Robot Wars - How Botnets Work
Related categories: Security | Bots
Massimiliano Romano, Simone Rosignoli, Ennio Giannini
Viewed: 9574 | Article date: 2006-03-23 17:53:58
We discuss the concept of bots and botnets, then explain how they operate and how victim computers are infected. A practical example of creating a botnet using one of the available tools is presented. We also teach how to protect a computer from being exploited by a botnet.
One of the most common and efficient DDoS attack methods is based on using hundreds of zombie hosts. Zombies are usually controlled and managed via IRC networks, using so-called botnets. Let's take a look at the ways an attacker can infect and take control of a target computer, and let's see how we can apply effective countermeasures to defend our machines against this threat.
About the Authors
Massimiliano Romano's main interests are computer science and networks. He works as a freelancer in one of the largest Italian mobile telephony companies. He spends much of his spare time on Ham Radio, studying and decoding digital radio signals. Simone Rosignoli is a student of the University La Sapienza in Rome. He is currently completing a degree in Computer Science Technologies (Systems and Security). His interests range from programming to computer security. Ennio Giannini works as a system analyst. He spends his free time experimenting in GNU/Linux environments. He is a strong supporter and promoter of Open Source.
What you will learn...
What you should know...
The late nineties and the beginning of the new millennium brought a new strategy of attack against network systems. The notorious Distributed Denial of Service (DDoS) attack was born. Many important dotcoms felt the rage. The reason why such attacks are so widespread is mainly their simplicity and the difficulty of tracking down the parties involved. This type of attack, despite our vast experience and knowledge, still represents a severe threat today, and still gives an attacker the edge. Let's see what these attacks are all about and let's look into the product of their evolution: botnet attacks.
Distributed DoS Attacks (DDoS)
A DDoS attack is a variation of a flooding DoS attack; its aim is to saturate a target network, using all the available bandwidth. Since an attacker needs a huge total bandwidth to saturate the targeted site, it is clear that the best way to launch this type of attack is to have many different hosts under control. Each host contributes its own bandwidth (e.g. PCs of ADSL users), and they are all used at once, thus distributing the attack on the target site. One of the most popular attacks performed with the TCP protocol (a connection-oriented protocol) is called TCP SYN flooding. It works by sending a large number of TCP connection requests to the same web server (or to any other type of service), overloading the server's resources and leading to its saturation, which prevents other users from opening their own connections. How simple and dangerously efficient! The same can be achieved by using the UDP protocol (a connectionless protocol). Attackers have spent a lot of time and effort on improving such attacks. We are now facing even better techniques, which differ from traditional DDoS attacks. They let malicious users control a very large number of zombie hosts from a remote workstation by using, for example, the IRC protocol.
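A defender's view of the TCP SYN flooding described above, as an added example that is not part of the original article: it counts half-open connections per listening service from `ss -tan`-style output and reports how many distinct sources they come from. The sample lines, the addresses (documentation ranges), the function names and the threshold of 5 are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample in the column layout of `ss -tan`:
# state, recv-q, send-q, local addr:port, peer addr:port.
SAMPLE = "\n".join(
    ["State Recv-Q Send-Q Local Address:Port Peer Address:Port",
     "ESTAB 0 0 192.0.2.10:22 203.0.113.5:51514",
     "SYN-RECV 0 0 192.0.2.10:22 203.0.113.9:40000"]
    # Eight half-open connections to the web server, each from a different host.
    + [f"SYN-RECV 0 0 192.0.2.10:80 198.51.100.{i}:{40000 + i}"
       for i in range(1, 9)]
)

# A connection request that was answered but never completed.
HALF_OPEN = {"SYN-RECV", "SYN_RECV"}  # spellings used by ss and netstat


def half_open_by_service(text):
    """Map local 'addr:port' -> (half-open count, set of peer IPs)."""
    stats = defaultdict(lambda: [0, set()])
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in HALF_OPEN:
            continue  # header, blank line, or a fully established state
        local, peer = fields[3], fields[4]
        peer_ip = peer.rsplit(":", 1)[0]  # strip the source port
        stats[local][0] += 1
        stats[local][1].add(peer_ip)
    return {svc: (n, peers) for svc, (n, peers) in stats.items()}


def flag_syn_flood(text, threshold=5):
    """Return [(service, half_open, distinct_sources)] at or above threshold.

    The threshold is an illustrative assumption; a real one comes from the
    service's normal baseline of half-open connections.
    """
    hits = [(svc, n, len(peers))
            for svc, (n, peers) in half_open_by_service(text).items()
            if n >= threshold]
    return sorted(hits, key=lambda h: -h[1])


if __name__ == "__main__":
    for svc, n, sources in flag_syn_flood(SAMPLE):
        print(f"{svc}: {n} half-open connections from {sources} sources")
```

A high count spread over many distinct sources is the distributed pattern the section describes; a single lingering half-open connection, like the one on port 22 in the sample, stays below the threshold.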
Copyright © 2006 by Software Developer's Journal. All rights reserved.















