BOX 2.3

On Botnets

Botnets (also known as zombie-nets) are collections of compromised computers that are remotely controlled by a malevolent party. A compromised computer is connected to the Internet, usually with an “always-on” broadband connection, and is running software introduced by the malevolent party. Malevolent software can be introduced through a number of channels; they include clicking on a link that takes the user to a certain Web page, downloading an attachment that executes a program, forcing entry into a computer through an unprotected port (e.g., one typically used for file sharing across the Internet), and so on. Using up-to-date security software such as antivirus programs and firewalls helps to reduce the threat of such “malware,” but today most personal computers—even protected ones—are at least somewhat vulnerable to such threats.

An individual compromised computer (a zombie or a bot) can be used for many purposes, but the threat from botnets arises from the sheer number of computers that a single malevolent party can control—often tens of thousands and as many as a million. (Note also that an individual unprotected computer may be part of multiple botnets as the result of multiple compromises.) When the zombied computers are connected to the Internet through broadband connections, the aggregate bandwidth of the botnets is enormous (e.g., a small botnet of 1,000 zombies times a 300 kilobit Digital Subscriber Line connection is 300 megabits per second). A further property of botnets is that they can be controlled remotely by an adversary, which means that the apparent perpetrator of a hostile act is a zombie computer—making it difficult to trace a hostile act to its initiator. Indeed, an adversary may be located in a nation other than the home country of the zombies.

Typically, an adversary builds a botnet by finding a few machines to compromise. The first hostile action that these initial zombies take is to find other machines to compromise—a task that can be undertaken in an automatic manner. But botnets are capable of undertaking a variety of other actions that have significant impact on the botnet operator’s target(s). For example, botnets can be used to conduct the following actions:

  • Distributed denial-of-service attacks. A denial-of-service attack on a target renders the target’s computer resources unavailable to service legitimate requests by requesting service itself and blocking others from using those resources. But if these requests for service come from a single source, it is easy to simply drop all service requests from that source. However, a distributed denial-of-service attack can flood the target with multiple requests from many different machines, each of which might, in principle, be a legitimate requester of service.

  • Spam attacks. Botnets can be used to send enormous amounts of spam e-mail. Since spam is illegal in many venues and is regarded as antisocial by most, it is in a spammer’s interest to hide his or her identity. Some botnets also search for e-mail addresses in many different locations.

  • Traffic-sniffing attacks and key-logging. A zombie can examine clear-text data passing by or through it. Such data might be sensitive information such as usernames and passwords, and it might be contained in data packets or in various input channels, such as the keyboard channel.



The National Academies | 500 Fifth St. N.W. | Washington, D.C. 20001
Copyright © National Academy of Sciences. All rights reserved.
Terms of Use and Privacy Statement