Just one successful DDoS attack can be devastating for its target organization, leaving it crippled. These attacks are conducted via botnets, composed of thousands of linked computers. To understand just how botnets work, it’s essential to understand the way attackers build the perfect computer army. Here, Daniel Calugar goes through the lifecycle of a DDoS botnet.
DDoS attacks either disturb communications or take down a website completely. These attacks are generally run for one of two reasons: activism or money. Regardless of the reason, the basic life cycle of a DDoS botnet remains the same.
First, the originator of the botnet distributes malicious software (malware) to a series of computers, usually via infected emails or attachments. In particular, network workstations are a desirable target for attackers, allowing them to accumulate dozens of machines in one location. Once the bot has been installed on one or more computers, it will self-propagate, sending its malware to other computers in its network.
Eventually, a high enough number of computers, tablets, and cell phones will be infected to create a robot network (botnet). These devices are controlled by the malicious actor who sent the malware.
The bots may take no action at first. They may merely sit there, awaiting their orders from the botmaster. Eventually, they will receive their signal and burst into action.
Networks can only handle so much traffic from visitors. After that, they will either slow down significantly or shut down completely. To disrupt a website, a botnet directs all of its devices to visit a specific website, overwhelming it with traffic. When the saturated website can no longer meet all of the demands, it will crash.
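The saturation pattern described above, many devices each sending a modest amount of traffic that together exceeds what the site can serve, is what a defender looks for in access logs. The following is an added example, not code from the original post: it parses constructed Common Log Format lines and labels each second as normal, single-source or distributed (aggregate above a hypothetical capacity while no single client stands out). The capacity and per-source thresholds are assumptions for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample lines in Common Log Format (not real traffic):
# ten distinct client addresses each make 3 requests within one second,
# plus one ordinary visitor a second later. Per source that looks harmless;
# in aggregate it exceeds the (hypothetical) capacity the site can serve.
SAMPLE_LOG = "\n".join(
    f'203.0.113.{i} - - [10/Oct/2023:13:55:36 +0000] "GET / HTTP/1.1" 200 512'
    for i in range(1, 11) for _ in range(3)
) + '\n198.51.100.7 - - [10/Oct/2023:13:55:37 +0000] "GET /about HTTP/1.1" 200 1024'

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+$')


def parse_line(line):
    """Return (client_ip, datetime) for one CLF line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
    return m.group(1), ts


def bucket_requests(lines):
    """Group requests into one-second buckets: {epoch_second: Counter(ip -> count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ip, ts = parsed
            buckets[int(ts.timestamp())][ip] += 1
    return buckets


def classify_buckets(buckets, capacity_rps, per_source_rps):
    """Label each second 'normal', 'single-source' (one client alone exceeds the
    per-source limit) or 'distributed' (aggregate above capacity while every
    client stays under the per-source limit: the botnet pattern). Thresholds
    are assumed values chosen by the operator, not measured ones."""
    verdicts = {}
    for second, counts in sorted(buckets.items()):
        total = sum(counts.values())
        loud = [ip for ip, n in counts.items() if n > per_source_rps]
        if loud:
            verdicts[second] = ("single-source", total, sorted(loud))
        elif total > capacity_rps:
            verdicts[second] = ("distributed", total, sorted(counts))
        else:
            verdicts[second] = ("normal", total, [])
    return verdicts
```

Because a distributed verdict names every contributing address rather than one offender, the practical response is upstream rate limiting or filtering, not blocking a single client.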
Once a website is taken down by a DDoS, several things can happen. Occasionally, the attacker will reach out to the organization, taking the blame for the attack and offering to remedy the situation – for a price. This type of DDoS is known as ransomware.
The attacker may also take advantage of the network being temporarily disabled to access any financial information stored on the network and use it for personal gain. These attacks are usually carried out on medium or large businesses that store transaction data.
At times, a DDoS is carried out for political reasons. In this case, the attacker does not attempt to reach out to the business, preferring to leave them with the headache of trying to restore their computer system.
Once the attacker’s goal has been reached, the DDoS will end. This may take hours or even days. It is far better for companies to attempt to end the DDoS on their own. This can be accomplished by finding the infected computers and running an antivirus scan on each of them. Because this leaves the botmaster relatively unscathed, many companies instead choose to work with law enforcement to find the botnet’s command center and detain the attacker.
Botnets will vary greatly from one DDoS to another, but they will all follow this basic lifecycle.