According to a CenturyLink report on distributed denial of service (DDoS) attacks worldwide, the United States holds the dubious distinction of leading the world as the most common point of origin for malicious internet activities. Russia and China follow in second and third place, respectively.
CenturyLink’s research is compiled by its Threat Research Labs, which culls its data from its own internet connections. CenturyLink recently acquired Level 3, and the combined company owns one of the world’s largest internet backbones.
One thing the CenturyLink Threat Research Labs tracks is botnets. The exploitation of internet-connected devices to create botnets for DDoS attacks began in earnest in 2014 with the Gafgyt malware. Botnets became even more damaging with the Mirai malware that was responsible for the largest DDoS attack on record, which occurred in 2016.
Botnet malware enlists unsecure devices that are connected to networks — such as a compromised server, a computer, a cell phone, or any internet of things (IoT) device such as a DVR, security camera, or sensor. The malware turns these devices into “bots” to bombard a targeted site with requests.
A compromised device that has been infected by malware communicates with a command and control (C2) server. “Each of the millions of bots CenturyLink Threat Research Labs tracks was witnessed communicating with a known C2 server,” states the CenturyLink report. “The most dangerous botnets contain hundreds of thousands of members waiting to attack at a moment’s notice.”
To track botnets, CenturyLink’s security researchers collect data from 114 billion NetFlow records each day, capturing over 1.3 billion security events daily and monitoring for 5,000 known command and control (C2) servers. The company identifies the origins of C2 servers and the bots they control.
“Traffic between a network and any C2 server is a powerful risk indicator that a vulnerable and potentially compromised host exists,” states the report. “Tracking C2 data reveals victim hotspots and activity hubs favored by malicious actors.”
CenturyLink cannot fully deactivate a C2 that is not within its sphere of control. And many of these C2s are hosted in other countries at “bullet-proof” hosting sites. But CenturyLink does stop the C2 from accessing its network and resources. And the company works with the broader internet community to resolve the risk.