How to Tell If You Have Bots

Detecting bots on your network

Bots are malicious code that infects network hosts. They are spread by attackers and by previously infected hosts. Infections are often helped along by unsecured, always-on broadband connections, which allow the code to spread undetected from one machine to another.

Bots install themselves on the hosts and then execute commands sent from a remote location. Commands range from relaying unwanted spam to using the host's bandwidth as part of a distributed denial-of-service (DDoS) attack. Bots have infected millions of hosts. Basic strains like "sdbot," one of the most effective bots and one known to mutate often, now have 4,000 or more variants spreading. DDoS attacks using bots have reached nearly 10GB of aggregate attack bandwidth. Owners of infected hosts often don't know they're infected, or that they're infecting others and spreading spam and DDoS attacks.


Common bot symptoms include network sluggishness, periodic unavailability of network resources and unusual traffic spikes. In acute cases, computers cease to operate or Internet access becomes unavailable. These symptoms also describe normal, far less serious network disruptions, making bots hard to diagnose. A strain of bots can infect the operating system kernel and mask its own symptoms, making it even harder to identify.


Analyzing traffic may be enough to determine if bots are present. Unusually high rates of outgoing traffic could signal the presence of bots. Traffic flowing through Port 6667 (used for Internet Relay Chat, or IRC) in corporations is usually a strong indication of the presence of bots, as bots often receive instructions on how to act from a "master bot" communicating through IRC. Other ports to watch include Port 25 (e-mail or spam relay) and Port 1080 (often used for proxy servers such as SOCKS, which manages connections between clients and servers). Traffic saturation attacks (two examples are SYN floods and UDP floods) are evidence of the presence of bots. Many of these symptoms can be diagnosed using the DOS prompt command "Netstat -an", which shows all network activity from the host. Network sniffers can be used to this end too. Those who suspect bots should run antispyware programs against their hosts, though newer bot variants may not yet be covered by those programs. Analysis of firewall logs could also help diagnose bots. Published lists of malicious IP addresses, such as the Bogons list (derived from the phrase "bogus IP announcements") of nonlegitimate IP addresses, can be matched against network activity to determine if bots are present.
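As an added example (not from the original article), the following Python script applies the two checks just described to "netstat -an" output: it flags connections to the watched ports (6667, 25, 1080) and remote peers that fall inside bogon address space. The netstat sample is constructed, and the bogon prefixes are an illustrative subset rather than the published list.

```python
import ipaddress
import re

# Ports the article flags: IRC command channel, spam relay, SOCKS proxy.
WATCHED_PORTS = {6667: "IRC (bot command channel)", 25: "SMTP (spam relay)", 1080: "SOCKS proxy"}

# Illustrative subset of reserved ("bogon") prefixes; a real deployment would load the published list.
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "192.0.2.0/24", "224.0.0.0/4", "240.0.0.0/4")]

# Constructed sample of Windows "netstat -an" output (not captured from a real host).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1043      198.51.100.7:80        ESTABLISHED
  TCP    192.168.1.10:1052      203.0.113.25:6667      ESTABLISHED
  TCP    192.168.1.10:1060      192.0.2.44:25          SYN_SENT
  UDP    192.168.1.10:137       *:*
"""

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$")

def split_endpoint(endpoint):
    """Split 'host:port' into (host, port); port is None for '*' wildcards."""
    host, _, port = endpoint.rpartition(":")
    return host, (int(port) if port.isdigit() else None)

def find_suspicious(netstat_text):
    """Return (proto, remote_host, remote_port, reason) for every connection that
    uses a watched port or talks to a bogon address; listening sockets are skipped."""
    findings = []
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # header or blank line
        proto, _local, remote, state = m.groups()
        if state == "LISTENING":
            continue                      # no remote peer yet
        host, port = split_endpoint(remote)
        reasons = []
        if port in WATCHED_PORTS:
            reasons.append(WATCHED_PORTS[port])
        try:
            if any(ipaddress.ip_address(host) in net for net in BOGON_PREFIXES):
                reasons.append("bogon peer")
        except ValueError:                # '*' wildcard or a hostname, not an IP literal
            pass
        findings.extend((proto, host, port, r) for r in reasons)
    return findings
```

On a real host, feed the script the saved output of "netstat -an" and review each hit against the traffic baseline before concluding an infection; port 25 in particular is legitimate on mail servers.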


Preventative: Network activity should be baselined, whether or not the network is suspected of having bots. This allows you to track traffic rates and transaction types (both approved and disapproved) for each network host. If the network doesn't have bots, the baseline gives you something to measure unusual traffic flows against. If the network is infected, the baseline will show what traffic flow looks like when the network is infected. Honeypots can be used to capture and analyze malicious traffic in an environment where it can't do damage to the "real" part of the network. A highly segmented network will help contain the spread of bots, as long as security policies are enforced between network segments. Segmentation can be by user groups, geography or technology, or all three. Monocultures—networks using a single technology—are much riskier.

Reactive: Deleting the malicious code is challenging and sometimes impossible, as some bots will regenerate. Treatment of an infection often entails the pain of reimaging machines to eradicate the bots (and losing the data on those machines). You need vigilant backup and disaster recovery practices to prevent serious data loss in a widespread bot outbreak.

Copyright © 2005 IDG Communications, Inc.
