The Problem with Bots
It all started with a video game. Three college-age friends—Paras Jha, Josiah White, and Dalton Norman—wanted to gain an advantage in Minecraft, so they developed a powerful, and elaborate, method to do so.
Minecraft is a game where users create their own worlds and experiences by digging and building 3D blocks. One unique element of the game is that within the platform itself, players can link to individual-hosted servers to play in a multiplayer mode.
Hosting a server and renting space to other players is a lucrative business; some individuals make $100,000 a month, according to an investigation by WIRED.
To tap into this market, Jha, White, and Norman created a malware that scanned the Web for Internet of Things (IoT) devices that used default security settings for usernames and passwords. The malware then infiltrated the devices, which became part of a botnet army made up of 600,000 devices at its peak strength.
That botnet was dubbed Mirai, and it was used to launch a distributed denial of service (DDoS) attack against French hosting provider OVH in September 2016. It was so powerful that traditional DDoS mitigation techniques were ineffective against it.
Then, just after the OVH attack, Mirai hit security reporter Brian Krebs' website, Krebs on Security, kicking it offline for more than four days with an attack that peaked at 623 gigabytes per second, according to Krebs' account.
Authorities and researchers began to investigate the Mirai botnet, and soon began asking why—in addition to its targets—it was hitting Minecraft servers. They later determined that OVH was hit because it provided a service that helped mitigate DDoS attacks against Minecraft, and they ultimately discovered the three friends behind the botnet.
They confessed to creating the botnet as part of a scheme to allow people to pay to use it to push players off specific Minecraft servers in hopes that they would then pay to use an alternative server. Jha, White, and Norman all pled guilty to a variety of charges in December 2017, after Mirai's source code was released on the Internet.
While Mirai was unique in its scope, it was just one of hundreds of botnets that are active today and impacting organizations' networks in real time. For instance, cyber firm Fortinet's Threat Landscape Report Q2 2017 detected 243 unique botnets that were active, with 993 daily communications per firm.
Fortinet found that approximately 45 percent of firms detected one type of botnet in their environment, while 25 percent saw two, and 10 percent saw three. Most of these botnets were detected in the telecommunications and carrier sector.
"Our data shows the majority of firms in our sample have one or two different botnets active in their environment at any given time," according to Fortinet's report. "Some, however, have 10 or more. And many of those frequently communicate with external hosts."
Because of this widescale activity, U.S. President Donald Trump included a section in his May 2017 cybersecurity executive order directing the secretaries of homeland security and commerce to assess actions that could be taken to "drastically reduce" the number of botnet attacks.
The secretaries were instructed to identify and promote action by stakeholders to improve the resilience of the Internet and communications ecosystem, and to "encourage collaboration with the goal of dramatically reducing threats perpetrated by automated and distributed attacks," in other words, botnets, according to the executive order.
In January 2018, the secretaries completed the first step of that process by issuing a draft report for public comment, Enhancing the Resilience of the Internet and Communications Ecosystem Against Botnets and Other Automated, Distributed Threats.
The secretaries solicited input for the report by hosting a workshop, publishing a request for comment, and initiating an inquiry through the president's National Security Telecommunications Advisory Committee (NSTAC). They also consulted with the U.S. Departments of Defense, Justice, and State, as well as the FBI, the Federal Communications Commission, the Federal Trade Commission, and others.
"Botnets threaten to undermine the Internet ecosystem, as well as the promise of next-generation technologies," said David Redl, assistant secretary for communications and information and the administrator for the National Telecommunications and Information Administration, in a statement. "This report clearly demonstrates the urgency of the problem, and this administration's commitment to taking on these threats and creating a more secure and sustainable Internet."
For instance, the report found that botnets are being used for a variety of malicious activities, including DDoS attacks, ransomware attacks, and propaganda campaigns carried out via social media.
These attacks, according to the NSTAC, threaten the "security and resilience" of U.S. communications ecosystems and the Internet, as well as its critical infrastructure. The NSTAC also assessed that IoT devices will be used by threat actors to launch global automated attacks.
"With new botnets that capitalize on the sheer number of IoT devices, DDoS attacks have grown in size to more than one terabit per second, outstripping expectations," according to the report. "As a result, recovery time from these types of attacks may be too slow, particularly when mission-critical services are involved."
One prime example of the impact botnets have on the Internet is the Mirai botnet. In addition to its attacks on Minecraft servers, it was used to launch a massive DDoS attack on domain name service provider DYN, effectively shutting down the Internet on the East Coast of the United States for several hours.
"While the original Mirai variant was relatively simple, exploiting weak device passwords, more sophisticated botnets have followed; for example, the Reaper botnet uses known code vulnerabilities to exploit a long list of devices," the report explained. "The Mirai and Reaper botnets clearly demonstrate the risks posed by botnets of this size and scope, as well as the expected innovation and increased scale and complexity of future attacks."
The report identified six themes that pose opportunities and challenges to reducing the threat of automated, distributed attacks carried out by botnets, including that they are a global problem; effective tools exist to combat them, but are not widely used; products need to be secured at all stages of their lifecycle; education and awareness are needed; market incentives are misaligned; and botnet attacks are an ecosystemwide challenge.
"Botnets represent a systemwide threat that no single stakeholder, not even the federal government, can address alone," said Walter G. Copan, undersecretary of commerce for standards and technology, in a statement. "The report recommends a comprehensive way for the public and private sectors, as well as our international partners, to work together and strengthen our defenses."
These actions take the form of five goals in the secretaries' report: identify a clear pathway toward an adaptable, sustainable, and secure technology marketplace; promote innovation in the infrastructure for dynamic adaptation to evolving threats; promote innovation at the edge of the network to prevent, detect, and mitigate bad behavior; build coalitions between the security, infrastructure, and operational technology communities; and increase awareness and education across the ecosystem.
One of the main points in the report is the lack of security built into the increasing number of IoT devices on the marketplace. Many manufacturers continue to release unsecure devices because there are no requirements—or incentives—for them to release better products.
To combat this, the report recommends that the U.S. federal government adopt security standards for all devices it purchases. Doing so, the report argues, would push the marketplace to create more secure products without imposing new regulations or relying on a legislative solution.
"The federal government can use acquisition rules and procurement guidelines to amplify the market signal by requiring certain security features or properties," the report explains. "The private sector could establish an assessment and labeling mechanism for products that comply with the home profile. The private sector could also work with existing programs or establish new programs to evaluate products that comply with the industry profile."
While this is a move in the right direction, Michael Marriott—research analyst at Digital Shadows—says it is not enough to change the marketplace because so many IoT devices are developed outside of the United States. These products are then sold to an international market where they can be compromised to become part of a botnet.
"Making sure manufacturers are thinking about these types of considerations is important," Marriott says. "But there are devices developed outside the United States, so other approaches are needed as well."
John Dickson, CISSP, principal at Denim Group and a former U.S. Air Force officer who served in the Air Force Information Warfare Center, also expressed disappointment in the report, saying it was "completely devoid of specific policy ideas and recommendations."
For instance, Dickson says he would have liked to have seen more specific recommendations for the telecommunications and Internet service providers (ISPs) who have a major role in mitigating DDoS attacks carried out by botnets.
The report touches on the role that ISPs play, and it limits its recommendations to increased information sharing between ISPs and their partners to "achieve more timely and effective sharing of actionable threat information both domestically and globally."
This, Dickson says, is not enough. Instead, he would have preferred to see recommendations to block specific types of traffic or to monitor traffic to prevent botnet attacks.
"There is an incentive for telcos to do this—reducing spurious traffic on their networks," according to Dickson. "But they're likely to say there's a cost associated with doing that, which will be passed on to users."
Countries with more government control of ISPs have shown how this can work, Dickson says. For instance, countries like China and Saudi Arabia—which have greater government control of the Internet in general—have been more effective in preventing botnet attacks because they're able to block them from getting in.
"We don't have government control of our telcos anymore—it's much more Wild Wild West with more players and a bigger network," Dickson says of the U.S. system, making it more vulnerable to botnet attacks.
Security Management reached out to AT&T and Verizon for their reactions to the report, but neither of the companies responded. And as of press time, there were no public comments on the draft report.
The report was open for public comment until February 12, and its final recommendations are due to be submitted to President Trump by May 11.