A botnet (robot network) is one of the most serious network security threats that home users, organizations and governments face. A botnet is a group of many infected machines, called zombies or bots, managed by a malicious entity called the botmaster. In other words, bots are software programs that run on a host device and give the botmaster remote control of the host's actions. Botnets use command and control (C&C) channels for the communication between the bots and the botmaster. C&C channels can use different communication protocols and can work over a wide range of logical network topologies. The C&C architecture determines the manner in which the bots are controlled; it can be HTTP-, DNS- or P2P-based [90].
Botnets are used to perform cybercrimes, for example stealing personal data, sending spam e-mails or launching denial-of-service attacks. They are commonly named after the malicious kits used to build them. Nevertheless, not all of the kits are detectable, as botnet herders operate anonymously. Frequently used DDoS botnets are [91]:
- Nitol / IMDDOS / Avzhan / ChinaZ
This is a periodically transformed DDoS botnet family that operates mostly in China. Once installed, its malware commonly connects to the botnet's C&C server using a TCP socket and then sends information about the victim's device.
- MrBlack
This malware targets the Linux platform, but is also applicable to other platforms and architectures. It is also known as Trojan.Linux.Spike. It sends system information to a remote server. On receiving control commands it carries out various types of DDoS attacks against a given target, downloads and executes a file, or terminates a process.
- Cyclone
DDoS malware developed in the U.S.A. Its command and control details are obscure; it is IRC-based. It is known for killing off other bots on the infected host. Its attacks include multiple HTTP floods, Apache remote memory exhaustion (ARME) and Slowloris.
- Pushdo / Cutwail
This botnet is mainly focused on sending spam e-mails. In most cases the bots are infected computers running Microsoft Windows, carrying a Trojan component called Pushdo. A report from 2015 describes how the Pushdo botnet affected computer users in more than 50 countries.
DDoS attack using stationary botnets
The fast development of botnet technologies allows the generation of different types of DDoS attacks. In the past years the most complex ones have been launched using botnet technology. There are several reasons why most attackers choose this technology: given the similarity with normal traffic, such attacks are difficult to catch in real time; identifying the real attacker is very complex; the large number of zombies in the network makes a powerful flooding attack possible; and security mechanisms can be bypassed by carrying the attack over standard protocols. Figure 4.5 illustrates a simple example of a DDoS attack launched using a botnet. A short description of the botnet parts follows.
[Figure 4.5 residue: the attacker controls the botnet controller, which controls the bots, which attack the victim.]
Figure 4.5 Botnet Attack
- Attacker - to launch an attack, the attacker configures the bots. The first step is to access a machine, install malicious code and gain control of the machine once it connects to the control server.
- Botnet controller - it can send commands to and receive communication from the connected parties, because it operates as a command and control server.
- Compromised host - operates as a bot in the botnet after the malicious code has been installed on the machine.
- Victim - in this network environment the host(s) that receive a huge number of attack packets are categorised as the victim(s).
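The parts of Figure 4.5 can be recognised from network traffic by the behaviour each one produces: the bots poll the controller at regular intervals over a small C&C channel (the HTTP/DNS/P2P channels described at the start of this section), the victim receives a huge packet volume from many distinct sources, and a bot is a host that does both. The following Python script, an added example that is not part of the original text, applies those three rules to a constructed set of flow records. The addresses are from documentation ranges, and the thresholds (packet volume, minimum number of sources and clients, allowed timing jitter, "small flow" size) are assumptions chosen for the sample data, not values from the text.

```python
"""Recognise the parts of a botnet-driven DDoS (controller, bots, victim)
from flow records.  Added example; the flows below are constructed and the
thresholds are assumptions, not figures from the text."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (timestamp_s, src_ip, dst_ip, dst_port, packets).
# All addresses are from documentation ranges; none is a real indicator.
BOTS = ["192.0.2.11", "192.0.2.12", "192.0.2.13", "192.0.2.14", "192.0.2.15"]
CONTROLLER = "203.0.113.10"   # assumed C&C server
VICTIM = "198.51.100.5"       # assumed target
FLOWS = []
# Phase 1: every bot polls the controller roughly every 60 s (1 s jitter),
# sending a few packets each time while waiting for a command.
for i, bot in enumerate(BOTS):
    for k in range(4):
        FLOWS.append((60 * k + i + (k % 2), bot, CONTROLLER, 443, 3))
# Phase 2: after the attack command, every bot floods the victim's web port.
for i, bot in enumerate(BOTS):
    for k in range(5):
        FLOWS.append((240 + 10 * k + i, bot, VICTIM, 80, 4000))
# Background traffic to an uninvolved server, including one bot's own browsing.
FLOWS += [
    (5, "192.0.2.50", "203.0.113.77", 443, 40),
    (70, "192.0.2.51", "203.0.113.77", 443, 25),
    (130, "192.0.2.50", "203.0.113.77", 443, 32),
    (300, "192.0.2.11", "203.0.113.77", 443, 12),
]


def find_victims(flows, min_packets=10_000, min_sources=3):
    """Victim: a host receiving a huge packet volume from many distinct sources
    (the fan-in from the zombies is what distinguishes it from a busy server)."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for _, src, dst, _, pkts in flows:
        packets[dst] += pkts
        sources[dst].add(src)
    return {
        dst: {"packets": packets[dst], "sources": sorted(sources[dst])}
        for dst in packets
        if packets[dst] >= min_packets and len(sources[dst]) >= min_sources
    }


def find_controllers(flows, min_clients=3, max_cv=0.2, max_packets=50):
    """Controller: a host that several clients contact at near-constant
    intervals with small flows (polling for commands).  Regularity is judged
    by the coefficient of variation of the gaps between contacts."""
    contacts = defaultdict(lambda: defaultdict(list))  # dst -> src -> times
    for ts, src, dst, _, pkts in flows:
        if pkts <= max_packets:
            contacts[dst][src].append(ts)
    controllers = {}
    for dst, per_src in contacts.items():
        beaconers = []
        for src, times in per_src.items():
            times.sort()
            gaps = [b - a for a, b in zip(times, times[1:])]
            if len(gaps) < 2:
                continue  # too few contacts to judge regularity
            m = mean(gaps)
            if m == 0:
                continue  # duplicate timestamps, not a polling pattern
            if pstdev(gaps) / m <= max_cv:
                beaconers.append(src)
        if len(beaconers) >= min_clients:
            controllers[dst] = sorted(beaconers)
    return controllers


def identify_bots(flows, controller, victim):
    """Bot (compromised host): a source that both polls the controller and
    takes part in the flood against the victim."""
    polled = {src for _, src, dst, _, _ in flows if dst == controller}
    flooded = {src for _, src, dst, _, _ in flows if dst == victim}
    return sorted(polled & flooded)


if __name__ == "__main__":
    victims = find_victims(FLOWS)
    controllers = find_controllers(FLOWS)
    print("victims:", victims)
    print("controllers:", controllers)
    for c in controllers:
        for v in victims:
            print(f"bots (poll {c}, flood {v}):", identify_bots(FLOWS, c, v))
```

On the sample data only the target is reported as a victim (100,000 packets from five sources), only the C&C server is reported as a controller (five clients polling it with small flows at a steady 60 s), and the five bots are the hosts found in both sets; the uninvolved server is contacted too irregularly and too rarely to be mistaken for a controller. On real flow data the same three rules need the thresholds tuned to the network, and the regularity test should be complemented by a check on the contacted port and protocol, since legitimate update clients also poll on fixed schedules.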
Mobile Botnet
The vast and fast development of mobile devices has led to the evolution of mobile botnets. They consist of a set of compromised smartphones, remotely managed by a botmaster through a C&C channel. Mobile botnets attract attackers as a platform for launching DDoS attacks because mobile devices can reach Internet services through many different technologies, such as the Universal Mobile Telecommunication System (UMTS), Evolution Data Optimized or Enhanced Voice Data Only (EVDO), General Packet Radio Service (GPRS), High Speed Downlink Packet Access (HSDPA) and Enhanced Data Rates for GSM Evolution (EDGE). Limited battery power, non-fixed IP addresses and network limitations are the reasons why most intruders use the mobile platform mainly in the initial stages of a DDoS attack. Figure 4.6 illustrates a mobile botnet architecture.
[Figure 4.6 residue: mobile bots reach the Internet over Wi-Fi, 3G and GPRS.]
Figure 4.6 Mobile botnet architecture
The specific characteristics of the mobile environment pose some challenges to malware and to mobile botnets, even though mobile devices are normally less secure than fixed hosts. The botmaster is responsible for managing the channels to the infected nodes in a mobile botnet; the botnet cannot operate if the botmaster's channel is blocked. In general, a mobile botnet uses one of three types of C&C mechanism: Internet-based (IP-based), GSM-based and local wireless C&C [90].
Transferring commands from the botmaster to the mobile bots is the responsibility of the C&C channel. The design of this channel is essential to a mobile attack and must be done carefully.
Normally, a mobile botnet communicates over one of four channels [90]: an SMS C&C channel, a Bluetooth C&C channel, an HTTP C&C channel or a hybrid C&C channel.