Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Network Security

Battling the Botnet Armies

Botnet armies have become bigger, more active and more heavily armed than ever before.  In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 201

Botnet armies have become bigger, more active and more heavily armed than ever before.  In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 2015.

Many botnets are used to launch distributed denial of service (DDoS) attacks, which are also becoming substantially stronger and more frequent. One report noted a near fourfold annual increase in global DDoS attack strength in the first quarter of this year while a report from Neustar found that 73 percent of respondents reported DDoS attacks in 2015, with 82 percent suffering repeated attacks.  Botnets are also used to launch sophisticated, insidious mass tests of stolen login details to probe systems for vulnerabilities that can be easily exploited.

This issue is being exacerbated by the wrangling of IoT devices into the hordes of infected devices being leveraged for these botnets. Recently, following an attack on security blogger Brian Krebs’ site by one of the largest DDoS attacks in recent history, it was confirmed that a massive botnet composed of routers, security cameras, printers and digital video recorder (DVRs) was responsible for leveraging the attack.

As the botnet armies step up their attacks, how can organizations better defend their networks? 

Who’s targeting you?

Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks. The first relates to websites’ and networks’ abilities to deal with the unexpected spikes in inbound traffic to your network, resulting from DDoS attacks.  Load balancing strategies based on real-world network testing can help to smooth the peaks and troughs in traffic by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even an effective load-balancing strategy can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt—and as we saw earlier, attacks are increasing in strength.

The second strategy relates to the actual security tools, such as firewalls, which focus on identifying and blocking malicious traffic. This is extremely effective, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high-capacity firewalls. Throw enough non-relevant traffic at them and the flood will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well. 

Intelligent IP filtering

Advertisement. Scroll to continue reading.

However, there is a third strategy:  preventing malicious traffic generated by botnets from reaching your firewall in the first place, by intelligently pre-filtering it. This approach dramatically reduces the strength and impact of an attack while also improving the efficiency of your firewalls and related security solutions—making it easier for them to identify threats and reducing false positive alerts. 

This can be done using a specialized gateway that continually monitors and proactively filters out IP addresses under botnet control. The gateway is fed with real-time, constantly updated threat and application intelligence feeds on known bad IP addresses—that is, addresses that are known to be infected with bots or are known to harbor malware. Then, when traffic from these known, malicious addresses is received by the gateway, it is automatically filtered out at up to 10 GB line speeds—it never touches your networks.     

This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests or are known to harbor threats.

Finding leaks

There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify bot infections already on your network that could be stealthily sending sensitive data to criminals. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically, cutting off the data leak permanently. 

Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks from botnets and stopping data leaks by existing internal bot infections. But this approach has other benefits as well.  Your existing security infrastructure and your IT teams will function more efficiently. A typical enterprise receives around 17,000 malware alerts per week, and spends $1.27 million annually tracking down false positive alerts. IP address filtering can reduce the numbers of alerts and false positives by 30 percent or more, freeing up IT teams’ resources, reducing the processing overhead on existing solutions such as firewalls, antivirus and sandboxes, and boosting the business’s ability to respond to targeted attacks.

Intelligent IP filtering using a threat intelligence gateway gives organizations policy-driven control over the traffic to and from their networks, enabling them to keep out unknown, unwanted visitors and to stop damaging data leaks from pre-existing infections. It’s a critical step in nullifying the weapons used by botnet armies.

Written By

Marie Hattar is chief marketing officer (CMO) at Keysight Technologies. She has more than 20 years of marketing leadership experience spanning the security, routing, switching, telecom and mobility markets. Before becoming Keysight’s CMO, Marie was CMO at Ixia and at Check Point Software Technologies. Prior to that, she was Vice President at Cisco where she led the company’s enterprise networking and security portfolio and helped drive the company’s leadership in networking. Marie also worked at Nortel Networks, Alteon WebSystems, and Shasta Networks in senior marketing and CTO positions. Marie received a master’s degree in Business Administration in Marketing from York University and a Bachelor’s degree in Electrical Engineering from the University of Toronto.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Malware & Threats

The NSA and FBI warn that a Chinese state-sponsored APT called BlackTech is hacking into network edge devices and using firmware implants to silently...

Cybersecurity Funding

Network security provider Corsa Security last week announced that it has raised $10 million from Roadmap Capital. To date, the company has raised $50...

Network Security

Attack surface management is nothing short of a complete methodology for providing effective cybersecurity. It doesn’t seek to protect everything, but concentrates on areas...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...

Identity & Access

Hackers rarely hack in anymore. They log in using stolen, weak, default, or otherwise compromised credentials. That’s why it’s so critical to break the...

Application Security

Fortinet on Monday issued an emergency patch to cover a severe vulnerability in its FortiOS SSL-VPN product, warning that hackers have already exploited the...

Cyberwarfare

Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet