Hi, today I'm going to spend some time with you on botnets and the impact a botnet can have on a target network. So, it's a little bit of arithmetic that we'll go through to try to build up an understanding of the kind of consequence that you might see from a botnet that's aimed at some target for the purpose, presumably, of denial of service. I think that's, for the most part, the primary mechanism that we see today for denial of service. You could do it using other sorts of things, but think about it. If I can hit you with multiple sources of traffic versus one, it probably makes sense to do multiple. Now, one thing as we think through the arithmetic that I want to make sure you keep in mind is that there really are a couple of different kinds of botnets. There are ones that are very happy to be honest about their source IP address. Meaning, your server, whatever. I'm going to connect to a target and actually go through the three-step TCP handshake in order to establish a connection, so I can really hit you with some traffic. So, that's the first. The second would be a botnet where the individual bots are lying about their source IP address, so that you can't attribute where the traffic is coming from. So, I'm Alice, you're Bob, I whip a SYN packet at you, but I don't say that I'm Alice, I say that I'm George. Now what that means is that I'm not going to see the SYN-ACK response, I'm not going to be able to open a session. But I also hide myself. So, in either case, there are pros and cons, right? But certainly in the first case, I can create a lot more traffic. If I establish a session with you, at the application level [LAUGH] I can ask you to download stuff, I can throw traffic at you, I can do all kinds of really crazy things. Versus in the first case, or rather the second case, where I'm hiding or spoofing my source IP address, I'm just throwing one SYN packet at you, something we would call a SYN flood.
So let's assume that we're probably dealing with bots that are establishing a connection to a server for the purpose of really jacking things up. Now, if you go back to the 1990s, the kinds of connections that you would have to the Internet would have been pretty bad, right? [LAUGH] We were just sort of learning how to connect to the Internet. And we had this thing in telecom called the T1 connection, maybe some of you may be familiar with that. It's a 1.5 meg connection, which today I bet your iPhone gets multiple times that. But at that time, that was a rocking connection. A bunch of hippies here in the United States, out in San Francisco, would all go live in a hippie dorm, and just live on top of each other, literally to get access to a shared T1 connection. Can you imagine? Well, think about that a minute. If you're talking about 1.5 meg, then the arithmetic we do as we build botnets and try to understand the lethality or the consequence of a botnet is: let's figure out how much traffic I can generate from one bot at a target, okay? So, then if I've got 10 of them, I do 10 times that number and that's the collective aggregate traffic being thrown at a target. Does that make sense? That's the methodology. So let's fast forward to now, where we all have broadband connections, or connections at work, wherever you're connecting up to the Internet. You might do it from a local public spot, a library, a school, wherever you're connected. So your PC, the one you're using, if it has malware on it, bot software, then that bot software, if it wants to attack somebody, is going to be generating traffic outbound from your computer, right? Duh, that's how it would work. So, the malware sits on your machine and it emanates traffic out. So, would it be smart, if you are a designer, to generate so much traffic from the malware that it eats up your entire connection?
Well, if you did do that, you'd generate a lot of traffic, but you are also going to get the owner of the PC pretty annoyed. They are going to notice that something is clearly a mess. So that may not be the best thing to do. It might make more sense that if you know the size of the outbound connection, or if you can sort of posit the size of the outbound connection, let's say it's a 3 meg connection outbound, not unreasonable to assume that. How about if you design the bot to just use a third of that? So, it's not all of it, it's a third. So here is what it would mean to the user. The user would notice a PC that's a little sluggish. When you walk in a room the PC is going like this, [SOUND], you know that noise? So if you do that and you have an owner who maybe is reasonably permissive and accepting of a sluggish PC, like most of us, well then you can get away with it for a long time. You might be able to leave that bot in place virtually indefinitely. I'll tell you, my mother [LAUGH] has a PC at home, and when I walk in the house it's [SOUND], you hear the noise, it's sluggish, I say, Mom, what are you doing? Hey, leave it alone, it's fine. Not realizing that the bot software is probably attacking some country all day long. So, the design concept is to use a portion of that outbound connection and hopefully the botnet would be able to rely on that bot being somewhat persistent. So, let's assume that you're stealing 1 meg outbound. If you were, and you were targeting a T1 connection, then I really only need one and a half computers with bots on them to be attacking. And you can see in the chart I have a list there of bots and outbound capacity, and so on. If I was at .75, then 2 of them take out a T1. Nobody has a T1 connection, so it's almost silly arithmetic to do. But again, it gets us going. So let's continue on. What if you have 10,000 of these things? And is 10,000 a large botnet? I would say no.
In fact, I would say anything from 0 to 50,000 is considered somewhat pedestrian, where you wouldn't name it. You might keep track of it. But yeah, a botnet of 50,000 is not that big a deal. Talk to me when you get to a million, then you've got a botnet that looks like it has some real consequence. Like the ones you read about, the kinds of botnets that make their name known in the magazines and so on. They're usually a million, but let's say you've got 10,000. And at 10,000 I'm stealing 1 of the 3 meg outbound. Do the math. That's a lot of traffic, that's 10 gig. And I will tell you that the vast majority of you listening probably work for a company, or go to a university, or live in a town where there are buildings and companies and groups that are using 10 gig connections. In fact, it might be way less than that depending on what country you're in. Here in the United States, a very typical business connection to a data center is 10 gig. So what I'm saying is, just a reasonably pedestrian botnet of 10,000, really small, at 1 meg per bot will take out a business. Now, that freaks me out a little bit, because [LAUGH] I had some bigger numbers listed there that I didn't want to get to. You've got a million at a meg, and you really start talking about tearing down the fabric of the infrastructure. I've been worried about this for some time. And a few years ago, again here in the United States, I got invited to give a talk at the White House. So I get there and I'm giving a talk and there's a big crowd there, and I notice there are some pretty interesting looking people there, like cabinet people, and I think, well, it's pretty interesting. So I get up and I was talking about what we're talking about right now, this concept of bot arithmetic and so on. And as I'm speaking, President Obama walks in. He walks into the room, I see Secret Service making the little thing with their finger meaning, hey, I'd better get off the podium. So I step back, President Obama walks over.
I shake hands with him and I sit down. And before I get to what he was talking about, I'll tell you I was sitting right behind him. And right there on the screen, you can see a picture that I took. I needed proof, so I took a picture of the back of the President, and we'll make sure we have that for you on the video to look at. [LAUGH] Well, I needed proof that I actually met him, like I was talking about. But the reason I bring it up is he got up and he started talking about this topic that we're talking about on the video right now. This topic. This is not some theoretical issue. The President of the United States was concerned with the arithmetic that we were dealing with in terms of bot capacity and the type of damage that can be produced from a collection of bots, a botnet, at a target. So, for those of you who are watching who may be thinking about graduate studies in computer security, maybe a PhD in computer security, this is a topic that you should be looking at. The ability to mitigate, to shape, to thwart, to block, to divert botnet traffic is an important consideration, particularly in the context of IoT devices, which number in the billions. So, if you have billions of devices generating a bunch of traffic at a target, how are we going to stop this? And I will tell you that this is still an open question. So, now just to test our understanding here, a brief little quiz question, just a little math. The answer is half as many as we talked about before. Before we said a 10,000 member botnet; I'd only need five thousand if I double the outbound capacity on egress. So it gets even easier if you're willing to take up more of the egress connection. So, again, I hope this discussion gives you a better feel for the threat of botnets, the kinds of capacity arithmetic that I think we all need to be concerned with as just citizens who rely on the Internet every day for our personal and business use. So, we'll see you in the next video.
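As an added example, not part of the lecture or its chart, here is the bot arithmetic written out in Python from a capacity-planning point of view: given a per-bot egress rate (the "use a third of a 3 meg uplink" design choice) and a link size, how much aggregate traffic arrives and how many bots fill the link. The unit constants, link sizes and function names are my own; the numbers reproduce the T1 chart, the 10,000-bot example and the closing quiz.

```python
import math

# The lecture talks in "meg" (Mbps) and "gig" (Gbps); work internally in bits per second.
MBPS = 1_000_000
GBPS = 1_000_000_000

# Link sizes quoted in the lecture: a T1 at 1.5 meg, a business data-center link at 10 gig.
T1_BPS = 1.5 * MBPS
BUSINESS_LINK_BPS = 10 * GBPS


def per_bot_egress(uplink_bps, fraction):
    """Outbound traffic one bot generates when it uses only `fraction` of the host's uplink
    (the lecture's stealth trade-off: a third of a 3 meg uplink, i.e. 1 meg, so the owner
    only sees a sluggish PC rather than a saturated connection)."""
    if not 0 < fraction <= 1:
        raise ValueError("fraction must be in (0, 1]")
    return uplink_bps * fraction


def aggregate_traffic(bot_count, per_bot_bps):
    """Collective traffic arriving at the target: number of bots times per-bot egress."""
    return bot_count * per_bot_bps


def bots_to_saturate(link_bps, per_bot_bps):
    """Smallest whole number of bots whose combined egress meets or exceeds the target link.
    This is the number a defender needs to compare against known botnet sizes."""
    if per_bot_bps <= 0:
        raise ValueError("per-bot rate must be positive")
    return math.ceil(link_bps / per_bot_bps)


def saturation_table(link_bps, per_bot_rates_bps):
    """Rebuild the chart from the lecture: per-bot outbound capacity -> bots needed for `link_bps`."""
    return {rate: bots_to_saturate(link_bps, rate) for rate in per_bot_rates_bps}


if __name__ == "__main__":
    one_meg = per_bot_egress(3 * MBPS, 1 / 3)  # the 1 meg per bot used throughout the lecture
    print(f"10,000 bots at 1 meg = {aggregate_traffic(10_000, one_meg) / GBPS:g} gig")
    print("Bots to fill a T1:", saturation_table(T1_BPS, [0.75 * MBPS, 1 * MBPS, 1.5 * MBPS]))
    print("Bots to fill a 10 gig business link at 1 meg:", bots_to_saturate(BUSINESS_LINK_BPS, one_meg))
    print("Same link at 2 meg per bot (the quiz):", bots_to_saturate(BUSINESS_LINK_BPS, 2 * MBPS))
```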