Jeff Harris, VP, Solutions Marketing at Ixia looks at the growing armies of botnets, and how their tactics can be nullified using intelligent IP address filtering
Botnet armies have got bigger, more active and more heavily armed than ever before. In the first quarter of 2016, attacks launched by bots reached a record high of 311 million – a 300% increase compared with the same period in 20151, and a 35% increase compared with the final quarter of 2015.
Many botnets are used to launch distributed denial of service (DDoS) attacks, which are also getting substantially stronger and more frequent. One report noted a nearly fourfold annual increase in global DDoS attack strength in the first quarter of this year2, while a second found that 73% of respondents reported DDoS attacks in 2015, with 82% suffering repeated attacks3. Botnets can also launch sophisticated, insidious mass tests of stolen login details, to probe systems for vulnerabilities that can be easily exploited. As the botnet armies step up their attacks, how should organizations approach defending their networks?
Who’s targeting you?
Traditionally, there have been two main strategies available to businesses looking to protect themselves against botnet attacks. The first relates to websites’ and networks’ abilities to deal with the unexpected spikes in inbound traffic to your network, resulting from DDoS attacks. Load balancing strategies based on real-world network testing can help to smooth the peaks and troughs in traffic by spreading traffic volumes, and this can be an important method for mitigating the impact of DDoS attempts. However, even an effective load-balancing strategy can be overwhelmed by a large-scale DDoS attack, bringing applications to a grinding halt – and as we saw earlier, attacks are increasing in strength.
The second strategy relates to the actual security tools, such as firewalls, which focus on identifying and blocking malicious traffic. These are extremely effective in doing this, but the processing power needed to proactively analyze very high volumes of network traffic, identify malicious packets and block them places a heavy burden even on latest-generation, high capacity firewalls. Throw enough non-relevant traffic at them and the flood will significantly reduce their analysis performance which, in turn, causes a performance drain across the network as well.
Intelligent IP filtering
However, there is a third strategy: preventing malicious traffic generated by botnets from reaching your firewall in the first place, by intelligently pre-filtering it. This approach dramatically reduces the strength and impact of an attack, while also improving the efficiency of your firewalls and related security solutions – making it easier for them to identify threats and reducing false positive alerts.
This can be done using a specialized gateway that continually monitors and proactively filters out IP addresses under botnet control. The gateway is fed with real-time, constantly-updated threat and application intelligence feeds on known bad IP addresses – that is, addresses that are known to be infected with bots, or are known to harbor other malware. When traffic from these known, malicious addresses is received by the gateway, it is automatically filtered out at up to 10 GB line speeds – so that it never touches your networks.
This same strategy can even be extended to block traffic from the IP addresses of entire geographical areas where you do not have business interests. Research has shown that botnet command and control centers are overwhelmingly located in a handful of countries: 18% of all DDoS attacks come from Chinese IP addresses, and Russia, Ukraine, Pakistan, China, and Turkey are five of the top ten botnet command and control countries. If your organization does not conduct business in one of these countries, why not block all traffic originating there, and slash your exposure to botnet attacks in a simple step?
Finding leaks
There’s an additional benefit of using threat intelligence gateways to filter IP traffic: they can also identify bot infections already on your network. It is estimated that over 80% of organizations globally are infected with bots, which are stealthily sending sensitive data to criminals. The gateway can also inspect traffic leaving your network: if that traffic is heading to an IP address known to be a botnet command and control server, it is filtered and blocked automatically, cutting off the data leak permanently.
Clearly, the immediate advantage of the IP address filtering strategy is the dramatic reduction of your organization’s vulnerability to both external DDoS attacks from botnets, and stopping data leaks by existing internal bot infections. But this approach has other benefits as well. Your existing security infrastructure, and your IT teams, will function more efficiently. A typical enterprise receives around 17,000 malware alerts per week, and spends $1.27 million annually tracking down false positive alerts. IP address filtering can reduce the numbers of alerts and false positives by 30% or more, freeing up IT teams’ resources, reducing the processing overhead on existing solutions such as firewalls, antivirus and sandboxes, and boosting the business’s ability to respond to targeted attacks.
Intelligent IP filtering using a threat intelligence gateway gives organizations policy-driven control over the traffic to and from their networks, enabling them to keep out unknown, unwanted visitors, and to stop damaging data leaks from pre-existing infections. It’s a critical step in nullifying the weapons used by botnet armies.
1 https://www.threatmetrix.com/cybercrime-report/
2 http://www.networkworld.com/article/3065162/security/kaspersky-predicts-application-layer-ddos-attacks-will-increase.html
3 https://hello.neustar.biz/2016_ddos_report_security_lp.html
[su_box title=”About Jeff Harris” style=”noise” box_color=”#336588″][short_info id=’71133′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.