"Malicious botnets", networks of "zombie" computers controlled and commanded by outsiders with nefarious intentions ranging from Distributed Denial of Service (DDoS) attacks to simple spamming and ad insertion, are considered by Internet security experts to be the major threat in the coming months and years.

The Federal Bureau of Investigation (FBI) has recently announced that it has identified at least one million 'captive' computers in the United States. At the same time, various Internet security experts believe that there are anywhere from three to 35 million bots operating on the World Wide Web, infecting an average of 250,000 Internet Protocol (IP) addresses a day and representing literally thousands of Internet-connected devices, from desktop computers to iPods.

A key concern of many security experts stems from the fact that bots, and the code that makes them up, are readily available online. Worse, much of the malicious code that makes up these bots is modular, making it easier for bot operators to 'mix and match' components to launch attacks against vulnerable networks or sites.

Defending Against Botnets

The best defense against a botnet DDoS attack is a layered approach using firewalls, 'diversionary' paths (in which bots are directed to a 'holding area' where they can be studied and 'disarmed') and other such techniques. Among the steps that companies or network operators can take to alleviate the threat of botnet attacks are:

  • Putting a full security suite in place at all levels of the digital environment, from desktops, laptops and notebooks to servers, internal networks and external connections to the Internet. "Full" security includes anti-virus, anti-spam and anti-adware systems with constant and timely updates, as well as firewalls, intrusion detection software and e-mail gateways;
  • Establishing a workable patch management system which ensures that security patches are applied frequently and as soon as they are made available;
  • Educating users to be wary of attachments or web links in their e-mail. Most malicious code (in the form of Trojans, worms and the like) is embedded in innocuous-looking e-mail attachments or web links that allow the code to sneak in;
  • Shutting down external access, especially through the 'ports' (pathways in and out of the system that are used to move programs and files) which are not used by particular applications. Among the ports which should be considered for full or partial closure are those used by Internet Relay Chat (IRC) and File Transfer Protocol (FTP) applications, which are favored means for bots to communicate with their 'controllers';
  • For operators and webmasters, a key lesson lies in monitoring the traffic 'flux' of the network, so that they are able to detect, or at least suspect, that a botnet attack is underway; and
  • Developing a systematic plan to disrupt a botnet attack, including knowing how to isolate a 'polluted' machine from the network as soon as an attack is detected. The machine can then be studied at leisure, pinpointing the vulnerabilities which allowed the bots in and developing patches or approaches to deal with the problem.
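As an added illustration of the port-watching and traffic-monitoring steps above (example code written for this page, not part of the original article): a small Python script that reads constructed connection records and flags internal hosts that repeatedly contact IRC or FTP ports, as well as hosts whose outbound connection rate spikes. The log format, watched ports, window size and thresholds are assumptions.

```python
# Added example, not from the article: flag hosts that repeatedly contact
# IRC/FTP "controller" ports and hosts whose outbound connection rate spikes.
# Log format, watched ports, window and threshold are all assumptions.
from collections import Counter, defaultdict

# Ports the article singles out as favoured bot-to-controller channels.
WATCHED_PORTS = {6667: "irc", 6697: "irc-tls", 21: "ftp"}

# Constructed sample log: "timestamp src_ip dst_ip dst_port" per line.
SAMPLE_LOG = """\
1000 10.0.0.5 192.0.2.10 443
1001 10.0.0.7 198.51.100.9 6667
1003 10.0.0.7 198.51.100.9 6667
1004 10.0.0.9 203.0.113.4 80
1061 10.0.0.7 198.51.100.9 6667
1062 10.0.0.9 203.0.113.4 80
1063 10.0.0.9 203.0.113.5 80
1064 10.0.0.9 203.0.113.6 80
1065 10.0.0.9 203.0.113.7 80
1066 10.0.0.9 203.0.113.8 80
1067 10.0.0.9 203.0.113.9 80
"""

def parse_log(text):
    """Yield (ts, src, dst, port) tuples, skipping blank or malformed lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit() or not parts[3].isdigit():
            continue
        yield int(parts[0]), parts[1], parts[2], int(parts[3])

def find_c2_channels(records, min_hits=2):
    """Internal hosts that talk to the same remote IRC/FTP endpoint repeatedly."""
    hits = Counter((src, dst, port) for _, src, dst, port in records
                   if port in WATCHED_PORTS)
    return {(src, dst): WATCHED_PORTS[port]
            for (src, dst, port), n in hits.items() if n >= min_hits}

def find_traffic_spikes(records, window=10, threshold=5):
    """Hosts opening more than `threshold` connections in any `window`-second slice."""
    per_host = defaultdict(Counter)
    for ts, src, _, _ in records:
        per_host[src][ts // window] += 1
    return {src for src, buckets in per_host.items() if max(buckets.values()) > threshold}

def analyse(text=SAMPLE_LOG):
    """Run both detectors over a log and return (c2_channels, spiking_hosts)."""
    records = list(parse_log(text))
    return find_c2_channels(records), find_traffic_spikes(records)
```

In practice the records would come from NetFlow or firewall logs rather than a constructed string, and a flagged host is a candidate for the isolation step described above, not proof of infection.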