Defense in Depth

November 11, 2008 10:20 AM PST

Study: DDoS attacks threaten ISP infrastructure

by Robert Vamosi

Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."

One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.

While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.

Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
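The detection problem Malan describes, as an added illustration that is not code from the article or from Arbor Networks: each request is valid on its own, so the signal is the volume of identical back-end work arriving from many distinct clients in a short window. The log lines, the endpoint name and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Common Log Format-style line: client, timestamp, request line, status, bytes.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" \d{3} \d+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: eight bots each issue the same expensive /search query
# three times within six seconds, while one ordinary visitor browses two pages.
SAMPLE_LOG = "\n".join(
    [f'10.0.{i}.{i} - - [11/Nov/2008:10:20:{s:02d} +0000] '
     f'"GET /search?q=annual+report HTTP/1.1" 200 5120'
     for i in range(1, 9) for s in (0, 3, 6)]
    + ['192.0.2.10 - - [11/Nov/2008:10:20:02 +0000] "GET /index.html HTTP/1.1" 200 1020',
       '192.0.2.10 - - [11/Nov/2008:10:20:05 +0000] "GET /about.html HTTP/1.1" 200 880']
)

def parse(log_text):
    """Yield (timestamp, client_ip, path) for each well-formed line; the query
    string is dropped so variations of the same endpoint are grouped together."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield datetime.strptime(m.group(2), TS_FMT), m.group(1), m.group(3).split("?", 1)[0]

def detect_app_flood(log_text, window_s=10, min_clients=5, min_requests=20):
    """Return {path: (distinct_clients, requests)} for every path that, inside
    some window_s-second sliding window, receives at least min_requests hits
    from at least min_clients distinct client addresses."""
    by_path = defaultdict(list)
    for ts, ip, path in sorted(parse(log_text)):
        by_path[path].append((ts, ip))
    alerts = {}
    for path, hits in by_path.items():
        start = 0
        for end in range(len(hits)):
            # Advance the window start until the window fits in window_s seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_s:
                start += 1
            window = hits[start:end + 1]
            clients = {ip for _, ip in window}
            if len(window) >= min_requests and len(clients) >= min_clients:
                alerts[path] = max(alerts.get(path, (0, 0)), (len(clients), len(window)))
    return alerts

if __name__ == "__main__":
    print(detect_app_flood(SAMPLE_LOG))  # {'/search': (8, 24)}
```

A single busy client tripping the request threshold alone is not flagged, because the distinct-client condition is what separates the coordinated pattern from one heavy user.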

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."

March 31, 2008 1:56 PM PDT

No April Fools'--Storm worm is back

by Robert Vamosi
(Credit: Jose Nazario, Arbor Networks)

Don't click on that silly April Fools' Day e-mail, says one security expert.

In a blog, Arbor Networks' Jose Nazario reports that within the last 24 hours he's seeing new releases of the Storm worm designed to take advantage of the first day of April. This new spam campaign is a lure to infect new computers that will become part of the larger Storm worm botnet.

The e-mail body is spartan: the words "Doh! April Fools" followed by a numeric URL. If a user clicks on that URL, the default Internet browser will open to a page with a cartoon character. A download is supposed to start within five seconds and, according to the message, "If your download does not start, click here and then press 'Run.'"

The compromised computer will then install the downloaded file as C:\WINDOWS\aromis.exe. Nazario reports that the botnet file opens the firewall using the netsh firewall set command, makes a lot of outbound connections, then listens on a random UDP port.

February 14, 2008 1:03 PM PST

From Storm, with love

by Robert Vamosi

The FBI is warning that Valentine's Day e-mails you see this year might be coming not from loved ones, but from the Storm worm botnet. In a press release Tuesday, the FBI warns users to be on the lookout for e-mail that "directs the recipient to click on a link to retrieve the electronic greeting card (e-card). Once the user clicks on the link, malware is downloaded to the Internet-connected device and causes it to become infected and part of the Storm worm botnet."

Dr. Jose Nazario of Arbor Networks said the authors of Storm have launched a carefully orchestrated series of lure campaigns to bring new members into the network. One of them is Valentine's Day-themed. Nazario said the creators of Storm have in recent weeks "grown the network by as much as 50 percent."

Nazario blamed fresh spam and incomplete antivirus protection on users' desktops for the new botnet infections.

"Generally speaking, when you only have something like 25 percent or less who are updated with the current patches and Best Practices in AV software, it doesn't really matter. You can be caught up with the latest AV fix, but if other people aren't really applying it, it doesn't really matter."

If you don't have antivirus protection, get some. See CNET's latest antivirus performance test results here. If you already have an antivirus product installed, make sure your subscription and the data files are both up to date.

January 25, 2008 2:47 PM PST

Whose Internet is it anyway?

by Robert Vamosi

This week we've seen two Internet events that are more alike than dissimilar. On Wednesday, an Estonian court convicted a 20-year-old Russian for his part in last spring's distributed denial-of-service (DDoS) attacks on that nation. On Thursday, word of mounting DDoS attacks on the Church of Scientology spread. Ultimately, both events could have larger repercussions.

The attack on the Estonian Web sites was prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. Gadi Evron of Beyond Security said at last year's Black Hat USA that he found only one case of unique code used in the attacks, which lasted from April 27 through mid-May. Evron said the attack had the appearance of an Internet flash mob, and now, with the conviction, it appears to have been loosely organized by a group of college kids. Evron cited evidence of at least one e-mail inciting Internet action on a particular date at a particular time during the Estonian attacks.

A similar event is happening now. DDoS attacks against the Church of Scientology appear to be coming from a loosely organized group of individuals calling themselves Anonymous or Anon. The attacks, according to Jose Nazario of Arbor Networks, appear to use common code and early attacks originated from one IP address.

As with the events in Estonia, as news spread, more individuals may now be targeting the Church of Scientology in a sort of "me too" frenzy. A Web site called Project Chanology continues to detail present and future actions by Anonymous and others.

The idea that a handful of skilled individuals could decide to "take out" a particular group or company or government for any reason is a very disturbing one indeed.

December 4, 2007 2:48 PM PST

Where the botnets are

by Robert Vamosi

Last week, the FBI announced the end of the second phase of Operation Bot Roast, an ongoing investigation into botnets, and the criminal activity associated with them. I recently asked Dr. Jose Nazario of Arbor Networks where in the world the bot herders, the people who control the botnets, might be. Here are some excerpts:

We see a few major groups. We see Americans and Western Europeans often interested in using the botnet to make money either directly or indirectly by selling services, or stealing information from those botnets to sell and use credit card information, bank information, etc.

There are some botnets out of South America, but mostly South America seems dominated by the Brazilian, what folks used to call the banker Trojan, the browser helper object that steals information right out of the browser from banks from online banking or e-commerce transactions. Some of the more high-profile botnets we've dubbed TeamUSA and Peruvian Power. These have been long running and relatively successful. But they're not exactly household names.

The botnet community is also taking off in the Russian language part of the Internet. Lately I've been watching a lot of DDoS attacks come out of Russia, commanded by Russians. Possibly for pay, as retribution, or as punishment to those who try and stop some of the other illegal activities, such as fraud and theft.

I have been tracking lately Russian DDoS bot code run by different groups. The code itself is bought and shared between them. One of the big ones is a code base called Black Energy. The author is a Russian language speaker who offers his help files and other things in the Russian language and sells it on the Russian language forums anywhere from $40 on up. Black Energy is strictly a DDoS botnet.

We have watched some botnets from China but I don't see a whole lot of botnet activity coming out of there.

You can read more of Nazario's comments in this Security Watch column. And you hear more of my interview with Dr. Nazario in this Security Bites podcast.

About Defense in Depth

Covering computer viruses and computer crime, Robert Vamosi goes beyond the hype to provide you with expert interviews of the top security researchers, as well as offering the hands-on, nontechnical advice you'll need to stay safe online.
