Enterprise Botnet Defense


Botnet Defense

by Geoff Keston

Docid: 00021158

Publication Date: 2006

Report Type: TUTORIAL


Botnets rank among today’s
biggest IT security threats, both in their impact across the world and
the danger
they pose to individual enterprises. But while security firms and law
enforcement agencies attack botnets at their core command servers,
individual organizations are left to fend for themselves.
Fortunately for enterprises, there are tools and processes that can
provide reasonable protection against botnets – if they are used
wisely and vigilantly.


Botnets are groups of
secretly infected
computers connected over the Internet, working together under the
command of hackers interested in theft and other malicious



If just one computer in an enterprise gets infected, a bot can propagate to other clients on the network, multiplying the potential damage and making eradication of the infection difficult. A good defense strategy for an enterprise entails steps to prevent infection and steps to mitigate the effects of an infection if it occurs.

Bot infections and the damage they cause are most effectively thought of as a problem affecting both individual network clients and the network as a whole. At both levels, many of the most effective tools and techniques will be those already in place to guard against other malware. The most important of these are securing browsers, using anti-virus and intrusion detection tools, and educating users about social engineering attacks. But botnets have some unique characteristics that administrators must keep in mind if they are to protect their networks effectively.



A bot is a software program that secretly installs itself on a computer and then joins a large group of infected systems. The infected systems that make up a botnet can be spread across many enterprises in many countries, and their target is often a distant network with which they have no other affiliation. Botnets enable hackers to conduct spam campaigns, launch DDoS attacks, steal personal information such as banking data, and perform a variety of other harmful operations. (It is worth noting that some botnets are designed for work that is essentially harmless.)

And this list of attack goals continues to grow. The
business of botnets has created, in effect, marketplace
innovations, leading to the emergence of attack types including
“credential stuffing, brute-force password cracking, cryptomining, and
even as a ticket bot to scoop up the best seats for resale.”1 Botnet
services are sold online, often on the Dark Web, making their use
widespread and lucrative.2

Bot infections occur in stages. The best defense strategies stop bots before the first stage, infecting a system, but enterprises would be wise to develop defense strategies for each stage because there is no way to guarantee that an infection will not occur.

Table 1
describes each
major stage of an
enterprise bot infection and outlines the steps that can stop the
progress or mitigate its damages. (Prevention and mitigation steps are
discussed in further detail in the Recommendations section below.)

Table 1. Fighting Botnet Infections at Each Stage: Prevention and Mitigation Steps

The first step in an infection is for a bot to be loaded onto one or a handful of computers on a network. This small piece of software adds the host computer to a botnet, a group of computers spread across many networks. The bot may also replicate itself on other computers in the enterprise. A bot in an active botnet is often called a “drone” or “zombie.”

Most of the steps
an organization can take to prevent
bots from landing on enterprise clients in the first place are the same
as those used to guard against other types of malware, such as
educating users about social engineering attacks, running anti-virus
software, and conducting intrusion detection scans. This is good news
for network administrators who may fear needing a whole new set of
tools and techniques to protect themselves.

But organizations would be unwise to rest easy; bots are their own category of malware, and just as Trojan horses differ from worms, bots differ from other species in the field. With this in mind, organizations should consider updating their administrative practices and user education programs to cover the specific characteristics of popular bots.


Once a bot is loaded on a computer, it begins communicating with, and taking instructions from, the botnet’s command and control server. The command and control server may be located anywhere, but typically it is not physically controlled by the person who controls the botnet. Instead, it is often another secretly infected system, just like a bot-infected client.

The person who controls a botnet, called a “herder,” can remotely log into the command and control server to operate it.

The communication between a bot and a command and control server is most often performed over Internet Relay Chat (IRC) or Hypertext Transfer Protocol (HTTP).3 Blocking IRC, and inspecting outbound HTTP traffic for command and control patterns, can go a long way toward preventing bots from doing serious damage to an enterprise.

But these protocols are not the only way bots communicate. In particular, peer-to-peer botnets are a threat because they do not use a centralized server, so there is no single target whose removal dismantles their command mechanism.4


Bots and botnets are persistent: they can re-emerge even after an enterprise has thoroughly cleaned its systems and after an ISP or a law enforcement agency has shut down a command and control server.

Efforts to
identify and
combat bot infections will be most
effective if they are regular parts of an enterprise’s security
routine, not one-time projects done in response to a particular threat.
In addition to anti-virus and intrusion detection scans, these efforts
will include timely patching of systems and ongoing employee education
covering social engineering techniques.

An organization that suffers a botnet attack can also consider reporting its experience to law enforcement, security firms, and its ISP. By enlisting help from other organizations, an enterprise may be able to attack the root of a botnet to which it is vulnerable.

Current View


Botnets are a significant and widespread threat. Botnet command and control servers are proliferating, numbering 17,602 worldwide in 2019 compared with 10,263 in 2018.5 Some attacks have lasted over 12 days and used “amplification” techniques to cause more damage.6 And even moderate-sized attacks can cause hundreds of thousands of dollars in business losses.7 This prevalence of botnets is driven by profits. One estimate determined that a network of 30,000 bots can earn $26,000 monthly for denial-of-service attacks or $18 million a month for fraud against banking sites.8

Finally, as is the case
in other segments of the
security landscape, hackers are making it easier for non-experts to
become cyber criminals by selling tools and expertise that make
sophisticated botnet attacks relatively simple to launch.9



Botnets are an effective and versatile attack methodology, and hackers will continue to find new applications and targets for them.

New Targets

The diversifying types of devices connected to the Internet have given botnets more targets to attack:

  • Mobile Devices – Bot infections of mobile devices are increasing, with one study finding that 5.8 percent of phones had bot malware.10 But unlike bots infecting desktops and servers, mobile infections tend to focus on retail activity, such as cashing in an infected user’s reward program points or helping a competing retailer identify the prices that other sites are charging to particular customers.
  • Cloud Servers – Cloud servers have become a popular target for botnet infections. For example, one botnet that first came to the public’s attention in late 2018 infects environments running Hadoop, a framework for distributed storage and processing across clusters of servers.11 And cloud hosting providers are now often infiltrated to host command and control software.12
  • The Internet of Things – The Internet of Things is providing yet another target for botnets. The sheer number of new devices online makes the Internet of Things a ripe target, and because many of these devices are simple, they are often not well secured.13

A New Goal: Cryptojacking

Today, cryptomining — the practice of using computing power
to earn Bitcoins or similar assets — is a large international
business. When performed on one’s own computers, it is a legal and
legitimate activity. But hackers are aggressively using the computers
of others, a practice called “cryptojacking.”

The growth of cryptojacking botnets relates directly to the
greater focus on cloud servers. Cryptojacking’s earning potential is
directly related to the amount of processing power used, and cloud
datacenters have large amounts of resources to exploit.14 But
ordinary desktop computers in enterprises are often used to mine
currency too, with infections sometimes going years without detection.15

A New Technique: Artificial Intelligence

To make their botnets more effective and dangerous, hackers
are predicted to take more advantage of artificial intelligence. “A
machine does not stop, get tired, lose
concentration or panic,” writes security expert Matt Conran.16
“AI-based attacks keep their cool maintaining
constant momentum while under pressure from defense mechanisms.”

But while AI is becoming a tool for hackers, it is also becoming a tool
for IT administrators.17 AI can be used to
establish baselines of data
traffic or system performance, for example, and then it can identify
anomalies and trigger responses. The introduction of AI into the botnet
attack-and-response battle will likely create an arms race for who has
the better technology. Large organizations may be able to defend
themselves against sophisticated hackers, but smaller organizations may
find themselves out-gunned.


Recommendations

Understand IRC

Many botnets communicate
through IRC, a
technology most often used for text chatting. Enterprises that are
defending against botnets can improve the effectiveness of their botnet
defense efforts by understanding IRC modes, commands, and operations.

An organization can also decide to block IRC unless there is a clear business purpose for it and no viable alternative. A network firewall configured to block IRC will typically be the most effective tool for this job. If an organization determines that it needs to use IRC, it may consider allowing its use on a small number of computers that are isolated on a separate network segment, thus guarding against widespread bot propagation across the entire network.

But it is important to remember that IRC is only the most popular method of botnet communication, not the only one. Blocking IRC does not block all potential botnet activity. For example, HTTP is popular for botnet communication but is unlikely to be a candidate for blocking; at most, outbound HTTP can be forced through a proxy and inspected there.
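The two points above, blocking IRC at the perimeter while still recognising IRC that a bot runs on a non-standard port, and the command and control discussion in Table 1, can be put into working form. The following is an added example written for this page, not code from the report or from any product it mentions. It parses raw IRC lines by the RFC 1459 grammar, decides whether a captured TCP payload is IRC regardless of the port it was seen on, and applies an egress policy in which the isolated IRC-permitted subnet (10.0.50.0/24, an assumption) may reach IRC ports, everyone else is blocked, and IRC-looking traffic on any other port raises an alert. The sample payloads are constructed.

```python
"""Port-independent IRC detection plus an IRC egress policy (added example)."""
import ipaddress
import re

# Client commands and housekeeping messages defined in RFC 1459 / RFC 2812.
IRC_COMMANDS = {"PASS", "NICK", "USER", "JOIN", "PART", "PRIVMSG", "NOTICE",
                "PING", "PONG", "MODE", "TOPIC", "QUIT"}
# Conventional IRC ports: 6660-6669, 6697 (TLS) and 7000.
IRC_PORTS = set(range(6660, 6670)) | {6697, 7000}
# Assumed isolated network segment holding the few hosts allowed to use IRC.
IRC_ALLOWED_NET = ipaddress.ip_network("10.0.50.0/24")

# Constructed payloads: a bot-style registration, a server reply, and HTTP.
BOT_REGISTRATION = b"NICK x-7f3a\r\nUSER x 0 * :x\r\nJOIN #chan\r\n"
SERVER_WELCOME = (b":irc.example.net 001 x-7f3a :Welcome\r\n"
                  b":irc.example.net PING :abc\r\n")
HTTP_REQUEST = b"GET / HTTP/1.1\r\nHost: www.example.com\r\nAccept: */*\r\n"


def parse_irc_line(line):
    """Split one IRC line into (prefix, command, params) per RFC 1459:
    [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing].
    Returns None if the line does not fit the grammar."""
    line = line.rstrip("\r\n")
    prefix = None
    if line.startswith(":"):
        prefix, _, line = line[1:].partition(" ")
    head, sep, trailing = line.partition(" :")
    parts = head.split()
    if not parts:
        return None
    command, params = parts[0], parts[1:]
    if sep:
        params.append(trailing)  # trailing param may contain spaces
    if not re.fullmatch(r"[A-Za-z]+|\d{3}", command):
        return None  # commands are alphabetic; server replies are 3 digits
    return prefix, command.upper(), params


def looks_like_irc(payload):
    """True if the start of a TCP payload parses as IRC.

    Bots run IRC on arbitrary ports to dodge port-based blocking, so this
    inspects the protocol itself: at least two of the first three non-empty
    lines must parse and carry a known command or a numeric server reply."""
    text = payload.decode("latin-1", errors="replace")
    lines = [l for l in text.split("\n") if l.strip()][:3]
    hits = 0
    for l in lines:
        parsed = parse_irc_line(l)
        if parsed and (parsed[1] in IRC_COMMANDS or parsed[1].isdigit()):
            hits += 1
    return hits >= 2


def egress_decision(src_ip, dst_port, payload=b""):
    """Policy: IRC ports are blocked except from the isolated subnet; IRC-looking
    traffic on any other port is allowed through but flagged for investigation."""
    src = ipaddress.ip_address(src_ip)
    if dst_port in IRC_PORTS:
        return "allow" if src in IRC_ALLOWED_NET else "block"
    if looks_like_irc(payload):
        return "alert"
    return "allow"


if __name__ == "__main__":
    print(egress_decision("10.0.0.11", 6667))                     # block
    print(egress_decision("10.0.50.7", 6667))                     # allow
    print(egress_decision("10.0.0.11", 8080, BOT_REGISTRATION))   # alert
    print(egress_decision("10.0.0.11", 443, HTTP_REQUEST))        # allow
```

In production this logic belongs in an IDS with a protocol analyzer rather than in a script, but the shape is the same: a port rule handles the common case cheaply, and protocol recognition catches the bot that moved to port 8080.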

Keep an Eye Out for
Bot Infections

Bots can be hard to detect. For instance, a botnet of three million dummy Twitter accounts went unnoticed for several years.18 But there are some ways to help detect bots. In addition to running routine anti-malware and intrusion detection scans, spotting any of the following issues can help an organization identify a botnet infection:

  • Unexpected volumes of data being uploaded to the
  • Spikes in network traffic
  • A group of network clients communicating with a particular IP address on the Internet
  • A group of network clients performing DNS queries directed at a particular Internet domain name
  • Network performance problems
  • Network reliability problems
  • Changes in network traffic
  • Suspicious processes visible in Windows Task Manager
  • Programs set to start automatically via the Run keys under HKEY_LOCAL_MACHINE in the Windows registry
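The network-side items in the list above (unexpected upload volumes, many clients talking to one IP address, many clients resolving one name, traffic spikes) are exactly what a hunt over firewall and DNS logs looks for, and the baseline-then-flag-anomalies idea mentioned in the AI discussion earlier is the same technique without the machine learning. The following is an added example written for this page, not code from the report. The log layouts and every address and name in it are constructed; a real deployment would read its firewall's and resolver's own formats. It flags fan-in to a single destination, fan-in to a single DNS name, timer-like beaconing (connection gaps with low variance), and clients whose outbound bytes dwarf the median client.

```python
"""Hunt for botnet indicators over sample connection and DNS logs (added example)."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, median, pstdev

# Constructed firewall log: time, source, destination, port, bytes sent out.
CONN_LOG = """\
2024-03-01T09:00:00 10.0.0.11 203.0.113.5 6667 512
2024-03-01T09:05:00 10.0.0.11 203.0.113.5 6667 498
2024-03-01T09:10:00 10.0.0.11 203.0.113.5 6667 530
2024-03-01T09:15:00 10.0.0.11 203.0.113.5 6667 505
2024-03-01T09:03:00 10.0.0.12 203.0.113.5 6667 470
2024-03-01T09:07:00 10.0.0.13 203.0.113.5 6667 488
2024-03-01T09:01:00 10.0.0.14 198.51.100.20 443 2048
2024-03-01T09:30:00 10.0.0.14 198.51.100.20 443 1900
2024-03-01T11:12:00 10.0.0.14 198.51.100.20 443 2100
2024-03-01T09:02:00 10.0.0.12 198.51.100.77 443 950000000
"""

# Constructed DNS query log: time, source, queried name.
DNS_LOG = """\
2024-03-01T09:00:01 10.0.0.11 irc.example.net
2024-03-01T09:03:01 10.0.0.12 irc.example.net
2024-03-01T09:07:01 10.0.0.13 irc.example.net
2024-03-01T09:00:05 10.0.0.14 www.example.com
2024-03-01T09:00:06 10.0.0.14 cdn.example.com
"""


def parse_conns(text):
    """Return (timestamp, src, dst, port, bytes_out) tuples."""
    rows = []
    for line in text.splitlines():
        ts, src, dst, port, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(port), int(nbytes)))
    return rows


def parse_dns(text):
    """Return (timestamp, src, qname) tuples with names lower-cased."""
    return [(datetime.fromisoformat(ts), src, q.lower())
            for ts, src, q in (line.split() for line in text.splitlines())]


def fan_in(conns, min_hosts=3):
    """Destinations contacted by at least min_hosts distinct internal clients."""
    by_dst = defaultdict(set)
    for _, src, dst, _, _ in conns:
        by_dst[dst].add(src)
    return {dst: srcs for dst, srcs in by_dst.items() if len(srcs) >= min_hosts}


def dns_fan_in(dns, min_hosts=3):
    """Names resolved by at least min_hosts distinct internal clients."""
    by_name = defaultdict(set)
    for _, src, qname in dns:
        by_name[qname].add(src)
    return {q: srcs for q, srcs in by_name.items() if len(srcs) >= min_hosts}


def beacons(conns, min_conns=4, max_cv=0.2):
    """(src, dst) pairs whose connections are evenly spaced, mapped to the
    mean gap in seconds. Humans browse in bursts; a bot checks in on a timer,
    so a low coefficient of variation of the gaps is the tell."""
    times = defaultdict(list)
    for ts, src, dst, _, _ in conns:
        times[(src, dst)].append(ts)
    found = {}
    for pair, stamps in times.items():
        if len(stamps) < min_conns:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            found[pair] = avg
    return found


def upload_outliers(conns, factor=10):
    """Clients whose total outbound bytes exceed factor x the median client.
    The median is a crude baseline that a single infected host cannot drag up."""
    totals = defaultdict(int)
    for _, src, _, _, nbytes in conns:
        totals[src] += nbytes
    baseline = median(totals.values())
    return {src: t for src, t in totals.items() if t > factor * baseline}


if __name__ == "__main__":
    conns, dns = parse_conns(CONN_LOG), parse_dns(DNS_LOG)
    print("shared destinations:", fan_in(conns))
    print("shared DNS names:", dns_fan_in(dns))
    print("beaconing pairs:", beacons(conns))
    print("upload outliers:", upload_outliers(conns))
```

On the sample data the three hosts 10.0.0.11 through 10.0.0.13 all reach 203.0.113.5 after resolving the same name, 10.0.0.11 connects every five minutes exactly, and 10.0.0.12 has pushed out almost a gigabyte; each of those has an innocent explanation (a shared SaaS endpoint, a monitoring agent, a backup job), which is why every hit needs a look before it is called an infection.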

None of these is a sure sign of a problem, as each has harmless causes that should be investigated before concluding that there is an infection. But they are worthy of a close look.
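The host-side items in the list, suspicious processes and automatic-start entries under HKEY_LOCAL_MACHINE, can be triaged with a few placement rules rather than by eyeballing names. The following is an added example written for this page, not code from the report. It parses the text that `reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run` prints (the sample output and every path in it are constructed) and flags entries whose program lives in a directory any user can write to, entries that start a payload through a system utility such as rundll32.exe, and core system process names running from somewhere other than System32.

```python
"""Triage HKLM Run-key autostart entries for bot-like placement (added example)."""
import re

# Constructed `reg query HKLM\...\Run` output; the paths are invented.
REG_QUERY_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    VendorTray    REG_SZ    "C:\Program Files\Vendor\tray.exe" /minimized
    WindowsUpdate    REG_SZ    "C:\Users\Public\svchost.exe" -silent
    Loader    REG_SZ    rundll32.exe C:\ProgramData\x\helper.dat,Start
"""

# Directories any user can write to; legitimate autostarts rarely live here.
USER_WRITABLE = ("\\users\\public\\", "\\programdata\\", "\\appdata\\local\\temp\\",
                 "\\windows\\temp\\", "\\downloads\\")
# OS-shipped binaries routinely used to launch attacker-supplied payloads.
LOLBINS = {"rundll32.exe", "regsvr32.exe", "mshta.exe", "wscript.exe",
           "cscript.exe", "powershell.exe", "cmd.exe"}
# Core system processes that only belong in %windir%\System32.
SYSTEM_NAMES = {"svchost.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}


def parse_reg_query(text):
    """Return {value_name: command_line}. reg query separates columns with runs
    of spaces, and the key-path line has no such runs, so it is skipped."""
    entries = {}
    for line in text.splitlines():
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 3 and cols[1].startswith("REG_"):
            entries[cols[0]] = cols[2]
    return entries


def first_token(cmdline):
    """The program a command line launches: a quoted path or the first word."""
    m = re.match(r'"([^"]+)"|(\S+)', cmdline.strip())
    return (m.group(1) or m.group(2)) if m else ""


def triage(entries):
    """Map each entry name to the reasons it looks suspicious (empty if none)."""
    report = {}
    for name, cmdline in entries.items():
        reasons = []
        exe = first_token(cmdline).lower().replace("%windir%", "c:\\windows")
        base = exe.rsplit("\\", 1)[-1]
        if any(d in exe for d in USER_WRITABLE):
            reasons.append("image in user-writable directory")
        if base in LOLBINS:
            reasons.append("autostart via " + base)
            if any(d in cmdline.lower() for d in USER_WRITABLE):
                reasons.append("payload argument in user-writable directory")
        if base in SYSTEM_NAMES and not exe.startswith("c:\\windows\\system32\\"):
            reasons.append(base + " outside System32")
        report[name] = reasons
    return report


if __name__ == "__main__":
    for name, reasons in triage(parse_reg_query(REG_QUERY_OUTPUT)).items():
        print(name, "->", reasons or "ok")
```

On a live host the same entries can be read with Python's winreg module instead of parsing command output, and the HKEY_CURRENT_USER Run and RunOnce keys deserve the same pass, since a bot that could not obtain administrator rights will persist there instead.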

Follow Core Best Practices

For enterprises, protecting against botnet-based attacks
primarily involves dealing with bots that might infect their networks.
Large-scale takedowns of botnets are beyond the capabilities of a
typical enterprise. (For more information on such actions, which are commonly
taken by law enforcement and major security agencies working together,
see “Organized Botnet Takedowns” in the November 2015 Faulkner
Security Management Practices.20) Handling
bot infections is, in most respects, like dealing with other
types of malware. A combination of anti-malware software, intrusion
prevention systems, and frequent software patches will be the core of
most enterprises’ protection strategy. “[T]he
majority of reported attacks are neither sophisticated nor advanced,”
says a 2016 report by the European Police Office. “While it is true
that in some areas cybercriminals demonstrate a high degree of
sophistication in the tools, tactics and processes they employ, many
forms of attack work because of a lack of digital hygiene, a lack of
security by design and a lack of user awareness.”21

Another useful reference source is the 2018 report “Enhancing
the Resilience of the Internet and Communications Ecosystem
Against Botnets and Other Automated, Distributed Threats,” published
by the US Department of Commerce and the US Department
of Homeland Security.22
The report recommends 20 steps for defending against botnets and
discusses larger goals for the overall security of the Internet and
federal government.



Europol: https://www.europol.europa.eu/

About the Author



Geoff Keston is the author of more than 250 articles that help organizations find opportunities in business trends and technology. He also works directly with clients to develop communications strategies that improve processes and customer relationships. Mr. Keston has worked as a project manager for a major technology consulting and services company and is a Microsoft Certified Systems Engineer and a Certified Novell Administrator.
