How to Mitigate the Increasing Botnet Threat

A single malicious botnet can harness enough machines to take down key Internet infrastructure and create financial havoc. Millions of computers on the Internet can be compromised. But there are measures that network managers can take to mitigate these botnet threats, using many of the tools already available to help prevent attacks. Here, Knowledge Center contributor Darren Grabowski discusses the impact of these silent botnet threats and offers solutions that network managers can use to mitigate them.


The Internet is in the midst of a global network pandemic, with millions of computers on the Internet compromised in some fashion. It is estimated that the number of recent malware infections on the Internet is over 7 million, and over 70 percent of all e-mail messages are spam. It is also believed that 85 percent of spam comes from just six botnets. It was recently reported that there is an average of ten million active botnet members on any given day, and that botnets are winning the spam war.

These types of high-profile security threats receive significant publicity. There is, however, a quieter threat: traffic that consumes little bandwidth compared with the legitimate traffic on a network, and so goes unnoticed. A large number of compromised machines, if directed by a malicious botnet, can take down key Internet infrastructure.

The compromised machines can also be used for other harmful activities that could cause a severe financial impact (phishing, for example). According to a recent survey, 3.6 million adults have lost money in phishing schemes, resulting in an estimated loss of $3.2 billion. Phishing is only one part of the problem. Attacks have already caused issues for countries such as Estonia and infrastructure such as the Domain Name System (DNS).

To help mitigate this threat, one of the many tools used is a darknet. According to Team Cymru's Darknet Project, a darknet is "a portion of routed, allocated IP space in which no active services or servers reside. These are 'dark' because there is, seemingly, nothing within these networks." In short, there should be no reason for any traffic to enter this space.

In practice, a darknet contains exactly one host: a collector that records every packet entering the space, since no packet has a legitimate reason to be there. This data can be used for immediate action or stored for further analysis. Because this nefarious traffic is a small fraction of the volume legitimate traffic generates, many network operators choose to ignore it, or never notice the silent threat hiding among their legitimate traffic.

Most users and operators know a problem exists, but few are in a position to see how big the problem is. Solutions are simple: the right tools, dedicated staff and cooperation. Implementation is the most difficult part. Networks large and small must work together to mitigate this threat.

What can be done to mitigate this threat?

We are not going to rid the Internet of compromised machines. That does not mean the problem should be ignored or that we can't mitigate it. What we need to do is reduce the capability of botnets, which means reducing the number of infected machines. Networks of all sizes can assist by properly monitoring their networks and removing infected machines.

Tools exist to monitor traffic at relatively low cost. A darknet, or any similar monitoring device, allows networks to find potentially compromised machines by watching their own IP space. Some monitoring devices can be deployed cheaply on existing hardware or fed with data from existing intrusion detection systems. Let's look at some solutions:

Solution No. 1: Use scripts and NetFlow data

Using some scripts and NetFlow data, you can monitor your network for activities such as denial of service (DoS) attacks. IP addresses participating in a DoS attack can then be investigated further. By combining data from a DoS attack or a darknet with other sources (such as greylisting or spam traps), you can potentially identify botnet members: a host that shows up in more than one of these sources is a strong candidate.

Once suspicious hosts are located, you can check whether they are communicating with a common host, which could be a command-and-control (C&C) server. Taking down a C&C server can disrupt a botnet, even if only for a short while. If the owner of the host running the C&C server can be contacted, there may be a chance that a list of bots can be obtained and further notifications can be sent out.
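The procedure described in Solution No. 1, and the darknet-as-evidence idea from the earlier darknet section, as an added example that is not the author's script and is not code from the article. It assumes flow records with NetFlow v5-style fields (source, destination, protocol, destination port, packet count, cumulative TCP flags); the flow records, the darknet source list and the spam-trap source list are all constructed for illustration, and the thresholds are arbitrary starting points, not tuned values.

```python
"""Correlate NetFlow-style records with darknet and spam-trap hits to find
likely bots, then look for a peer they share that may be a C&C server.

Added illustration, not the article's own script. Flow fields mirror
NetFlow v5 export fields; all records and sensor data below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass

SYN = 0x02
ACK = 0x10


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: int      # 6 = TCP, 17 = UDP
    dport: int
    packets: int
    tcp_flags: int  # cumulative OR of TCP flags seen in the flow


# Constructed flow export. 10.0.0.0/8 stands in for "our" address space.
FLOWS = [
    # Three internal hosts flood 203.0.113.7:80 with one-packet SYN-only flows.
    *[Flow(s, "203.0.113.7", 6, 80, 1, SYN)
      for s in ("10.1.1.5", "10.1.1.6", "10.2.3.9") for _ in range(6)],
    # A legitimate web visit: handshake completed, many packets.
    Flow("10.1.1.7", "203.0.113.7", 6, 80, 14, SYN | ACK),
    # The flooding hosts also all talk to one outside host on 6667 (IRC).
    Flow("10.1.1.5", "198.51.100.20", 6, 6667, 40, SYN | ACK),
    Flow("10.1.1.6", "198.51.100.20", 6, 6667, 37, SYN | ACK),
    Flow("10.2.3.9", "198.51.100.20", 6, 6667, 52, SYN | ACK),
    # Ordinary traffic to a popular host; should not be flagged as C&C.
    Flow("10.1.1.7", "192.0.2.44", 6, 443, 22, SYN | ACK),
    Flow("10.1.1.5", "192.0.2.44", 6, 443, 19, SYN | ACK),
]

# Constructed sensor data: sources seen hitting the darknet, and sources
# seen delivering mail to a spam trap.
DARKNET_SOURCES = {"10.1.1.5", "10.2.3.9", "10.7.7.7"}
SPAMTRAP_SOURCES = {"10.1.1.6", "10.2.3.9"}


def dos_participants(flows, min_sources=3, min_flows_per_source=5):
    """Return {target: {sources}} for targets that receive many short
    SYN-only TCP flows from many sources: the NetFlow shape of a SYN flood."""
    per_target = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if f.proto == 6 and f.tcp_flags == SYN and f.packets <= 2:
            per_target[f.dst][f.src] += 1
    result = {}
    for target, counts in per_target.items():
        srcs = {s for s, n in counts.items() if n >= min_flows_per_source}
        if len(srcs) >= min_sources:
            result[target] = srcs
    return result


def correlate(*evidence, min_sources=2):
    """Hosts named by at least min_sources independent evidence sets
    (DoS participation, darknet hits, spam-trap hits) are likely bots.
    Returns {host: sorted list of evidence names}."""
    votes = defaultdict(set)
    for name, hosts in evidence:
        for h in hosts:
            votes[h].add(name)
    return {h: sorted(n) for h, n in votes.items() if len(n) >= min_sources}


def common_peers(flows, suspects, exclude=(), min_suspects=2):
    """Outside hosts that several suspects hold completed TCP sessions with
    (DoS targets excluded) are C&C candidates; returns {peer: {suspects}}."""
    peers = defaultdict(set)
    for f in flows:
        if f.src in suspects and f.dst not in exclude and f.tcp_flags & ACK:
            peers[f.dst].add(f.src)
    return {p: s for p, s in peers.items() if len(s) >= min_suspects}


def analyze(flows=FLOWS, darknet=DARKNET_SOURCES, spamtrap=SPAMTRAP_SOURCES):
    targets = dos_participants(flows)
    dos_srcs = set().union(*targets.values())
    bots = correlate(("dos", dos_srcs), ("darknet", darknet), ("spamtrap", spamtrap))
    cc = common_peers(flows, set(bots), exclude=set(targets))
    return targets, bots, cc


if __name__ == "__main__":
    targets, bots, cc = analyze()
    print("DoS targets:", targets)
    print("Likely bots:", bots)
    print("C&C candidates:", cc)
```

On real exports the "common peer" step will also surface popular legitimate destinations (search engines, update servers, CDNs), so in practice you would exclude a list of known-good destinations, weight peers by how unusual the port is, and treat the result as a lead to investigate rather than proof of a C&C server; the darknet host 10.7.7.7 above is deliberately left out of the bot list because a single darknet hit, on its own, is weak evidence.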