Security Features Against Botnets: Azure vs. AWS

In our earlier post “What are the challenges in cloud security” we have included Botnets as one of the fastest mounting threats among malware. When I hear the word “Botnet” than it creates a picture of a sci-fi movie in my mind. But in this world of cloud technology, it’s a reality and one of the major threats as well. Before we see how our two major cloud players i.e. AWS and Microsoft Azure are dealing with this threat first we should know what are Botnets?

Botnets: Definition and Architecture

If we Google the term “botnet” then the first definition mentioned below in the wiki we can see.

“A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attack (DDoS attack), steal data, send spam, and allows the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word “botnet” is a combination of the words “robot” and “network”. The term is usually used with a negative or malicious connotation.”

Botnets are analogous to Zombies. If we do an analogy of this whole Botmaster and botnets structure then we will conclude that these botnets are like virus-infected zombies who will infect the other device which comes into their contact or network.

The below figure depicts the basic architecture and working layout of this whole botnets attack.

Security Features Against Botnets

There are three major components of this attack which are given below.

1) BOTMASTERs are the one who uses the bots to gather keystrokes or use form grabbing to steal online credentials and may rent out the botnet as DDoS and/or spam as a service or sell the credentials online for a profit.

2) C&C-Servers (Command and Control) – Botmaster uses C&C servers to command and track the activities of infected computers in a network.

3) Bots/Infected Computers (Zombies) – Device which got infected by the malicious code from the master in a network.

In my point of view, this whole design reminds me of terrorist sleeper cells, where these infected computers are like sleeper cells that take orders from their masters to spread terrorism.

I hope you guys would have understood what botnets are and how they act upon. Now we will see the security measures taken by AWS and Microsoft Azure to tackle the botnets.

Security measures are taken by AWS

The AWS WAF Security Automations solution provides fine-grained control over the requests attempting to access the web applications. The diagram below presents the architecture we can build using the solution’s implementation guide and accompanying AWS CloudFormation templates.

Security Features Against Botnets

Basically, in order to deal with bad bots in AWS, we create a honeypot to lure and deflect content scrapers and bad bots. A discrete API Gateway endpoint (embedded in the web application) triggers a custom AWS Lambda function, which intercepts the suspicious request and adds the source IP address to the AWS WAF block list.

For more details, we can follow this link, how to configure AWS WAF.

Security Features Against Botnets by Azure

Azure security center (ASC) implements a new highly précised Machine Learning model based on the analysis of DNS query logs to detect the botnets. Roughly speaking it is believed that at least, 1 in every 10,000 machines are part of some known Botnet.

Machine Learning has been proved a boon for the cybersecurity domain is anomaly detection. Basically, the azure team collects DNS query and response data from Azure VMs. The logs contain around 50TB of data per day and include information such as the query name, queried domain name server, the DNS response, and other DNS logging information. In addition to this azure team also uses TI (threat Intelligence) based on machine-readable feed which includes  IP addresses of devices that are likely to be part of a Botnet as well as the IP addresses and domains of known CnC servers.

On the basis of the communication pattern below features are deduced.

Rare domains-Domain names of CnC servers are rare since they are seldom requested by legitimate users

Young domains –When a domain generation algorithm (DGA) is used the CnC server frequently acquires new domain names hence they tend to be recently registered. We use a massive daily updated data feed to map domain names to their registration date

Domains Idiosyncratic to Botnets – Botnets controlled by the same CnC server issue DNS queries which contain similarities to each other yet are different from others

Non-existent domain responses – When DGA is used, Botnets query many non-existing domains before they find the actual domain of their CnC server for that time

For more details about the whole process please follow the link.

In my opinion, Azure is capitalizing on the Machine learning capabilities in order to fight against the botnets whereas AWS is using a web application firewall to tackle this issue. I think ML is more effective in this combat against the botnets. Maybe in near future or I am not sure whether AWS has come up with an AI/ML integrated intelligent system to fight against this challenge.

References

https://en.wikipedia.org/wiki/Botnet

https://azure.microsoft.com/en-us/blog/large-scale-analysis-of-dns-query-logs-reveals-botnets-in-the-cloud/

https://aws.amazon.com/answers/security/aws-waf-security-automations/