What are DDoS Botnets?

A DDoS (Distributed Denial of Service) botnet is a network of compromised computers or IoT devices used to overwhelm websites with traffic, making them unavailable to legitimate users.

How DDoS Attacks Work

  1. Infection: Attackers compromise devices with malware
  2. Command & Control: Infected devices connect to C&C servers
  3. Coordination: Attacker sends commands to botnet
  4. Attack: Thousands of bots flood target simultaneously
  5. Disruption: Legitimate traffic can’t reach the site

Types of DDoS Attacks

Volume-Based Attacks

Overwhelm bandwidth with massive traffic:

  • UDP floods: Random UDP packets
  • ICMP floods: Ping flood attacks
  • Amplification attacks: DNS/NTP reflection

Protocol Attacks

Exploit server resources or network equipment:

  • SYN floods: Half-open TCP connections
  • Ping of Death: Malformed packets
  • Smurf attacks: ICMP amplification

Application Layer Attacks (Layer 7)

Target web application resources:

  • HTTP floods: Massive GET/POST requests
  • Slowloris: Keep connections open slowly
  • Zero-day exploits: Target application vulnerabilities

Common Botnet Types

Mirai Botnet

  • Targets IoT devices (cameras, routers)
  • Uses default credentials
  • Massive DDoS capabilities
  • User agents: Often mimics legitimate devices

Meris Botnet

  • Exploits MikroTik routers
  • Record-breaking attacks
  • HTTP/S floods

Emotet/TrickBot

  • Banking malware turned DDoS tool
  • Self-propagating
  • Modular capabilities

Detection Signs

Traffic Patterns

  • Sudden traffic spikes (10x-1000x normal)
  • Traffic from unusual geographic locations
  • Single IP or subnet sending massive requests
  • Identical user agents in bulk

Performance Indicators

  • Slow site performance
  • Timeouts and connection errors
  • Server CPU/memory at 100%
  • Network bandwidth saturated

Request Characteristics

# Suspicious patterns:
- Same User-Agent across thousands of IPs
- Requests to non-existent pages
- Malformed HTTP headers
- Missing headers (Host, Accept, etc.)
- Very short sessions

How to Detect DDoS Bots

1. Analyze User Agents

Attack bots often use:

- Default library strings (Python-urllib, Go-http-client)
- Outdated browsers (IE 6.0)
- Identical agents across many IPs
- Malformed or missing agents

2. Check Request Patterns

# Find top requesting IPs
awk '{print $1}' access.log | sort | uniq -c | sort -rn | head -20

# Check user agent distribution
awk -F'"' '{print $6}' access.log | sort | uniq -c | sort -rn

3. Geographic Analysis

  • Traffic from unexpected countries
  • Many requests from hosting providers
  • Residential IPs behaving like servers

4. Behavioral Analysis

DDoS bots typically:

  • Don’t execute JavaScript
  • Don’t load images/CSS
  • Don’t accept cookies
  • Have no referrer
  • Request at mechanical intervals
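The signals listed under Request Characteristics, Analyze User Agents, Check Request Patterns and Behavioral Analysis can be scored together from an ordinary access log. The script below is an added example, not code from the original article: it assumes the Nginx/Apache "combined" log format, uses a small constructed sample log (five bots sharing a library user agent plus one real visitor), and the threshold for a "widely shared" user agent is tuned down to fit that sample.

```python
"""Score access-log traffic for the bot signals the article lists: library or
outdated user agents shared across many IPs, requests for non-existent pages,
no referrer, no asset loads and mechanically regular timing.
Added example (not the article's code). Assumes the Nginx/Apache "combined"
log format; SAMPLE_LOG below is constructed for illustration."""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# combined format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"
LIBRARY_UAS = ("python-urllib", "python-requests", "go-http-client", "libwww-perl")
OUTDATED_UAS = ("MSIE 6.0",)
ASSET_SUFFIXES = (".css", ".js", ".png", ".jpg", ".gif", ".ico", ".woff2")

def parse_line(line):
    """Parse one combined-format line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["time"] = datetime.strptime(rec["time"], TIME_FMT)
    parts = rec["request"].split(" ")
    rec["path"] = parts[1] if len(parts) >= 2 else ""
    return rec

def ua_is_suspicious(ua):
    """Empty, default HTTP-library, or long-dead browser user agents."""
    low = ua.lower()
    return (ua in ("", "-") or any(s in low for s in LIBRARY_UAS)
            or any(s in ua for s in OUTDATED_UAS))

def interval_cv(times):
    """Coefficient of variation of inter-request gaps; ~0 means mechanical timing."""
    if len(times) < 3:
        return None
    ts = sorted(times)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return 0.0 if mean == 0 else statistics.pstdev(gaps) / mean

def analyze(lines, min_requests=3, shared_ua_threshold=5):
    """Return {ip: {"requests", "score", "flags"}} for IPs with enough requests.
    shared_ua_threshold is tuned down for the tiny sample; on real logs the
    interesting case is one user agent shared by hundreds of IPs."""
    per_ip, ua_ips = defaultdict(list), defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec["ip"]].append(rec)
            ua_ips[rec["ua"]].add(rec["ip"])
    report = {}
    for ip, recs in per_ip.items():
        if len(recs) < min_requests:
            continue
        n = len(recs)
        top_ua = Counter(r["ua"] for r in recs).most_common(1)[0][0]
        cv = interval_cv([r["time"] for r in recs])
        checks = {
            "suspicious_user_agent": ua_is_suspicious(top_ua),
            "user_agent_shared_widely": len(ua_ips[top_ua]) >= shared_ua_threshold,
            "mostly_404": sum(r["status"] == 404 for r in recs) / n > 0.5,
            "never_sends_referer": all(r["referer"] in ("", "-") for r in recs),
            "never_loads_assets": not any(r["path"].endswith(ASSET_SUFFIXES) for r in recs),
            "mechanical_timing": cv is not None and cv < 0.1,
        }
        flags = [name for name, hit in checks.items() if hit]
        report[ip] = {"requests": n, "score": len(flags), "flags": flags}
    return report

def flagged_ips(lines, min_score=3):
    """IPs whose score reaches min_score: candidates for rate limiting or blocking."""
    return {ip for ip, r in analyze(lines).items() if r["score"] >= min_score}

# Constructed sample: five bots sharing a library user agent hit a non-existent
# page once per second with no referer; one real visitor browses normally.
BOT = ('10.0.0.{i} - - [01/Jan/2024:00:00:0{s} +0000] "GET /wp-login.php HTTP/1.1" '
       '404 162 "-" "Python-urllib/3.9"')
UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
REF = "https://example.com/"
SAMPLE_LOG = [BOT.format(i=i, s=s) for i in range(1, 6) for s in range(4)] + [
    f'203.0.113.7 - - [01/Jan/2024:00:00:00 +0000] "GET / HTTP/1.1" 200 5120 "-" "{UA}"',
    f'203.0.113.7 - - [01/Jan/2024:00:00:03 +0000] "GET /style.css HTTP/1.1" 200 900 "{REF}" "{UA}"',
    f'203.0.113.7 - - [01/Jan/2024:00:00:04 +0000] "GET /logo.png HTTP/1.1" 200 3000 "{REF}" "{UA}"',
    f'203.0.113.7 - - [01/Jan/2024:00:00:15 +0000] "GET /about HTTP/1.1" 200 4100 "{REF}" "{UA}"',
]

if __name__ == "__main__":
    for ip, r in sorted(analyze(SAMPLE_LOG).items(), key=lambda kv: -kv[1]["score"]):
        print(f'{ip:15} requests={r["requests"]:3} score={r["score"]} flags={r["flags"]}')
```

Each bot IP in the sample trips all six checks while the real visitor trips none; the point of combining signals is that no single one (a missing referrer, say) is enough on its own to justify blocking.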

Defense Strategies

Immediate Response

1. Enable DDoS Protection

  • Cloudflare “I’m Under Attack” mode
  • AWS Shield
  • Azure DDoS Protection
  • Google Cloud Armor

2. Rate Limiting

# Nginx rate limiting
# (the *_zone directives belong in the http {} block; limit_req and
#  limit_conn are applied in a server {} or location {} block)
limit_req_zone $binary_remote_addr zone=ddos:10m rate=10r/s;  # 10 requests/s per client IP
limit_req zone=ddos burst=20 nodelay;                         # tolerate bursts of 20, reject beyond (503 by default)
limit_conn_zone $binary_remote_addr zone=addr:10m;
limit_conn addr 10;                                           # at most 10 concurrent connections per client IP
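To see what rate=10r/s with burst=20 actually lets one client through, the model below re-implements the leaky-bucket accounting that nginx's limit_req documents: a per-client counter of excess requests that drains at the configured rate, a burst allowance on top of it, and either immediate service (nodelay) or smoothing delay for the excess. This is an added example written for this article, not nginx's code; the client keys and timestamps are constructed.

```python
"""Simplified model of the limit_req leaky bucket configured above
(rate=10r/s burst=20, with and without nodelay). Added example: a
re-implementation of the documented behaviour, not nginx's own code."""
from dataclasses import dataclass, field

@dataclass
class Limiter:
    rate: float            # steady-state requests per second (10r/s above)
    burst: int             # excess requests tolerated before rejecting (burst=20)
    nodelay: bool = True   # True: serve the burst at once; False: smooth it to `rate`
    _state: dict = field(default_factory=dict)  # key -> (excess, last_seen)

    def check(self, key, now):
        """Return ("accept", delay_seconds) or ("reject", None) for one request."""
        if key not in self._state:
            # first request from a new key is admitted and starts an empty bucket
            self._state[key] = (0.0, now)
            return ("accept", 0.0)
        excess, last = self._state[key]
        # the bucket leaks at `rate` per second; this request adds one unit
        excess = max(excess - self.rate * (now - last), 0.0) + 1.0
        if excess > self.burst:
            return ("reject", None)        # nginx answers 503 unless limit_req_status is set
        self._state[key] = (excess, now)
        # without nodelay an excess request is held until the bucket has drained enough
        delay = 0.0 if self.nodelay else excess / self.rate
        return ("accept", delay)

def simulate(limiter, key, times):
    """Feed timestamped requests from one client; return (accepted, rejected, max_delay)."""
    accepted = rejected = 0
    max_delay = 0.0
    for t in times:
        verdict, delay = limiter.check(key, t)
        if verdict == "accept":
            accepted += 1
            max_delay = max(max_delay, delay)
        else:
            rejected += 1
    return accepted, rejected, max_delay

if __name__ == "__main__":
    # constructed client key and timestamps
    lim = Limiter(rate=10, burst=20)
    print("30 requests at t=0:", simulate(lim, "198.51.100.9", [0.0] * 30))
    print("11 more at t=1.0:  ", simulate(lim, "198.51.100.9", [1.0] * 11))
    slow = Limiter(rate=10, burst=20, nodelay=False)
    print("same burst, no nodelay:", simulate(slow, "198.51.100.9", [0.0] * 30))
    print("steady 10 r/s:", simulate(Limiter(10, 20), "203.0.113.5", [i / 10 for i in range(50)]))
```

An instantaneous flood of 30 requests gets 21 through (the first plus the 20-request burst) and 9 rejected; a second later the bucket has drained only 10 units, so another 10 are admitted before rejections resume. Without nodelay the same 21 are served but the last is held for two seconds, which is why nodelay is the usual choice for interactive sites and the plain form for APIs that can tolerate queuing. A client that really sends 10 r/s is never rejected.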

3. Block Attack Sources

# Block IP range
iptables -A INPUT -s 192.168.1.0/24 -j DROP

# Block country (using GeoIP)
iptables -A INPUT -m geoip --src-cc CN -j DROP

Long-term Protection

1. Use CDN/WAF

  • Cloudflare
  • Akamai
  • Fastly
  • AWS CloudFront + WAF

2. Implement Rate Limiting

  • API rate limits
  • IP-based throttling
  • Session-based limits

3. Optimize Infrastructure

  • Auto-scaling
  • Load balancing
  • Caching static content
  • CDN for asset delivery

4. JavaScript Challenges

<!-- Require JS execution -->
<script>
// Proof of work challenge
// Only real browsers can solve
</script>
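The placeholder above stands for a proof-of-work challenge. Below is an added example (not the article's code) of what such a challenge looks like end to end: the server issues an HMAC-signed, time-limited challenge bound to a client identifier, the client must find a counter whose SHA-256 hash has a given number of leading zero bits, and the server verifies the signature, the expiry and the hash before letting the request through. In production the solver runs in the visitor's browser as JavaScript; it is written in Python here so both halves of the exchange can be exercised together. SECRET, DIFFICULTY_BITS and the client ids are placeholders.

```python
"""Server side of a proof-of-work (JavaScript challenge) plus a reference solver.
Added example, not the article's code. The solver is what the browser JS does;
issue_challenge/verify stay on the server or at the edge. SECRET and the
difficulty are placeholder values for this example."""
import hashlib
import hmac
import os
import time

SECRET = b"placeholder-server-secret-rotate-me"  # assumption: per-deployment secret
DIFFICULTY_BITS = 12  # ~4096 expected hashes per solve; raise it while under attack

def leading_zero_bits(digest):
    """Count the leading zero bits of a byte string."""
    n = 0
    for b in digest:
        if b == 0:
            n += 8
            continue
        n += 8 - b.bit_length()
        break
    return n

def issue_challenge(client_id, now=None, ttl=60, difficulty=DIFFICULTY_BITS):
    """Return a signed challenge 'nonce.expiry.difficulty.tag' bound to client_id."""
    now = time.time() if now is None else now
    nonce = os.urandom(8).hex()
    expiry = int(now) + ttl
    body = f"{nonce}.{expiry}.{difficulty}.{client_id}"
    tag = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    return f"{nonce}.{expiry}.{difficulty}.{tag}"

def solve(challenge, client_id, max_tries=10**7):
    """Reference solver (the browser's job): find a counter whose hash qualifies."""
    difficulty = int(challenge.split(".")[2])
    for counter in range(max_tries):
        digest = hashlib.sha256(f"{challenge}:{client_id}:{counter}".encode()).digest()
        if leading_zero_bits(digest) >= difficulty:
            return counter
    return None

def verify(challenge, client_id, counter, now=None):
    """Server check: authentic, unexpired, and the counter really meets the difficulty."""
    now = time.time() if now is None else now
    try:
        nonce, expiry, difficulty, tag = challenge.split(".")
        expiry, difficulty = int(expiry), int(difficulty)
    except ValueError:
        return False                      # malformed challenge
    body = f"{nonce}.{expiry}.{difficulty}.{client_id}"
    expected = hmac.new(SECRET, body.encode(), hashlib.sha256).hexdigest()[:32]
    if not hmac.compare_digest(tag, expected):
        return False                      # forged, tampered, or another client's challenge
    if now > expiry:
        return False                      # stale solution
    digest = hashlib.sha256(f"{challenge}:{client_id}:{counter}".encode()).digest()
    return leading_zero_bits(digest) >= difficulty

if __name__ == "__main__":
    challenge = issue_challenge("client-a")          # client id is a placeholder
    counter = solve(challenge, "client-a")
    print("solved with counter", counter, "->", verify(challenge, "client-a", counter))
```

The cost a solver pays doubles with every extra difficulty bit while the server's verify is a single HMAC and a single hash, which is what makes this cheap to defend and expensive to flood. Binding the challenge to a client identifier and a short expiry keeps one solved puzzle from being shared across a botnet; for complete replay protection the server should also remember nonces it has accepted until they expire.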

5. CAPTCHA Under Attack

Show CAPTCHA when:

  • Request rate exceeds threshold
  • Suspicious user agent detected
  • Known attack pattern identified

Monitoring and Alerts

Set up alerts for:

  • Traffic spikes (>200% of normal)
  • Server CPU >80%
  • Error rate increases
  • Bandwidth anomalies
  • Failed connection attempts

Tools:

  • Monitoring: Prometheus, Grafana, Datadog
  • Log analysis: ELK Stack, Splunk
  • Traffic analysis: Wireshark, tcpdump

Response Plan

Before Attack:

  1. Choose DDoS protection provider
  2. Document emergency contacts
  3. Test failover procedures
  4. Establish baseline metrics

During Attack:

  1. Activate DDoS mitigation
  2. Enable additional rate limiting
  3. Block attack sources
  4. Scale up resources if needed
  5. Communicate with users

After Attack:

  1. Analyze attack vectors
  2. Review logs for patterns
  3. Update security rules
  4. Document lessons learned
  5. Improve defenses

  • DDoS attacks are illegal in most countries
  • Document attacks for law enforcement
  • Report to ISP and authorities
  • Consider cyber insurance

Prevention Tips

  1. Keep systems updated: Patch vulnerabilities
  2. Strong authentication: Prevent device compromise
  3. Network segmentation: Limit attack spread
  4. Monitor continuously: Detect attacks early
  5. Plan ahead: Have DDoS protection ready

DDoS attacks are inevitable for popular sites. The key is preparation: have protection in place before you need it, not during an attack.
