The best way to detect botnet activity is by analyzing attacks on protected websites and applications.
Bot mitigation is not a static discipline. Security researchers are constantly looking for evidence of novel bot attacks, and new ways to improve defenses against existing ones.
Bot mitigation reports are valuable tools in the quest for constant improvement because they offer a wealth of information about how bots work, what kinds of resources they target, and where they may be located.
Security professionals need to routinely analyze and debug their bot mitigation policies using debugging tools to reduce false positives and predict future attacks. This is a crucial step in the ongoing fight against increasingly complex botnets and the destructive Distributed Denial of Service (DDoS) attacks they can generate.
Detecting, Analyzing, and Debugging a Bot Attack: Part One
Imperva uses a multi-pronged approach to detect and discover botnets. The first step of this process is called a Naive Back-and-Forth algorithm.
Essentially, this algorithm identifies potential bad bot behavior by comparing the unique IP addresses responsible for delivering malicious payloads, adding them to a list, and sorting them by frequency. The most “popular” payloads are the ones most likely attached to a criminal network of bots.
The challenge here is distinguishing between a single, powerful botnet, and multiple small attacks from distinct bots, based on payload popularity.
For example, you might see thousands of different IP addresses appear to be testing for a SQL injection vulnerability on a particular website, there is good reason to believe that they are working in unison as part of a botnet. But a responsible security professional would not simply jump to this conclusion without additional data.
The detection logs may reveal that the same IPs attempted to perform remote code execution attacks, backdoor uploads, and other actions that are separate and distinct from SQL injection. If the number of attacking IP addresses appears to grow while the number of days each address attacks shrinks (what statisticians call a negative correlation), we would have good reason to challenge the botnet hypothesis.
Next, we could look at the IP turnover rate, which describes how frequently individual IPs access web resources. Large numbers of short-lived IP addresses indicate a botnet, while a small number of highly active IP addresses would indicate multiple groups using the same attack payload, rather than a dedicated malicious botnet.
Diving into the data behind mitigated attacks can help reveal patterns that can be used to qualify those attacks. Standard statistical tools like correlation can often help classify some of the strategies bot controllers use and help security professionals improve their defenses.
Detecting, Analyzing, and Debugging a Bot Attack: Part Two
The Naive Back-and-Forth process is just one step Imperva uses when performing bot mitigation forensics. The second, more sophisticated algorithm we use relies on specialized client classification capabilities to cluster bots together according to the attacks they have perpetrated.
For example, a bot mitigation report may indicate multiple clients attacking a website at the same time. It may also find that some clients have performed multiple, coordinated attacks in the past. The ability to cluster these groups together and understand their behaviors on a wider scale is invaluable to the bot detection process.
Importantly, this approach allows for client classification irrespective of the particular payloads they use. Consider a spambot-for-hire aiming at the comments section of several websites. While the actual payload it delivers may change as its owner signs contracts with different customers, it will necessarily leave a distinct trace on every website it visits. Collecting these traces and creating a unique signature that applies to this particular group of clients will help stop the bot operator from being able to continue spamming the website. Imperva may can also define a signature for mobile devices that access API by using the Imperva Advanced Bot Mitigation mobile SDKs.
This kind of attack would be visible as a variable number of IPs attacking for a short while and then stopping. A low IP turnover would be indicative of a relatively simple botnet trying to convince legitimate users to follow links in comment threads. The stop-and-go cycle could indicate multiple different customers hiring the botnet to advertise their products and services illicitly.
By collecting and classifying this kind of data, Imperva customers are helping to increase the capabilities of the entire Imperva defense ecosystem. Every attack signature and bot classification in our Cloud WAF environment helps to fine-tune our approach even further.
Watch the related webinar on Cloud WAF Advances Bot Protection:
Detecting Sophisticated Botnets with Anti-Debugging Tools
For professional security researchers, gaining access to botnet binaries is not a steep challenge. Using purpose-built honeypots to trick the scanner and loader is often enough to complete the job.
However, a security researcher with a binary and no source code will have to reverse engineer their assets to find out what they are dealing with. Dynamic analysis is often the most economical way to proceed here, but highly advanced botnets may use anti-debugging tools to detect when they are being analyzed in this way.
The Mirai botnet is a famous example of this kind of technology. Mirai would replace user software interrupt signals with its own software interrupt signals, invoking its own customized handler for the job. If a debugging tool is controlling this process, Mirai could trick the debugger into clearing the (self-invoked) software interrupt flag, making it look like the customized signal handler was never invoked, letting the botnet program move forward undeterred.
But even Mirai and Mirai-like botnets with sophisticated anti-debugging tools can be defeated. The original Mirai botnet was dismantled years ago, and Imperva successfully protected an entertainment industry client against a massive 13-day long DDoS attack perpetrated by an advanced Mirai-like botnet – the largest we have ever seen – just last year.
In that case, it was the client classification algorithm that detected the 400,000+ distinct IPs were largely targeting two particular open ports which were known to be associated with a new Mirai variant. This was the vital piece of information that allowed our team to “crack the code” and successfully detect, mitigate, and analyze the attack despite its sophistication.
Learn More with Imperva Community
The Imperva Community is a great place to learn more about how to use Imperva cybersecurity technologies like On-Prem WAF, Cloud WAF, Advanced Bot Protection and more to establish efficient, secure processes for enterprise networks. Rely on the expertise of Imperva partners, customers and technical experts.
Related Content: