The Root of the Botnet Epidemic

Type threatpost
Reporter Dennis Fisher
Modified 2013-04-17T16:38:30


Over the course of a few days in February 2000, a lone hacker was able to bring some of the Web’s larger sites to their knees, using just a few dozen machines and some relatively primitive software to cripple Yahoo, eBay, E*trade, Amazon, ZDnet and others for hours at a time. No one knew it at the time, but these attacks would come to be seen in later years as some of the earlier outbreaks of what has become a massive online pandemic.


The attacks themselves were nothing fancy. The hacker, who would later be identified as a 15-year-old boy from Montreal named Michael Calce, used a DDoS tool called Mstream to instruct a small army of machines he had previously compromised to send huge amounts of junk data at the remote Web servers he was targeting. But the technique was brutally effective: Yahoo, then the dominant search provider and portal site, was knocked offline for about two hours after receiving more than a gigabit of data per second from Calce’s bots.

CNN, ZDnet, eBay and other sites experienced similar floods, each with a varying degree of success. Initial speculation in the security and law enforcement community centered on sophisticated hackers, maybe a foreign group trying to prove a point about American capitalism, or a foreign intelligence service probing the country’s networks for soft spots.

Instead, U.S. and Canadian authorities eventually traced the attacks to Calce, a high school student who used the handle Mafiaboy and had gotten the DDoS program from an online acquaintance. Calce bragged about the attacks in an IRC channel, and authorities later found that he needed fewer than 80 compromised PCs, many of them in university networks, to take down some of the Internet’s busier sites.


These attacks were seen as a novelty, a sort of interesting exercise that pointed out the security weaknesses of the sites and served as a minor wake-up call for site owners about the dangers of doing business online. The term botnet had not yet gained any currency, and few people, even inside the security research community, had any concept that these networks of compromised machines would turn out to be the single largest security threat of the decade.

Now, nearly 10 years after those attacks, botnets are not just weapons of mass disruption for hacktivists and bored script kiddies, but serve as the foundation for the worldwide cybercrime underground and are at the heart of the massive rise in malware in recent years as well as the wave of SQL injection attacks against legitimate Web sites.

“It’s a huge, huge problem and it’s one that has a lot of different components,” said Joe Stewart, senior security researcher at SecureWorks, and an authority on botnets and online crime. “There’s plenty more going on than just SQL injection and DDoS attacks that people just don’t know about.”

How did it come to this?

There are no definitive numbers on how large the botnet problem is, but experts say the number of infected PCs is in the tens of millions at any given time. Many of those machines belong to home users with relatively fast broadband connections and little or no knowledge of the security threats that lie in wait all over the Web. These PCs are easy prey for attackers. But this wasn’t always the case.

In the early days of the botnet problem, attackers most often targeted PCs inside corporate or university networks, which had the high-speed connections and powerful machines hackers needed for DDoS attacks. Universities, by necessity, also had open networks that afforded attackers more ways in and gave them easy avenues for privilege escalation and the ability to hop from one machine to the next, planting attack software at each step along the way.

“Red Hat [Linux] was the flavor of the month back then. You had all of these scripts you could use to get into their machines,” said Jose Nazario, senior security researcher at Arbor Networks, one of the top botnet researchers in the world. “These guys were really close to writing worms with some of this stuff because they would do automated scanning and installs and self-replication. That’s when it started to get really interesting.”

The tools of choice for this early crew of attackers comprised a small group of programs designed specifically to execute DDoS attacks against a single target: programs such as Mstream, Trinoo, Tribe Flood Network, Shaft and Stacheldraht that, for the most part, were designed to run on Unix-based systems that had been previously compromised through some other exploit.

The initial infections often were accomplished through the use of vulnerabilities in one of the various remote services often left running on these machines, such as RPC or FTP.

From there, the attacks followed a fairly standard script. A hacker would use a stolen account on a university or corporate network as a drop zone for attack tools, stolen credentials for other machines on the network, and lists of other compromised accounts and machines on the network to be scanned. The attacker would then scan the network for other machines with exploitable vulnerabilities, compromise those computers and plant a copy of the pre-compiled DDoS tool on each.

In an analysis of Trinoo done in 1999, Dave Dittrich, a researcher at the University of Washington, found that attackers often went out of their way to hide the existence of a bot infection on a machine. In some cases, he found, hackers would plant a rootkit on a compromised computer–especially if that machine was serving as a master, directing traffic for other bots–to disguise the infection. He also found a more insidious method of avoiding detection.

“It should be noted that in many cases, masters have been set up on Internet Service Providers’ primary name server hosts, which would normally have extremely high packet traffic and large numbers of TCP and UDP connections, which would effectively hide any trinoo related traffic or activity, and would likely not be detected. The fact that these are primary name servers would also tend to make the owners less likely to take the system off the Internet when reports begin to come in about suspected denial of service related activity,” Dittrich wrote.

This pattern was repeated over and over, all over the Internet, creating small, privately owned networks of attacker-controlled machines that could be called upon at any time. And that’s exactly what happened.

Within a few months of the attacks on CNN, eBay and the other sites, DDoS attacks had become a serious problem on the Internet. Hackers of all abilities, and with every conceivable motivation, were joining IRC channels, buying (or downloading) attack software and going on their merry way.

“That really kicked off a gold rush in this space,” Nazario said. “Within a year, everyone and their brother had a botnet. Guys that couldn’t even spell IRC, let alone use IRC, had botnets. These were young guys who had grown up on IM and had no idea what they were doing on IRC. But they hear that some idiot can do this, so they think, so can I. That led to this huge land rush. Everyone sees this wide open space and all of a sudden there’s pressure for easier-to-use botnets, and then things just went from there.”

The next logical step was the creation of user-friendly attack tools, and there were plenty of programmers out there willing to oblige.

“Very quickly, we started seeing attack programs that had a Windows UI, they were point-and-click and people could get whatever options they wanted,” Nazario said. “They could say, I’d like this and this module, please encrypt it, include anti-analysis tricks, and then click compile and they’d be done.”

That land rush that began in 2000 following Calce’s attacks has only gained momentum since, and shows no signs of slowing down. DDoS attacks have been a constant threat for the last 10 years and innovations in attack software and techniques will likely keep that trend going.

“These DDoS attacks still work, and they will for a long period of time, as long as there’s a disparity between what the attackers have available and what we have,” Nazario said.

This is the first in a series of occasional stories examining the roots, growth and effects of the botnet epidemic.