Bots Gone Bad

An ascending DDoS threat

Black background with a grey bubble floating on the left and right a design out of different shapes resembling human head.

Among the many distributed denial-of-service (DDoS) threats targeting internet service providers (ISPs) and enterprises, botnets are one of the most dangerous. Direct-path bot attacks have greatly accelerated since 2021, driving up throughput rates at an alarming pace. They’re quickly becoming the “choix du jour” in an adversary’s attack toolkit.

Botnets contain anywhere from hundreds to millions of connected devices with the ability to generate massive attacks that are difficult to stop. Once infected, devices are remotely directed by an adversary who controls their behavior. The attacks may originate from data centers or malware-infected devices connected to a network, and they’re often used to take down websites or hold them, hostage, for ransom.

Between statistics about network bandwidth (the maximum number of packets that could be transferred) and throughput (the actual number of packets being transferred) lies the ever-present threat of direct-path botnet attacks. Because network performance is better measured by throughput than bandwidth, it’s an important consideration when you look at the statistics of this growing threat.

How Are Enterprises and ISPs Affected?

At NETSCOUT, we’ve seen enterprises receive the largest portion of bot-based attacks, although this certainly doesn’t mean ISPs are off the hook. Bot-sourced attacks against enterprises peaked in the latter half of 2022 at approximately 2,500, while ISP attacks reached about 700 over that same period, according to our research.

For the enterprise, there were more than 350,000 security-related alerts in the second half of 2022 and an average impact per bot node of approximately 5 Gbps, with the top target countries being the United States, Mexico, and Spain. The top targeted industries in these attacks were government organizations at the federal, state, and regional levels, as well as banking-related companies.

In the latter half of 2022, there were approximately 60,000 botnet attacks on ISP networks, with the top target countries being South Korea, the United States, and Italy. The most common botnet-sourced attacks involved TCP SYN floods and reflection/amplification attacks.

What Is a TCP SYN Attack?

Also known as a SYN flood, this DDoS attack exploits the three-way handshake that makes up a TCP connection. When a TCP connection is established, the client sends a SYN (connection request), a SYN/ACK (acknowledgment) is received, and an ACK is sent to acknowledge the completed connection. In this way, the loop is closed.

To attack this three-way handshake in a TCP SYN attack, adversaries send TCP connection requests at such a massive and rapid scale that a target device can’t process them, and the network becomes overwhelmed. It’s designed to consume resources at such a rate that the server becomes unresponsive.

What Are Some Common Botnets?

We tracked approximately 1.35 million bots in 2022 from malware families Meris, Dvinis, and Mirai. Most of the direct-path attacks we’ve monitored originated from DDoS botnets and proxy servers being leveraged by groups such as Killnet, a pro-Russian hacking collective known for DDoS attacks directed mainly at government institutions around the world.

Botnets have been around for more than 20 years—starting with EarthLink Spammer, which appeared in 2000 and sent some 1.25 million emails in a phishing scam designed to appear to originate from legitimate websites. Botnets have been making ISPs and enterprises miserable ever since. In the case of Mirai, which first appeared in 2016, much of the U.S. east coast was left without internet access. It was also the first major botnet that infected Internet of Things (IoT) devices, with more than 600,000 affected at its peak.

The Passion Botnet

On January 27, 2023, the U.S. Department of Health and Human Services Cybersecurity Coordination Center sent an alert out warning that Killnet and Anonymous Russia were targeting the U.S. healthcare sector with DDoS attacks. Although it didn’t cause significant damage, the Passion botnet did result in website outages that lasted several days and the public release of personal health information. The Passion botnet is openly for sale to any adversary who wishes to purchase it.

Learn More

How can you protect your network when bots go bad? NETSCOUT just released our fifth anniversary DDoS Threat Intelligence Report, “Unveiling the New Threat Landscape,” with findings from the second half of 2022. Take a closer look at the report and use it as a baseline to consider your current defenses against botnets and other threats.
Check out the latest NETSCOUT Threat Intelligence Report.