Botnets! What are they good for?!?


Joe wrote in his comment on my previous entry:

I think this pertains to the issue:

http://www.eweek.com/article2/0,1895,2004893,00.asp

As I often do, my response got rather lengthy, so I decided to make a new entry out of it.

Yep, in this particular case they're using the vulnerability I wrote about, MS06-040. Botnets are really common these days, and building one is often the primary goal of someone writing malware. Usually the bots (or zombies, as they are sometimes called) are used for sending spam, as in the eWeek article; other times they are used to overload a website and take it down.

A few years back that is what happened to several major websites: botnets were used to send millions of "hello" packets at major corporations to keep their websites from coming up for real visitors. These "hello" packets are a type of TCP (Transmission Control Protocol) packet called a SYN (synchronize) packet, which is the very first packet two computers "speaking" TCP exchange. The first three packets two TCP speakers exchange are called the three-way handshake: the first machine sends a SYN packet, the second machine sends back its own SYN packet that also has the ACK (acknowledgement) flag set (the SYN/ACK), and finally the first machine sends its own ACK (no SYN this time, notice) back to the second. After all of that, both machines can send data via TCP back and forth.

Now what happens in the SYN flood attack I mentioned is that a botnet sends millions of SYN packets to a target website. The machines behind the target website have to send a SYN/ACK back for each one and hold a half-open connection while they wait for the final ACK. The thing is, the bots usually forge their source addresses, so nobody ever answers those SYN/ACKs. A server can only hold a limited number of half-open connections (its backlog) before it has to start dropping new SYNs, and at that point legitimate visitors can't connect either.

Since everyone knows this happens, many mechanisms have been created to prevent this type of attack from working; AOL and Foundry Networks hold a patent on one such method, for example. Unfortunately, if an attacker has a large enough botnet, he can simply let the bots complete the three-way handshake and then continuously request pages from the website. That floods the web server itself rather than its TCP stack, and still keeps legitimate viewers from seeing the site.
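To make the backlog problem and one stateless defence concrete, here is an added Python simulation (mine, not the post's code, and not the patented method mentioned above). It models a classic listener that spends a half-open slot on every SYN, and a SYN-cookie listener that instead encodes an HMAC over the connection tuple and a coarse time counter into its initial sequence number, keeping no state until a valid final ACK comes back. The backlog size, timeout, secret key and addresses are constructed values, and the cookie is a simplified version of the real scheme (which also encodes the MSS).

```python
"""Simulated SYN flood against a TCP listener, with and without SYN cookies.
Added example (not the post's code). Addresses, backlog size and key are
constructed values; the cookie is a simplified version of the real scheme."""
import hashlib
import hmac
import random
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
BACKLOG = 128      # constructed: half-open (SYN_RECV) slots the listener has
SYN_TIMEOUT = 60   # constructed: seconds a half-open entry is kept


@dataclass
class Segment:
    src: str        # source address (forged by the bots in a flood)
    sport: int
    flags: str      # "SYN", "SYN/ACK" or "ACK"
    seq: int = 0
    ack: int = 0


class StatefulListener:
    """Classic listener: every SYN costs a backlog slot until the final ACK."""

    def __init__(self, backlog=BACKLOG):
        self.backlog = backlog
        self.half_open = {}      # (src, sport) -> (our ISN, time the SYN arrived)
        self.established = set()
        self.dropped_syns = 0

    def handle(self, seg, now):
        key = (seg.src, seg.sport)
        for k, (_, t) in list(self.half_open.items()):   # reap entries whose ACK never came
            if now - t > SYN_TIMEOUT:
                del self.half_open[k]
        if seg.flags == "SYN":
            if len(self.half_open) >= self.backlog:
                self.dropped_syns += 1   # table full: the SYN is silently dropped
                return None
            isn = random.getrandbits(32)
            self.half_open[key] = (isn, now)
            return Segment("server", 80, "SYN/ACK", seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "ACK" and key in self.half_open:
            isn, _ = self.half_open.pop(key)
            if seg.ack == (isn + 1) & MASK32:
                self.established.add(key)
                return "ESTABLISHED"
        return None


class SynCookieListener:
    """Keeps no per-SYN state: the ISN is an HMAC over the connection tuple and
    a coarse time counter, so a correct final ACK proves the SYN was real."""

    def __init__(self, key=b"constructed-secret"):
        self.key = key
        self.established = set()
        self.rejected_acks = 0

    def _cookie(self, src, sport, minute):
        mac = hmac.new(self.key, f"{src}:{sport}:{minute}".encode(), hashlib.sha256).digest()
        return int.from_bytes(mac[:4], "big")

    def handle(self, seg, now):
        key = (seg.src, seg.sport)
        if seg.flags == "SYN":      # answer from the cookie alone, store nothing
            isn = self._cookie(seg.src, seg.sport, now // 60)
            return Segment("server", 80, "SYN/ACK", seq=isn, ack=(seg.seq + 1) & MASK32)
        if seg.flags == "ACK":      # accept cookies minted this minute or the previous one
            for minute in (now // 60, now // 60 - 1):
                if seg.ack == (self._cookie(seg.src, seg.sport, minute) + 1) & MASK32:
                    self.established.add(key)
                    return "ESTABLISHED"
            self.rejected_acks += 1
        return None


def run_flood(listener, spoofed_syns, now=1000):
    """Send `spoofed_syns` SYNs from forged sources that never ACK, then let one
    legitimate client try the full handshake. True if it reaches ESTABLISHED."""
    for i in range(spoofed_syns):
        src = f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}"   # forged address
        listener.handle(Segment(src, 40000 + i % 20000, "SYN", seq=1), now)
    client = ("198.51.100.7", 51515)                          # constructed real visitor
    synack = listener.handle(Segment(*client, "SYN", seq=100), now)
    if synack is None:
        return False                                          # our SYN was dropped
    ack = Segment(*client, "ACK", seq=101, ack=(synack.seq + 1) & MASK32)
    return listener.handle(ack, now + 1) == "ESTABLISHED"


def forged_ack_accepted(listener, now=1000):
    """An ACK that skipped the SYN/SYN-ACK exchange must not open a connection."""
    bogus = Segment("203.0.113.9", 4444, "ACK", seq=1, ack=12345)
    return listener.handle(bogus, now) == "ESTABLISHED"


if __name__ == "__main__":
    print("stateful, 10 spoofed SYNs  :", run_flood(StatefulListener(), 10))
    print("stateful, 1000 spoofed SYNs:", run_flood(StatefulListener(), 1000))
    print("cookies,  1000 spoofed SYNs:", run_flood(SynCookieListener(), 1000))
    print("cookies,  forged ACK       :", forged_ack_accepted(SynCookieListener()))
```

With 1000 spoofed SYNs the stateful listener's 128-slot backlog fills and the real visitor's SYN is dropped, while the cookie listener still completes the handshake because it spent nothing on the forged SYNs. Note what cookies do not fix: a bot that uses its real address and completes the handshake gets a connection like anyone else, which is exactly the full-connection flood the paragraph above describes.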

Okay, that took a little bit of a side turn, but that's me, always wandering around with my words!

Basically, every time the good guys figure out a way to prevent an attack, the bad guys go and find another annoying thing to do to bug people.

1 Comment

Thank you, Jay. Botnets, what are they good for? Well, they must be good at generating money for their creators or they wouldn't exist!