Botnets / DDoS
Last Updated on Sunday, 29 November 2009 10:23 Written by DarkKnightH20 Monday, 3 August 2009 04:56
What is DoS/DDoS?
DoS stands for Denial of Service. As the name states, it’s a condition in which an application or service becomes unavailable, hence denial of service. This condition can be induced through many ways, such as bad programming, which often leads to vulnerabilities that cause CPU usage to skyrocket, as well as crashing, lag, and freezing. For our article’s purpose, we’ll count DoS-like conditions as being achieved through more common means–through the flooding of packets.
So…We’ve got DoS down, but what is DDoS?
DDoS, or Distributed Denial of Service, uses DoS methods, but expands on the concept by making many computers at once attack the target. DDoS, however, focuses on flooding the victim’s port(s) to (A) Lag them (B) Crash them (C) Stop legitimate traffic from reaching the port/service. Though individual computers can be DDoS’ed, websites and IRC servers are primary targets.
DDoS can be a group effort done by friends, or, most commonly, through a botnet. A botnet has usually one commander that talks to all the “friendly” computers to tell them what to do. Called “bots”, these computers are often infected with a “backdoor” that allows the commander of the botnet to easily execute commands, download/execute files, etc. Majority of the time, these computers don’t even know they’re infected with a backdoor.
How are the bots controlled?
They can be controlled through a variety of ways. However, the most common method is through IRC. Each infected computer connects to an IRC server and joins a channel (that’s likely password protected). The commander logs in to the bots through writing a command to the room, and then does as he/she wishes, often issueing commands to initiate a DDoS on a remote target.
What type of flooding methods are there?
There are many different flooding methods that can be used–
How are botnets made?
Botnets are created through many ways. Sometimes, people bind a botnet client to another exe, then send it to people or post it on websites (usually in the disguise of a hack). Spam in email inbox’s can contain these files as well. However, using vulnerabilities is the most preferred way. Some use internet browser exploits or email software vulnerabilities to cause the automatic downloading (and executing) of a file (i.e. bot client/backdoor). Some use Instant Messaging (IM) software (including IRC and other chatting software). However, OS vulnerabilities are the most commonly used. Worms are created to exploit these vulnerabilities and often spread bots (and the worm) while doing so. This creates a nice army for a botnet. In fact, many botnets are self-spreading. A plugin is simply installed on the clients (pre-installed or installed via an update through a bot command) that allows allows for scanning and exploiting of IP ranges. When victims are found, these self-spreading bots pass themselves along, creating a rising army. However, self-spreading bots is a nice way of getting bots destroyed. A raise in suspicion is caused by this and leaves a long trail of activity leading to the owner.
Other uses of a Botnet
Botnets don’t have to be used only for flooding. They can be used for spamming (E-mail, forums, IM, Net Sending, etc.) and cracking/bruteforcing passwords, which can significantly cut down the time it takes for a successful crack. They can also be used to crack encryptions, a very useful concept for those who do not have their own super computers. They can be used to P2P files, as well as distribute files in general as well.
Disadvantages of a Botnet
Generally speaking, paper trails are left with a botnet. When performing an attack on a website for example, server logs capture loads of data that can be used to find the attacker. Even personal computers have firewalls to grab IP addresses that they can report to their ISP, of which is likely to have a much better log of the attack. If you’re adept in the field of security, then keep this in mind if a “friend” of yours attacks you with a botnet — bots are commonly created through infecting a computer that lacks security updates. If that computer was so easily infected with a backdoor, chances are, that you too may be able to hack it and grab the bot client. After doing so, you can do a number of things, such as send a copy to your ISP/authorities or even reverse engineer it to grab the password/server info/etc. If you get the username and password, you may in fact be able to hijack the entire botnet (or break it up). Packet sniffing can even grab this data for you.
Bots should be packed, encoded, or altered a lot to avoid detection. Custom-made clients are the most undetectable type, however, as attempts to avoid detection can also RAISE detection (i.e. most virus scanners recognize packers such as UPX). To avoid firewall detection, bots should add their server’s IP to the firewall’s “trusted” or “accepted” list. Bots should also have a login system of their own so that they’re unusuable by anybody other than the person logging in to them. If the bots communicate with the owner through an IRC server (or even other means of communication), then a backup server should be available for them to connect to incase the server is ever down . Also, if using a public IRC server to communicate, bots should not have random names derrived from random letters and numbers. A dictionary list should be used to avoid suspicion, as well as fake version info (i.e. they use random versions of mIRC), and join a secret, password-protected channel.
Protecting Against Bots
People should update their OS with the latest patches to avoid being infected through worms and vulnerabilities, while also avoiding unfamiliar websites, odd emails, and making sure to have the latest anti-virus protection (and definitions). Firewalls should be used (hardware and software) to increase security.
How to Protect from a Botnet Attack
Protecting yourself can be difficult and often happens before you get the chance to do much about it. A great computer with a great internet connection can take a beating without issues depending on the size of the botnet. If you have a server, a backup computer or connection that kicks in if the primary server/connection is having issues is a great fail switch. Blocking the IP of the attacking computers is helpful, but still requires your computer to work itself a bit, as it has to look at the IP still, then ignore it. Plus, IPs can be spoofed (changed to show a different IP). Filtering has the same issue. If being DDoSed/DoSed on your home computer, you can call your ISP and request a new IP address. If you have a dynamic IP, then simply disconnect and wait for a new IP (release and renew via IPConfig can do this usually). Also, there are services offered online for those who wish to protect their website form DDoS attacks, as well as server applications to help with the load.
Most bots are coded in C++ and are more known to infect Windows users. However, Java bots that work on Windows, Mac, and Linux/Unix aren’t entirely uncommon.
When a new big vulnerability is out, a botnet is likely to be using it relatively soon. Sometimes though, bots use unknown vulnerabilities. When this is the case, they’re eventually discovered, reverse-engineered, then dissected until the exploit is found and an attempted patch is made.
Botnets can spread through networks too. Though I have not seen this done yet, bots can be given the ability to spread through wireless access points, especially if the acess point is insecure.
Note: I do not support the creation of botnets. They’re illegal.
Incoming search terms:
- how to make a botnet for ddos
- botnet ddos
- how to make ddos botnet
- how to create botnet
- botnet ddos скачать
- how to create a botnet