Assignment #4

Submitted By: Raja Muhammad Ali Basharat


Submitted To: Sir Raza
Subject : CCN
Roll No : 1361
Date : 7/30/19
DDoS and Botnets
What is DDoS?
A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the normal traffic of a
targeted server, service or network by overwhelming the target or its surrounding
infrastructure with a flood of Internet traffic. DDoS attacks achieve effectiveness by utilizing
multiple compromised computer systems as sources of attack traffic. Exploited machines can
include computers and other networked resources such as IoT devices. From a high level, a
DDoS attack is like a traffic jam clogging up the highway, preventing regular traffic from
arriving at its desired destination.

How does a DDoS attack work?


A DDoS attack requires an attacker to gain control of a network of online machines in order to
carry out an attack. Computers and other machines (such as IoT devices) are infected
with malware, turning each one into a bot (or zombie). The attacker then has remote control
over the group of bots, which is called a botnet.
Once a botnet has been established, the attacker is able to direct the machines by sending
updated instructions to each bot via a method of remote control. When the IP address of a
victim is targeted by the botnet, each bot will respond by sending requests to the target,
potentially causing the targeted server or network to overflow capacity, resulting in a denial-of-
service to normal traffic. Because each bot is a legitimate Internet device, separating the attack
traffic from normal traffic can be difficult.
What are common types of DDoS attacks?
Different DDoS attack vectors target varying components of a network connection. In order to
understand how different DDoS attacks work, it is necessary to know how a network connection
is made. A network connection on the Internet is composed of many different components or
“layers”. Like building a house from the ground up, each step in the model has a different
purpose. The OSI model is a conceptual framework used to describe network
connectivity in 7 distinct layers.

While nearly all DDoS attacks involve overwhelming a target device or network with traffic,
attacks can be divided into three categories: application layer attacks, protocol attacks and
volumetric attacks. An attacker may make use of one or multiple attack vectors, or cycle through
attack vectors in response to countermeasures taken by the target.

Application Layer Attacks
The Goal of the Attack:
Sometimes referred to as a layer 7 DDoS attack (in reference to the 7th layer of the OSI model),
the goal of these attacks is to exhaust the resources of the target. The attacks target the layer
where web pages are generated on the server and delivered in response to HTTP requests. A
single HTTP request is cheap to execute on the client side, and can be expensive for the target
server to respond to as the server often must load multiple files and run database queries in
order to create a web page. Layer 7 attacks are difficult to defend as the traffic can be difficult
to flag as malicious.
Application Layer Attack Example:

HTTP Flood
This attack is similar to pressing refresh in a web browser over and over on many different
computers at once – large numbers of HTTP requests flood the server, resulting in denial-of-
service.
This type of attack ranges from simple to complex. Simpler implementations may hit one
URL from the same range of attacking IP addresses with identical referrers and user agents,
which makes them easy to fingerprint. Complex versions may use a large number of attacking
IP addresses and target random URLs with randomized referrers and user agents, so that no
single request header distinguishes the attack traffic from real browsers.
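To make the fingerprinting point concrete, here is a small detector, added for this assignment and not part of the quoted text, that profiles an access log per source IP: request rate together with how many distinct URLs and User-Agent values each source used. The log lines, IP addresses and thresholds are constructed for the example. It shows why the "simple" flood is easy to flag, and why a lone member of a distributed flood looks normal per IP until sources are grouped by network prefix.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample access log (Apache/nginx "combined" format), not real traffic:
# 198.51.100.7 hammers one URL with one User-Agent (simple flood);
# 203.0.113.* is a small distributed flood with randomised URLs and agents;
# 192.0.2.10 is an ordinary visitor.
SAMPLE_LOG = """\
198.51.100.7 - - [30/Jul/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "flood/1.0"
198.51.100.7 - - [30/Jul/2019:10:00:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "flood/1.0"
198.51.100.7 - - [30/Jul/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "flood/1.0"
198.51.100.7 - - [30/Jul/2019:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "flood/1.0"
198.51.100.7 - - [30/Jul/2019:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "flood/1.0"
203.0.113.4 - - [30/Jul/2019:10:00:00 +0000] "GET /search?q=a1 HTTP/1.1" 200 9000 "http://x.example/" "Mozilla/5.0 (A)"
203.0.113.4 - - [30/Jul/2019:10:00:01 +0000] "GET /search?q=b2 HTTP/1.1" 200 9000 "http://y.example/" "Mozilla/5.0 (B)"
203.0.113.9 - - [30/Jul/2019:10:00:01 +0000] "GET /search?q=c3 HTTP/1.1" 200 9000 "http://z.example/" "Mozilla/5.0 (C)"
192.0.2.10 - - [30/Jul/2019:10:00:00 +0000] "GET / HTTP/1.1" 200 4096 "-" "Mozilla/5.0 (X11; Linux)"
192.0.2.10 - - [30/Jul/2019:10:00:03 +0000] "GET /about HTTP/1.1" 200 3000 "http://site.example/" "Mozilla/5.0 (X11; Linux)"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def profile_sources(log_text):
    """Per source IP: request count, first/last timestamp, distinct URLs and User-Agents."""
    prof = defaultdict(lambda: {"n": 0, "first": None, "last": None, "urls": set(), "uas": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        p = prof[rec["ip"]]
        p["n"] += 1
        p["first"] = rec["ts"] if p["first"] is None else min(p["first"], rec["ts"])
        p["last"] = rec["ts"] if p["last"] is None else max(p["last"], rec["ts"])
        p["urls"].add(rec["url"])
        p["uas"].add(rec["ua"])
    return prof


def classify(prof, max_rps=1.0):
    """Label each source. Rate is computed over its observed span (at least one second).
    High rate + a single URL + a single User-Agent is the trivially fingerprintable flood;
    high rate with varied headers needs more than header matching to separate from users."""
    labels = {}
    for ip, p in prof.items():
        span = max((p["last"] - p["first"]).total_seconds(), 1.0)
        rps = p["n"] / span
        if rps > max_rps and len(p["urls"]) == 1 and len(p["uas"]) == 1:
            labels[ip] = "simple-flood"
        elif rps > max_rps:
            labels[ip] = "high-rate"
        else:
            labels[ip] = "normal"
    return labels


def aggregate_prefixes(prof):
    """Sum request counts per /24 so a distributed flood stands out as a group even when
    each member stays under the per-IP threshold."""
    agg = defaultdict(int)
    for ip, p in prof.items():
        agg[".".join(ip.split(".")[:3]) + ".0/24"] += p["n"]
    return dict(agg)
```

Running profile_sources and classify over SAMPLE_LOG flags 198.51.100.7 as a simple flood, 203.0.113.4 as high-rate, and leaves 203.0.113.9 (one request) looking normal; only aggregate_prefixes reveals that 203.0.113.0/24 as a whole produced three requests in one second.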
Protocol Attacks
The Goal of the Attack:
Protocol attacks, also known as a state-exhaustion attacks, cause a service disruption by
consuming all the available state table capacity of web application servers or intermediate
resources like firewalls and load balancers. Protocol attacks utilize weaknesses in layer 3 and
layer 4 of the protocol stack to render the target inaccessible.
Protocol Attack Example:

SYN Flood
A SYN Flood is analogous to a worker in a supply room receiving requests from the front of the
store. The worker receives a request, goes and gets the package, and waits for confirmation
before bringing the package out front. The worker then gets many more package requests
without confirmation until they can’t carry any more packages, become overwhelmed, and
requests start going unanswered.
This attack exploits the TCP three-way handshake by sending the target a large number of TCP SYN
("initial connection request") packets, usually with spoofed source IP addresses. The target
answers each one with a SYN-ACK and holds a half-open entry in its connection (SYN backlog)
table while it waits for the final ACK of the handshake. Because the spoofed sources never sent
the SYN, that ACK never arrives, and the table fills up until legitimate connection attempts are
dropped.
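The following model, added here as an illustration and not code from the original text, simulates the half-open connection table described above and shows the exhaustion: a tiny backlog, a spoofed flood, and a legitimate SYN that is dropped. It then shows the standard countermeasure, SYN cookies, in which the server encodes a MAC of the connection parameters in its SYN-ACK sequence number instead of storing state, so only a client that actually received the SYN-ACK can complete the handshake. The key, addresses, ports and backlog size are constructed for the demo.

```python
import hashlib
import hmac
import random
import struct

BACKLOG = 4           # tiny SYN backlog so exhaustion is visible (real kernels use hundreds or more)
SYN_TIMEOUT = 60.0    # seconds a half-open entry is held before the server gives up on it


def ip_bytes(ip):
    """Dotted-quad IPv4 string to 4 bytes."""
    return bytes(int(o) for o in ip.split("."))


class StatefulListener:
    """Classic TCP listener: every SYN allocates a SYN-RECEIVED entry that lives until
    the handshake's final ACK arrives or the entry times out."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}          # (src_ip, src_port) -> expiry time

    def on_syn(self, src, now):
        self.half_open = {k: t for k, t in self.half_open.items() if t > now}   # expire old entries
        if len(self.half_open) >= self.backlog:
            return False             # table full: SYN dropped, no SYN-ACK sent
        self.half_open[src] = now + SYN_TIMEOUT
        return True                  # SYN-ACK sent, state held

    def on_ack(self, src, now):
        """Final ACK: the entry is released and the connection is established."""
        return self.half_open.pop(src, None) is not None


COOKIE_KEY = b"constructed-demo-key"   # hypothetical secret; a kernel uses random per-boot keys


def syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now, key=COOKIE_KEY):
    """Stateless alternative: the SYN-ACK sequence number is a 32-bit MAC over the
    4-tuple, the client's ISN and a 64-second time counter. Nothing is stored."""
    window = int(now) >> 6
    msg = struct.pack("!4s4sHHII", ip_bytes(src_ip), ip_bytes(dst_ip),
                      src_port, dst_port, client_isn, window)
    return int.from_bytes(hmac.new(key, msg, hashlib.sha256).digest()[:4], "big")


def verify_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, ack, now, key=COOKIE_KEY):
    """The real client echoes cookie+1 in its ACK; recompute for the current and previous
    window. A spoofed source never saw the SYN-ACK, so it cannot produce a valid ACK."""
    expected = (ack - 1) & 0xFFFFFFFF
    return any(syn_cookie(src_ip, src_port, dst_ip, dst_port, client_isn, now - d, key) == expected
               for d in (0, 64))


def demo_flood(n_spoofed=1000):
    """Return (stateful_accepts_legit, cookie_accepts_legit) after a spoofed SYN flood."""
    now = 1_000_000.0
    rng = random.Random(1)
    listener = StatefulListener()
    for _ in range(n_spoofed):      # spoofed sources: the SYN-ACKs go to hosts that never reply
        listener.on_syn((f"203.0.113.{rng.randrange(256)}", rng.randrange(1024, 65535)), now)
    legit = ("192.0.2.10", 40000)
    stateful_ok = listener.on_syn(legit, now)      # False: backlog exhausted by half-open entries

    # Stateless path: the server answers every SYN with a cookie and stores nothing.
    client_isn = 0x12345678
    cookie = syn_cookie(legit[0], legit[1], "198.51.100.1", 443, client_isn, now)
    cookie_ok = verify_cookie(legit[0], legit[1], "198.51.100.1", 443, client_isn,
                              cookie + 1, now + 5.0)   # the real client's ACK arrives a bit later
    return stateful_ok, cookie_ok
```

demo_flood() returns (False, True): the stateful listener drops the legitimate SYN because the backlog is full of half-open entries from spoofed sources, while the cookie-based listener still completes the legitimate handshake. Real SYN cookies trade away some TCP options carried in the SYN, which is why kernels enable them only under backlog pressure.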
Volumetric Attacks
The Goal of the Attack:
This category of attacks attempts to create congestion by consuming all available bandwidth
between the target and the larger Internet. Large amounts of data are sent to a target by using
a form of amplification or another means of creating massive traffic, such as requests from a
botnet.
Amplification Example:

DNS Amplification
A DNS Amplification is like if someone were to call a restaurant and say “I’ll have one of
everything, please call me back and tell me my whole order,” where the callback phone number
they give is the target’s number. With very little effort, a long response is generated.
The attacker sends a request to an open DNS resolver with a spoofed source IP address (the real
IP address of the target), so the resolver sends its response to the target rather than back to the
attacker. The attacker structures the request (for example by asking for a name or record type with
a large answer and advertising a large EDNS0 UDP buffer) so that the resolver responds with far more
data than the query contained. As a result, the target receives an amplified version of the
attacker's initial query. Two conditions make this possible: UDP has no handshake, so the resolver
takes the source address at face value, and the attacker's network does not filter spoofed source
addresses (ingress filtering as described in BCP 38 would drop them).
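As an added example, not from the original text, the code below builds the kind of query an amplification attack relies on, in DNS wire format by hand, so the size asymmetry is visible: a 40-byte question for type ANY with an EDNS0 OPT record advertising a 4096-byte UDP buffer, set against a response of that size. The domain name, transaction ID and response size are assumed values. The bandwidth amplification factor counts the IPv4 and UDP headers on both sides, since that is what the victim's link carries.

```python
import struct

QTYPE_ANY, QCLASS_IN, TYPE_OPT = 255, 1, 41
IPV4_UDP_OVERHEAD = 28            # 20-byte IPv4 header + 8-byte UDP header per datagram


def encode_name(name):
    """'example.com' -> b'\\x07example\\x03com\\x00' (DNS label wire format)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=QTYPE_ANY, edns_bufsize=4096, txid=0x1234):
    """One-question DNS query. With EDNS0, the OPT record's CLASS field advertises how
    large a UDP answer the sender accepts; that is what lets a ~40-byte question draw a
    multi-kilobyte UDP response instead of the classic 512-byte limit."""
    arcount = 1 if edns_bufsize else 0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, arcount)     # RD=1, QDCOUNT=1
    question = encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)
    # OPT RR: root name (1 byte), TYPE=41, CLASS=UDP payload size, TTL=0 (ext RCODE/flags), RDLEN=0
    opt = (b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_bufsize, 0, 0)) if edns_bufsize else b""
    return header + question + opt


def parse_header(pkt):
    """Decode the fixed 12-byte DNS header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", pkt[:12])
    return {"id": txid, "is_response": bool(flags >> 15), "qdcount": qd,
            "ancount": an, "nscount": ns, "arcount": ar}


def advertised_udp_size(query):
    """Largest UDP response the query invites: 512 without EDNS0, else the OPT CLASS field."""
    if parse_header(query)["arcount"] == 0:
        return 512
    opt = query[-11:]                    # trailing OPT RR: name(1) type(2) class(2) ttl(4) rdlen(2)
    rtype, rclass = struct.unpack("!HH", opt[1:5])
    return rclass if opt[0] == 0 and rtype == TYPE_OPT else 512


def amplification_factor(query, response_len):
    """Bandwidth amplification factor on the wire. The attacker pays for the small side
    (the spoofed query); the victim receives the large side (the reflected answer)."""
    return (response_len + IPV4_UDP_OVERHEAD) / (len(query) + IPV4_UDP_OVERHEAD)
```

For build_query("example.com") the datagram is 40 bytes of DNS payload (68 on the wire); a 4096-byte answer gives a factor of roughly 60. Dropping the OPT record caps the UDP answer at 512 bytes, which is one reason resolver operators rate-limit or refuse ANY queries and why recursion should not be open to the whole Internet.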
What is the process for mitigating a DDoS attack?
The key concern in mitigating a DDoS attack is differentiating between attack and normal traffic.
For example, if a product release has a company’s website swamped with eager customers,
cutting off all traffic is a mistake. If that company suddenly has a surge in traffic from known
bad actors, efforts to alleviate an attack are probably necessary. The difficulty lies in telling apart
the real customer traffic and the attack traffic.
In the modern Internet, DDoS traffic comes in many forms. The traffic can vary in design from
un-spoofed single source attacks to complex and adaptive multi-vector attacks. A multi-vector
DDoS attack uses multiple attack pathways in order to overwhelm a target in different ways,
potentially distracting mitigation efforts on any one trajectory. An attack that targets multiple
layers of the protocol stack at the same time, such as a DNS amplification (targeting layers 3/4)
coupled with a HTTP flood (targeting layer 7) is an example of multi-vector DDoS.
Mitigating a multi-vector DDoS attack requires a variety of strategies in order to counter
different trajectories. Generally speaking, the more complex the attack, the more likely the
traffic will be difficult to separate from normal traffic - the goal of the attacker is to blend in as
much as possible, making mitigation as inefficient as possible. Mitigation attempts that involve
dropping or limiting traffic indiscriminately may throw good traffic out with the bad, and the
attack may also modify and adapt to circumvent countermeasures. In order to overcome a
complex attempt at disruption, a layered solution will give the greatest benefit.
Black Hole Routing
One solution available to virtually all network admins is to create a blackhole route and funnel
traffic into that route. In its simplest form, when blackhole filtering is implemented without
specific restriction criteria, both legitimate and malicious network traffic is routed to a null
route or blackhole and dropped from the network. If an Internet property is experiencing a
DDoS attack, the property's Internet service provider (ISP) may send all the site's traffic into a
black hole as a defense, typically by announcing the victim's address over BGP with a community
that triggers the null route upstream (remotely triggered black hole, RTBH). Because this discards
the victim's legitimate traffic along with the attack, it completes the attacker's goal for that
address; its value is in protecting the rest of the network and the upstream links.

Rate Limiting
Limiting the number of requests a server will accept from a client over a certain time window is also
a way of mitigating denial-of-service attacks. While rate limiting is useful in slowing web scrapers
from stealing content and in mitigating brute-force login attempts, on its own it will likely be
insufficient against a complex DDoS attack: a distributed flood can keep every individual source
under the per-client threshold. Nevertheless, rate limiting is a useful component in a layered
DDoS mitigation strategy.
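Here is a sliding-window rate limiter, added as a worked example and not from the original text, together with two constructed request streams: the same 50 requests within one second from a single source, and from 50 different sources. Keyed per client IP it stops the first and passes the second untouched; keyed per /24 prefix it stops both, at the cost of also limiting any legitimate users who share that prefix. The limit, window, addresses and timestamps are assumptions for the demonstration.

```python
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` requests per `key` in any trailing `window` seconds.
    Exact sliding log: one timestamp per accepted request, so memory is bounded by
    `limit` per key."""

    def __init__(self, limit, window):
        self.limit, self.window = limit, window
        self.hits = defaultdict(deque)

    def allow(self, key, now):
        q = self.hits[key]
        while q and q[0] <= now - self.window:   # drop hits that have aged out of the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def run(requests, limit=10, window=1.0, key_fn=lambda ip: ip):
    """requests: iterable of (timestamp, client_ip). Returns (accepted, rejected)."""
    limiter = SlidingWindowLimiter(limit, window)
    accepted = rejected = 0
    for ts, ip in requests:
        if limiter.allow(key_fn(ip), ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def single_source_flood(n=50):
    """Constructed: n requests spread over one second from one host."""
    return [(i / n, "198.51.100.7") for i in range(n)]


def distributed_flood(n=50):
    """Constructed: the same n requests, each from a different host in one /24."""
    return [(i / n, f"203.0.113.{i}") for i in range(n)]


def prefix24(ip):
    """Coarser key: rate-limit a whole /24 rather than each address."""
    return ".".join(ip.split(".")[:3])
```

run(single_source_flood()) returns (10, 40); run(distributed_flood()) returns (50, 0), which is the limitation the text describes; run(distributed_flood(), key_fn=prefix24) returns (10, 40) again, but would equally throttle real users behind a carrier NAT in that prefix. Rate limiting is one layer, not the whole defence.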
Web Application Firewall
A Web Application Firewall (WAF) is a tool that can assist in mitigating a layer 7 DDoS attack. By
putting a WAF between the Internet and an origin server, the WAF acts as a reverse proxy,
protecting the targeted server from certain types of malicious traffic. By filtering requests based
on a series of rules used to identify DDoS tools, layer 7 attacks can be impeded. One key value
of an effective WAF is the ability to quickly implement custom rules in response to an attack.
Anycast Network Diffusion
This mitigation approach uses an Anycast network to scatter the attack traffic across a network
of distributed servers to the point where the traffic is absorbed by the network. Like channeling
a rushing river down separate smaller channels, this approach spreads the impact of the
distributed attack traffic to the point where it becomes manageable, diffusing any disruptive
capability.
The reliability of an Anycast network to mitigate a DDoS attack is dependent on the size of the
attack and the size and efficiency of the network. An important part of the DDoS mitigation
implemented by Cloudflare is the use of an Anycast distributed network. Cloudflare has a 25
Tbps network, which at the time of writing is an order of magnitude greater than the largest DDoS
attack recorded.

What is Botnet?
A botnet is a collection of internet-connected devices, which may include PCs, servers, mobile
devices and internet of things devices that are infected and controlled by a common type
of malware. Users are often unaware of a botnet infecting their system.
Infected devices are controlled remotely by threat actors, often cybercriminals, and are used
for specific functions, so the malicious operations stay hidden to the user. Botnets are
commonly used to send email spam, engage in click fraud campaigns and generate malicious
traffic for distributed denial-of-service attacks.
How botnets work
The term botnet is derived from the words robot and network. A bot in this case is a device
infected by malware, which then becomes part of a network, or net, of infected devices
controlled by a single attacker or attack group.
The botnet malware typically looks for vulnerable devices across the internet, rather than
targeting specific individuals, companies or industries. The objective for creating a botnet is to
infect as many connected devices as possible, and to use the computing power and resources
of those devices for automated tasks that generally remain hidden to the users of the devices.
For example, an ad fraud botnet that infects a user's PC will take over the system's web
browsers to divert fraudulent traffic to certain online advertisements. However, to stay
concealed, the botnet won't take complete control of the web browsers, which would alert the
user. Instead, the botnet may use a small portion of the browser's processes, often running in
the background, to send a barely noticeable amount of traffic from the infected device to the
targeted ads.
On its own, that fraction of bandwidth taken from an individual device won't offer much to the
cybercriminals running the ad fraud campaign. However, a botnet that combines millions of
devices will be able to generate a massive amount of fake traffic for ad fraud, while also
avoiding detection by the individuals using the devices.
Botnet architecture
Botnet infections are usually spread through malware, such as a Trojan horse. Botnet malware
is typically designed to automatically scan systems and devices for common vulnerabilities that
haven't been patched, in hopes of infecting as many devices as possible. Botnet malware may
also scan for ineffective or outdated security products, such as firewalls or antivirus software.
Once the desired number of devices is infected, attackers can control the bots using two
different approaches. The traditional client/server approach involves setting up a command-
and-control (C&C) server and sending automated commands to infected botnet clients through
a communications protocol, such as internet relay chat (IRC). The bots are often programmed
to remain dormant and await commands from the C&C server before initiating any malicious
activities.

The other approach to controlling infected bots involves a peer-to-peer network. Instead of
using C&C servers, a peer-to-peer botnet relies on a decentralized approach. Infected devices
may be programmed to scan for malicious websites, or even for other devices in the same
botnet. The bots can then share updated commands or the latest versions of the botnet
malware.
The peer-to-peer approach is more common today, as cybercriminals and hacker groups try to
avoid detection by cybersecurity vendors and law enforcement agencies, which have often used
C&C communications as a way to monitor for, locate and disrupt botnet operations.
Notable botnet attacks

Zeus
The Zeus malware, first detected in 2007, is one of the best-known and widely used malware
types in the history of information security.
Zeus uses a Trojan horse program to infect vulnerable devices and systems, and variants of this
malware have been used for various purposes over the years, including to spread
CryptoLocker ransomware.
Initially, Zeus, or Zbot, was used to harvest banking credentials and financial information from
users of infected devices. Once the data was collected, attackers used the bots to send out
spam and phishing emails that spread the Zeus Trojan to more prospective victims.
In 2009, cybersecurity vendor Damballa estimated Zeus had infected 3.6 million hosts. The
following year, the FBI identified a group of Eastern European cybercriminals who were
suspected to be behind the Zeus malware campaign; the FBI later made more than 100 arrests
in the U.S. and Europe.
The Zeus botnet was repeatedly disrupted in 2010, when two internet service providers that
were hosting the C&C servers for Zeus were shut down. However, new versions of the Zeus
malware were later discovered.

Srizbi
The Srizbi botnet, which was first discovered in 2007, was, for a time, the largest botnet in the
world. Srizbi, also known as the Ron Paul spam botnet, was responsible for a massive amount of
email spam -- as much as 60 billion messages a day, accounting for roughly half of all email
spam on the internet at the time. In 2007, the Srizbi botnet was used to send out political spam
emails promoting then-U.S. Presidential candidate Ron Paul.
The botnet used a Trojan to infect users' computers, which were then used to send out spam.
Experts estimated that the Srizbi botnet included approximately 450,000 infected systems.
The cybercriminals behind Srizbi used San Jose, Calif.-based hosting provider McColo for the
botnet's C&C infrastructure. The botnet's activity ceased when McColo, which was discovered
to be hosting other botnet and spam operations, as well, was shut down in 2008.
Gameover Zeus
Approximately a year after the original Zeus botnet was disrupted, a new version of the Zeus
malware emerged, known as Gameover Zeus.
Instead of relying on a traditional, centralized C&C operation to control bots, Gameover Zeus
used a peer-to-peer network approach, which initially made the botnet harder for law
enforcement and security vendors to pinpoint and disrupt. When the peer-to-peer network was
unreachable, infected bots fell back to a domain generation algorithm (DGA) to locate their
controllers.
The Gameover Zeus botnet would generate domain names to serve as communication points
for infected bots. An infected device would randomly select domains until it reached an active
domain that was able to issue new commands. Security firm Bitdefender reported two versions
of Gameover Zeus, one of which generated 1,000 new domains, and the other which generated
10,000 new domains each day.
In 2014, international law enforcement agencies took part in Operation Tovar to temporarily
disrupt Gameover Zeus by identifying the domains used by the cybercriminals, and then
redirecting bot traffic to government-controlled servers.
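To show what "identifying the domains" involves, the block below is an illustrative date-seeded DGA added for this assignment; it is not Gameover Zeus's actual algorithm, and the seed, label lengths and TLD list are invented. It shows both sides: the bot walking the day's candidate list until one domain answers, and the defender who, having recovered the algorithm and seed from a malware sample, pre-computes the coming days' domains so they can be registered or blocked and pointed at a sinkhole before the operator uses them.

```python
import hashlib
from datetime import date, timedelta

SEED = b"constructed-demo-seed"   # hypothetical constant; the real botnet's seed and algorithm differ
TLDS = ("com", "net", "org", "biz", "info")


def dga(day_iso, count=1000, seed=SEED):
    """Illustrative date-seeded DGA: SHA-256(seed || day || index) -> 'label.tld'.
    Every bot holding the same seed derives the same list for the same day."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day_iso.encode() + i.to_bytes(4, "big")).digest()
        length = 12 + digest[0] % 8                                   # 12..19 letter labels
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[31] % len(TLDS)]}")
    return domains


def bot_find_c2(day_iso, live_domains, count=1000):
    """Bot side: try the day's candidates in order until one 'resolves' to a controller.
    `live_domains` stands in for DNS: the set of names the operator actually registered."""
    return next((d for d in dga(day_iso, count) if d in live_domains), None)


def sinkhole_plan(start_iso, days, count=1000):
    """Defender side, as in Operation Tovar: with the algorithm and seed recovered from a
    sample, pre-compute the next `days` of domains so they can be registered or blocked
    and bot traffic redirected to a sinkhole before the operator uses them."""
    start = date.fromisoformat(start_iso)
    return {(start + timedelta(n)).isoformat(): dga((start + timedelta(n)).isoformat(), count)
            for n in range(days)}
```

The operator only has to register one of the day's thousand names for bots to find it; the defender has to pre-empt all of them, every day, which is why such takedowns need registrar and court cooperation and why the text calls the disruption temporary.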
The FBI also offered a $3 million reward for Russian hacker Evgeniy Bogachev, who is accused of
being the mastermind behind the Gameover Zeus botnet. Bogachev is still at large, and new
variants of Gameover Zeus have since emerged.

Methbot
An extensive cybercrime operation and ad fraud botnet known as Methbot was revealed in
2016 by cybersecurity services company White Ops. According to its researchers, Methbot
was at that time generating between $3 million and $5 million in fraudulent ad revenue daily by
producing fraudulent clicks for online ads, as well as fake views of video advertisements.
Instead of infecting random devices, the Methbot campaign was run on approximately 800-1,200
dedicated servers in data centers located in both the U.S. and the Netherlands. The campaign's
operational infrastructure included 6,000 spoofed domains and more than 850,000 dedicated
IP addresses, many of which were falsely registered as belonging to legitimate U.S.-based
internet service providers.
These servers could produce fake clicks and mouse movements, as well as forge social
media account logins, to appear as legitimate users and fool conventional ad fraud detection
techniques. In an effort to disrupt the monetization scheme for Methbot, White Ops published
a list of the spoofed domains and fraudulent IP addresses to alert advertisers and enable them
to block the addresses.

Mirai
Several powerful, record-setting distributed denial-of-service (DDoS) attacks were observed in
late 2016, and they were later traced to a new family of malware known as Mirai. The DDoS traffic
was produced by a variety of connected devices, such as wireless routers and CCTV cameras.
Mirai malware is designed to scan the internet for insecure connected devices, while also
avoiding IP addresses belonging to major corporations, like Hewlett-Packard and government
agencies, such as the U.S. Department of Defense.
Once it identifies an insecure device, the malware tries to log in (typically over Telnet) with a
short built-in list of factory-default usernames and passwords used by manufacturers; working
through that list is the extent of its brute forcing. Once a device is compromised, it connects to
C&C infrastructure and can direct varying amounts of traffic toward a DDoS target.
Devices that have been infected are often still able to continue functioning normally, making it
difficult to detect Mirai botnet activity from a specific device. For some internet of things (IoT)
devices, such as digital video recorders, the factory password is hard coded in the device's
firmware, and many devices cannot update their firmware over the internet.
The Mirai source code was later released to the public, allowing anyone to use the malware to
compose botnets leveraging poorly protected IoT devices.

Preventing botnet attacks


In the past, botnet attacks were disrupted by focusing on the command-and-control source.
Law enforcement agencies and security vendors would trace the bots' communications to
wherever the C&C servers were hosted, and then force the hosting or service provider to shut
them down.
