Richard Hummel, Netscout Episode 2

>> Kicking things off, I'm Lisa Martin with Richard Hummel, manager of threat intelligence at NetScout. In this segment, we're going to be talking about the rise of server-class botnet armies. Richard, good to see you.

>> Again, Lisa, as always.

>> Likewise. So botnet armies, it sounds a bit ominous, especially given the current global climate. Now, the first botnets came in the early 1990s. Those were comprised of servers, followed over the years by PCs and then IoT botnets. But recently, in the second half of 2021, what have you seen with respect to botnets and the armies?

>> Yeah, so I think it's important for us to look at the history: where did we come from? How did we get here? What kind of kicked off this phenomenon of botnets, specifically DDoS-related botnets? Botnets have existed for a long time. Lisa, you mentioned it in the nineties, and then we move into kind of the two thousands and talking about IoT devices entering the scene. And then 2013, you start to see, hear more about these IoT botnets and their surge, but then it wasn't until 2016, when the Mirai code was publicly released, and we all heard about the Dyn attacks at the time, which were record-breaking. Oh man, we launched this 600 gigabit per second attack using an IoT botnet and the world is on fire and everything's going to burn down. And that was kind of the feeling at the time.

>> Little did we know that IoT-based botnets typically have limits. And the reason for that is an IoT device itself doesn't have a whole lot of processing capability. Often they're sitting in home networks, home networks that maybe don't have high bandwidth, high throughput. Now that is changing, right? The world is adopting this 5G. And even for 4G, you're using mobile hotspots, and now with IoT devices being directly connected to 5G networks, you're talking about much more bandwidth, throughput capabilities. However, they're still limited to what that device is capable of doing. And so an IoT device itself probably can't generate a whole lot of throughput or bandwidth, but what happens if you're able to compromise really high-powered devices, such as routers, or even server-grade routers, or even servers themselves sitting in data centers? So enter kind of what we're seeing in the second half of the year. I think a lot of us heard about some of the recent attacks with the Meris botnet taking down notable websites, and Meris is a little bit different because it uses what's called HTTP pipelining.

>> And essentially what that does is the bot itself will take all of its botted nodes, and today it's sitting on MikroTik routers, using an old vulnerability from 2018, managed to be able to compromise these things. And it will generate a bunch of these HTTP requests and then it will release the gate. And so all of these requests essentially flood a web server and the web server just can't handle it. So maybe the first few thousand it can process, but eventually it starts to slow, slow down before it completely chokes off. And so that's kind of how that attack works. Now, the Meris botnet itself is leveraging these MikroTik routers, and again, like I said, a vulnerability from 2018 that a lot of these used to compromise these routers. But what was notable about that vulnerability is that you could force the router itself to give you the username and password, and even patching those routers, unless you explicitly change the usernames and passwords, those persist through the patch.

>> And so enter a new botnet called Dvinis that also takes advantage of this same existing vulnerability, but leveraging these credentials that then are able to compromise. So now you have two botnets operating on these MikroTik routers that often sit in high-bandwidth, high-throughput networks, being able to launch these really fast, potent attacks. Now into the third one here, getting a ride. This is a version of Mirai that has been forked and now uses a vulnerability or an exploit against GitLab servers in order to compromise server-grade hardware. So if it wasn't bad enough that you have these high-powered routers, now you're talking about a server that maybe has a 10 gig interface. What happens if you get a hundred or even a thousand of these things launching a really fast attack? And so, yes, it's the rise of a server-class botnet army, and army, I think, is very apt here.

>> Often we think about botnets and we used to use the term zombies or zombie network, and I haven't really heard that too much lately, because zombie is basically these things exist, they're kind of out there, they don't really get initiated until they're used. But in the DDoS world, these botnets are typically always active. So I don't really consider them zombies, because they're always brute forcing, and they're always trying to propagate, and they're doing this automatically. And so a lot of times when we see these connections coming into things like our honeypot, these are Mirai or Satori, Lucifer, Gafgyt, XorDDoS, I could go on, right? There's a lot of these different IoT botnets out there, but more and more they're turning towards this more high-powered hardware and these servers in order to up the potency of their attacks.

>> Let's talk about speed for a second. You mentioned the new server-class Mirai botnets. One of the things that the report uncovered was that online criminals were able to really quickly employ them to launch DDoS attacks that were pretty vicious. Why were they able to do that so quickly?

>> The ecosystem and the criminal underground is so fast. It's so rapid. They have no red tape. You know, let's look at it from a defensive standpoint: there's new hardware, new software that rolls out. There's a new patch that rolls out. What do we have to do? We have to go through this process of validating it, testing it against our network, figuring out, is it going to tip anything over? Maybe we deploy it first to a staging environment. Then we have to get executive sign-off and approval. It has to evaluate this. We have to go to industry standards: okay, is it meeting these benchmarks? And we have this whole process, right? And sometimes, even for critical patches, it can take us months to be able to roll these out for deployment. Adversaries have none of that. They have no, they have no oversight. A new vulnerability comes out, a new capability comes out, new exploits come out. The very next day, we're seeing this in Metasploit modules. A couple of days later, we're seeing it in Mirai and various other IoT flavors of malware. And so these guys have super fast, rapid adoption of new things that are coming out, with zero overhead. And so they can implement this in practice very, very quickly, not just in bots, but even in DDoS-for-hire platforms. They're starting to use these kinds of novel attack vectors very, very quickly after they've been uncovered or revealed.

>> No overhead, no red tape. That must be nice. Another thing that I noticed in the report, in the second half of 2021, was that NetScout saw the first known terabit-class direct-path DDoS attack. Terabit class. What's the significance of that?

>> And so the significance here is, like I said, with IoT, achieving those kinds of levels is very, very difficult, because IoT devices cannot gin up to that amount of bandwidth. But with these botnets existing on segments of the internet that have one gig or even 10 gig of capacity, they have the power by which to generate enough traffic to achieve those volumes. So it's, it's something we've never seen before. Even going all the way back to the Dyn attacks with the IoT and Mirai, we were talking hundreds of thousands of devices here contributing to that 600 gigabit per second range. That was a lot by those standards, right? And I would say that we probably have more botnets existing today, but they're more fragmented, right? So you might have 30,000 over here. You might have 50,000 over here. Maybe you have a hundred thousand over here. And so a lot of these botnets are a little bit smaller, but now if we can do 10,000 routers with one particular botnet that has the capacity to do one gig each, I mean, we're talking massive amounts of traffic here. And so that's really it, that's the evolution that we're seeing. And I think that the advent and introduction of 5G more and more across the world is going to make this exponentially worse in terms of what botnets are capable of launching.

>> Let's dig into that in about a minute or so. The significance of 5G, you know, we were talking about that as so much opportunity that that's going to unlock, but is that potentially going to be a bad thing?

>> It could be in the DDoS world. We have some statistics, actually, where we're already starting to see more attacks against the wireless. And so wireless is in... it used to be LATAM would have a lot of wireless and mobile-type stuff, because a lot of gamers over there use mobile hotspots, but we're seeing that move beyond LATAM. And in fact, globally, we saw a 32% increase in wireless attacks. And I believe firmly that a lot of that is attributed to this rollout of 5G across the world.

>> Interesting. We'll have to keep our eye on that. Well, I'm sure NetScout will. Another thing, if we think about one of the things that we've been through the last couple of years in the pandemic, the adoption and the embracing of this hybrid work model that many of us are still in, what does NetScout expect to see with respect to expansion of botnets into our homes, into our residences?

>> That is the key question there, because what happened when COVID kicked off: everybody took their corporate machines. We took all of our devices that were sitting inside a corporate office. We went home. We went home behind routers that have no firewall, that have no IDS, that have no IPS. In fact, most of us probably don't even know how to log into our routers to change things. And so they're using the default usernames and passwords, or maybe you haven't patched it, or there's no auto-patching set up. So you are taking all of your essential, vital components for working and you're leaving the castle. And now you are out in an open field, and adversaries have free rein to do whatever they want. Couple that with the fact that a lot of us don't even care about the security of our IoT devices. I always like to use this example of Christmas Day.

>> You get these cool new gadgets and tech devices. And for me, that's pretty much all I get, because I love tech. And if you see this now, I've got four monitors, plus my laptop and all kinds of stuff here on my desktop. But when I get a new device on Christmas morning, it's not my first instinct or gut reaction to get online and change my default usernames and passwords, or to make sure it's patched, or to update it. Now, sometimes those are being forced now, which is awesome. We need to do more of that, but it's not your first reaction. But we know that as soon as an IoT device goes online, you have about five minutes at most before you start getting inundated with brute forcing attempts. And so, yeah, the global work from home has really changed how we need to think about security, and how organizations and enterprises really should consider how they secure those at-home devices versus being inside the enterprise.

>> A lot to think about, Richard. And if you're not thinking about it first on Christmas Day, then I certainly am not thinking about it. Thanks so much for talking to us about what you guys uncovered with respect to botnet armies. A lot of interesting evolution there, and the fact that there's no red tape. Wow. What an environment. In a moment, Richard and I are going to be back to talk about the vertical industries where attackers zeroed in for DDoS attacks. You're watching theCUBE, the leader in tech enterprise coverage.

Published Date : Mar 22 2022

