Botnets / DDoS

Author: DarkKnightH20

What is DoS/DDoS?

DoS stands for Denial of Service. As the name states, it’s a condition in which an application or service becomes unavailable, hence “denial of service”. This condition can be induced in many ways, such as bad programming, which often leads to vulnerabilities that cause CPU usage to skyrocket, as well as crashing, lag, and freezing. For this article’s purposes, we’ll focus on DoS conditions achieved through the most common means: flooding the target with packets.

So, we’ve got DoS down, but what is DDoS?

DDoS, or Distributed Denial of Service, uses DoS methods but expands on the concept by having many computers attack the target at once. DDoS focuses on flooding the victim’s port(s) to (A) lag them, (B) crash them, or (C) stop legitimate traffic from reaching the port/service. Though individual computers can be DDoS’ed, websites and IRC servers are the primary targets.

Bots?

DDoS can be a group effort done by friends or, most commonly, carried out through a botnet. A botnet usually has one commander that talks to all the “friendly” computers to tell them what to do. Called “bots”, these computers are often infected with a “backdoor” that allows the commander of the botnet to easily execute commands, download/execute files, etc. The majority of the time, the owners of these computers don’t even know they’re infected with a backdoor.

How are the bots controlled?

They can be controlled in a variety of ways. However, the most common method is through IRC. Each infected computer connects to an IRC server and joins a channel (which is likely password protected). The commander logs in to the bots by writing a command to the room, and then does as he/she wishes, often issuing commands to initiate a DDoS on a remote target.

What type of flooding methods are there?

There are many different flooding methods that can be used:

  • General TCP Flooding — AKA the bots connect to a given remote port, then simply flood until disconnected, in which case they reconnect and start over again.
  • HTTP — Done through TCP as well, this method works web servers hard (on port 80 generally) by requesting many files at once via bots in an attempt to (A) waste bandwidth, (B) lag the website, or (C) stop legitimate traffic. Depending on how the attack is carried out, you can flood with HTTP POST requests. HTTP POST requests are made when submitting a form (i.e. a tagboard message, forum post, registration page, or even a blog comment). Flooding with HTTP POST requests not only causes normal HTTP disruption but can also cause the script being flooded to create huge logs. If the script is also tied to a SQL database, then it’s even more deadly.
  • UDP — This method doesn’t use a direct connection, as UDP does not really require one. As with the other methods, flooding is used to disrupt service on the port in question.
  • IRC Flood — All bots connect to the IRC server, then have several different flooding methods available -> Private Message (PM) flooding, room creation flood, file sending flood, join room and spam text flood, etc. (excuse my lack of a good name for each of these sub-IRC methods :) )
  • Ping Flood — As with normal pinging, once Computer A pings Computer B, Computer B sends a reply. This causes incoming and outgoing flooding when applied to a botnet, as the victim is receiving many requests over and over again while attempting to respond to them all. This method is easily blocked.
  • SYN Flood — One of the most well-known methods out there, this method involves sending a “SYN request” to the target. The target then replies to acknowledge the request, then waits for more data. Generally, there is no more data afterward, causing the server to wait a little bit until timing out. Though not usually a problem, issues can arise when applied to a botnet. The victim will have many of these partial connections, causing a waste of resources and disruption of possible traffic.
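The two methods above that leave the most visible trace on the server itself are the HTTP POST flood (it shows up in the web server’s access log) and the SYN flood (it shows up as a pile of half-open connections). As an added example, not code from the original post, here is the kind of detection logic a server admin would run over those two sources. The connection-table snapshot and the access-log lines are constructed samples in a netstat-like and Common Log Format layout, and the thresholds (`max_half_open`, `max_posts`, the ten-second window) are assumptions to be tuned to the real service.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# --- SYN flood: half-open connections ------------------------------------------

def build_syn_flood_sample(n_half_open=60):
    """Constructed snapshot of a server's connection table, "<state> <remote>" per line.
    Every half-open connection comes from a different (spoofed-looking) source, which
    is exactly the case that per-source IP blocking cannot handle."""
    lines = ["ESTABLISHED 192.0.2.10:51234", "ESTABLISHED 192.0.2.11:51235"]
    for i in range(n_half_open):
        lines.append(f"SYN_RECV 203.0.113.{1 + i % 250}:{40000 + i}")
    return "\n".join(lines)

def half_open_report(table, max_half_open=50):
    """Return (total_half_open, per_source Counter, alarm) for a connection-table dump.
    max_half_open is an assumed threshold; size it to the listen backlog of the service."""
    per_source = Counter()
    for line in table.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue                       # skip headers/blank lines found in real dumps
        state, remote = parts
        if state == "SYN_RECV":            # waiting for the final ACK that never arrives
            per_source[remote.rsplit(":", 1)[0]] += 1
    total = sum(per_source.values())
    # The alarm keys on the total, not on any one source: spoofed SYNs spread thin.
    return total, per_source, total >= max_half_open

# --- HTTP POST flood: access-log rate per source --------------------------------

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*"')

def parse_access_log(text):
    """Yield (ip, timestamp, method, path) for each parseable Common-Log-Format line."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                       # malformed lines are skipped, not fatal
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        yield m.group("ip"), ts, m.group("method"), m.group("path")

def post_flood_sources(text, window=timedelta(seconds=10), max_posts=20):
    """Return {ip: peak POSTs inside any sliding window} for sources above max_posts."""
    posts = defaultdict(list)
    for ip, ts, method, _path in parse_access_log(text):
        if method == "POST":
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        peak, start = 0, 0
        for end, t in enumerate(times):    # two-pointer sliding window over timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_posts:
            flagged[ip] = peak
    return flagged

def build_post_flood_sample():
    """Constructed access log: a normal visitor plus one source hammering a form handler."""
    base = datetime(2009, 11, 30, 16, 8, 0, tzinfo=timezone.utc)

    def line(ip, offset, method, path):
        ts = (base + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" 200 311'

    lines = [line("192.0.2.10", 0, "GET", "/index.php"),
             line("192.0.2.10", 3, "POST", "/comment.php"),
             line("192.0.2.10", 40, "POST", "/comment.php")]
    for i in range(25):                    # 25 POSTs within five seconds from one source
        lines.append(line("198.51.100.7", i // 5, "POST", "/comment.php"))
    return "\n".join(lines)

if __name__ == "__main__":
    total, per_source, alarm = half_open_report(build_syn_flood_sample())
    print(f"half-open: {total}, busiest source: {per_source.most_common(1)}, alarm={alarm}")
    print("POST flood sources:", post_flood_sources(build_post_flood_sample()))
```

The SYN check deliberately reports the busiest source alongside the total: in the constructed sample every half-open connection comes from a different address, so the per-source counter never exceeds one while the total still trips the alarm. That is the practical reason the article’s later advice about blocking attacker IPs only goes so far against spoofed SYN traffic, whereas POST floods, which need a completed TCP handshake, do expose a real source address that the log-rate check can act on.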
How are botnets made?

Botnets are created in many ways. Sometimes, people bind a botnet client to another exe, then send it to people or post it on websites (usually disguised as a hack). Spam in email inboxes can contain these files as well. However, using vulnerabilities is the most preferred way. Some use internet browser exploits or email software vulnerabilities to cause the automatic downloading (and executing) of a file (i.e. a bot client/backdoor). Some use Instant Messaging (IM) software (including IRC and other chatting software). However, OS vulnerabilities are the most commonly used. Worms are created to exploit these vulnerabilities and often spread bots (and the worm) while doing so. This creates a nice army for a botnet. In fact, many botnets are self-spreading. A plugin is simply installed on the clients (pre-installed or installed via an update through a bot command) that allows for scanning and exploiting of IP ranges. When victims are found, these self-spreading bots pass themselves along, creating a rising army. However, self-spreading bots are also a nice way of getting bots destroyed: the activity raises suspicion and leaves a long trail leading to the owner.

Other uses of a Botnet

Botnets don’t have to be used only for flooding. They can be used for spamming (E-mail, forums, IM, Net Sending, etc.) and cracking/bruteforcing passwords, which can significantly cut down the time it takes for a successful crack. They can also be used to crack encryption, a very useful concept for those who do not have their own supercomputers. They can also be used for P2P file sharing and for distributing files in general.

Disadvantages of a Botnet

Generally speaking, paper trails are left with a botnet. When performing an attack on a website, for example, server logs capture loads of data that can be used to find the attacker. Even personal computers have firewalls that grab IP addresses, which can be reported to the ISP, which is likely to have a much better log of the attack. If you’re adept in the field of security, then keep this in mind if a “friend” of yours attacks you with a botnet — bots are commonly created by infecting a computer that lacks security updates. If that computer was so easily infected with a backdoor, chances are that you too may be able to hack it and grab the bot client. After doing so, you can do a number of things, such as send a copy to your ISP/authorities or even reverse engineer it to grab the password/server info/etc. If you get the username and password, you may in fact be able to hijack the entire botnet (or break it up). Packet sniffing can even grab this data for you.

Protecting Bots

Bots should be packed, encoded, or altered a lot to avoid detection. Custom-made clients are the most undetectable type, however, as attempts to avoid detection can also RAISE detection (i.e. most virus scanners recognize packers such as UPX). To avoid firewall detection, bots should add their server’s IP to the firewall’s “trusted” or “accepted” list. Bots should also have a login system of their own so that they’re unusable by anybody other than the person logging in to them. If the bots communicate with the owner through an IRC server (or even other means of communication), then a backup server should be available for them to connect to in case the server is ever down. Also, if using a public IRC server to communicate, bots should not have random names derived from random letters and numbers. A dictionary list should be used to avoid suspicion, as well as fake version info (i.e. they use random versions of mIRC), and they should join a secret, password-protected channel.
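The remark above that most virus scanners recognize packers such as UPX is worth seeing in code, because the check is simpler than people expect. As an added example, not the post’s own code, the block below parses a Windows PE section table and labels an image “upx-packed” when it carries the UPX0/UPX1 section names the packer writes by default. The PE images it runs against are constructed in memory (headers and an empty section table only, no real code), and the “malformed” handling is there because a scanner has to survive truncated or non-PE input without crashing.

```python
import struct

PE_SIGNATURE = b"PE\0\0"
UPX_SECTION_NAMES = {b"UPX0", b"UPX1", b"UPX2"}   # default names written by the UPX packer

def build_minimal_pe(section_names):
    """Constructed sample: just enough of a PE32 image for section-table parsing."""
    e_lfanew = 0x40                                            # PE header right after DOS header
    dos_header = b"MZ" + b"\0" * 58 + struct.pack("<I", e_lfanew)   # 64 bytes, e_lfanew at 0x3C
    size_opt = 0xE0                                            # PE32 optional header size
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, size_opt, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_opt - 2)   # PE32 magic, rest zeroed
    sections = b""
    for name in section_names:
        # IMAGE_SECTION_HEADER: 8-byte name, six 32-bit fields, two 16-bit, Characteristics
        sections += name.ljust(8, b"\0") + struct.pack(
            "<IIIIIIHHI", 0, 0x1000, 0, 0, 0, 0, 0, 0, 0xE0000020)
    return dos_header + PE_SIGNATURE + coff + optional + sections

def pe_section_names(image):
    """Return the section names of a PE image; raise ValueError on malformed headers."""
    if len(image) < 64 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != PE_SIGNATURE:
        raise ValueError("PE signature not found")
    coff_off = e_lfanew + 4
    if len(image) < coff_off + 20:
        raise ValueError("COFF header truncated")
    (n_sections,) = struct.unpack_from("<H", image, coff_off + 2)
    (size_opt,) = struct.unpack_from("<H", image, coff_off + 16)
    table = coff_off + 20 + size_opt
    names = []
    for i in range(n_sections):
        raw = image[table + i * 40: table + i * 40 + 8]
        if len(raw) < 8:
            raise ValueError("section table truncated")
        names.append(raw.rstrip(b"\0"))
    return names

def classify(image):
    """Label an image for a scanning pipeline: 'malformed', 'upx-packed' or 'not-upx'."""
    try:
        names = pe_section_names(image)
    except ValueError:
        return "malformed"
    return "upx-packed" if any(n in UPX_SECTION_NAMES for n in names) else "not-upx"

if __name__ == "__main__":
    packed = build_minimal_pe([b"UPX0", b"UPX1", b".rsrc"])
    plain = build_minimal_pe([b".text", b".data", b".rsrc"])
    print(pe_section_names(packed), classify(packed))
    print(pe_section_names(plain), classify(plain))
```

This is the signature at its most naive: section names are a weak signal on their own, and a real engine pairs them with section entropy and an unpacking pass before it decides anything. The point for a defender is the one the article makes from the other side: a generic packer is not a hiding place, it is itself a fingerprint.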

Protecting Against Bots

People should update their OS with the latest patches to avoid being infected through worms and vulnerabilities, while also avoiding unfamiliar websites and odd emails, and making sure to have the latest anti-virus protection (and definitions). Firewalls should be used (hardware and software) to increase security.

How to Protect from a Botnet Attack

Protecting yourself can be difficult, as an attack often starts before you get the chance to do much about it. A great computer with a great internet connection can take a beating without issues, depending on the size of the botnet. If you have a server, a backup computer or connection that kicks in when the primary server/connection is having issues is a great failover. Blocking the IPs of the attacking computers is helpful, but it still requires your computer to do some work, as it has to look at each packet’s IP and then ignore it. Plus, IPs can be spoofed (changed to show a different IP). Filtering has the same issue. If you are being DDoSed/DoSed on your home computer, you can call your ISP and request a new IP address. If you have a dynamic IP, then simply disconnect and wait for a new IP (release and renew via ipconfig can usually do this). Also, there are services offered online for those who wish to protect their website from DDoS attacks, as well as server applications to help with the load.

Misc

Most bots are coded in C++ and are better known for infecting Windows users. However, Java bots that work on Windows, Mac, and Linux/Unix aren’t entirely uncommon.

When a big new vulnerability is out, a botnet is likely to be using it relatively soon. Sometimes, though, bots use unknown vulnerabilities. When this is the case, they’re eventually discovered, reverse-engineered, then dissected until the exploit is found and a patch is attempted.

Botnets can spread through networks too. Though I have not seen this done yet, bots can be given the ability to spread through wireless access points, especially if the access point is insecure.

Note: I do not support the creation of botnets. They’re illegal.


3 Comments

• By dkraft, November 30, 2009 @ 4:08 PM

  illegal ?
  How about some supporting references ?
  so far all you’ve done is requote wikipedia.
  http://en.wikipedia.org/wiki/Ddos#Distributed_attack

• By DarkKnightH20, November 30, 2009 @ 8:20 PM

  Yes, illegal. Especially if the bots are people infected against their own will.

  References? I don’t know too many people who reference themselves, but if you want me to I’ll be more than glad to do so. I didn’t use Wikipedia, but thank you for your comment and sorry to hear you disliked my article.

• By Sammy, November 30, 2009 @ 10:26 PM

  lol! Sounds like dkraft doesn’t know what DOS’ing is. NOOOB!
