What is a DDoS Botnet?

A DDoS botnet is a group or network of compromised computers or Internet of Things (IoT) devices used by malicious actors to launch distributed denial of service (DDoS) attacks. These attacks aim to overwhelm the target with traffic, disrupting its normal functionality and rendering it unavailable for legitimate users. 

Botnet vs. DDoS botnet

A botnet is a group of compromised computers or Internet of Things (IoT) devices that are under the control of a hacker (also known as a “botmaster” or “bot herder”). The botnet gives the botmaster pooled computational resources with which to launch large-scale attacks.

A DDoS botnet is simply a botnet used specifically to conduct DDoS attacks.

What is a DDoS attack?

A Distributed Denial of Service (DDoS) is a form of cyberattack where an attacker uses numerous compromised computers (a DDoS botnet) to produce a volumetric attack, with the goal of overwhelming a target system. This type of attack can render the target (a service or server) unavailable to legitimate users. You can think of a DDoS attack as a flood of illegitimate traffic from various sources that effectively incapacitates the target system.  

How are botnets created?

To create a botnet, botmasters first infect a network of devices that they will later use to carry out attacks. To infect devices, hackers get in via software exploits, firmware exploits, or malware downloads from a compromised link or file. Once a device is infected, the botmaster can use its computational resources alongside those of every other bot, often without the device owner's knowledge. There is no set number of infected devices needed to form a botnet, but the more extensive the network of infected devices, the greater the impact an attack can have. Once devices are infected, there are two models for controlling them.

How are botnets controlled?

Client-Server Model

Controlling the bots requires an infrastructure to enable communication between the server (the botmaster) and the clients (your infected computers or devices). The client-server model was the first to be established, and it works by creating a centralized server (a command and control server, or C&C for short) to deliver instructions. In other words, in the client-server model the clients rely solely on instructions supplied by the botmaster's C&C server. That dependency is the model's largest drawback: if the C&C server is discovered and disabled, the entire botnet is rendered inoperable.

P2P and Decentralized Command & Control

Peer-to-peer (P2P) and decentralized C&C models emerged to bypass the client-server model's centralized drawback. In this model, any client can operate as a server. Instead of instructions from one source, any client in the botnet can propagate them. While this model can slow the delivery of instructions, it makes dismantling this botnet nearly impossible.

What kind of attacks do botnets enable?

Botnets can carry out any attack that a single computer can; the difference is the attack's scale. Attacks whose power comes from volume, including DDoS, account takeover, and spam, are where botnets strike most frequently. Well-known botnet attacks include the Mirai botnet's 2016 DDoS attacks that brought down popular websites like Twitter, Netflix, and Reddit, and the 3ve botnet's use of nearly 2 million PCs to commit click fraud valued at almost $30 million.

How can you protect your applications from DDoS botnets?

Protecting your applications against DDoS botnets is synonymous with protecting your applications against DDoS attacks. Best practices include: 

  1. Understand traffic patterns: The first line of defense is to create a traffic profile. This profile describes what “good” traffic looks like and sets expectations for traffic volumes across your network. Monitoring your traffic against this profile allows you to configure rules that accept as much traffic as your infrastructure can handle without impacting your end users.

  2. Use rate limiting: Rate limiting provides a baseline; on top of it you can put advanced detection methods in place that admit only traffic validated by analyzing additional variables. It takes one minor security blip to cause irreparable harm to your network and servers and send your employees through the five emotional stages of a DDoS attack, so do your due diligence from the outset.

  3. Minimize exposure: One of the easiest ways to mitigate DDoS attacks is to shrink the surface area that can be attacked, which reduces the options available to attackers and lets you architect countermeasures and protections in one place. Ensure that you are not exposing your applications and hosts to ports, protocols, and other applications from which you do not expect communication. In most cases you can achieve this by placing your infrastructure resources behind a proxy Content Delivery Network (CDN), which restricts direct internet traffic to certain parts of your infrastructure. In other cases, you can use a firewall or Access Control Lists (ACLs) to control the traffic that reaches specific applications.

  4. Deploy an application-based firewall: If your application has internet access, it gets attacked multiple times daily. On average, an application with internet connectivity is attacked every 39 seconds. A good practice is to use a Web Application Firewall (WAF) against such attacks. A good starting point is to actively mitigate OWASP Top 10 type attacks; from there you should be able to build a customized traffic profile that rejects additional invalid requests. For example, these requests may be masquerading as legitimate traffic while coming from known malicious IPs, or from a geographic region in which you don't do business. A WAF also helps in mitigating attacks because you can draw on experienced support to study the traffic heuristics and create protection tailored to your application.

  5. Scale by design: While not the best solution in isolation, increasing your bandwidth (transit) capacity or server (computational) capacity to absorb and mitigate attacks may be an option. When designing and building your applications, make sure you have redundant connectivity to the internet that allows you to handle spikes in traffic. A common practice is to use load balancing to continually monitor and shift load between available resources so that no single point is overloaded. Additionally, you can build your web applications with a CDN in mind, which adds a layer of network infrastructure that serves content closer to your end users. Most DDoS attacks are volumetric and consume massive amounts of resources, so your application must be able to scale its compute up or down quickly. The distributed nature of a CDN spreads out the attack to the point that it becomes easily absorbed. CDNs also unlock additional methods to thwart the most sophisticated attacks: developing an attack profile allows the CDN to remove or slow down malicious traffic.
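To show how steps 1 and 2 fit together, here is an added example (not code from the original page or from Fastly): a traffic profile expressed as a per-source request budget, enforced by a sliding-window rate limiter and run over constructed access-log lines. The profile thresholds, the log format, and the IP addresses are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque

# Assumed traffic profile for this service: a per-source budget inside a
# sliding window. In practice these numbers come from observing "good" traffic.
PROFILE = {
    "window_seconds": 10,
    "max_requests_per_source": 20,
}

# Constructed log lines in the form "<epoch_seconds> <client_ip> <method> <path>":
# one ordinary client making 5 requests over 8 seconds, and one source that
# sends 30 requests in under 3 seconds (documentation-range IPs, not real hosts).
SAMPLE_LOG = (
    [f"{1700000000 + 2 * i} 203.0.113.7 GET /index.html" for i in range(5)]
    + [f"{1700000000 + i / 10:.1f} 198.51.100.9 GET /login" for i in range(30)]
)


class SlidingWindowLimiter:
    """Allows at most `max_requests` per source within any `window_seconds` span."""

    def __init__(self, window_seconds, max_requests):
        self.window = window_seconds
        self.limit = max_requests
        self.hits = defaultdict(deque)  # source -> timestamps still inside the window

    def allow(self, source, ts):
        q = self.hits[source]
        # Drop timestamps that have aged out of the window before counting.
        while q and ts - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # budget exhausted: throttle this request
        q.append(ts)
        return True


def apply_profile(log_lines, profile=PROFILE):
    """Replay log lines through the limiter; return (accepted count, throttled per source)."""
    limiter = SlidingWindowLimiter(profile["window_seconds"],
                                   profile["max_requests_per_source"])
    accepted = 0
    throttled = defaultdict(int)
    for line in log_lines:
        ts, ip, _method, _path = line.split()
        if limiter.allow(ip, float(ts)):
            accepted += 1
        else:
            throttled[ip] += 1  # sources listed here are candidates for blocking
    return accepted, dict(throttled)
```

On the constructed log the ordinary client is untouched while the flooding source has 10 of its 30 requests throttled; sources that show up in the throttled map are the ones worth feeding into stricter rules or ACLs.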

You can read more about how to mitigate a DDoS attack with our DDoS best practices guidelines. 

How Fastly can help

  • Automatic attack mitigation: The platform detects and neutralizes DDoS attacks without manual intervention, ensuring consistent service availability.

  • Massive global capacity: With over 350 Tbps of network capacity, Fastly can withstand even the largest volumetric attacks, maintaining infrastructure resilience during extreme events.

  • Dynamic traffic monitoring: Continuous evaluation of traffic patterns helps detect anomalies and address threats effectively before they disrupt your operations.

  • Rapid response time: Fastly's DDoS platform blocks attacks within seconds, minimizing disruption to your end users.

  • Adaptive identification techniques: Using innovative methods like Attribute Unmasking, Fastly identifies and stops sophisticated, evolving attacks that bypass conventional defenses.

  • Versatile architecture support: The DDoS protection platform deploys swiftly across diverse infrastructures, accommodating changes on demand.

  • Integrated platform experience: Fastly offers a standalone solution that integrates with other Fastly edge cloud services as needed.

  • Cost-effective operations: Fastly charges based on legitimate traffic, ensuring you are not burdened by expenses resulting from attack spikes.

  • Resilient App and API protection: Fastly safeguards applications and APIs from performance degradation and outages, ensuring reliable service delivery even during attacks.

  • Simple deployment: The solution activates with a single click, providing immediate protection for businesses of any size.

Learn more about how Fastly's DDoS protection can help you secure your digital infrastructure and maintain uninterrupted service by requesting a demo.
