Botnets are insidious. They’re the invisible, ever-growing and polymorphic ‘army’ that enterprise network admins must defend against.
While there are some legitimate and beneficial uses for botnets, too often they are used for malicious purposes. In the latter scenario, typically a computer becomes infected with a type of malware, which then attempts to contact the control server (or perhaps other bots that it can discover). The bot usually attempts to propagate to nearby computers while it awaits instructions from the master controller (a.k.a. the botmaster).
The vectors for the initial bot malware infection of a machine are as many and varied as those of any other malware. Out-of-date software, drive-by downloads, phishing emails and even Facebook and USB drives are all potential avenues for infection.
The Dangers of Botnets in the Enterprise
While strong security policies can protect against many botnet infections, the potential for damage or loss due to a botnet is a major concern for network admins. It’s possible for a botnet to obtain full control of the network, for example.
Ransomware, internal phishing and data exfiltration are also concerns, of course. However, even botnets used for DDoS attacks, crypto mining, click fraud or spam can carry heavy cost burdens for the enterprise in terms of energy usage, tied-up computer resources (and thus lowered productivity) and even damaged IP reputation.
IoT devices are another area of particular concern since they often do not have top-notch security capabilities and may even lack the ability to be patched remotely. (The Mirai botnet malware in particular targets IoT devices.)
The battle against malicious botnets is unending. Even as authorities and other white hats increase their attempts to stop malicious botnets, the botmasters devise ever more sophisticated means of eluding detection and remediation.
The key to defending against malicious botnets lies in their structure. Every botnet has at least one botmaster that issues orders via some type of command-and-control (or C&C/C2) structure.
C&C commands can be issued via HTTP, DNS, Telnet or internet relay chat (IRC), for example, or via a hidden service on the Tor network. Newer botnets use a peer-to-peer arrangement in which commands are issued to any of the subject bots and then propagate to all other bots in the botnet.
Therefore, if you can “cut off the head” of the botnet, i.e. its C&C communications, it’s possible to effectively disable it, protect your network against further infiltration and attacks, and then proceed to remediate the affected computers.
Introducing Botnet C&C Protection from Edge to Cloud
The recent release of Hillstone StoneOS, version 5.5R8, offers enhancements with sophisticated protections that help detect and prevent C&C communications and thus incapacitate botnets. Released on December 2, the latest StoneOS provides enhanced and refined protections for Hillstone E-Series and T-Series Next-Gen Firewalls, virtual NGFW CloudEdge, and now the X-Series Next-Gen Data Center Firewalls as well. A short technical demo is available.
These enhancements provide comprehensive botnet protection across hybrid networks and include:
- A robust data center platform. C&C detection is now fully supported on the X-Series data center firewall platforms. Through Hillstone X-Series, admins can protect the data center by monitoring or disrupting C&C connections from L3 to L7. In addition, these capabilities are supported on a new CloudEdge VM-based firewall, the VM08, which addresses the high-performance, high-bandwidth virtual workload conditions and strict SLA requirements typical of data centers, thus giving admins even more flexibility in deployment.
- Detection of domain generation algorithms (DGAs) has also been enhanced and added to the X-Series data center firewalls. DGA detection is an important defense mechanism for admins because infected hosts often generate pseudo-random domain names, including the domain names used to locate C&C servers. This enhancement both detects and prevents this type of traffic automatically, further strengthening defenses.
- An enhanced botnet C&C customized access list allows admins to block suspected botnet communications. In addition, admins can dynamically adjust and customize the access list to allow or block traffic based upon the IP address or domain name. An included signature database, updated continuously, gives network admins the ability to block C&C communications from a wide variety of known botnet operators.
- Improved DNS sinkhole support can automatically redirect DNS responses for suspect domains to a safe location where IT admins can apply other specialized security analysis tools. This prevents connection to potentially malicious destinations that could be used for C&C communications. Admins also receive detailed threat log statistics of the DNS requests that received sinkholed (false) results, for further investigation and remediation.
- Advanced DNS tunneling detection, new for all Hillstone firewall products, protects the network against data leakage and exfiltration attempts. Attackers may encode enterprise data into DNS request messages in an attempt to bypass web authentication or firewall blocking. Hillstone firewalls detect this type of traffic through multiple metrics and methods.
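The DGA and DNS-tunneling bullets above both rest on the same observation: names produced by a generation algorithm, or carrying encoded data, look statistically unlike names people register and type. The following is an added illustration, not Hillstone code and not a description of how StoneOS implements its detection; it scores DNS query names from a constructed log with simple heuristics (label length, Shannon entropy, vowel ratio, and long alphanumeric subdomain labels) that a defender can run over their own resolver logs to triage candidates for sinkholing or blocking.

```python
"""Heuristic triage of DNS query names for DGA-like and tunneling-like
patterns, run over constructed sample resolver log lines (not real traffic)."""
import math
import re
from collections import Counter

# Constructed sample log, one query per line: "<timestamp> <client> <qname>"
SAMPLE_LOG = """\
2023-12-02T10:00:01 10.0.0.5 www.example.com
2023-12-02T10:00:02 10.0.0.5 xk3j9qzp1vbw7.net
2023-12-02T10:00:03 10.0.0.7 longlegitimatename.com
2023-12-02T10:00:04 10.0.0.9 4a6f686e20446f65.7468697320697320.a.tunnel-example.net
2023-12-02T10:00:05 10.0.0.5 bv7x2mqz9kplw4rt.com
"""

def shannon_entropy(s: str) -> float:
    """Bits per character of s; random-looking strings score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_dga(qname: str) -> bool:
    """Registrable label is long, high-entropy and vowel-poor (DGA heuristic)."""
    labels = qname.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return False
    core = labels[-2]  # label left of the TLD, e.g. 'xk3j9qzp1vbw7'
    vowel_ratio = sum(ch in "aeiou" for ch in core) / len(core)
    return len(core) >= 10 and shannon_entropy(core) > 3.0 and vowel_ratio < 0.25

def looks_tunnel(qname: str) -> bool:
    """Very long name whose subdomains are long hex/base32-style labels
    (tunneling heuristic: the encoded payload rides in the subdomain labels)."""
    labels = qname.lower().rstrip(".").split(".")
    encoded = [l for l in labels[:-2] if len(l) >= 16 and re.fullmatch(r"[a-z0-9]+", l)]
    return len(qname) > 50 and len(encoded) >= 2

def scan_log(text: str) -> dict:
    """Return {qname: verdict} for names in the log that trip a heuristic."""
    verdicts = {}
    for line in text.splitlines():
        _, _, qname = line.split()
        if looks_tunnel(qname):
            verdicts[qname] = "tunnel"
        elif looks_dga(qname):
            verdicts[qname] = "dga"
    return verdicts
```

The thresholds are illustrative; in practice they are tuned against a baseline of the organisation's own legitimate query names, and the flagged names are compared against a threat-intelligence feed before being added to a block list or sinkhole policy.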
Hillstone StoneOS 5.5R8 includes over one hundred upgrades and enhancements to provide the most comprehensive, intelligent, reliable and easy-to-use security solution for enterprises. These capabilities are available from edge to cloud through Hillstone E- or T-Series NGFWs at the edge, to X-Series data center firewalls, to Hillstone CloudEdge virtual NGFWs in the data center or running in the cloud. Together these security solutions provide comprehensive protection across hybrid networks.
Stay ahead of the constantly changing cyber security threat landscape by upgrading today. You can learn more about the latest StoneOS release in the Hillstone Resources section of our website, or by contacting us.