With the ever-growing base of IoT (internet of things) devices, sophisticated cyber criminals are finding new routes to spread e-terror. Before looking at their evil designs, however, let us briefly consider what a botnet is. An internet bot is a software application programmed to perform designated tasks over the internet. Bots can perform simple as well as repetitive tasks, such as web indexing. A botnet, then, is a number of interconnected computers designated to execute specific bots. This workhorse of the internet can be used for many positive, value-added tasks that benefit the network or its users. However, it can equally be programmed to create havoc over the internet, for example by stealing classified business information.
Some serious threats that stem from botnets
- Distributed denial of service attack
- Click fraud
- E-mail spam
- Secretly stalking victims
Botnets are used extensively for DDoS (distributed denial of service) attacks, spam campaigns and the theft of highly classified business information. The owner of a botnet controls it with the help of command and control (C2) software. Botnets are becoming a larger part of the discussion about cyber security, yet there is no single defence mechanism that can give protection from them. A bot infection typically starts when a user downloads a malware-laden file; the botmaster can then control the system with the help of an IRC server. Botnets can also play havoc by spreading fake news on social media, and highly sophisticated cyber criminals use them to mine crypto currencies such as Bitcoin.
To create a botnet, botmasters need to infect as many connected devices (computers, laptops, smartphones, etc.) as possible: the more devices, or bots, that are connected, the bigger the malicious net. When they wish to attack a chosen target, they simply unleash the army of bots to overload the website with malicious traffic to the point that it stops working. A Trojan horse is a common carrier for botnet malware and can affect millions of machines at one go. More advanced bots are programmed to find vulnerable devices automatically and self-propagate: they constantly scan the internet for devices that lack proper antivirus protection. Botnets are very tough to detect, since a bot uses only a small amount of computing power and so any disruption to normal device function is slight. Advanced botnets can also adapt and upgrade their behaviour so that it becomes impossible to track and destroy them. This is where organizations need the latest security measures, which can nullify even the most dangerous botnet designs.
Some effective measures to search and destroy botnets
Botnets can be fought with a combination of active and passive measures, which include analysing the traffic between the bot and the botmaster. Some botnets that communicate over HTTP are more difficult to detect, as the traffic between master and bot is encrypted. Organizations should therefore engage a technology partner with extensive experience in fault monitoring tools, ITIL, cloud product development and application development.
- Cisco ASA (Adaptive Security Appliance) - This is a Cisco proprietary firewall platform that offers extensive features such as inspection, traffic policing and threat prioritization. It can also filter packets based on ACLs or Anti-X protection.
- Botnet filtering - Also commonly known as reputation-based filtering, this is a preventive measure taken against botnet attacks. Cisco Security Intelligence Operations (SIO) maintains a detailed blacklist of IP addresses and domains from around the world. The list is held as a database, which the Cisco ASA accesses as and when required.
Some components of the Cisco Botnet Traffic Filter
- DNS (Domain Name System) snooping - The Botnet Traffic Filter uses DNS snooping to map the IP addresses returned in DNS replies to the domain names contained in the dynamic database. DNS snooping works in conjunction with DNS inspection to build a DNS reverse cache, which maps IP addresses back to domain names and is configured through the Modular Policy Framework.
- Traffic classification and reporting - Also configured via the dynamic filter, this compares the source and destination addresses of each connection against the recorded IP addresses and reports any matches.
- Dynamic and administrator-defined blacklist data - This is a database of malicious domain names and IP addresses, combining the dynamic list from Cisco with entries the administrator adds, which the filter consults when deciding how to handle traffic.
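To make the three components above concrete (and the traffic analysis between bot and botmaster mentioned earlier), here is a small Python model of a reputation-based filter: DNS replies are snooped into a reverse cache, a dynamic blacklist is combined with administrator-defined black- and whitelists, and each flow is classified by comparing its endpoints against those lists. This is example code written for this page, not Cisco's implementation, and it does not reproduce the ASA's real behaviour; every domain, address, DNS reply and flow is constructed, and the class, function and verdict names are this example's own.

```python
"""Toy reputation-based botnet traffic filter (added example, not Cisco code).

Models three components: DNS snooping into a reverse cache, dynamic plus
administrator-defined blacklists, and traffic classification/reporting.
All domains, addresses and flows are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed stand-in for a vendor-supplied dynamic database.
DYNAMIC_BLACKLIST_DOMAINS: Set[str] = {"c2.example-bad.test", "update.botfeed.test"}
DYNAMIC_BLACKLIST_IPS: Set[str] = {"203.0.113.77"}

# Constructed administrator-defined lists (static entries the operator maintains).
ADMIN_BLACKLIST_DOMAINS: Set[str] = {"tracker.internal-bad.test"}
ADMIN_WHITELIST_DOMAINS: Set[str] = {"cdn.example-good.test"}


@dataclass
class BotnetTrafficFilter:
    dynamic_domains: Set[str]
    dynamic_ips: Set[str]
    admin_domains: Set[str]
    admin_whitelist: Set[str]
    # DNS reverse cache: IP address -> names seen resolving to it.
    reverse_cache: Dict[str, Set[str]] = field(default_factory=dict)

    def snoop_dns_reply(self, name: str, answers: List[str]) -> None:
        """DNS snooping: remember which addresses a name resolved to, so
        later flows to those addresses can be judged by domain reputation."""
        name = name.rstrip(".").lower()
        for ip in answers:
            self.reverse_cache.setdefault(ip, set()).add(name)

    def lookup_domains(self, ip: str) -> Set[str]:
        return self.reverse_cache.get(ip, set())

    def classify(self, src_ip: str, dst_ip: str) -> Tuple[str, str]:
        """Traffic classification: check both endpoints of a flow against the
        lists, directly by IP or via the domain the IP was resolved from.
        Returns (verdict, reason); the administrator whitelist overrides the
        dynamic database, as an operator override should."""
        for ip in (src_ip, dst_ip):
            names = self.lookup_domains(ip)
            allowed = names & self.admin_whitelist
            if allowed:
                return "whitelist", f"{ip} resolved from whitelisted {sorted(allowed)[0]}"
            if ip in self.dynamic_ips:
                return "blacklist", f"{ip} is in the dynamic IP blacklist"
            hit = names & (self.admin_domains | self.dynamic_domains)
            if hit:
                return "blacklist", f"{ip} resolved from blacklisted {sorted(hit)[0]}"
        return "unknown", "no reputation data for either endpoint"


def build_demo_filter() -> BotnetTrafficFilter:
    """Build a filter and feed it constructed DNS replies (the snooping step)."""
    f = BotnetTrafficFilter(DYNAMIC_BLACKLIST_DOMAINS, DYNAMIC_BLACKLIST_IPS,
                            ADMIN_BLACKLIST_DOMAINS, ADMIN_WHITELIST_DOMAINS)
    constructed_dns_replies = [
        ("c2.example-bad.test.", ["198.51.100.10"]),
        ("cdn.example-good.test.", ["198.51.100.20"]),
        ("www.example-neutral.test.", ["198.51.100.30"]),
        ("tracker.internal-bad.test.", ["198.51.100.40"]),
    ]
    for name, answers in constructed_dns_replies:
        f.snoop_dns_reply(name, answers)
    return f


def report(f: BotnetTrafficFilter, flows: List[Tuple[str, str]]) -> List[str]:
    """Reporting: one syslog-style line per flow for a monitoring system."""
    lines = []
    for src, dst in flows:
        verdict, reason = f.classify(src, dst)
        lines.append(f"BTF {verdict.upper():9} {src} -> {dst} : {reason}")
    return lines


if __name__ == "__main__":
    demo = build_demo_filter()
    constructed_flows = [
        ("10.0.0.5", "198.51.100.10"),   # outbound to a blacklisted C2 name
        ("10.0.0.6", "198.51.100.20"),   # outbound to a whitelisted CDN
        ("10.0.0.7", "198.51.100.30"),   # no reputation data
        ("10.0.0.8", "203.0.113.77"),    # address listed directly
        ("10.0.0.9", "198.51.100.40"),   # administrator-blacklisted tracker
    ]
    print("\n".join(report(demo, constructed_flows)))
```

The reverse cache is what makes the domain blacklist useful at all: a flow carries only IP addresses, so without snooping the DNS reply that preceded it the filter could match on listed IPs alone. Note also that the cache entries are only as fresh as the last reply seen, so a real deployment has to expire them, which this toy omits.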