WEBVTT

00:00:00.980 --> 00:00:07.120
Let's take a look at botnets. "Botnet" is a very commonly used term that stands

00:00:07.120 --> 00:00:11.610
for robotically controlled networks, or botnets for short.

00:00:12.260 --> 00:00:17.850
The idea of botnets is that a botnet allows a whole

00:00:17.850 --> 00:00:23.620
series of remotely or robotically controlled devices to be

00:00:23.810 --> 00:00:27.410
engineered to attack a victim.

00:00:28.010 --> 00:00:33.760
For example, if we take a botnet, at the top we have the botnet herder.

00:00:34.300 --> 00:00:39.660
The botnet herder, or the owner of the botnet, has several devices they

00:00:39.660 --> 00:00:46.590
use for command and control, the second tier in our diagram. Then those

00:00:46.590 --> 00:00:51.820
command and control devices control a number of infected machines. We're

00:00:51.820 --> 00:00:54.670
showing you here servers or desktops,

00:00:54.670 --> 00:01:00.220
but in many cases those infected machines could be a digital video recorder,

00:01:01.030 --> 00:01:04.120
a smart TV, an IP camera,

00:01:04.480 --> 00:01:09.910
anything that can be engineered and controlled by another

00:01:09.910 --> 00:01:13.040
system to do what that other system wants.

00:01:13.740 --> 00:01:18.970
So let's say, for example, a person goes to the owner of a botnet and says,

00:01:19.270 --> 00:01:22.300
I would like to arrange a distributed

00:01:22.300 --> 00:01:25.940
denial‑of‑service attack against this victim.

00:01:26.690 --> 00:01:30.160
They can rent the botnet for a time period.

00:01:30.240 --> 00:01:35.840
The owner of the botnet will tell all of the command and control machines to

00:01:35.840 --> 00:01:40.340
tell the machines that they control to now flood that victim,

00:01:40.340 --> 00:01:44.770
with, say, a SYN flood type of attack.

00:01:45.470 --> 00:01:50.980
And because that attack can come from literally hundreds of thousands up

00:01:50.980 --> 00:01:56.610
to millions of machines, that overwhelms the pipeline going to the

00:01:56.610 --> 00:02:01.680
victim, and the victim now is under a denial of service. But since it

00:02:01.680 --> 00:02:06.050
comes from distributed locations, it can sometimes be hard to

00:02:06.050 --> 00:02:08.350
actually stop that attack as well.

00:02:10.090 --> 00:02:16.350
Another type of attack is to send a request, as we see from the left‑hand

00:02:16.350 --> 00:02:22.110
side machine here, to a DNS server: who is pluralsight.com?

00:02:22.730 --> 00:02:25.660
When I send that request to a DNS server,

00:02:25.790 --> 00:02:29.430
it comes back with all of the information I would need

00:02:29.440 --> 00:02:32.820
to route traffic to pluralsight.com.

00:02:33.540 --> 00:02:37.010
The result of that is that the amount of information that comes

00:02:37.010 --> 00:02:41.780
back is far more than the size of the request.

00:02:41.790 --> 00:02:47.020
The request was a simple one‑line sentence, but I get, in many

00:02:47.020 --> 00:02:54.070
cases, at least 15‑30 times the amount of traffic back when it replies

00:02:54.070 --> 00:02:58.920
to that request, and that's good; we need that. We can also do this to

00:02:58.920 --> 00:03:01.070
something like the Network Time Protocol.

00:03:01.150 --> 00:03:02.120
What time is it?

00:03:02.420 --> 00:03:06.970
And the Network Time Protocol will reply with the exact time at that

00:03:06.970 --> 00:03:11.910
moment. But that also is much larger than the simple request.

00:03:12.440 --> 00:03:18.100
So what happens if I then send a request to, say, a DNS or NTP

00:03:18.100 --> 00:03:25.950
server, but I say my name is "victim"? And so that server now sends

00:03:25.960 --> 00:03:30.070
the response to that request to the victim.

00:03:30.730 --> 00:03:35.960
Now the poor victim is overwhelmed because I have not just sent a

00:03:35.960 --> 00:03:40.780
simple request to the victim, but I have sent a flood of traffic that has

00:03:40.780 --> 00:03:46.630
been, we call it amplified, or made a lot larger so it can conduct

00:03:46.630 --> 00:03:48.570
that attack against the victim.
