Attackers Show New Affinity for Server-class Botnets

Blue gradient background with darker blue paint splotches

Although it’s sometimes easy to think about threat actors as evil geniuses, the reality is that they’re like any other group of people whose goal is to make money with as little effort as possible.

That’s clearly seen throughout NETSCOUT’s 2H 2021 Threat Intelligence Report, which highlights several examples in which threat actors have improved the efficacy of long-established attack methods via new modifications and strategies. Such is the case for botnets, which have been around since the 1980s.

Innovation Throughout History

Indeed, a quick history of botnets illustrates how attackers have modified their strategies for using them over the course of 20 years. The first botnets were deployed on server-class computers. Later, attackers began building distributed denial-of-service (DDoS)-capable botnets by compromising personal computers (PCs)—and attackers continue using compromised PCs to create botnets for launching DDoS attacks today.

Today, Internet of Things (IoT) botnets are common, with attackers generally launching DDoS attacks via IoT devices through a common command and control (C2) infrastructure. These botnets soared in popularity after the source code of the Mirai IoT botnet was leaked in 2016.

What we’re now seeing is that threat actors have changed up their botnet strategy yet again by increasing the size of IoT botnets while also conscripting high-powered servers into larger botnets. Servers are being leveraged to launch targeted DDoS attacks against high-value targets. But what we saw in 2H 2021 is that attackers have once again changed strategies to create powerful Mirai botnets. 

What’s Happening Now?

The result is new server-class Mirai botnets that are being used to launch high-impact DDoS attacks. For instance, two direct-path packet-flooding attacks of more than 2.5 Tbps were launched using server-based botnets in 2H 2021. These are the first terabit-class, direct-path DDoS attacks that have been discovered, and we expect to see more of such attacks. 

But attackers aren’t satisfied with just server-based DDoS botnets. What we’re also seeing is growth in direct-path DDoS attacks in relation to reflection/amplification attacks. Several trends will likely create ample reason for attackers to continue along this path. These include the introduction of multigigabit consumer internet connectivity, 5G broadband, increasingly powerful home computers, and the continued proliferation of IoT devices. 

Learn more about how attackers use botnets and how that behavior will impact networks around the world in the 2H 2021 Threat Intelligence Report.