A botnet is a collection of internet-connected devices, each running a single bot or a series of bots. DDoS attacks are the most common malicious use of botnets, yet bots themselves are now everywhere. Bots have become a legitimate tool for web applications and services in almost every major field, from banking to e-commerce, as consumers demand a more personal approach to their online activities: services available 24/7 that still deliver an exceptional customer experience.
But there are many cases of bots being leveraged for malicious purposes. In such cases, the “bad bots” mimic human behavior to wreak havoc on a service or to scrape information, tarnishing brands and hurting revenue. But botnets are not bots.
Who Commands the Botnet?
A botnet is a network of malware-infected computers under the control of a single attacking entity, the “bot-herder.” Threat actors command every machine in their botnet to simultaneously carry out a coordinated attack, in most cases a DDoS attack. A botnet can comprise millions of bots, which enables the perpetrator to launch attacks that were previously impossible from a single machine.
Botnets are under the control of a remote perpetrator through a mechanism referred to as Command and Control (C&C), in which each machine receives updates that change its behavior on the fly. With this ability, the “bot-herder” can rent out the botnet to other perpetrators in underground markets and forums. One of the main advantages of a botnet is harnessing the computing power of hundreds or thousands of machines. Because the attack traffic comes from so many different devices, it hides the perpetrator’s origin and makes the attack harder to block or trace.
Various reports indicate that 2022 saw a 20% increase in DDoS attacks, and most of these attacks naturally used botnets. In 2020, 25% of internet traffic was attributed to botnets, with 59% attributed to human activity. In this worrying realm, where a quarter of internet traffic is attributed to botnets, there was 200% growth in activity attributed to Emotet, a known botnet. Emotet is both a botnet and malware that can extract data, often financial, from infected devices. Emotet is operated by experienced threat actors. Although it was shut down in January 2021, the botnet returned at the beginning of 2023 and has been gradually increasing its activity since.
Are Veteran Botnets “Reliable” to DDoS Attackers?
A good example of a veteran botnet that is still a major threat is the Mirai botnet, known for co-opting IoT devices to launch DDoS attacks, and it is still affecting IoT devices today. In February 2022, there was a spike in Mirai activity exploiting a vulnerability that allowed unauthenticated remote code execution. Mirai is malware that was discovered back in 2016, and its source code has since become available to all. With new variants constantly emerging, Mirai remains a major threat in the cyber landscape. As the number of IoT devices naturally continued to rise in 2022, so did Mirai’s use by DDoS threat actors.
Mirai will most likely be the most common botnet in 2023, as manufacturers and users pay too little attention to securing IoT devices, which results in ever-larger botnets. Official reports indicate that in 2022, over 70% of mobile devices were smart devices and that 99% of mobile data originated from these smart devices. These statistics indicate a fertile battleground for DDoS threat actors, whose leading weapon of choice in 2022 was the Mirai botnet, so Mirai is here to stay. Another prime example of a veteran botnet is the Mantis botnet, which hijacked virtual machines and servers hosted by cloud companies instead of relying on low-bandwidth IoT devices.
Mantis was used in a short but record-breaking DDoS attack in June of 2022 that peaked at 26 million HTTPS requests per second. During these attacks, Mantis was still considered “small but powerful”. The botnet consisted of 5,067 devices, with each node averaging about 5,200 requests per second. In 30 seconds, it generated 212 million HTTPS requests from over 1,500 networks in 120 countries. The Mantis botnet operates a small fleet of approximately 5,000 bots but can generate a massive force and is becoming more popular as time passes.
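The reason a botnet flood is hard to block, as described above, is that each bot sends only a modest rate while the aggregate is enormous. The following added example (not code from the original post) shows this over constructed access-log lines: per-source rate limiting flags nothing when 200 sources each send 3 requests per second, while aggregate-rate and distinct-source alerts fire; the thresholds and the `<unix_ts> <client_ip> <method> <path>` log format are assumptions.

```python
# Added example: why per-source rate limits miss botnet floods while
# site-wide aggregate and source-count thresholds catch them.
from collections import Counter

PER_IP_RPS = 50       # assumed per-source rate-limit threshold
AGGREGATE_RPS = 500   # assumed site-wide alert threshold (requests/second)
SOURCE_BURST = 100    # assumed alert on distinct sources per window


def parse_line(line):
    """Parse a constructed log line: '<unix_ts> <client_ip> <method> <path>'."""
    ts, ip, _method, _path = line.split(maxsplit=3)
    return float(ts), ip


def analyse_window(lines, window_s=1.0):
    """Compute per-IP offenders and aggregate signals for one time window."""
    per_ip = Counter()
    for line in lines:
        _ts, ip = parse_line(line)
        per_ip[ip] += 1
    total_rps = sum(per_ip.values()) / window_s
    offenders = sorted(ip for ip, n in per_ip.items() if n / window_s > PER_IP_RPS)
    return {
        "total_rps": total_rps,
        "sources": len(per_ip),
        "per_ip_offenders": offenders,          # what a per-IP limiter would block
        "aggregate_alert": total_rps > AGGREGATE_RPS,
        "source_burst_alert": len(per_ip) > SOURCE_BURST,
    }


def botnet_window(bots=200, rps_per_bot=3):
    """Constructed traffic: many bots (TEST-NET-3 addresses), each at a low rate."""
    lines = []
    for b in range(bots):
        for r in range(rps_per_bot):
            lines.append(f"1700000000.{(b * rps_per_bot + r) % 1000:03d} "
                         f"203.0.113.{b} GET /login")
    return lines


def single_source_window(requests=120):
    """Constructed traffic: one noisy client, which a per-IP limiter does catch."""
    return [f"1700000000.{i:03d} 198.51.100.7 GET /login" for i in range(requests)]


if __name__ == "__main__":
    print(analyse_window(botnet_window()))
    print(analyse_window(single_source_window()))
```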
What Can You Do Against Botnet DDoS Attacks?
The only way to achieve true DDoS resilience and keep a network safe against botnet DDoS attacks is to continuously uncover blind spots and remediate the most relevant DDoS risks. To do that, a CISO must be well acquainted with the leading DDoS threats. This is why we’ve just published the full eBook on the top 5 botnets of 2023. Even with the best DDoS mitigation solution in place, every organization suffers up to 75% exposure of its dynamic DDoS attack surface. Organizations are extremely vulnerable to DDoS attacks, and a perpetrator using one of the top 5 botnets to carry out a DDoS attack will most likely succeed in the attempt. Get the eBook now to achieve true DDoS resilience.