Battling the Botnet Armies

Botnet armies have become bigger, more active and more heavily armed than ever before.  In the first quarter of 2016, attacks launched by bots reached a record high of 311 million—a 300 percent increase compared with the same period in 2015 and a 35 percent increase compared with the final quarter of 2015.

Many botnets are used to launch distributed denial of service (DDoS) attacks, which are also becoming substantially stronger and more frequent. One report noted a near fourfold annual increase in global DDoS attack strength in the first quarter of this year while a report from Neustar found that 73 percent of respondents reported DDoS attacks in 2015, with 82 percent suffering repeated attacks.  Botnets are also used to launch sophisticated, insidious mass tests of stolen login details to probe systems for vulnerabilities that can be easily exploited.

This issue is being exacerbated by the wrangling of IoT devices into the hordes of infected devices being leveraged for these botnets. Recently, following an attack on security blogger Brian Krebs’ site by one of the largest DDoS attacks in recent history, it was confirmed that a massive botnet composed of routers, security cameras, printers and digital video recorder (DVRs) was responsible for leveraging the attack.

As the botnet armies step up their attacks, how can organizations better defend their networks? 

Who’s targeting you?

Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks. The first relates to websites’ and networks’ abilities to deal with the unexpected spikes in inbound traffic to your network, resulting from DDoS attacks.  Load balancing strategies based on real-world network testing can help to smooth the peaks and troughs in traffic by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even an effective load-balancing strategy can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt—and as we saw earlier, attacks are increasing in strength.

The second strategy relates to the actual security tools, such as firewalls, which focus on identifying and blocking malicious traffic. This is extremely effective, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high-capacity firewalls. Throw enough non-relevant traffic at them and the flood will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well. 

Intelligent IP filtering

However, there is a third strategy:  preventing malicious traffic generated by botnets from reaching your firewall in the first place, by intelligently pre-filtering it. This approach dramatically reduces the strength and impact of an attack while also improving the efficiency of your firewalls and related security solutions—making it easier for them to identify threats and reducing false positive alerts. 

This can be done using a specialized gateway that continually monitors and proactively filters out IP addresses under botnet control. The gateway is fed with real-time, constantly updated threat and application intelligence feeds on known bad IP addresses—that is, addresses that are known to be infected with bots or are known to harbor malware. Then, when traffic from these known, malicious addresses is received by the gateway, it is automatically filtered out at up to 10 GB line speeds—it never touches your networks.     

This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests or are known to harbor threats.

Finding leaks

There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify bot infections already on your network that could be stealthily sending sensitive data to criminals. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically, cutting off the data leak permanently. 

Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks from botnets and stopping data leaks by existing internal bot infections. But this approach has other benefits as well.  Your existing security infrastructure and your IT teams will function more efficiently. A typical enterprise receives around 17,000 malware alerts per week, and spends $1.27 million annually tracking down false positive alerts. IP address filtering can reduce the numbers of alerts and false positives by 30 percent or more, freeing up IT teams’ resources, reducing the processing overhead on existing solutions such as firewalls, antivirus and sandboxes, and boosting the business’s ability to respond to targeted attacks.

Intelligent IP filtering using a threat intelligence gateway gives organizations policy-driven control over the traffic to and from their networks, enabling them to keep out unknown, unwanted visitors and to stop damaging data leaks from pre-existing infections. It’s a critical step in nullifying the weapons used by botnet armies.