Definitions
Botnet
Botnets are collections of compromised hosts (bots, or zombies) that an attacker controls remotely for their own purposes.
Once installed and running, a malicious bot attempts to connect to a remote command and control (C&C) server to receive instructions on what actions to take. Historically the most common C&C protocol has been Internet Relay Chat (IRC). Although it is a legitimate chat protocol, IRC is attractive to attackers because the protocol is simple, a single channel message reaches every bot that has joined, and bot software written to use it is readily available. Newer botnets also use HTTP(S), peer-to-peer protocols or DNS for C&C, so the absence of IRC traffic does not mean the absence of bots. Once connected, the bot does whatever it is commanded to do: sending spam, scanning the Internet for further hosts to compromise, or launching DoS attacks.
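The IRC check-in described above is easy to reconstruct from a packet capture, because IRC is line oriented and human readable. The following is an added example, not code from the original page: it parses a captured IRC session with a small RFC 1459 line parser and recovers the channel the suspected bot joined and every instruction it received, including a standing order parked in the channel topic. The transcript, nicks, channel name, addresses and ".command" texts are all constructed for illustration.

```python
# Added example (not from the original page): parse an IRC session captured from a
# suspected bot and recover the C&C channel plus every instruction the bot received.
# The transcript is constructed; nicks, channel name and ".command" texts are invented.
import re
from dataclasses import dataclass, field
from typing import Optional

# RFC 1459 line grammar: [':' prefix SPACE] command {SPACE param} [SPACE ':' trailing]
IRC_LINE = re.compile(
    r"^(?::(?P<prefix>\S+) )?(?P<command>\S+)(?P<params>(?: (?!:)\S+)*)(?: :(?P<trailing>.*))?$"
)


@dataclass
class IrcMessage:
    prefix: Optional[str]
    command: str
    params: list = field(default_factory=list)
    trailing: Optional[str] = None


def parse_irc(line: str) -> IrcMessage:
    """Split one raw IRC line into prefix, command, middle params and trailing text."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        raise ValueError(f"not an IRC message: {line!r}")
    return IrcMessage(m.group("prefix"), m.group("command").upper(),
                      m.group("params").split(), m.group("trailing"))


# Constructed capture. "C>" = sent by the suspected bot, "S>" = sent by the server.
CAPTURE = """\
C> NICK bot42
C> USER bot42 0 * :bot42
S> :irc.example.net 001 bot42 :Welcome to the network
S> PING :irc.example.net
C> PONG :irc.example.net
C> JOIN #cmd
S> :bot42!bot42@10.0.0.5 JOIN :#cmd
S> :irc.example.net 332 bot42 #cmd :.scan 10.0.0.0/8 445
S> :herder!h@198.51.100.7 PRIVMSG #cmd :.spam targets.txt
S> :herder!h@198.51.100.7 PRIVMSG bot42 :.update stage2.bin
S> :herder!h@198.51.100.7 PRIVMSG #other :hello
"""


def analyze_c2(capture: str) -> dict:
    """Return the bot's nick, the channels it joined and the messages addressed to it."""
    nick = None
    channels = set()
    received = []
    for raw in capture.splitlines():
        direction, _, line = raw.partition("> ")
        msg = parse_irc(line)
        if direction == "C" and msg.command == "NICK":
            nick = msg.params[0]
        elif direction == "C" and msg.command == "JOIN":
            channels.update(msg.params[0].split(","))
        elif direction == "S" and msg.command == "332":
            # RPL_TOPIC: params = [our nick, channel], trailing = topic text. A channel
            # topic is a classic place to park a standing order for every bot that joins.
            received.append(("topic", msg.params[1], msg.trailing))
        elif direction == "S" and msg.command == "PRIVMSG":
            target = msg.params[0]
            if target in channels or target == nick:   # ignore chatter in other channels
                received.append(("privmsg", target, msg.trailing))
    return {"nick": nick, "channels": sorted(channels), "received": received}


if __name__ == "__main__":
    for kind, target, text in analyze_c2(CAPTURE)["received"]:
        print(f"{kind:8} {target:8} {text}")
```

The same parser applies to a live tap on port 6667 or to a decoded TLS session on 6697; what it cannot tell you is what the recovered command text means, since the command vocabulary is whatever the bot author chose.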
Attacks
In most cases the attacker tries to take control of the target with a published exploit for a known vulnerability. Exploit tools exist for a wide range of vulnerabilities and are usually written specifically for a single attack vector.
Exploit attempts are most often launched from bots (hosts already under an attacker's control), which automatically try to exploit any reachable host on the Internet. Attack origins are usually not spoofed: exploiting a TCP service requires a completed handshake and a two-way conversation, so the attacker must use an address at which they can receive replies. That address, however, is frequently a compromised or malware-infected host rather than the attacker's own.
DDoS Attacks
Denial of Service attacks overwhelm a target with either more connection state than it can hold (too many connection requests) or more traffic than its links can carry (too much bandwidth). The intended result is to make the target unreachable, although other infrastructure along the attack path (routers, switches, load balancers, etc.) may suffer collateral damage. Attack types include connection floods, TCP SYN floods, and ICMP and UDP floods, often used in combination.
DoS attacks against high profile targets are often launched from a network of zombie machines in a botnet, which is what makes them distributed (DDoS). Source addresses can be forged, because a flood does not need a reply: SYN, ICMP and UDP floods in particular are routinely sent from random spoofed sources, which hides the real origin and makes source-based blocking ineffective. The destination address is necessarily the real target.
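The two properties just described, connections that never complete and sources that appear exactly once because they are forged, are exactly what separates a SYN flood from a legitimate traffic spike. The following is an added example, not code from the original page: it computes a half-open ratio and a single-SYN-source ratio over TCP segments arriving at one server and raises an alert when both are high. The server address, client addresses, thresholds and the nmap-style flag strings ("S", "A", "PA") are assumptions made for the example, and the traffic is constructed.

```python
# Added example (not from the original page): a SYN-flood indicator over TCP segments
# seen arriving at a server. Records are constructed tuples (src_ip, dst_ip, dst_port,
# flags) where flags is the nmap-style letter string ("S", "A", "PA", ...).
from collections import defaultdict

SERVER = "203.0.113.10"   # assumed address of the protected service


def syn_flood_stats(records, dst):
    """Summarise inbound SYN behaviour toward one destination address.

    A legitimate client sends SYN, receives SYN/ACK and answers with ACK (then data).
    A flood from spoofed sources sends SYNs whose SYN/ACKs go to addresses that never
    answer, so the connections stay half-open and each forged source shows exactly one SYN.
    """
    syns_by_src = defaultdict(int)
    completed_src = set()
    for src, d, _dport, flags in records:
        if d != dst:
            continue
        if flags == "S":
            syns_by_src[src] += 1
        elif "A" in flags and "S" not in flags:        # third handshake step or later data
            completed_src.add(src)
    total = sum(syns_by_src.values())
    half_open = sum(n for s, n in syns_by_src.items() if s not in completed_src)
    return {
        "syn": total,
        "half_open": half_open,
        "distinct_sources": len(syns_by_src),
        "single_syn_sources": sum(1 for n in syns_by_src.values() if n == 1),
    }


def looks_like_syn_flood(stats, min_syn=50, half_open_ratio=0.8, single_ratio=0.8):
    """Alert when most SYNs never complete and most sources appear exactly once.

    Thresholds are illustrative; tune them per service and per measurement window.
    """
    if stats["syn"] < min_syn:
        return False
    return (stats["half_open"] / stats["syn"] >= half_open_ratio
            and stats["single_syn_sources"] / stats["distinct_sources"] >= single_ratio)


# Constructed traffic. Five real clients open three connections each and complete every
# handshake; the flood adds 120 SYNs from 120 forged addresses that never answer.
BENIGN = []
for i in range(1, 6):
    for _ in range(3):
        BENIGN += [(f"10.0.0.{i}", SERVER, 443, "S"),
                   (f"10.0.0.{i}", SERVER, 443, "A"),
                   (f"10.0.0.{i}", SERVER, 443, "PA")]

FLOOD = [(f"192.0.2.{i}", SERVER, 443, "S") for i in range(1, 121)]

if __name__ == "__main__":
    for label, recs in (("normal", BENIGN), ("under attack", BENIGN + FLOOD)):
        s = syn_flood_stats(recs, SERVER)
        print(label, s, "-> SYN flood" if looks_like_syn_flood(s) else "-> ok")
```

A flash crowd also produces a spike in SYNs, but its handshakes complete and its sources repeat, so both ratios stay low; that is why the two are combined rather than alerting on SYN volume alone. Since the sources are forged, blocking them buys nothing; SYN cookies on the host and ingress filtering (BCP 38) at the network edge are the controls that actually help.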
Scans
Host scanning is the automated sweeping of a network in search of hosts running a particular service. It may come from legitimate scanners (network management systems, authorized vulnerability scanners) or from an attacker, or from automated malicious code such as a worm, enumerating potential hosts for subsequent compromise.
Scans are often the prelude to an attack, and the services an attacker scans for usually correspond to known vulnerabilities in those services. Port scan types include connect() scans (a full TCP handshake), SYN or half-open scans (a SYN answered by SYN/ACK and then reset before the handshake completes), stealth scans, bounce scans (FTP bounce, in which an FTP server is made to open the connections on the scanner's behalf), and XMAS and Null scans (segments with FIN, PSH and URG set, or with no flags set, whose responses distinguish open from closed ports on TCP stacks that follow RFC 793). All reveal to the attacker which services on which hosts are listening for connections. Scans may be launched from compromised hosts, and their sources may be forged or padded with decoy addresses; the scanner must still see the replies, however, so at least one of the apparent sources is real.
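The scan types listed above differ in the TCP flags they send and in whether the probing host ever completes a handshake, which is enough to classify them from traffic. The following is an added example, not code from the original page: it names the probe type from the flag bits of each segment, distinguishes connect() from half-open SYN scans by whether the prober's ACK follows its SYN, and alerts when one source touches many ports on one host inside a time window. The addresses, the ten-ports-in-sixty-seconds threshold and the assumption that the records hold only segments sent by the probing host are choices made for the example; the traffic is constructed.

```python
# Added example (not from the original page): classify TCP probes by their flag bits and
# flag sources that sweep many ports on one host. Records are constructed tuples
# (timestamp_s, src_ip, dst_ip, dst_port, flags) for segments sent BY the probing host.
from collections import defaultdict

SCANNER, TARGET, CLIENT = "198.51.100.9", "203.0.113.10", "10.0.0.12"   # assumed addresses


def classify_probe(flags: str) -> str:
    """Name the scan type a single unsolicited segment with these flags is typical of."""
    f = set(flags)
    if not f:
        return "null"      # no flags: RFC 793 stacks answer RST on closed ports, stay silent on open ones
    if f == {"F", "P", "U"}:
        return "xmas"      # FIN+PSH+URG, same open/closed logic as the null scan
    if f == {"F"}:
        return "fin"
    if f == {"S"}:
        return "syn"
    if f == {"A"}:
        return "ack"       # maps firewall rules rather than listening services
    return "other"


def classify_flow(client_flags):
    """Classify one (src, dst, port) flow from the ordered flags the prober sent.

    SYN followed by the prober's own ACK means the handshake completed: a connect() scan.
    SYN followed only by RST (or by nothing) is a half-open SYN scan.
    """
    first = set(client_flags[0])
    if first == {"S"}:
        later = set("".join(client_flags[1:]))
        return "connect" if "A" in later else "syn"
    return classify_probe(client_flags[0])


def detect_scans(records, min_ports=10, window=60.0):
    """Alert on each (src, dst) pair that probes >= min_ports distinct ports within `window` seconds."""
    flows = defaultdict(list)                       # (src, dst, port) -> [(ts, flags)]
    for ts, src, dst, dport, flags in records:
        flows[(src, dst, dport)].append((ts, flags))
    probes = defaultdict(list)                      # (src, dst) -> [(first_ts, port, kind)]
    for (src, dst, dport), segs in flows.items():
        segs.sort()
        probes[(src, dst)].append((segs[0][0], dport, classify_flow([f for _, f in segs])))
    alerts = []
    for (src, dst), plist in probes.items():
        plist.sort()
        start = 0
        for end in range(len(plist)):               # sliding window over first-probe times
            while plist[end][0] - plist[start][0] > window:
                start += 1
            if len({p for _, p, _ in plist[start:end + 1]}) >= min_ports:
                alerts.append({"src": src, "dst": dst,
                               "ports": len({p for _, p, _ in plist}),
                               "types": sorted({k for _, _, k in plist})})
                break
    return alerts


# Constructed traffic: a 20-port SYN scan in under two seconds, two lone stealth probes
# from another address (below threshold), and a real client completing handshakes to two ports.
RECORDS = []
for i, port in enumerate(range(1, 21)):
    RECORDS.append((100.0 + i * 0.1, SCANNER, TARGET, port, "S"))
    RECORDS.append((100.05 + i * 0.1, SCANNER, TARGET, port, "R"))
RECORDS.append((150.0, "192.0.2.33", TARGET, 22, "FPU"))
RECORDS.append((150.2, "192.0.2.33", TARGET, 23, ""))
for port in (80, 443):
    RECORDS += [(200.0, CLIENT, TARGET, port, "S"), (200.1, CLIENT, TARGET, port, "A"),
                (200.2, CLIENT, TARGET, port, "PA")]

if __name__ == "__main__":
    for alert in detect_scans(RECORDS):
        print(alert)
```

Two caveats follow from the text above. A decoy scan mixes the real source with forged ones, so every decoy address trips the per-source counter too and the alert list will not tell you which one is the scanner. An FTP bounce scan arrives from the FTP server's address, so the source you see is a victim, not the attacker.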