Skip to main content
  • Cybersecurity

Boxing Out Botnets: How DNS security is combatting botnets to improve the internet for Canada

By Jon Ferguson

New data from CIRA Canadian Shield makes it clear that botnets are creating unexpected—and frequently unseen—threats to individual Canadians and organizations across the public and private sectors. Often used to unleash large-scale DDOS attacks, botnets can also be employed for a wide variety of other malicious purposes, including stealing personal data, sending spam emails, mining digital currencies and launching online fraud campaigns. They’re also highly unpredictable. After months of lying dormant in the network avoiding detection, they can be activated without warning, causing a sharp spike in activity that can last for several days.


Late May saw an enormous spike in botnet blocks

Between May 22 and May 26, this is precisely what happened. During this five-day period, CIRA Canadian Shield blocked an enormous spike in botnet activity. In the weeks and months prior to this surge, botnet blocks were consistently low, not exceeding 250,000 per day. Then this rose from 76,294 on May 20 to a peak of 3,206,145—an increase of about 4,000 per cent— with hourly blocks approaching 180,000. This pattern continued until May 26 when it dropped to just over 2 million blocks per day, as shown in the following graph. By May 27, the daily total returned to the level that preceded the spike, and that’s approximately where it has remained in the weeks since.

What’s the reason for this sudden rise in botnet blocks? Data from CIRA Canadian Shield reveals that the five-day spike was the result of a pseudo-random subdomain (PRSD) attack, which in this case used the hostname “webserve systems” as its call-home. This type of attack, as its name suggests, uses pseudo-random algorithms to launch botnet attacks on authoritative name servers (e.g. by sending a large number of DNS queries for non-existent subdomains of the target domain (e.g. Eventually, these illegitimate queries result in a denial of service for legitimate queries sent by real users.


DNS-layer security is a critical insurance policy against botnet attacks

While these and other types of botnets tend to fly under the radar, and may not pose a threat every day, when activated, they can have devastating consequences. For individuals, having a device infected with a botnet means they’re liable for any attacks that are launched from that device, even if they’re unaware that it’s infected. For businesses and other organizations, successful botnet attacks can lead to substantial reputational and financial losses. Botnets can also be a huge problem for internet service providers (ISPs), since the illegitimate traffic they generate steals bandwidth from legitimate traffic. This slows down internet performance as a whole for ISP customers and creates additional operating costs. That means that, even if you aren’t personally impacted by botnets, you still pay the price through slower performance and a higher monthly bill.

That’s why protecting against botnets is crucial. No single cybersecurity solution is completely effective in combatting cyber threats, but a DNS layer of security is a good place to start. CIRA’s offering for households, CIRA Canadian Shield, is a free-to-use service that protects your privacy and helps combat cyber threats that target the DNS layer. Even with other cybersecurity protections in place, Shield acts as an added layer that will help to keep your devices and networks secure. A protected DNS service combats botnets by preventing them from accessing the internet and launching attacks. For organizations of all types, DNS-layer security acts as an insurance policy against botnets; while they might not be a problem right now, that can change quickly, and that’s why having the right protection in place is crucial when it’s needed most.

At work, organizations can add a DNS layer of security through services like CIRA DNS Firewall. It runs on the same technology as Canadian Shield but enhances administrator control through custom security policies. By ensuring important organizations like hospitals, universities and municipalities can continue to function in the face of cyber attacks such as botnets, CIRA DNS Firewall plays a key role in CIRA’s mission of building an internet that everyone in Canada can trust.

The CRTC recently recommended that Canada take a consistent approach to botnet blocking. CIRA strongly supports this approach and views it as essential for blocking botnets and protecting Canadian internet users, organizations, and the country’s internet infrastructure.

Read more about how CIRA Canadian Shield can provide protection from botnets and many other types of malware online.

If you’re looking for enterprise-level protected DNS resolution and filtering, check out CIRA DNS Firewall.

About the author
Jon Ferguson

Jon Ferguson leads the Cybersecurity & DNS services unit at CIRA that builds upon the organization’s world class DNS services to provide cybersecurity services and training to Canadians and the global internet community. For the past 15 years, Jon has worked in product leadership roles for organizations building globally distributed Internet of Things and Cybersecurity solutions.