[ISN] ISPs take on DDoS attacks

From: InfoSec News (isn@private)
Date: Wed Nov 19 2003 - 22:11:48 PST

  • Next message: InfoSec News: "[ISN] My Own PR Assault against Microsoft"

    http://www.computerworld.com/securitytopics/security/story/0,10801,87343,00.html
    
    Story by Denise Pappalardo
    NOVEMBER 19, 2003
    NETWORK WORLD
    
    Although the number and intensity of distributed denial-of-service
    attacks are on the rise, users are hard-pressed to find tangible new
    services to However, the largest ISPs are doing more behind the scenes
    and are promising new tools by next year that will help predict and
    better defend against worms and viruses that act like distributed DoS
    attacks and true distributed DoS strikes.
    
    "There have been more attacks in the last six months than there have
    been in the last 10 years," said Hossein Eslambolchi, president of
    AT&T Labs, at a recent press conference.
    
    Carnegie Mellon University's CERT Coordination Center for reporting
    Internet security problems backs up such claims. Through the end of
    September, there were 114,855 security breaches reported by users and
    ISPs, which is 32,761 more than all of 2002. These reports include all
    types of security policy violations from distributed DoS to hacker
    attack.
    
    Although there are more security violations, the types of distributed
    DoS attacks have not changed much in 12 to 18 months, says Paul
    Morville, director of product management at Arbor Networks Inc., which
    offers PeakFlow network behavior anomaly detection products to service
    providers. What has changed is the size and scope of these attacks.
    
    "Attacks used to be largely assigned to an individual host. These
    days, the attacks are very large coming from multiple points on the
    Internet and are targeted at a network," he says. Arbor is seeing
    zombie armies, which are compromised host machines, with as many as
    50,000 hosts attacking one network, Morville says.help thwart or
    defend against such assaults.
    
    While VPNs and managed firewall services are available from many ISPs,
    the primary goal of these offerings is to secure traffic that travels
    over the Internet. The largest business ISPs don't commonly offer
    intrusion-detection services that include anomaly detection aimed at
    mitigating the effects of distributed DoS attacks.
    
    But that likely will change in the next 12 months.
    
    MCI, like AT&T Corp. and Sprint Corp., is testing tools that are
    designed to detect distributed DoS attacks, and worms and viruses that
    act like distributed DoS by trying to eat up a target's bandwidth.
    
    "Around mid-next year we'll deploy a solution that will enhance our
    detection ability so we can be more proactive," says Bob Blakely,
    security services product manager at MCI. The tools that MCI is
    looking at deploying include anomaly and intrusion-detection elements.  
    MCI says it's testing a number of vendor products, including Arbor
    gear.
    
    While MCI says it's been doing in-house traffic analysis, it has not
    deployed network-wide anomaly detection gear because the tools haven't
    been mature enough and there have been network scalability issues,
    says Christopher Morrow, manager of network router security at MCI.
    
    In the meantime the service provider recently has put a couple of
    projects in place to better deal with the slew of attacks.
    
    Morrow says that in the past it was difficult to find the correct
    person to notify at another ISP when an attack was originating from
    its network. Now many of the large ISPs are part of an e-mail and
    voice-over-IP mailing list of sorts. Network administrators
    communicate regularly over this informal system in an effort to stop
    an attack quickly.
    
    MCI also says it's sharing best-practice guidelines with peers and
    customers. These guidelines deal with traffic surges stemming from a
    distributed DoS attack or from a worm or a virus that is sending a
    flood of traffic. MCI assists a customer to block, or blackhole, this
    traffic, or customers do it themselves based on the ISP's guidelines.
    
    "In most attacks we can blackhole traffic within two to three
    minutes," Morrow says. While the ability to react quickly is helpful
    to customers, the ISPs and users agree it's essential to be proactive
    instead of reactive when dealing with distributed DoS.
    
    One analyst agrees. "A number of clients have expressed
    dissatisfaction with their ISP's responsiveness regarding security,"  
    says Trent Henry, an analyst at Burton Group. "After the IT bubble
    burst, it seemed staff reductions across the board might have left
    some of the ISPs a bit strapped."
    
    It's tough to say if the ISPs have done enough up until this point to
    protect against these types of attacks, Henry says.
    
    "It's easy for a security analyst to cry wolf" and say the service
    providers should have known attacks would increase, he says. But it's
    not just about the security on the ISP's networks, but the lack of
    security patching from Microsoft and the number of Internet desktops
    with always-on connections. Microsoft platforms have been used in
    almost every zombie attack, Henry says.
    
    Network behavior anomaly detection technology that's now available is
    an ISP's best bet at keeping a distributed DoS attack as close to the
    source of the attack as possible, which is key in mitigating the
    damage of these types of attacks across the Internet, Henry says. Now
    it's just a matter of getting this technology deployed.
    
    AT&T says that it has built in some proactive, network-based security
    into its backbone, and it's looking at anomaly detection gear from
    Arbor. AT&T is looking at combining off-the-shelf tools with
    anti-distributed DoS technology that AT&T Labs has developed over the
    years.
    
    "Arbor has a component that we rely on in terms of analysis, in
    addition to router logs," says Sanjay Macaw, director of IP security
    services at AT&T. Macaw, like his competitors, says there is no one
    technology or tool that will stop these attacks, but a combination of
    tools when used together should let ISPs reduce network downtime and
    damage from distributed DOS strikes.
    
    In the past 12 to 18 months, Macaw says AT&T has put a lot of
    attention on developing the edge of its network through traffic
    analysis and other security measures. The carrier is spending more in
    terms of the number of employees it has focusing on distributed DoS
    and other security threats, and the technology it uses to defend its
    networks.
    
    Sprint too is focused on deploying new tools in its network to better
    arm itself. Sprint is specifically focusing on distributed DoS
    mitigation and intrusion-detection products that it plans to deploy in
    its backbone within the next year, says John Pardun, senior product
    manager of network-based IP VPN and security services at the carrier.
    
    Today Sprint says it has a "strong network-based platform," that uses
    stateful inspection in its edge routers to examine traffic, Pardun
    says.
    
    Sprint plans to offer customers an "additional level of monitoring and
    mitigation" to customers as an add-on service that it will charge for,
    Pardun says. Both MCI and AT&T also say they will charge customers for
    their planned distributed DoS services.
    
    Although these additional services are not yet available, some
    customers say their ISPs are protecting their Internet connections to
    a degree. Flowserve works with AT&T, KPN, MCI, Sprint and Yipes to
    connect its five Internet gateways around the world.
    
    "Each [ISP] has some preventive measures in place," says Pieter
    Scholhijs, director of worldwide IT infrastructure Flowserve. But "I'm
    not sure if they've been put to the test for our particular
    connections," he says.
    
    Scholhijs says that although the number of distributed DoS attacks has
    increased, it would be fair to say that his company has not seen an
    increase in bandwidth problems. This could be an indication of how
    well Flowserve's ISPs are protecting the company's network
    connectivity, he says.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Nov 20 2003 - 01:59:40 PST