CenturyLink tracked 104M botnet targets per day in 2017

A computer keyboard with the word ransomware highlighted in red
CenturyLink says that botnets have become a bigger threat to its business and residential customer bases. (Getty/BeeBright)

CenturyLink says that botnets, a network of private computers infected with malicious software and controlled as a group without the owners' knowledge, are something that businesses, governments and even consumers should be more aware of as a real-life cyberthreat.

In its 2017 report, CenturyLink Threat Research Labs tracked an average of 195,000 threats per day impacting, on average, 104 million unique targets—from servers and computers to handheld or other internet-connected devices—due to the work of botnets.

RELATED: CenturyLink expands threat management tools to monitor 114B sessions per day

Mike Benjamin, head of CenturyLink’s Threat Research Labs, told FierceTelecom that the report identified various metrics from its analysis.

“CenturyLink’s Threat Research Labs was able to understand what the threats were and then look for geographic location as well as what the impact was on individuals on the internet,” Benjamin said.  

From a geographic perspective, CenturyLink noted that areas that have strong or rapidly growing IT networks and infrastructure continue to be the primary source for cybercriminal activity. The service provider said the top five countries by volume of global malicious internet traffic in 2017 include the United States, Russia, China, Brazil and Ukraine. Likewise, the top five countries hosting the most command and control (C2) servers, which amass and direct botnets, were the United States, Russia, Ukraine, China and Germany.

CenturyLink's global IP backbone enables it  to more effectively respond and keep cyberthreats at bay. This critical infrastructure supports CenturyLink’s global operations and informs its comprehensive suite of security solutions, including threat detection, secure log monitoring, DDoS mitigation and network-based security solutions.

Greater visibility

Since it acquired Level 3, CenturyLink now collects 114 billion NetFlow records daily. Specifically, CenturyLink captures over 1.3 billion security events daily and monitors 5,000 known C2 servers on an ongoing basis. But CenturyLink is doing more than just thwarting DDoS attacks for its customers.

“CenturyLink’s focus on the data set is not just about DDoS protection services we do offer,” Benjamin said. “We also think it’s important to lean forward into the overall security problem and help to clean up internet threats.”

Benjamin added that it continues to remove more C2 servers, a process that not only benefits its own customers but also the broader internet.  

“We are removing 40 command and control of these botnets a month from the internet,” Benjamin said. “We are knocking down proactively for our customers, for our network, and ultimately the internet at large.”   

Gafgyt attacks remain high

Mirai and its botnet variants continue to draw attention due to the large-scale attacks that have have been carried out in recent years.

Dyn, a managed DNS provider to a number of major websites, confirmed that the Mirai botnet was behind the widespread distributed-denial-of-service (DDoS) cyberattack that caused an internet outage on the East Coast in 2016, for example.

But CenturyLink noted that Gafgyt attacks, which are the precursor to Mirai, continued to affect more victims and with noticeably longer attack durations. 

“The Gafgyt malware family preceded the Mirai botnet, but we have not seen it go away,” Benjamin said. “We continue to see Gafgyt C2s be very prolific and the botnets that derive from them.”

In 2017, CenturyLink tracked 532 Gafgyt C2 servers. By comparison, the service provider only tracked 339 Mirai botnets.

“We thought that comparison was very important to be aware of so the internet community and security community are not focused on Mirai alone,” Benjamin said. “The DDoS problem extends far beyond that particular malware family.”

IoT raises targets

The ever-emerging IoT concept, with more elements with an internet connection that hackers can pursue, is also making it more challenging for CenturyLink to mitigate threats. A recent IHS Markit report revealed that the number of connected IoT devices globally will grow to more than 31 billion in 2018. The commercial and industrial sector, powered by building automation, industrial automation and lighting, is forecast to account for about half of all new connected devices between 2018 and 2030.

While countries and regions with modern communication infrastructure unknowingly supplied bandwidth for IoT DDoS attacks, they also represented some of the largest victims based on attack command volume. The top five target countries of bot attack traffic were the United States, China, Germany, Russia and the United Kingdom. Additionally, the top five countries by volume of compromised hosts or bots were the United States, China, Brazil, the United Kingdom and Germany.

Benjamin said that this proliferation of devices creates a bigger security issue for consumers and businesses alike.

“We see the explosion of devices on the internet being an incredible technology opportunity for the world, but also a large security problem,” Benjamin said. “As you have more devices with less centralized control, they are apt to be in unsecured state and be taken over and joined by these botnets.”

Benjamin added that “we see the IoT device count being a potential problem for the long term.”