[ISN] Thwarting the Zombies

From: InfoSec News (isnat_private)
Date: Thu Apr 03 2003 - 02:14:43 PST


By Dennis Fisher
March 31, 2003

Eighteen thousand computers tied together in less than 24 hours; a virtual army of machines, standing ready to do the will of their new master. Think of the possibilities that kind of processing power holds: cracking immense encryption keys or helping to sequence the human genome or even aiding the search for transmissions from But the controller of these zombie machines has a different purpose in mind: a massive DDoS (distributed-denial-of-service) attack or perhaps several smaller attacks launched against key peering points or backbone routers on the Internet. Downstream ISPs and their end users will be suddenly shut off as technicians and engineers struggle to filter the tidal wave of traffic choking the target machines. Traffic in several segments of the global network will slow to a crawl as the malicious packets keep on coming. It will be several hours before normal service is restored and experts can go about the business of assessing the damage and trying to find out what happened.

What sounds like a doomsday scenario concocted by a marketing executive desperate for sales is, unfortunately, real life. And the harsh reality, experts say, is that it could be far worse than the situation described above.

Vendors are trying to do their part. Security companies such as Arbor Networks Inc. are rolling out applications with sophisticated defensive features designed to detect and throttle DDoS attacks at the service provider so that downstream networks and users never feel the attack's effects.

But even with these new defenses, some experts say it will take a sea change in the way end users and administrators think about security to truly solve the DDoS problem.

"There needs to be a fundamental change in the way we educate users on security and the way they use a PC," said George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College, in Hanover, N.H. "We're going to get spanked over and over again with this. Hopefully, it won't take too many more lessons, but I fear it will."

For several weeks now, experts at government agencies, private security companies and universities have been monitoring several very large networks of machines that have been compromised and loaded with "bots," which are tiny applications that allow remote attackers to control the machines via Internet Relay Chat. Hundreds or thousands of these machines can then be used in concert to launch DDoS attacks.

Bill McCarty, an associate professor of Web and information technology at Azusa Pacific University, in Azusa, Calif., said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets, in recent weeks. (A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.) One of these networks amassed more than 18,000 PCs in about 24 hours. Meanwhile, officials at the CERT Coordination Center, in Pittsburgh, said they are aware of several large botnets, one of which stood at more than 140,000 machines earlier this month.

Unleashing an attack on a single target—especially one such as a small government agency or enterprise—from a network of that size would be devastating. Even the best-prepared and most vigilant security staff would be overwhelmed by that level of malicious traffic.

To help ISPs and telephone companies defend against these attacks, Arbor Networks last week introduced a new version of its Peakflow anti-DDoS software. Peakflow SP integrates many of the techniques that security staffs have developed over the years in fighting DDoS attacks. Among the new features is support for both black-hole routing and sinkhole routing, two common defensive techniques.

Black-hole routing allows the administrator to take all malicious traffic and route it to a null IP address or drop it. Sinkhole routing is similar, except that the traffic is sent to an IP address where it can be examined. Both techniques are often used by administrators at the enterprise level. But they're far more effective when the ISPs employ them, as this prevents the malicious traffic from reaching the customer's network.

Most, if not all, ISPs have some level of DDoS traffic crossing their networks virtually all the time. And while this costs them money in terms of bandwidth and annoys customers, many filtering and routing defenses catch legitimate traffic as well. This puts the service providers in a tight spot.
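The provider-side detection idea and the black-hole versus sinkhole distinction described above, worked through as an added Python example; this is not part of the article and not Arbor's Peakflow code. It aggregates constructed NetFlow-style records (made-up addresses from the documentation ranges) per destination, flags a destination whose volume exceeds an assumed baseline, lists the heavy sources, and emits Linux iproute2 route commands for either mitigation. The baseline table, the thresholds and the sinkhole next hop 10.0.0.254 are all assumptions. It also counts the legitimate flows that a destination-based black hole would drop along with the attack, which is the collateral cost the article points to.

```python
from collections import defaultdict

# Constructed NetFlow-style records: (source, destination, packets in the interval).
# Addresses are from the documentation ranges; this is not real attack data.
SAMPLE_FLOWS = [
    ("198.51.100.10", "203.0.113.5", 40),     # legitimate customer traffic
    ("198.51.100.11", "203.0.113.5", 35),
    ("192.0.2.1", "203.0.113.5", 20000),      # flood from compromised hosts
    ("192.0.2.2", "203.0.113.5", 18000),
    ("192.0.2.3", "203.0.113.5", 22000),
    ("198.51.100.12", "203.0.113.9", 50),     # a different host, normal volume
]

# Assumed per-destination baseline (packets per interval) learned from quiet intervals.
BASELINE = {"203.0.113.5": 100, "203.0.113.9": 60}


def packets_per_destination(flows):
    """Total packets received by each destination in the interval."""
    totals = defaultdict(int)
    for _src, dst, pkts in flows:
        totals[dst] += pkts
    return dict(totals)


def detect_victims(flows, baseline, multiplier=10):
    """Destinations receiving more than `multiplier` times their baseline volume."""
    totals = packets_per_destination(flows)
    return sorted(dst for dst, n in totals.items() if n > multiplier * baseline.get(dst, 0))


def attack_sources(flows, victim, per_source_limit=1000):
    """Sources sending an unusually large number of packets to the victim."""
    per_src = defaultdict(int)
    for src, dst, pkts in flows:
        if dst == victim:
            per_src[src] += pkts
    return sorted(src for src, n in per_src.items() if n > per_source_limit)


def blackhole_route(victim):
    """Destination-based black hole: everything for the victim is dropped at the edge."""
    return f"ip route add blackhole {victim}/32"


def sinkhole_route(victim, sinkhole_next_hop):
    """Sinkhole: steer the victim's traffic to an analysis host instead of dropping it."""
    return f"ip route add {victim}/32 via {sinkhole_next_hop}"


def collateral_flows(flows, victim, sources):
    """Flows to the victim from sources not identified as attackers.

    A destination-based black hole drops these along with the attack traffic.
    """
    attackers = set(sources)
    return [f for f in flows if f[1] == victim and f[0] not in attackers]


def plan_mitigation(flows, baseline, sinkhole_next_hop):
    """For each detected victim, produce both route options and the collateral count."""
    plan = []
    for victim in detect_victims(flows, baseline):
        srcs = attack_sources(flows, victim)
        lost = collateral_flows(flows, victim, srcs)
        plan.append({
            "victim": victim,
            "attack_sources": srcs,
            "blackhole": blackhole_route(victim),
            "sinkhole": sinkhole_route(victim, sinkhole_next_hop),
            "legitimate_flows_dropped_by_blackhole": len(lost),
        })
    return plan


if __name__ == "__main__":
    for entry in plan_mitigation(SAMPLE_FLOWS, BASELINE, "10.0.0.254"):
        print(entry)
```

Run on the sample, the plan flags 203.0.113.5 as the only victim, names the three 192.0.2.x senders, and reports two legitimate flows that the black-hole route would discard; the sinkhole route keeps that traffic observable at the analysis host instead. Either route, installed at the provider, keeps the flood off the customer's link, but the black hole finishes the denial of service for that one host while protecting everyone else, which is why the sinkhole option matters when the victim still needs to be reachable or the traffic needs to be studied.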
"It's not that the service providers are a bunch of idiots. It's that they're saddled with this network and a bunch of issues that are directly in conflict with their customers' interests," said Ted Julian, chief strategist at Arbor Networks, based in Waltham, Mass.

But in the end, curtailing or halting DDoS attacks will take a coordinated effort from end users up through the service providers, the security institute's Bakos said.