A firewall is a common perimeter defense for many organizations. But what happens when the bad guys get past it? Network detection and response (NDR) provides the visibility organizations need to identify and stop malicious traffic in its tracks. Read on to learn how ExtraHop helped one organization do just that.
Uncovering an Active Botnet Attack
Recently, we received a call from an organization that had been notified by the American Registry for Internet Numbers (ARIN) that their IP addresses were being used in a large botnet attack. The organization provided us with the source port for the devices being used in the attack. With this key information, we started threat hunting.
Our first step was to collect all potential botnet traffic into a single view. We did this by searching 90 days of transactions using the identified source port as a key, tagging all the proxy devices using that source port in Reveal(x), and building a device group based on that tag.
With this view in place, we started examining peer devices. This is where things got suspicious. Reveal(x) showed a significant amount of traffic to international IP addresses, and when we plotted the geolocation for these addresses, the map lit up like a Christmas tree: Russia, China, all around the globe. With built-in ARIN lookup, we saw lots of traffic from the Caucasus region, specifically Dagestan and Chechnya. Our client should have little to no legitimate traffic in that region.
Now we knew for sure that a large-scale botnet attack was happening. Next we needed to find all the devices being used in the attack. We knew the source port the attackers were using, so we searched all flow records in Reveal(x) to see which devices were communicating over it. Less than 30 seconds later, we realized the true scale of the attack: there were far more proxies in use than we originally thought. We could see that the communications were SSL encrypted, so once we established the exact SSL/TLS certificate being used, we pivoted on that certificate and confirmed the full scope.
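The hunt described above, as an added example that is not ExtraHop's or Reveal(x)'s code: it runs the same three pivots (reported source port, peer geolocation, TLS certificate) over constructed flow records. The record fields, the port 44444, the certificate fingerprints and the allowed-country set are all assumptions.

```python
from collections import Counter

# Constructed sample flow records (not real data): one record per observed
# connection, carrying the internal source, its source port, the peer,
# the peer's geolocated country and the server certificate seen on the flow.
FLOWS = [
    {"src": "10.1.1.5",  "sport": 44444, "dst": "203.0.113.7",  "country": "RU", "cert": "sha1:aaa1"},
    {"src": "10.1.1.5",  "sport": 44444, "dst": "198.51.100.9", "country": "CN", "cert": "sha1:aaa1"},
    {"src": "10.1.1.8",  "sport": 44444, "dst": "203.0.113.40", "country": "RU", "cert": "sha1:aaa1"},
    {"src": "10.1.1.8",  "sport": 44444, "dst": "192.0.2.10",   "country": "US", "cert": "sha1:aaa1"},
    {"src": "10.1.1.9",  "sport": 51000, "dst": "192.0.2.11",   "country": "US", "cert": "sha1:bbb2"},
    {"src": "10.1.1.12", "sport": 51002, "dst": "203.0.113.41", "country": "RU", "cert": "sha1:aaa1"},
]

# Assumed: the regions where this client has legitimate peers.
EXPECTED_COUNTRIES = {"US", "CA"}


def tag_by_source_port(flows, sport):
    """Pivot 1: every internal device seen using the source port ARIN reported."""
    return {f["src"] for f in flows if f["sport"] == sport}


def peer_countries(flows, devices):
    """Pivot 2: histogram of the tagged devices' peer geolocations."""
    return Counter(f["country"] for f in flows if f["src"] in devices)


def unexpected_peers(flows, devices, allowed=EXPECTED_COUNTRIES):
    """Peer addresses in regions where the client should have no traffic."""
    return sorted({f["dst"] for f in flows
                   if f["src"] in devices and f["country"] not in allowed})


def expand_by_certificate(flows, devices):
    """Pivot 3: collect the certificate(s) the tagged devices talk to, then
    return every device using one of them, including ones on other ports."""
    certs = {f["cert"] for f in flows if f["src"] in devices}
    return certs, {f["src"] for f in flows if f["cert"] in certs}


def hunt(flows, sport):
    """Run all three pivots and return the full scope of the attack."""
    seed = tag_by_source_port(flows, sport)
    certs, scope = expand_by_certificate(flows, seed)
    return {"seed": seed, "countries": peer_countries(flows, seed),
            "suspect_peers": unexpected_peers(flows, seed),
            "certs": certs, "scope": scope}


if __name__ == "__main__":
    print(hunt(FLOWS, 44444))
```

The certificate pivot is what turns the two devices found by port alone into the third proxy that was using a different source port.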
Closing the Gate
We had a list of compromised devices, we’d validated the scope of the attack, and we could see the blast radius. So how do we stop the attack?
Based on what we could see, the firewalls in front of the proxies probably weren't geo-blocking. In a case like this, enabling geo-blocking should be the first step. If geo-blocking isn't enabled, or would be difficult to implement quickly, blocking the source port would also stop the attack. Once the majority of the traffic had been blocked, the security team used ExtraHop to triage any remaining abnormal traffic and automatically update firewall rules to block specific IPs and transactions.
A firewall isn’t enough in the modern security landscape. But when you combine it with all-seeing NDR, you’ll be able to validate that your firewalls are working like they should, and gain the capacity to see and stop malicious traffic in its tracks. With the power of ExtraHop, the affected organization did all this before even hanging up the phone.