Spamhaus Project Releases Annual Report, Cites 32% Increase in Number of Botnet Command & Control Servers

Spamhaus Project Releases Annual Report, Cites 32% Increase in Number of Botnet Command & Control Servers

The number of botnet Command and Control (C&C) IP addresses has dramatically increased in the past year, according to the 2017 annual report from The Spamhaus Project. Spamhaus is an international nonprofit organization that tracks spam and related cyber threats such as phishing, malware and botnets; among other things, it issues Spamhaus Block Lists (SBLs), IP addresses from which Spamhaus does not recommend the acceptance of electronic mail.

Whenever Spamhaus Malware Labs comes across a botnet controller, they issue a special kind of SBL listing: A BCL listing. The BCL, which stands for Botnet Controller List, is a “drop all traffic” list intended for use by networks to null route traffic to and from botnet controllers. The Spamhaus BCL lists only IP addresses of servers set up and operated by cybercriminals for the exclusive purpose of hosting a botnet controller. According to Spamhaus, “Because these IP addresses host no legitimate services or activities, they can be directly blocked on ISP and corporate networks without risk of affecting legitimate traffic, effectively rendering harmless infected computers that may be present on their networks.”

The report includes the following findings:

  1. Nearly 1 out of every 7 SBLs that Spamhaus issued was for a botnet controller;
  2. Botnet “C&C” listings increased by a massive 32% in 2017. The majority (6,588 or 68%) of botnet controllers Spamhaus found in 2017 were hosted on servers that had been ordered by cybercriminals for the sole purpose of hosting a botnet controller;
  3. Cybercriminals are using fraudulent names to get C&C servers hosted on legitimate cloud providers (including Amazon and Google); some cloud providers are reportedly overwhelmed with the task of trying to curb so many fraudulent listings that are created with stolen or fake identities;
  4. The number of IoT botnet controllers more than doubled from 393 in 2016 to 943 in 2017;
  5. The statistics exclude botnet controllers that are hosted on the dark web (like Tor).

The fact that botnet controllers are growing in number is not surprising, because hackers often compromise poorly secured IoT devices and recruit them into botnets. Combined with new DDoS attack vectors and techniques, such as the recent appearance of so-called pulse-wave attacks, the increase in botnet controllers increases the risk of distributed denial of service (DDoS) attacks.

The forecast for botnet activity is dire, so what should organizations do? For starters, Spamhaus recommends its products like the Botnet Controller List (BCL), Malware Domain List or Zero Reputation Domain (ZRD) to protect not only your IoT devices but also spot potential intruders and infected machines in your network. But that approach won’t completely protect your network from DDoS attacks, so another important step is to deploy some sort of DDoS protection for your network, whether you purchase DDoS Protection as a Service from your ISP or hosting provider, or install it on-premises.

For more information, contact us.