Botnet of More Than 17 Million Devices Dismantled

An anonymous reader quotes a report from Ars Technica: Authorities in the Netherlands said they dismantled a botnet that comprised more than 17 million devices and were managed by 200 servers in a joint operation by the police and the National Cyber Security Center. The action, announced Thursday, came about after a security researcher reported the sprawling network to authorities. The host infrastructure was located in the Netherlands. "The police then seized several botnet servers from a hosting provider for investigation," the NCSC said. "The botnet was taken offline by the provider because it was used for criminal purposes."

According to a report Thursday by the NL Times, the botnet was linked to ASOCKS, a Russia-based company that provides residential proxy services. These services cater to people and organizations who want to obscure their locations or identities by proxying their Internet traffic through third-party devices. Proxy services are often used for illicit or unethical purposes such as performing DDoS attacks, running botnet command-and-control servers, operating phishing operations, and scraping website content. [...] It's unclear how the 17 million devices controlled by the botnet taken down by the Dutch police came to be that way.

Dibs ...

[PPH]

... on the memory!

I knew this would happen eventually

[swillden]

Many people incorrectly think of proxies and VPNs (especially VPNs) as a security and privacy enhancement, but unless you're operating the proxy/VPN server yourself they're just as likely to be a massive security and privacy risk. The problem is that they concentrate all of the traffic you'd most like to keep secret in one server, and depending on exactly how the system works, may require installing software on your local machine with ~root permissions. If the operator is malicious, this is a really dangerous combination.

These are useful tools for location shifting and -- in fairly rare cases, and with VPNs only -- from hiding traffic from malicious. But third-party proxy/VPN services should always be viewed with suspicion. Obviously this is even more true when the provider is Russian... though it's pretty likely that wasn't made clear to the people who used the service.

Re:

[Vlad_the_Inhaler]

Whoosh?

Thank you

[SoCalChris]

Thanks for explaining to Slashdot what a proxy is. I had no idea.

Re:

[twocows]

Not all nerds are IT nerds. The editors here get a lot of complaints in the comments for under-explaining various terms because there are so many domains to cover. I'd rather they explain a simple networking term (that I can just skip past) than not explain some simple term in another domain I'm not familiar with so I have to look it up.

I noticed

[gmiller123456]

I have a site that's been getting pounded by bots for the last few years, and had gotten really bad in the last few months. But it suddenly stopped last week. The scann8ng seemed to involve over 100k IP addreses. I managed to block some of them, and a few subnets. Even the blocked IPs would continue to hit the server, generating millions of 403 errors per day. But the overwhelming majority of them only hit the site a few times per day, so really hard to tell from authentic users.

Re:

[LordAba]

I really need to set up my own server again to see how many attacks still try to use overflow to run malicious code. Used to get a bunch of them per day from China back 20 years ago.

Re: I noticed

[DingerX]

I'm convinced it's AI scraping. At least some of the bots were following the Analytics links (Fathom), and I could see them swarm the site. Suddenly 100,000 IPs from China are each grabbing one or two pages.

200 servers?

[CEC-P]

I bet it had better uptime than Office 365 services.

If you're curious about the business side...

[Tschaine]

This article talks more about what Asocks does.

https://www.techtimes.com/arti... [techtimes.com]

And to answer another Slashdotter's question, yes, there is an Android component here.