Science Fair Project Encyclopedia
Botnet is a jargon term for a collection of software robots, or bots, which run autonomously. A botnet's originator can control the group remotely, usually through a means such as IRC, and usually for nefarious purposes.
A botnet can comprise a collection of cracked machines running programs (usually referred to as worms, Trojan horses, or backdoors) under a common command and control infrastructure. Individual programs manifest as IRC "bots". Often the command and control takes place via an IRC server or a specific channel on a public IRC network. A bot typically runs hidden, and complies with the RFC 1459 standard. Generally, the perpetrator of the botnet has compromised a series of systems using various tools (exploits, buffer overflows, as well as others; see also RPC). Newer bots can automatically scan their environment and propagate themselves using vulnerabilities and weak passwords. Generally, the more vulnerabilities a bot can scan and propagate through, the more valuable it becomes to a botnet owner community.
Botnets have become a significant part of the Internet, albeit increasingly hidden. Due to most conventional IRC networks taking measures and blocking access to previously-hosted botnets, owners must now find their own servers. Oftentimes, a botnet will include a variety of connections, ranging from dial-up, DSL, cable, educational, and corporate. Sometimes, an owner will hide an IRC server installation on an educational or corporate site, where high-speed connections can support a large number of other bots. Exploitation of this method of using a bot to host other bots has proliferated only recently, as most script kiddies do not have the knowledge to take advantage of it.
Botnets serve various purposes, including Denial-of-service attacks, creation or misuse of SMTP mail relays for spam, click fraud, and the theft of application serial numbers, login IDs, and financial information such as credit card numbers. The botnet owner community features a constant and continuous struggle over who has the most bots, the highest overall bandwidth, and the largest amount of "high-quality" infected machines (commonly university, corporate, and even government machines).
Botnet servers will often liaise with other botnet servers, such that a group may contain 20 or more individual cracked high-speed connected machines as servers, linked together for purposes of greater redundancy. Actual botnet communities usually consist of one or several owners who consider themselves as having legitimate access (note the irony) to a group of bots. Such owners rarely have highly-developed command hierarchies between themselves; they rely on individual friend-to-friend relationships. Often conflicts will occur between the owners as to who owns the individual rights to which machines, and what sorts of actions they may or may not permit.
Types of Attacks
Main article: Denial of Service Attacks
If a machine receives a Denial of Service attack from a botnet, few choices exist. Given the general geographic dispersal of botnets, it becomes difficult to identify a pattern of offending machines, and the sheer volume of IP addresses does not lend itself to the filtering of individual cases. Passive OS Fingerprinting can identify attacks originating from a botnet: network administrators can configure newer firewall equipment to take action on a botnet attack by using information obtained from Passive OS Fingerprinting.
Botnets typically use free DNS hosting services such as DynDns.org, No-IP.com, and Afraid.org to point a subdomain towards an IRC server that will harbor the bots. While these free DNS services do not themselves host attacks, they provide reference points, often hard-coded into the botnet executable. Removing such services can cripple an entire botnet. Recently, these companies have undertaken efforts to purge their domains of these subdomains. The botnet community referto such efforts as "nullrouting", because the DNS hosting services usually direct the offending subdomains to an inaccessible IP address.
The botnet server structure mentioned above has inherent vulnerabilities and problems. For example, if one was to find one server with one botnet channel, often all other servers, as well as other bots themselves, will be revealed. If a botnet server structure lacks redundancy, the disconnection of one server will cause the entire botnet to collapse (at least until the owner(s) decides on a new hosting space). However, more recent IRC server software includes features to mask other connected servers and bots, so that a discovery of one channel will not lead to much harm.
The contents of this article is licensed from www.wikipedia.org under the GNU Free Documentation License. Click here to see the transparent copy and copyright details