of-service (DDoS) attacks that cause unplanned application downtime
Validating lists of leaked credentials (credential-stuffing attacks) leading to account takeovers
Web application attacks to steal data
Providing an attacker access to a device and its connection to a network
Note that botnets are increasingly rented out by cyber criminals for a variety of purposes and are a threat to any Internet-facing business. This means that attackers no longer need the expertise to construct their own botnets; they can simply use botnets already built by other parties.
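Because a botnet spreads a credential-stuffing run across many bots, each source address makes only a handful of attempts and a classic per-IP rate limit never fires. The following added example (not code from the page or from Akamai) contrasts that per-IP control with a window-wide view over a constructed authentication log; the log lines, thresholds and function names are all assumptions made for the illustration.

```python
from collections import Counter

# Constructed sample auth log (not from the page), one record per line:
# "timestamp source_ip username result". Forty bot addresses each try two
# different leaked username/password pairs; exactly one attempt succeeds.
SAMPLE_LOG = ["2017-08-01T10:00:00Z 198.51.100.7 alice OK",
              "2017-08-01T10:00:05Z 198.51.100.7 alice OK"]
for i in range(40):
    for j in range(2):
        result = "OK" if (i, j) == (17, 0) else "FAIL"
        SAMPLE_LOG.append(
            f"2017-08-01T10:00:{10 + i:02d}Z 203.0.113.{i + 1} user{2 * i + j} {result}")

def parse(lines):
    """Split 'time ip user result' lines into tuples; malformed lines are skipped."""
    return [tuple(p) for p in (line.split() for line in lines) if len(p) == 4]

def per_ip_rate_limit(records, max_attempts=10):
    """Classic per-source control: addresses exceeding max_attempts in the window."""
    counts = Counter(ip for _, ip, _, _ in records)
    return {ip for ip, n in counts.items() if n > max_attempts}

def aggregate_stats(records):
    """Window-wide view that spreading the load across bots does not dilute."""
    ips = Counter(ip for _, ip, _, _ in records)
    users = {user for _, _, user, _ in records}
    fails = sum(1 for *_, result in records if result == "FAIL")
    return {"attempts": len(records), "distinct_ips": len(ips),
            "distinct_users": len(users), "max_per_ip": max(ips.values(), default=0),
            "fail_ratio": fails / len(records) if records else 0.0}

def is_distributed_stuffing(stats, min_ips=20, min_fail_ratio=0.8, min_users_per_ip=1.5):
    """Flag a window with a high failure rate spread thinly over many sources, each
    cycling through different usernames. Thresholds are illustrative assumptions."""
    if stats["distinct_ips"] == 0:
        return False
    users_per_ip = stats["distinct_users"] / stats["distinct_ips"]
    return (stats["distinct_ips"] >= min_ips and stats["fail_ratio"] >= min_fail_ratio
            and users_per_ip >= min_users_per_ip)

def suspect_takeovers(records):
    """Accounts with a successful login from a source that also failed in the window."""
    failing_ips = {ip for _, ip, _, result in records if result == "FAIL"}
    return sorted({user for _, ip, user, result in records
                   if result == "OK" and ip in failing_ips})

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(per_ip_rate_limit(recs), is_distributed_stuffing(aggregate_stats(recs)),
          suspect_takeovers(recs))
```

On the constructed log the per-IP limit flags nothing (no address exceeds two attempts), while the aggregate view flags the window and isolates the one account that was taken over.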
Understanding the Botnet problem
How Many Bots Are In a Botnet?
The number of bots will vary from botnet to botnet and depends on the ability of the botnet owner to infect unprotected devices. Some examples:
A DDoS attack in August 2017 against an Akamai customer was observed to have originated from a botnet comprising more than 75,000 bots
When the Mirai botnet was discovered in September 2016, Akamai was one of its first targets. Our platform continued to receive and successfully defend against attacks from the Mirai botnet thereafter. Akamai research offers a strong indication that Mirai, like many other botnets, is now contributing to the commoditization of DDoS. While many of the botnet’s C&C nodes were observed conducting “dedicated attacks” against select IPs, even more were noted as participating in what would be considered “pay-for-play” attacks. In these situations, Mirai C&C nodes were observed attacking IPs for a short duration, going inactive, and then re-emerging to attack different targets.
The PBot Malware
The PBot DDoS malware re-emerged as the foundation for the strongest DDoS attacks seen by Akamai during the second quarter of 2017. In the case of PBot, malicious actors used decades-old PHP code to generate a massive DDoS attack. Attackers were able to create a mini-DDoS botnet capable of launching a 75 gigabits per second (Gbps) DDoS attack. Interestingly, although the PBot botnet was composed of a relatively small 400 nodes, it was able to generate a significant level of attack traffic.
Protecting Against Botnets
It is important to understand that a botnet is just a collection of Internet-connected devices under the command and control of a botnet owner. As such, a botnet can be used to launch different types of attacks, each of which may require a different type of protection. Akamai provides several Cloud Security Solutions for detecting and protecting against botnets. These include: