You are here: Home > Publications > RIPE Labs > SeyedAlireza Vaziri > Botnets: As We See Them in 2017

Botnets: As We See Them in 2017

SeyedAlireza Vaziri — 02 Aug 2017
Year after year, botnets make impressive progress over counter-attack methods. Botmasters have deployed encryption and P2P connectivity to bots and we are always a step behind.


The Distributed Denial of Service (DDoS) attack is one of the most abusive types of intrusion I have encountered during my career. As a network/system engineer, I had to defend my network's infrastructure, servers and services from an outage - a battle that I lost most of the time. Last year, I started to study botnets as internal and external threats, and those studies have helped me to understand them better and get a sense of how to fight them. 

Botnets are those infected machines and Internet-connected devices around the globe that are under the control of a person called a "botmaster". Botmasters use those bots to attack others, send spam and distribute malware over the Internet. These botnets are companies' worst nightmare in the matter of service availability. A couple of bitcoins could buy a large scale bandwidth saturation attack from a botmaster, which will hit the victim's infrastructure hard enough to cause a massive disruption for its eligible users.

No one likes those moments that a large scale DDoS hits the infrastructure and there is no other solution than blackholing the victim's IP addresses. The attacker's goal was to disrupt the service and he has conquered what he was looking for. 

The battle we always lose

Fighting against botnets has its long history and the methodology has evolved as botnets revolved. In the early days, the counter-attack method was to interrupt the bot's Command and Control (CnC) connection to the botmaster, which most of the time was on an IRC channel. This was like fighting a single-headed dragon and, fortunately, the beast goes down if the head is down.

Nowadays the beast is polycephalic, a multi-headed botnet that uses redundant connectivity paths to make sure the whole botnet doesn't go down with a single point of failure. Sadly, you chop off the first head and another appears. Tracking the botmaster is literally impossible and connection interruption to CnC is no longer useful.

Most security appliances use Intrusion Detection/Prevention System (IDPS) techniques to block malicious traffic, as they know what a malicious packet looks like (packet signature) by looking at it or its content. Security experts came to fight botnet traffic with signature-based IDPS methodology, which was successful in its time, but the main problem with this type of prevention is that it has to catch the bot payload to find its packet signature, then it can block the malicious traffic, which puts service providers a step behind the attacker.

Botmasters deployed encryption and obfuscation to their bot communication to make us blind to what goes along the wire. The obfuscation is taking place in the command and control layer: the botmaster sends "good morning" to bots, which means "do a SYN scan on your broadcast domain". Under which circumstance could you guess what the botmaster means by "good morning", or identify whether it is malicious traffic?

How to fight

The question I encounter every time is, "how do we fight the botnets?". I suppose most people are talking about the bots that are attacking their infrastructure, but how about the bots residing in your network and attacking others? 

Fighting against botnets is not one simple, straight path. In order to defeat botnets in the real world, we have to see the big picture, not the attack that we encountered last night.

Close to the source

Most network operators are not aware of bots that reside in their network, so it is a good idea to start from our own networks to find a possible infected machine and block its outbound malicious traffic.

Modern botnets are trying to spread themselves as wide as they can, so you will see massive intrusion logs from an insider bot that is trying to inject itself into other machines. One of the simplest ways to catch infected machines is to deploy honeypot on a large scale in your network, but honeypots are hard to maintain and manage.

MHN is a very simple solution to deploy a distributed honeynet in your network. It gathers logs from honeypots that it has deployed and returns useful results on its web-based management interface. Deploying a honeynet across the network needs computing resources which might cost you an extra thousand euros if you don't have that type of infrastructure. Raspberry Pi is here to help you with the cost and ease of deployment. RPi is a USD 25 credit card-sized computer, powered by an ARM-based CPU with various Linux distros, and is available with zero configuration and installation effort.

Defending the castle

As I mentioned earlier, most of us are looking forward to a method that can distinguish malicious traffic from eligible traffic. A dozen types of DDoS attacks have been identified so far, but every time there is a new complicated traffic which is harder to identify. Mainstream methods like IDPS and Deep Packet Inspection (DPI) are resource-hungry and costly. However, most of the enterprise firewall owners have to wait for the vendors to get the signature update which, most of the time, is based on generic attacks and is not crafted for the specific attack that has hit those networks. You might need to ask your upstream provider to scrub traffic flow to make sure that no malicious traffic is going toward your infrastructure, but it is costly and might affect your network performance.

What is the proper way?

Botnet detection methods have been heavily researched recently, and there is not a single comprehensive solution to this problem. Researchers have, however, come up with an idea to use deep machine learning as a method to defend networks from botnets in a supervised manner. They have started to study recent botnet attacks to find out how they communicate with other hosts and how they attack victims by the commands they receive from their botmaster. Studying botnet activities will help you find out how the bot is generating packets at the time of the DDoS. Tools like BotHunter and BotMiner have helped to detect existing bots, but they are not perfect in every aspect.

NetFlow has been used for traffic identification of malicious network activities. As far as NetFlow is not abusive to resources comparing to DPI methods, it can open up a new chapter in traffic detection as most of the protocols and services are using encryption to protect privacy and most of the current methods are unable to identify encrypted traffic. NetFlow could be used as an egress and ingress traffic identification tool while its data could be mined for pattern recognition and machine learning.

BotFinder uses the same method to detect internal infected machines and it has been around for a couple of years with high detection rates, but there is a lack of an "unusual traffic detection system" that improves itself as it studies NetFlow datasets with the help of deep machine learning techniques and a distributed honeypot, so it could detect low bandwidth DDoS attacks and botnet attacks, and identify infected machine encrypted traffic based on pattern recognition. Hopefully, AI is going to find its way into network security.


Fighting botnets in real world scenarios is not something straightforward, so you might encounter a vague situation which might lead your network to a massive outage and find your expensive firewall does not help you as much as the cost implied. It is the time to deploy modern techniques to fighting botnets.

I strongly encourage you to start deploying a distributed honeypot in different layers of your network and use MHN as an aggregator tool. It supports REST API and can make a list of infected machines to help you block them with firewall rules or access lists, as most of the modern network devices support REST.

NetFlow has helped engineers to get a better sense of what is going on in their network and recently has been used for traffic detection. My experience with NetFlow detection technique is limited and so far I have been successful in detecting most variants of current botnets with NetFlow data. I'm trying to mix honeypots, NetFlow and deep machine learning to stop botnets, so if you have done something great tell me in the comments below how you have fought botnets so far.

If you are interested in fighting botnets, send me an email on alireza dot vaziri at gmail dot com.


Add comment

You can add a comment by filling out the form below. Comments are moderated so they won't appear immediately. If you have a RIPE NCC Access account, we would like you to log in.