Security Features Against Botnets: Azure vs. AWS
In our earlier post, “What are the challenges in cloud security”, we listed botnets as one of the fastest-growing malware threats. When I hear the word “botnet”, it conjures up a picture from a sci-fi movie. But in today’s world of cloud technology it is a reality, and one of the major threats as well. Before we see how the two major cloud players, AWS and Microsoft Azure, are dealing with this threat, we should first understand what botnets are.
Botnets: Definition and Architecture
If we Google the term “botnet”, the first result is the Wikipedia definition quoted below.
“A botnet is a number of Internet-connected devices, each of which is running one or more bots. Botnets can be used to perform distributed denial-of-service attacks (DDoS attacks), steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word “botnet” is a combination of the words “robot” and “network”. The term is usually used with a negative or malicious connotation.”
Botnets are analogous to zombies. If we draw an analogy for the whole botmaster-and-bots structure, the bots are like virus-infected zombies that go on to infect every other device that comes into contact with them on the network.
The figure below depicts the basic architecture and working layout of a botnet attack.
There are three major components in this attack:
1) Botmasters are the people who use the bots to gather keystrokes or use form grabbing to steal online credentials; they may rent out the botnet as DDoS and/or spam as a service, or sell the stolen credentials online for profit.
2) C&C servers (Command and Control) – the botmaster uses C&C servers to command the infected computers in a network and track their activity.
3) Bots/infected computers (zombies) – devices that have been infected by the malicious code pushed out by the botmaster over the network.
In my view, this whole design resembles a terrorist sleeper cell: the infected computers are the sleeper cells that take orders from their masters.
I hope this has made clear what botnets are and how they act. Now we will look at the security measures AWS and Microsoft Azure take to tackle them.
Security measures taken by AWS
The AWS WAF Security Automations solution provides fine-grained control over the requests attempting to access a web application. The diagram below presents the architecture we can build using the solution’s implementation guide and the accompanying AWS CloudFormation templates.
Basically, to deal with bad bots in AWS, we create a honeypot to lure and deflect content scrapers and bad bots. A discrete API Gateway endpoint (embedded in the web application, but never linked for legitimate users) triggers a custom AWS Lambda function, which intercepts the suspicious request and adds its source IP address to the AWS WAF block list.
For more details on how to configure AWS WAF, follow this link.
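To show what the honeypot Lambda in that diagram has to do, here is an added example, written for this post and not taken from the AWS solution: it reads the caller’s IP from the API Gateway event, converts it to a CIDR and performs a read-modify-write on a WAF IP set. The IP set name, its id, the use of the WAFv2 API and the in-memory client used to run it offline are all assumptions.

```python
import ipaddress

class FakeWafClient:
    """Constructed in-memory stand-in for boto3's wafv2 client (offline demo only)."""
    def __init__(self, addresses=()):
        self.addresses, self.lock = list(addresses), "tok-1"
    def get_ip_set(self, Name, Scope, Id):
        return {"IPSet": {"Addresses": list(self.addresses)}, "LockToken": self.lock}
    def update_ip_set(self, Name, Scope, Id, Addresses, LockToken):
        assert LockToken == self.lock, "stale lock token"  # mimic WAF's concurrency check
        self.addresses, self.lock = list(Addresses), "tok-2"

def to_cidr(ip_text):
    """WAF IP sets hold CIDRs: a single host is /32 (IPv4) or /128 (IPv6)."""
    ip = ipaddress.ip_address(ip_text.strip())
    return f"{ip}/{32 if ip.version == 4 else 128}"

def block_source(waf, name, ip_set_id, ip_text, scope="REGIONAL"):
    """Read-modify-write the block-list IP set; returns the resulting address list."""
    cidr = to_cidr(ip_text)
    current = waf.get_ip_set(Name=name, Scope=scope, Id=ip_set_id)
    addresses = list(current["IPSet"]["Addresses"])
    if cidr in addresses:
        return addresses  # already blocked; avoid a needless write
    addresses.append(cidr)
    waf.update_ip_set(Name=name, Scope=scope, Id=ip_set_id,
                      Addresses=addresses, LockToken=current["LockToken"])
    return addresses

def handler(event, context=None, waf=None):
    """Lambda entry point behind the honeypot endpoint (API Gateway REST proxy event)."""
    if waf is None:  # inside Lambda, use the real client (assumed wafv2 API)
        import boto3
        waf = boto3.client("wafv2")
    source_ip = event["requestContext"]["identity"]["sourceIp"]
    # "BadBotIPSet" and the id are placeholders for the IP set the WAF rule blocks on
    block_source(waf, "BadBotIPSet", "IPSET-ID-PLACEHOLDER", source_ip)
    # Answer like an ordinary empty page so the scraper learns nothing from the trap
    return {"statusCode": 200, "body": ""}
```

If the IP set is behind a CloudFront distribution rather than a regional resource, the scope must be "CLOUDFRONT" and the call made in us-east-1.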
Security measures taken by Azure
Azure Security Center (ASC) implements a new, highly precise machine learning model that detects botnets by analysing DNS query logs. Roughly speaking, it is believed that at least 1 in every 10,000 machines is part of some known botnet.
Machine learning has proved a boon for anomaly detection in the cyber-security domain. Basically, the Azure team collects DNS query and response data from Azure VMs. The logs amount to around 50 TB of data per day and include information such as the query name, the queried domain name server, the DNS response, and other DNS logging information. In addition, the Azure team uses threat intelligence (TI) in the form of a machine-readable feed, which includes the IP addresses of devices likely to be part of a botnet as well as the IP addresses and domains of known C&C servers.
Based on the communication patterns, the following features are derived.
Rare domains – domain names of C&C servers are rare, since they are seldom requested by legitimate users.
Young domains – when a domain generation algorithm (DGA) is used, the C&C server frequently acquires new domain names, so they tend to be recently registered. A massive, daily-updated data feed maps domain names to their registration dates.
Domains idiosyncratic to botnets – bots controlled by the same C&C server issue DNS queries that are similar to each other yet different from everyone else’s.
Non-existent domain responses – when a DGA is used, bots query many non-existent domains before they find the actual domain of their C&C server for that time period.
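To make these features concrete, here is an added example (not Azure’s code and not from the original post) that computes three of them, rarity, registration age and NXDOMAIN ratio, over a constructed DNS query log and flags the VM whose pattern looks DGA-like. The log, the registration-date map, the 30-day “young” window and the 0.5 NXDOMAIN threshold are all assumptions.

```python
from collections import defaultdict
from datetime import date

# Constructed sample DNS log: (client VM, queried name, response code). Not real
# Azure data; vm-03 is written to look DGA-like (NXDOMAIN burst, then a rare, young name).
DNS_LOG = [
    ("vm-01", "login.microsoftonline.com", "NOERROR"),
    ("vm-01", "update.windows.example", "NOERROR"),
    ("vm-02", "login.microsoftonline.com", "NOERROR"),
    ("vm-02", "update.windows.example", "NOERROR"),
    ("vm-03", "login.microsoftonline.com", "NOERROR"),
    ("vm-03", "xk3q9vz2.example", "NXDOMAIN"),
    ("vm-03", "p0w7rt1m.example", "NXDOMAIN"),
    ("vm-03", "b8sd2kq0.example", "NXDOMAIN"),
    ("vm-03", "z4n1hf8c.example", "NOERROR"),
]
# Constructed stand-in for the daily registration-date feed (hypothetical values).
REGISTRATION_DATE = {
    "login.microsoftonline.com": date(2010, 1, 1),
    "update.windows.example": date(2012, 6, 1),
    "z4n1hf8c.example": date(2024, 3, 10),
}
TODAY = date(2024, 3, 14)

def host_features(log, reg_dates, today, young_days=30):
    """Per-host features: NXDOMAIN ratio, rare-domain count, young-domain count."""
    hosts_per_domain = defaultdict(set)   # rarity: how many distinct hosts asked for a name
    per_host = defaultdict(list)
    for host, name, rcode in log:
        hosts_per_domain[name].add(host)
        per_host[host].append((name, rcode))
    feats = {}
    for host, queries in per_host.items():
        nx = sum(1 for _, r in queries if r == "NXDOMAIN")
        rare = {n for n, _ in queries if len(hosts_per_domain[n]) == 1}
        young = {n for n, _ in queries   # names missing from the feed count as not young
                 if n in reg_dates and (today - reg_dates[n]).days <= young_days}
        feats[host] = {"nxdomain_ratio": nx / len(queries),
                       "rare_domains": len(rare), "young_domains": len(young)}
    return feats

def suspicious_hosts(feats, nx_threshold=0.5):
    """Flag hosts whose NXDOMAIN burst is paired with rare or freshly registered names."""
    return sorted(h for h, f in feats.items()
                  if f["nxdomain_ratio"] >= nx_threshold
                  and (f["rare_domains"] > 0 or f["young_domains"] > 0))
```

On a real fleet the rarity count must be taken across the whole population, not a single VM’s log, otherwise every name looks rare.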
For more details about the whole process, please follow this link.
In my opinion Azure is capitalising on machine learning capabilities to fight botnets, whereas AWS is using a web application firewall to tackle the issue. I think ML is more effective in this fight against botnets. Maybe AWS will come up with an AI/ML-integrated intelligent system to fight this challenge in the near future; I am not sure whether it already has one.