We have previously written about the state of DDoS attacks and how attacker behaviour is changing. Attacks are becoming not only more powerful but also more sophisticated. Here we look at promising countermeasures and at how information security specialists shut such activity down.
Faster, wider, stronger
In January, participants in the World Economic Forum in Davos warned that the world is in for a "perfect cyberstorm" driven by growing botnet activity. The first quarter of 2023 then saw the largest DDoS attack recorded to date: it peaked at more than 71 million requests per second (the previous record was 46 million).
At the same time, botnets are becoming stealthier. Last year engineers at the cybersecurity company Mandiant uncovered UNC3524, a network used for corporate espionage. Its operators kept their activity hidden for 18 months, whereas large-scale malicious activity is usually noticed within about twenty days. UNC3524 stayed under the radar because its backdoors were planted only on poorly protected devices, ones without antivirus software or comprehensive security policies.
Cyberattacks built on artificial intelligence (AI) and machine learning (ML) are also becoming more frequent and more dangerous. Botnets of this kind adapt to vulnerability patches and steer their attacks more effectively. One example is the DDoS attack on the freelance marketplace TaskRabbit, whose developers had to take the site offline to reconfigure its defences.
Cloud providers are joining the fight against botnets. Beyond the tooling itself, they give customers statistics on the addresses from which DDoS attacks have previously been launched. Such reputation data lets a defender quickly spot infected devices and cut them off from the network. But these solutions are not always effective against sophisticated botnets with adaptive capabilities.
Since attackers are adopting AI, security professionals prefer to fight fire with fire: to counter botnet attacks they build machine learning models that identify malicious activity on the network. For example, malware authors hide the addresses of their command-and-control servers, but ML models can analyse DNS queries and single out the ones that look malicious.
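To make the DNS idea concrete, here is an added example (written for this post, not code from any of the products or research mentioned) that extracts the kind of per-query features a model would consume: length, character entropy and vowel ratio of the registrable label, plus per-client NXDOMAIN counts. The log lines are constructed, and the thresholds are assumed stand-ins for a trained model.

```python
import math
from collections import defaultdict

# Constructed DNS query log (not real data): "client_ip query_name response_code".
# 10.0.0.7 issues random-looking names that fail to resolve, the pattern a bot
# shows while hunting for a hidden control server.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.google.com NOERROR
10.0.0.7 xk3j9qzv8t2w.net NXDOMAIN
10.0.0.7 p0q8m2zt5yv1kd.com NXDOMAIN
10.0.0.7 b7n4w2x9ls0q.org NXDOMAIN
10.0.0.7 cdn.cloudflare.net NOERROR
10.0.0.9 update.microsoft.com NOERROR
"""

# Assumed decision thresholds standing in for a trained classifier.
ENTROPY_MIN, VOWEL_RATIO_MAX, LENGTH_MIN = 3.0, 0.25, 10


def shannon_entropy(text):
    """Bits of entropy per character; random-looking labels score high."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registrable_label(qname):
    """Second-level label (crude: production code would use the public suffix list)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def features(qname):
    label = registrable_label(qname)
    n = len(label)
    return {
        "length": n,
        "entropy": shannon_entropy(label),
        "digit_ratio": sum(ch.isdigit() for ch in label) / n,
        "vowel_ratio": sum(ch in "aeiou" for ch in label) / n,
    }


def is_suspicious(qname):
    f = features(qname)
    return (f["entropy"] >= ENTROPY_MIN and f["vowel_ratio"] <= VOWEL_RATIO_MAX
            and f["length"] >= LENGTH_MIN)


def analyse(log_text):
    """Returns (flagged (client, qname) pairs, per-client counters)."""
    per_client = defaultdict(lambda: {"queries": 0, "suspicious": 0, "nxdomain": 0})
    flagged = []
    for line in log_text.splitlines():
        client, qname, rcode = line.split()
        stats = per_client[client]
        stats["queries"] += 1
        if rcode == "NXDOMAIN":
            stats["nxdomain"] += 1
        if is_suspicious(qname):
            stats["suspicious"] += 1
            flagged.append((client, qname))
    return flagged, dict(per_client)


def likely_infected(per_client, min_hits=3):
    """Clients with a burst of random-looking lookups that also failed to resolve."""
    return sorted(c for c, s in per_client.items()
                  if s["suspicious"] >= min_hits and s["nxdomain"] >= min_hits)


if __name__ == "__main__":
    flagged, stats = analyse(SAMPLE_LOG)
    for client, qname in flagged:
        print("suspicious lookup %-22s from %s" % (qname, client))
    print("likely infected:", likely_infected(stats))
```

Note that a single odd-looking name proves nothing (content delivery networks use machine-generated labels too), which is why the verdict is made per client over a burst of failed lookups rather than per query.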
Unfortunately, most existing systems cannot perform such analysis on the fly. In mid-March, however, Spanish engineers presented a new model for analysing traffic signatures that returns a verdict within a second.
The model cuts incoming traffic into short segments and extracts flows, the individual exchanges between two devices. For each flow it records four features: a) source port number, b) destination port number, c) number of packets sent per time interval, d) number of bytes transferred. Each of these values is cheap to obtain and compute.
A second module then classifies the flows on the basis of these features. The authors chose decision trees as the classifier because of their speed; they can also be retrained quickly on the signatures of modified botnets. Initial tests showed that the system keeps working on a congested network with 10% packet loss.
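The pipeline described above, as an added example written for this post (it is not the researchers' code, and the window length, traffic mix and tree depth are assumptions): a synthetic capture is cut into one-second segments, each segment is aggregated into flows carrying exactly the four features named in the text, and a small CART-style decision tree is trained on two thirds of the flows and scored on the rest, with an optional 10% random packet drop to mimic the congested-network test.

```python
import random
from collections import defaultdict

WINDOW = 1.0   # seconds per traffic segment (assumed; the paper's value is not given here)
# feature vector order: [src_port, dst_port, packets per segment, bytes per segment]


def make_packets(seed=7, loss=0.0):
    """Constructed synthetic capture, not real traffic.
    Packet = (time, src, sport, dst, dport, size, label); label 1 is bot flood
    traffic, 0 is benign. `loss` drops that fraction of packets at random."""
    rng, pkts = random.Random(seed), []

    def session(n_pkts, size_range, src, dport, label):
        # start just after a window boundary so one session stays inside one segment
        t0 = rng.randint(0, 9) + rng.uniform(0, 0.05)
        sport = rng.randint(1024, 65535)
        for _ in range(n_pkts):
            pkts.append((t0 + rng.uniform(0, 0.9), src, sport, "203.0.113.10",
                         dport, rng.randint(*size_range), label))

    for i in range(40):   # benign browsing: a few mid-sized packets
        session(rng.randint(2, 8), (400, 1500), "10.0.0.%d" % (i % 5 + 1), rng.choice((80, 443)), 0)
    for i in range(20):   # benign bulk download: many full-size packets
        session(rng.randint(30, 60), (1400, 1500), "10.0.0.%d" % (i % 5 + 1), 443, 0)
    for i in range(40):   # bot flood: many tiny packets on the same ports as real traffic
        session(rng.randint(40, 120), (40, 120), "192.168.%d.%d" % (i % 3, i + 1), rng.choice((80, 443)), 1)
    return [p for p in pkts if rng.random() >= loss]


def extract_flows(pkts):
    """Cut traffic into WINDOW-long segments, aggregate per (src, sport, dst, dport)
    inside each segment, and emit ([sport, dport, packets, bytes], label) rows."""
    flows = defaultdict(lambda: [0, 0, 0])   # packets, bytes, bot-labelled packets
    for t, src, sport, dst, dport, size, label in pkts:
        f = flows[(int(t // WINDOW), src, sport, dst, dport)]
        f[0] += 1
        f[1] += size
        f[2] += label
    return [([sport, dport, pk, by], int(bot > 0))
            for (_, _, sport, _, dport), (pk, by, bot) in flows.items()]


def gini(labels):
    p = sum(labels) / len(labels) if labels else 0.0
    return 1.0 - p * p - (1.0 - p) * (1.0 - p)


def best_split(rows):
    """One greedy CART step: the (feature, threshold) with the lowest weighted Gini."""
    best = (None, None, float("inf"))
    for fi in range(4):
        values = sorted({x[fi] for x, _ in rows})
        for lo, hi in zip(values, values[1:]):
            thr = (lo + hi) / 2.0   # midpoint between neighbouring observed values
            left = [y for x, y in rows if x[fi] <= thr]
            right = [y for x, y in rows if x[fi] > thr]
            score = (len(left) * gini(left) + len(right) * gini(right)) / len(rows)
            if score < best[2]:
                best = (fi, thr, score)
    return best


def build_tree(rows, depth=0, max_depth=3):
    """A node is either a class label or (feature_index, threshold, left, right)."""
    labels = [y for _, y in rows]
    majority = int(2 * sum(labels) >= len(labels))
    if depth == max_depth or gini(labels) == 0.0:
        return majority
    fi, thr, _ = best_split(rows)
    if fi is None:
        return majority
    left = [r for r in rows if r[0][fi] <= thr]
    right = [r for r in rows if r[0][fi] > thr]
    return (fi, thr, build_tree(left, depth + 1, max_depth),
            build_tree(right, depth + 1, max_depth))


def predict(tree, x):
    while isinstance(tree, tuple):
        fi, thr, left, right = tree
        tree = left if x[fi] <= thr else right
    return tree


def train_and_evaluate(seed=7, loss=0.0):
    """Train on two thirds of the flows and return (tree, held-out accuracy)."""
    rows = extract_flows(make_packets(seed, loss))
    random.Random(seed).shuffle(rows)
    cut = len(rows) * 2 // 3
    tree, held_out = build_tree(rows[:cut]), rows[cut:]
    acc = sum(predict(tree, x) == y for x, y in held_out) / len(held_out)
    return tree, acc


if __name__ == "__main__":
    for loss in (0.0, 0.10):
        tree, acc = train_and_evaluate(loss=loss)
        print("packet loss %2.0f%%: held-out accuracy %.2f  tree=%r" % (loss * 100, acc, tree))
```

The traffic mix is deliberately not separable by port alone (bots hit the same ports as real users) or by packet count alone (a bulk download sends as many packets as a small flood), so the tree has to combine packets-per-segment with bytes transferred; a practitioner can swap in flows exported from a real capture as long as they keep the same four-element feature vector.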
How to disable botnets
AI-based defences help protect corporate networks from botnet activity. But the only way to protect the Internet as a whole is to take the botnet itself down. This is done by law enforcement and intelligence agencies together with specialist security companies and engineers from research institutes.
For example, in June last year US authorities dismantled the RSOCKS botnet, which posed as a proxy service. Its operators infected IoT devices, Android devices and Raspberry Pi computers, then sold access to their resources by subscription, mostly for DDoS attacks. The operation had been running since 2017. Investigators made a "test purchase", buying access to the service, and found 325,000 infected devices on the network; over time they were able to map its backend infrastructure.
Sometimes, though, a botnet "breaks" through its operators' own mistakes. That is what happened to KmsdBot. As it turned out, the malware had no error handling for control commands. In one command the operator made a typo, omitting the space between the URL and the port number, and the whole botnet crashed:
!bigdata www.bitcoin.com443 / 30 3 3 100
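The failure mode is easy to reproduce. Below is an added illustration written for this post, not KmsdBot's code (the real bot is not Python): a positional parser with no checks dies on the typo'd command, while a parser that verifies field count, port range and numeric parameters simply drops the bad command and keeps serving. The command grammar after the host and port (a path followed by four integers) is an assumption based only on the quoted line; the page does not say what those numbers mean.

```python
import re

# The command quoted above: the operator dropped the space between host and port.
TYPO_CMD = "!bigdata www.bitcoin.com443 / 30 3 3 100"
# Constructed well-formed version for comparison.
GOOD_CMD = "!bigdata www.bitcoin.com 443 / 30 3 3 100"

# Assumed grammar: verb, target host, port, path, then four integer parameters
# whose meaning the page does not spell out; they are treated as opaque integers.
N_FIELDS = 8
HOST_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))*$")


class CommandError(Exception):
    """Raised for a malformed command; the bot logs it and waits for the next one."""


def parse_naive(cmd):
    """Positional parse with no validation, the way a bot that trusts its operator works.
    With TYPO_CMD every field shifts left by one, fields[2] is '/', and int('/')
    raises an unhandled ValueError."""
    fields = cmd.split()
    return {"verb": fields[0], "host": fields[1], "port": int(fields[2]),
            "path": fields[3], "params": [int(x) for x in fields[4:]]}


def parse_checked(cmd):
    """Same grammar, with every assumption verified before use."""
    fields = cmd.split()
    if len(fields) != N_FIELDS:
        raise CommandError("expected %d fields, got %d" % (N_FIELDS, len(fields)))
    verb, host, port, path, *params = fields
    if verb != "!bigdata":
        raise CommandError("unknown verb %r" % verb)
    if len(host) > 253 or not HOST_RE.match(host):
        raise CommandError("bad host %r" % host)
    if not port.isdigit() or not 1 <= int(port) <= 65535:
        raise CommandError("bad port %r" % port)
    if not path.startswith("/"):
        raise CommandError("bad path %r" % path)
    if not all(p.isdigit() for p in params):
        raise CommandError("non-numeric parameter in %r" % params)
    return {"verb": verb, "host": host, "port": int(port), "path": path,
            "params": [int(p) for p in params]}


def run_c2_loop(parser, commands):
    """Feed commands to a parser as a bot's control loop would. Returns how many
    commands were executed: a CommandError is dropped and the loop continues,
    any other exception is the unhandled crash that took the botnet down."""
    executed = 0
    for cmd in commands:
        try:
            parser(cmd)
        except CommandError:
            continue
        except Exception:
            break
        executed += 1
    return executed


if __name__ == "__main__":
    queue = [GOOD_CMD, TYPO_CMD, GOOD_CMD]
    print("naive parser executed %d of %d commands" % (run_c2_loop(parse_naive, queue), len(queue)))
    print("checked parser executed %d of %d commands" % (run_c2_loop(parse_checked, queue), len(queue)))
```

Note that "www.bitcoin.com443" is a syntactically valid hostname, so a hostname check alone would not have caught the typo; it is the field count and the port check that reject it. The same lesson applies to defenders' own tooling: any parser fed by a remote operator, whether a bot or a legitimate agent, needs the checked path.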
Interestingly, dismantled botnets sometimes return to service. In January 2021 law enforcement announced that it had neutralised Emotet, "the world's most dangerous malware" according to Europol. The botnet was used to steal data from infected devices. By November of the same year, however, the network was operating again and had tripled its number of infected devices.