Botnets have existed for at least a decade. As early as 2000, hackers were breaking into computers over the Internet and controlling them en masse from centralized systems. Among other things, the hackers used the combined computing power of these botnets to launch distributed denial-of-service attacks, which flood websites with traffic to take them down.

But now the problem is getting worse, thanks to a flood of cheap webcams, digital video recorders, and other gadgets in the "Internet of things." Because these devices typically have little or no security, hackers can take them over with little effort. And that makes it easier than ever to build huge botnets that take down much more than one site at a time.

In October, a botnet made up of 100,000 compromised gadgets knocked an Internet infrastructure provider partially offline. Taking down that provider, Dyn, resulted in a cascade of effects that ultimately caused a long list of high-profile websites, including Twitter and Netflix, to temporarily disappear from the Internet. More attacks are sure to follow: the botnet that attacked Dyn was created with publicly available malware called Mirai that largely automates the process of co-opting computers.

The best defense would be for everything online to run only secure software, so botnets couldn't be created in the first place. This isn't going to happen anytime soon. Internet of things devices are not designed with security in mind and often have no way of being patched. The things that have become part of Mirai botnets, for example, will be vulnerable until their owners throw them away. Botnets will get larger and more powerful simply because the number of vulnerable devices will go up by orders of magnitude over the next few years.

What do hackers do with them? Many things.

Botnets are used to commit click fraud. Click fraud is a scheme to fool advertisers into thinking that people are clicking on, or viewing, their ads. There are lots of ways to commit click fraud, but the easiest is probably for the attacker to embed a Google ad in a Web page he owns. Google ads pay a site owner according to the number of people who click on them. The attacker instructs all the computers on his botnet to repeatedly visit the Web page and click on the ad. Dot, dot, dot, PROFIT! If the botnet makers figure out more effective ways to siphon revenue from big companies online, we could see the whole advertising model of the Internet crumble.

Similarly, botnets can be used to evade spam filters, which work partly by knowing which computers are sending millions of e-mails. They can speed up password guessing to break into online accounts, mine bitcoins, and do anything else that requires a large network of computers. This is why botnets are big businesses. Criminal organizations rent time on them.

But the botnet activities that most often make headlines are denial-of-service attacks. Dyn seems to have been the victim of some angry hackers, but more financially motivated groups use these attacks as a form of extortion. Political groups use them to silence websites they don't like. Such attacks will certainly be a tactic in any future cyberwar.

Once you know a botnet exists, you can attack its command-and-control system. When botnets were rare, this tactic was effective. As they get more common, this piecemeal defense will become less so. You can also secure yourself against the effects of botnets. For example, several companies sell defenses against denial-of-service attacks. Their effectiveness varies, depending on the severity of the attack and the type of service.

But overall, the trends favor the attacker. Expect more attacks like the one against Dyn in the coming year.

This essay previously appeared in the MIT Technology Review.

Posted on March 1, 2017 at 6:53 AM • 35 Comments


Joe RandomMarch 1, 2017 7:38 AM

Another defense would be to penetrate the vulnerable devices before Mirai does, and then block Mirai and other malware from getting in.

According to Krebs' recent article, this is what Mirai itself is doing, but I guess there are obstacles to doing it legally.

captsutterMarch 1, 2017 7:58 AM

Offensive security has its proponents, but it is a slippery slope, Who do you trust to patch your systems. As a journalist would you rather have a secure system that you control (not RBN, not GCHQ, not NSA, not FSB) or do you want your computer to become the battleground of competing criminal organizations, State Actors and the occasional vigilante hacker? I first saw offensive defensive viruses in 2003 with "nimda" and various anti-nimda viruses. Personally I want control of my Computer, my TV, my telephone and do not trust the FBI, NSA or other "benevolent" actors to understand or protect my system.
The answer to Random Joe's comment is "been there done that". It doesn't end well, the only real solution is build resilient systems that do not lend themselves to offensive uses.

Joe R AndomMarch 1, 2017 8:01 AM

This is an issue for IoT devices that are Internet accessible, and it is the majority.

But if one's application use cellular for connectivity, there is an easy and nice way to avoid a Mirai situation: use what is called a private APN. When a device uses a private APN it is not connected to the Internet but to a private IP network. The telco operator then provides access to the cloud backend through a VPN or leased line. Of course this requires:

- the higher cost of cellular to be acceptable, vs a simple/cheap LAN technology;

- being ok with having to go through a cloud back-end to get (indirectly) at the device data.

So it's not for all applications for sure, but it could cover many useful cases. And because the devices are NOT Internet accessible, remote attacks are not a practical problem: in theory one could crack the telco or cloud backend to get to the device. Not only is this much harder to do, and easier to fix, but if one has done this there's more interesting things to do than hack the devices I think ;)

As always there is no perfect solution in this world, but for cases where cellular is ok it's a simple and effective way to improve an IoT system device side security. With all the DDoS attacks happening I'm surprised nobody mentions this. Maybe because it's hardly new in the cellular world? This feature has been there since GPRS, is unchanged through 3G and LTE (and likely tomorrow 5G) and is commonly used in M2M cellular applications. But I'd bet many newcomers to IoT may not know about its existence.

MatteoMarch 1, 2017 8:18 AM

@Joe Random
"attacking" the insecure devices to patch them is possible (and is being done, search on git) but it's not a very good solution; in fact the device is protected (or infected) only until it is rebooted. and there are multiple virus competing for the control of that devices

WmMarch 1, 2017 8:59 AM

"Political groups use them..."

You can be assured that such political groups are exponentially on the Democratic party side.

anonymous cowardMarch 1, 2017 9:34 AM

Someone I know never cared for security whatsoever. Now he is afraid of the ransomware...
I tried to explain to him that he won't even notice most malware, because it's used to attack others. And I got the stunning answer: "Yes, but if it doesn't harm me, why should I care?"

cphinxMarch 1, 2017 9:54 AM

A significant portion of the IoT devices that are based out of consumer residences, reside behind a gateway with little to no network-level security. I would assume that many non-private establishments (small businesses and whatnot) also have little to no network-level security.

With that said, most consumer gateways, provided by the consumer's ISP include a gateway firewall, which is (almost) never turned on by default. On top of that, the ISP's (almost) never secure the gateway by changing the default credentials for the device.

If that gateway, or standard network-level firewall were enabled by default, and default login credentials were randomized per device/MAC address, then one step in the right direction has been taken. By default, these gateway firewalls block P2P, I2P, and similar services which (I would assume) most consumers will never use (intentionally) let alone even understand what they are. With a few changes to the default firewall settings and distributed in mass, the consumer ISP industry just made it significantly more time consuming and expensive to exploit consumer-home based IoT devices.

Anyway, I don't work for an ISP and with that I don't claim or imply that I understand all of the backend that would need to be put into place to support this. However, with what I do understand, it seems like a fairly simple thing to both implement and manage.

The average consumer will never understand nor care enough to make these changes on their own. Hold the ISP's accountable to reduce both the threat and the risk of many botnets and other vulnerabilities by enforcing greater security with their home-based gateways and devices. That's my opinion.

NevermindMarch 1, 2017 10:04 AM

This is an international problem. Blaming single policitcal parties is petty, especially when neither is interested in a solution to this problem.

We need legal liability (including a penalty if not compliant) to publish security holes for all organizations, especially for tax funded intelligence agencies. The next step would be to obligate manufacturers to provide security updates or disable the vulnerable devices.

The problem is, that a hi-jacked IOT device does not appear defective to the owner. This has to change.

Not really anonymousMarch 1, 2017 10:15 AM

Maybe we need some groups bricking vulnerable hardware so that there are proper incentives to have good security in internet connected devices while also reducing the pool of hardware available for recruitment into botnets.

markMarch 1, 2017 11:18 AM

WM: "on the Democratic side"? That's not even a lie, since a liar has to be able to distinguish between reality and nonreality; it's made-up bs pulled out of right-wing talk radio.

And with all these issues of security, maybe it's time to consider the unconsiderable: maybe the IoT was a MIND-BOGGLINGLY STUPID idea.

Just because you *can* do something doesn't mean you *should*. I, for example, will NEVER, under ANY circumstances, have a 'Net-enabled thermostat, since I would prefer to come home to a warm/cool house, and not what some 16 yr old down the block decided to do to my thermostat "because he could".


Kurt SeifriedMarch 1, 2017 11:49 AM

This is just Internet/Security meeting the law of large numbers. 2^32 is not a large number anymore with all the IoT devices we'll be attaching to the Internet (every single lightbulb, kitchen appliance, kids toys, etc.). If even 1% of these things are remotely hackable (and I suspect the actual % number is much much higher) then we have millions of devices online, hacked, that have a lot of processing power (comparatively to a decade ago) and enough bandwidth (DSL/Cable/etc having replaced dialup) to do a lot of harm. Even a small botnet of 10,000 machines can generate a lot of traffic now.

AndrewMarch 1, 2017 12:19 PM

There are more uses of botnets.. password breaking, bitcoins mining, malware spreading, propaganda, spam etc...

All windows users are basically botnets. If Microsoft wants to break a password it can distribute the task to 1 billions CPUs (4-5 billions cores) with a hidden process.... if smarter even on GPU....

Sancho_PMarch 1, 2017 1:05 PM

@anonymous coward wrote:
And I got the stunning answer: "Yes, but if it doesn't harm me, why should I care?"

The stunning thing is the answer is correct.
It’s not only natural (in the sense of nature, egoistic), it also fits capitalistic thinking (our mantra) and is technically correct.

Until serious people make money by writing boulevard-press articles about bot nets (@Bruce) we need them because of their “scary” factor.

No need to think twice about what bot nets are. Money.

SideNoteMarch 1, 2017 5:01 PM

Respecting and acknowledging Bruce's work I would like just to point out that calling people who do such network overdoses as hackers seems just unappropriated. I've never felt in the need to be so conservative in stereo-logos, and actually thought of it as ridiculous, but this seems to feed-forward the inquisitory narrative on hackers and it's true meaning.

The Almighty Magnificent FATNessMarch 1, 2017 7:57 PM

Botnets don't exist.

They are figment of your imagination.

sitaram:. March 1, 2017 8:05 PM

forget IOT.

At least two of the various security podcasts I listen to on my commute have predicted a botnet of wordpress sites. The numbers are high enough, and they have a lot more juice!

Clive RobinsonMarch 1, 2017 8:49 PM

@ sitaram,

... predicted a botnet of wordpress sites. The numbers are high enough, and they have a lot more juice!

And a lot more to lose.

Perhaps you need to think of the IoT devices as "termites" and the wordpress computers as "elephants". We know they can both destroy trees and houses, but elephants don't get much of a chance compared to termites. People can easily see elephants doing harm and take steps to limit their damage, termites however are mainly unseen and thus don't get stopped untill real harm is done.

Clive RobinsonMarch 1, 2017 9:06 PM

@ Bruce,

Once you know a botnet exists, you can attack its command-and-control system.

Only if it has one you can attack, and it's possible to attack it.

Quite a few years ago I worked out a number of ways to get around the attack issues and described on of them on this blog. Thankfully so far the botnet herders have not resorted to such tactics, mainly because the lack of security on the Internet makes it a "target rich environment". Thus it's still easier for bot herders to just go out and find new computers to turn into bots than it is to code a complex C&C that is effectively attack proof. However at some point the numbers will change in favour of attack proof C&C channels.

JPAMarch 1, 2017 9:50 PM

"If the botnet makers figure out more effective ways to siphon revenue from big companies online, we could see the whole advertising model of the Internet crumble"

IMHO the pay-per-click system has always been a giant scam. The advertisers have been getting ripped off since it began. It also drives all sorts of dysfunctional dynamics between people, information, bogus drivel and web-sites. I can't see anything but benefit from that model crumbling.

neillMarch 1, 2017 10:05 PM

noone wants to pay more for their IoT device, nor their network setup

even with stupid insecure devices a good managed network on the CPE side would help, as well as ingress restriction of the ISP's edge routers ... but that takes time, and the cost is higher ...

maybe AI could help us there in the future

My InfoMarch 2, 2017 2:04 AM


even with stupid insecure devices a good managed network on the CPE side would help, as well as ingress restriction of the ISP's edge routers

We're all paying for your useless networking equipment vendor certs.

WulfMarch 2, 2017 6:13 AM

I am wondering about the following scenario:
IoT devices can be seen as a resource for Botnet operators. Currently there are lots of uninfected devices.
But under the assumption that this will change and the resource "uninfected IoT device" will diminish, what will happen ... Will we see botnet operators fighting against each other for larger numbers of infected systems?
Or is the assumption wrong and the production of new IoT devices is large enough to be sufficient for all botnet operators?

sitaramMarch 2, 2017 6:47 AM


In this context I see the wordpress sites as termites the size of an elephant (sorry for mangling your analogy beyond reality). The main point is that there are an enormous number of them, so it's whack-a-mole, except with elephants.

As for "a lot to lose", I'm not sure. Most wordpress sites are personal vanity blogs hosted on some rented space, I imagine. They'd shrug and open another, and since they were victims, they wouldn't even be charged.

We'll see... if nothing like this happens within 6 months to a year, you were right :)

Nick PMarch 2, 2017 10:51 AM

@ Bruce

My idea of a parallel Internet (or ISP regulations) having authentication and DDOS monitoring built into every router is looking better all the time, eh?

AndreaMarch 2, 2017 12:42 PM

IoT is the current expanding market, and it is too big to ignore it, just because it is mostly unsecure by design.

Being out of the IoT "thing" just means being out of the most expanding and growing market, something that you will regret in the near future.

The issue here is that the "secure by design" is not working just because it does not seem the way human beings design their new projects. At least, we are at the second turn, the first one could be the Internet protocols at the beginning. We see the same pattern and nothing seems to be learnt, but no one of the people who is posting here has ignored the Internet even if it was (is) not secure by design.

Anyway nothing is stopping you to choose wisely the appliance or device to use, much more, nothing is stopping you, apart of laziness, to configure, or implement, a bit more of security, knowing that, but IMHO everyone here know it, security is not an aim but it is a continuos process.

Clive RobinsonMarch 2, 2017 5:33 PM

@ Bruce and the usual suspects,

I have come to the conclusion that IoT as an expression has become to broad to be meaningfull any longer. It's a little like saying "animals that live" when we have dovisions of those that swim, fly and walk, further subdivided in various meaningful ways.

For instance we do have IoT devices that are not effected by being put on a totally private network, whilst others are designed to do an ET and phone home for a variety of reasons. Obviously the former can be used to work not just securely, but also to maintain privacy etc even though each device may not be secure at all. Whilst the latter will always be inherantly vulnerable no matter how securely it was initially designed.

My personal view is anything that has to do an ET to function should be at the very least shuned, if not actually be made illegal. Of course there are "exception arguments" such as those like "TV guides" on televisions, however a little thought reveals that in many cases the potential loss of privacy can be fairly easily mitigated. The fact that manufactures appear not to want to go down the mitigation road should be ringing alarm bells in peoples heads. Hence we need a new term for such malicious devices.

Sancho_PMarch 2, 2017 5:34 PM

@Nick P

I guess your “built into every router” is a joke?
Or are you talking about not existing / fictionally devices instead of the hundred millions installed ones?
Does anyone know how to build bulletproof COTS (inter-) networking devices?
If, and I doubt it, but if - would there be a reasonable market $$$ chance?
(“bulletproof” means liability, not lex Micro$oft)

Would you then mandate all users to change the existing ones to the “safe” monopoly-router, just to make them all (un)safe, just in case?
Landfill or business?
And the bigger ones, too? RISCO - RISCO? No more “lawful” access?
What would our friends from a certain TLA think about that idea?

Insecure routers, PCs and IoT-devices do not form a botnet (bot + net),
they are just single grains of sand.

To make a beach you need the net, precisely an ISP (or more of them).
ISPs bundle that grains to a mighty weapon capable to knock down e.g. Dyn.

My single webcam can’t.
Even 200 couldn't do it from my dynamic IP.

Dirk PraetMarch 3, 2017 4:40 AM

@ Nick P

My idea of a parallel Internet (or ISP regulations) having authentication and DDOS monitoring built into every router is looking better all the time, eh?

I would also very much welcome any initiative to build some kind of Little Snitch-like egress functionality into every commercial (home) router, accompanied by some (MacOS/Windoze/Linux/BSD/iOS/Android) workstation agent, that would alert to suspicious/unknown/known bad traffic originating from designated (e.g. IoT) devices on your LAN. And that could be correlated with some open source "bad hombres" database like Virustotal. The tech savvy and privacy-minded user can of course build his own home network monitor and (N)IDS, but this is somewhat beyond the technical capabilities of the average person.

@ Sancho_P

Does anyone know how to build bulletproof COTS (inter-) networking devices?

There are plenty of hardened (micro)kernels and (mini)OS'es out there for IoT purposes. You just need companies to adopt them. But absent any sort of liability/accountability regulation, I guess it's going to remain a race to the bottom.

Nick PMarch 3, 2017 9:02 AM

@ Sancho_P

"Does anyone know how to build bulletproof COTS (inter-) networking devices?"

Yeah. They were the among the first things designed, built, and certified to high-assurance security. They passed from 2-5 years of analysis and pentesting by NSA's Information Assurance Directorate. The security kernels were the first. The CertiKOS framework used in mCertiKOS is state-of-the-art for software. Rockwell-Collins is using secure CPU's along with some others in industry (esp Microsemi) and academia. These days, we also have languages immune to common vulnerabilities, OS's written in them, prototypes for automated analysis of information flows, free microkernels, robust code for networking from BSD's, and some server/admin programs (esp from DJB or OpenBSD folks) that are simple & rarely have exploits. More than enough to build products. Matter of fact, there's periodically a new company doing it but with little market demand due to no ISP involvement and user's not understanding value proposition (i.e. brainwashing by shitty vendors).

The simplest route was taken by genua, a defense contractor, who subsetted OpenBSD for security appliances. They then added their firewall, VPN, etc code on top of it. Odds of their router getting hacked are about the odds of OpenBSD box getting hacked. Decent gamble.

@ Dirk Praet

Yeah, you're seeing where I'm going with it. I'll add that the WAN protocols already do things such as prioritization of traffic for QoS. Only reasonable to expect them to detect their own network being blasted and disconnect that host.

@ All

Previously, I countered a claim on Hacker News that Google's security people were good enough to stop nation states. Googler's pounced on me. So, I illustrated how far their competition was ahead on high-assurance security along with their failures. Now, when searching for Sancho_P, Google replied back by suggesting products appropriate for high-assurance, security engineers. Is this a fluke in machine learning or should I keep an eye out for a chance to write another damning post about them? ;)

Joe RandomMarch 3, 2017 3:14 PM

@Matteo Excellent. The nonconsensually-patched IoT devices could also send out a beacon to a benevolent C&C server to indicate that they haven't rebooted yet. That way when they do reboot it'd be easier to re-patch them before the bad actors get back in.

@captsutter Maybe proactively breaking into and fixing devices when the alternative is that they'll almost surely join a malicious botnet could be justified on whatever legal grounds have allowed abandoned houses with, e.g. West Nile mosquitoes breeding in the unmaintained swimming pool, or whatever public nuisance, to be remediated. Trying to notify the owner of the device and allowing that owner to decline the remediation might as well be part of the process too.

Sancho_PMarch 3, 2017 6:18 PM

@Dirk Praet

I have LS on my Mac but due to my ignorance it is really hard to grasp what’s going on. Simply check the Google Software Update, or Apple system software demands. Details are rare, e.g. fanboys at Apple support cry foul when mentioning LS.
Looking at the changing domain names it seems some companies lost track of their own activities.

Also @Nick P

With regards to our certificate system I doubt hardened (micro)kernals would help. A chain is as strong as the weakest link.
We can’t have secure systems because of weak foundation and permanent progress.
This is the reason why there is "little marked demand" for awkward software.
Look at Win10, you can’t run it without permanent update backdoor.
Security patches in bulk since years. More console commands than ever.
No, they are not just a couple of idiots, it’s difficult when the target is in motion.

My statement stands:
Devices will remain insecure, the provider performs the DDoS attack.
Don’t complicate what is really simple.

J b y a p, d n m t n o t g y.March 5, 2017 4:52 PM

@Nick P,

Keep irritating the hive. If you're publicly cataloging things for everyone to see you're forcing their hand to either discredit you (inform us) or to up their game vs the competitors you're potentially handing cheatsheets to.

Win win scenario, keep agitating them if you're on their radar it's beneficial.

Leave a comment

Allowed HTML: <a href="URL"> • <em> <cite> <i> • <strong> <b> • <sub> <sup> • <ul> <ol> <li> • <blockquote> <pre>

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of IBM Resilient.