
Defense in Depth

November 11, 2008 10:20 AM PST

Study: DDoS attacks threaten ISP infrastructure

by Robert Vamosi

Arbor Networks found that DDoS attack size (in gigabits per second) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, is based on the answers of 70 lead security engineers to 90 questions. As in the previous three reports, ISPs reported attacks in which their networks were overloaded with packets, what is called a distributed denial-of-service (DDoS) attack. This year, however, the ISPs indicated that the attacks were not only larger but that most of them were stretching the ISPs' security resources to the limit.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit-per-second barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm counted the traditional means of DDoS (SYN flood, UDP flood) as well as anything else that artificially created network congestion. Malan told CNET News that despite their massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."

One consequence of this method is that the targets' upstream providers are increasingly affected as well. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, in which DNS queries forged with the target's source address are sent to third-party DNS servers, so that the servers' larger responses land on the target rather than on the attacker.
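The following Python sketch is an added example and is not code from the article or from Arbor Networks. It shows how the three brute-force patterns discussed above look in flow records at the victim: SYN floods as one-packet SYN-only flows from many sources, UDP floods as many sources hitting one non-DNS port, and DNS reflection as replies from resolvers the target never queried. The flow record format, the addresses and the thresholds are all constructed for the example.

```python
# Added example, not from the article or from Arbor Networks: classify the
# brute-force patterns Malan describes (SYN flood, UDP flood, DNS reflection)
# from flow records. The record format, addresses and thresholds are constructed.
from collections import defaultdict

TARGET = "198.51.100.10"   # constructed: the host under attack

# Constructed flow format: "src_ip src_port dst_ip dst_port proto flags packets bytes"
# with "-" as the flags field for non-TCP flows.
def parse_flow(line):
    src, sport, dst, dport, proto, flags, pkts, nbytes = line.split()
    return {"src": src, "sport": int(sport), "dst": dst, "dport": int(dport),
            "proto": proto, "flags": flags, "pkts": int(pkts), "bytes": int(nbytes)}


def classify(lines, target=TARGET, min_sources=100):
    """Summarise flood indicators for traffic toward `target`.

    SYN flood:      one-packet TCP flows carrying SYN but no ACK, from many sources.
    UDP flood:      inbound UDP on a non-DNS port from many sources.
    DNS reflection: UDP replies from port 53 sent by resolvers the target never
                    queried, i.e. answers to queries forged in the target's name.
    """
    syn_sources, syn_only_flows = set(), 0
    queried_resolvers = set()            # resolvers the target itself asked
    reply_bytes = defaultdict(int)       # DNS reply bytes per sending resolver
    udp_sources = defaultdict(set)       # non-DNS UDP: dst port -> sources
    for line in lines:
        f = parse_flow(line)
        if f["src"] == target and f["proto"] == "UDP" and f["dport"] == 53:
            queried_resolvers.add(f["dst"])     # outbound, legitimate query
            continue
        if f["dst"] != target:
            continue
        if f["proto"] == "TCP" and "S" in f["flags"] and "A" not in f["flags"] and f["pkts"] == 1:
            syn_only_flows += 1
            syn_sources.add(f["src"])
        elif f["proto"] == "UDP" and f["sport"] == 53:
            reply_bytes[f["src"]] += f["bytes"]
        elif f["proto"] == "UDP":
            udp_sources[f["dport"]].add(f["src"])
    unsolicited = set(reply_bytes) - queried_resolvers
    return {
        "syn_flood": len(syn_sources) >= min_sources,
        "syn_only_flows": syn_only_flows,
        "syn_sources": len(syn_sources),
        "dns_reflection": len(unsolicited) >= min_sources,
        "unsolicited_reflectors": len(unsolicited),
        "reflected_bytes": sum(reply_bytes[r] for r in unsolicited),
        "udp_flood_ports": sorted(p for p, s in udp_sources.items() if len(s) >= min_sources),
    }


def sample_flows():
    """Constructed records: a little legitimate traffic plus the three attack patterns."""
    legit = [
        f"{TARGET} 40231 192.0.2.53 53 UDP - 1 70",        # target queries its own resolver
        f"192.0.2.53 53 {TARGET} 40231 UDP - 1 130",       # and gets the answer back
        f"192.0.2.77 51000 {TARGET} 80 TCP SPAF 12 6400",  # a completed web session
    ]
    syn_flood = [f"10.{i // 250}.{i % 250 + 1}.7 {1024 + i} {TARGET} 80 TCP S 1 60"
                 for i in range(500)]                      # 500 spoofed sources, SYN only
    reflection = [f"203.0.113.{i + 1} 53 {TARGET} {5000 + i} UDP - 1 3000"
                  for i in range(200)]                     # 200 resolvers answering forged queries
    udp_flood = [f"172.16.{i // 250}.{i % 250 + 1} 4000 {TARGET} 123 UDP - 10 5000"
                 for i in range(300)]                      # 300 sources, arbitrary UDP port
    return legit + syn_flood + reflection + udp_flood


if __name__ == "__main__":
    for k, v in classify(sample_flows()).items():
        print(f"{k}: {v}")
```

The reflection check is the one worth remembering: at the victim, a reflected attack is distinguishable from a busy resolver only because the replies come from servers the target never queried, so pairing inbound port-53 replies against the target's own outbound queries is what separates the two.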

While flood-based attacks accounted for 42 percent of the attacks reported, followed by protocol-exhaustion attacks at 24 percent, Arbor Networks also saw a sharp increase this year in application-layer attacks, which accounted for 17 percent of the attacks.

Malan explained that in application-layer attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to issue a request that triggers a back-end database query. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
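As an added example (not code from the article), the Python below replays a constructed access log through two controls and shows why the attack Malan describes is hard to stop with the usual tools: a per-client token bucket never fires, because each bot sends a single, valid request, while a global budget on expensive back-end work sheds the excess regardless of how many sources it comes from. The endpoint list, the thresholds and the log lines are assumptions made for the example.

```python
# Added example, not from the article: why per-client rate limiting misses the
# application-layer flood Malan describes, and how a global budget on expensive
# back-end work catches it. Paths, thresholds and the sample log are constructed.
from collections import deque

# Assumption for this example: these endpoints each trigger a back-end database query.
EXPENSIVE_PATHS = {"/search", "/report"}


def parse_line(line):
    """Parse a constructed access-log line: 'ts client_ip method path status'."""
    ts, ip, method, path, status = line.split()
    return {"ts": float(ts), "ip": ip, "method": method, "path": path, "status": int(status)}


class TokenBucket:
    """Per-client limiter: `rate` tokens per second, holding at most `burst`."""
    def __init__(self, rate, burst):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = {}, {}

    def allow(self, key, now):
        tokens = self.tokens.get(key, self.burst)
        tokens = min(self.burst, tokens + (now - self.last.get(key, now)) * self.rate)
        self.last[key] = now
        ok = tokens >= 1
        self.tokens[key] = tokens - 1 if ok else tokens
        return ok


class BackendBudget:
    """Global cap: at most `max_in_window` expensive requests admitted per sliding
    window, no matter how many clients they come from."""
    def __init__(self, max_in_window, window):
        self.max, self.window = max_in_window, window
        self.admitted = deque()

    def allow(self, now):
        while self.admitted and now - self.admitted[0] > self.window:
            self.admitted.popleft()
        if len(self.admitted) < self.max:
            self.admitted.append(now)
            return True
        return False


def triage(lines, client_rate=5, client_burst=5, backend_max=50, window=1.0):
    """Replay a log in timestamp order; return (served, blocked_per_client,
    shed_by_budget, distinct_sources_hitting_expensive_paths)."""
    bucket = TokenBucket(client_rate, client_burst)
    budget = BackendBudget(backend_max, window)
    served = blocked = shed = 0
    sources = set()
    for r in sorted(map(parse_line, lines), key=lambda r: r["ts"]):
        if r["path"] not in EXPENSIVE_PATHS:
            served += 1                      # cheap request, not budgeted here
            continue
        sources.add(r["ip"])
        if not bucket.allow(r["ip"], r["ts"]):
            blocked += 1                     # one client asking too often
        elif not budget.allow(r["ts"]):
            shed += 1                        # back-end budget exhausted: answer 503/429
        else:
            served += 1
    return served, blocked, shed, len(sources)


def distributed_flood():
    """Constructed: one real user plus 300 bots that each send a single valid /search."""
    user = [f"{1000 + i * 0.7:.3f} 198.51.100.7 GET /search 200" for i in range(3)]
    user.append("1000.100 198.51.100.7 GET /static/logo.png 200")
    bots = [f"{1000 + i / 300:.3f} 10.0.{i // 250}.{i % 250 + 1} GET /search 200"
            for i in range(300)]
    return user + bots


def single_source_flood():
    """Constructed: 300 /search requests in one second from a single client."""
    return [f"{1000 + i / 300:.3f} 192.0.2.9 GET /search 200" for i in range(300)]


if __name__ == "__main__":
    print("distributed:   served/blocked/shed/sources =", triage(distributed_flood()))
    print("single source: served/blocked/shed/sources =", triage(single_source_flood()))
```

In the distributed case the per-client bucket blocks nothing and the budget does all the work, at the cost of also shedding one of the real user's requests while the window is full; the high ratio of distinct sources to expensive requests (301 sources for 303 queries) is the detection signal that separates this from a single noisy client, where the bucket alone is enough.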

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."

May 20, 2008 2:34 PM PDT

The Estonia cyberwar: One year later

by Robert Vamosi

One year ago, the Estonian government moved a war memorial honoring Russian-Estonians who died fighting the Nazis, a move that may have triggered what some believe is the first instance of a sustained, international cyberwar.

Now, Gadi Evron, a former Israeli Government CERT manager who was in Estonia at the time of the attacks, has revisited the events with an article in the Georgetown Journal of International Affairs and reprinted here online (PDF).

Evron said what could be described as a "flash mob" created the disturbances in the Estonian Internet during May 2007. "Not only did the cyber riot start almost simultaneously with the actual riots, fresh posts in the Russian-language blogosphere continuously appeared with new targets and instructions. These details suggest that the cyberattackers reacted to Estonian defenses," he wrote.

On the subject of who was orchestrating the events, Evron doesn't blame Russia, but he doesn't shy away from mentioning the country either. He writes: "Once bloggers started reporting their small-scale attacks, more experienced players became involved. Before long, botnets were being used. The involvement of the Russian government in the affair cannot be confirmed. What raised speculation, however, is the failure--or unwillingness--of the Russian authorities to stop the cyber riot against Estonia for over three weeks after the initial attack."

The events in Estonia began on April 27, 2007, when Estonian officials relocated the Bronze Soldier, a Soviet-era war memorial, to a park outside the nation's capital. The decision provoked rioting by ethnic Russians, who took to the streets of the capital, Tallinn, in protest. Pro-Russia protesters blockaded the Estonian Embassy in Moscow. And, unusually for the time, a few took their ire to the Internet.

Evron previously recounted his experience at last summer's Black Hat security conference in Las Vegas.

Not everyone is buying Evron's account. Viktor Larionov, posting on Bugtraq from Tallinn, Estonia, takes issue with Evron's story, not just the political but the technical side of it, calling it one big bluff. "In general," Larionov writes, "a lot of IT experts around here are concerned that no 'cyberwar' has never happened (and) maybe 10 to 20 DDoS attacks which took place" simply caught some sleeping admins off-duty. He adds, "Tell me, how many attacks or...attack attempts does your corporate network suffer during the day?"

April 23, 2008 10:36 AM PDT

Inside two toolkits helping Chinese hackers

by Robert Vamosi

Two toolkits designed to help ordinary people participate in denial-of-service attacks against Western media have surfaced on the Internet, according to one researcher.

In a blog post Tuesday, Jose Nazario of Arbor Networks says one of the toolkits is easier to use than the other, though both are designed for "the masses." This isn't new; toolkits like these have been built for other political protests in the past.

AntiCNN.exe was the first of the two tools found on the Internet. Nazario reports that it opens a flood of HTTP connections and tries to overwhelm the target servers by sheer volume.

Sdos.exe is the second tool. According to Nazario, "This one lets you specify a target server and a port, uses a simple connect() loop for the TCP flood."

Nazario says there is a third toolkit out, but it includes a backdoor back to its authors and could be used for other purposes.

April 22, 2008 9:47 AM PDT

CNN.com survives random outages

by Robert Vamosi

Although CNN escaped a distributed denial-of-service (DDoS) attack planned for Saturday, the site has experienced either random outages or inflated response times over the last 72 hours, according to one Internet research company.

Netcraft reported Tuesday that during a three-hour period on Sunday morning, the CNN.com site was unavailable from its listening post in Pennsylvania. And on Monday, the site experienced inflated response times. CNN.com did suffer a minor DDoS last Thursday, but recovered by limiting access from certain geographic areas, mainly Asia.

Also on Tuesday, The Dark Visitor, a site that tracks Chinese hackers, said a downloadable tool is now available for those wanting to participate in future attacks. Over the weekend, The Dark Visitor reported on the structure in place for launching attacks on Western media. The individuals, loosely calling themselves "Revenge for the Flame" and "HackCNN" feel that Western media have not presented a balanced view in reporting on the protests in Tibet and the Olympic torch runs through major world cities.

For the most part, CNN appears to have avoided the brunt of the Chinese DDoS attacks.

That wasn't the case with The Sports Network. On Monday morning, the site (not affiliated with CNN) was down due to a "political entity in China." Blogger Christine Lu has screenshots of the message and the defaced Sports Network page (scroll down). The group HackCNN has claimed responsibility for The Sports Network attack.

April 18, 2008 10:29 AM PDT

Cyberprotests planned in support of China

by Robert Vamosi

Several groups of Internet organizers plan to show on Saturday that they can mobilize patriotic Chinese Internet users and wield their influence worldwide against what they say is anti-Chinese media in the Western world.

The Dark Visitor, a site that tracks the activities of Chinese computer hackers, is reporting that a distributed denial-of-service (DDoS) attack on CNN.com is planned for 8 p.m. Beijing time, or 5 a.m. PT in the United States.

But the organizers themselves (Google translated page) appear to be waffling, and Jose Nazario of Arbor Networks reports that there has been little preattack activity within the last 24 hours.

Calling their action the "Revenge of the Flame," a group of computer protesters in China appears to have learned from both last year's cyberattacks on Estonia and the more recent anonymous attacks on the Church of Scientology. But Revenge of the Flame organizers stress that their attacks will not be a crime.

"We want to be patriotic," one organizer wrote, arguing that they intend to link Chinese Internet users together against one target: CNN.com. Should the attack be successful, the Revenge of the Flame planners will then consider immediately dissolving the flame of revenge ("after all, cybercrime is cybercrime," says the organizer), continue to attract more users, and "enhance the people's awareness of network security."

In the real world, a separate, perhaps unrelated, group is planning (Google translated page) for simultaneous protests on Saturday in Berlin, Amsterdam, London, and Paris.

Meanwhile, yet another Internet site, Anti-CNN.com, claims that protests in favor of China have not been published fairly by Western media in Germany, France, Canada, and the United States.

A banner on Anti-CNN.com says (translated from the Chinese), "We are not against the Western media, but against the lies and fabricated stories in the media." The site includes example headlines from Der Spiegel, The Washington Post, and Fox News, in which it claims that photos of police attacking monks are Nepalese, not Tibetan.

January 25, 2008 2:47 PM PST

Whose Internet is it anyway?

by Robert Vamosi

This week we've seen two Internet events that are more alike than dissimilar. On Wednesday, an Estonian court convicted a 20-year-old Russian for his part in last spring's distributed denial-of-service (DDoS) attacks on that nation. On Thursday, word of mounting DDoS attacks on the Church of Scientology spread. Ultimately, both events could have larger repercussions.

The attack on the Estonian Web sites was prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. Gadi Evron of Beyond Security said at last year's Black Hat USA that he found only one case of unique code used in the attacks, which lasted from April 27 through mid-May. Evron said the attack had the appearance of an Internet flash mob, and now, with the conviction, it appears to have been loosely organized by a group of college kids. Evron cited evidence of at least one e-mail inciting Internet action on a particular date at a particular time during the Estonian attacks.

A similar event is happening now. DDoS attacks against the Church of Scientology appear to be coming from a loosely organized group of individuals calling themselves Anonymous or Anon. The attacks, according to Jose Nazario of Arbor Networks, appear to use common code and early attacks originated from one IP address.

As with the events in Estonia, as news spread, more individuals may now be targeting the Church of Scientology in a sort of "me too" frenzy. A Web site called Project Chanology continues to detail present and future actions by Anonymous and others.

The idea that a handful of skilled individuals could decide to "take out" a particular group or company or government for any reason is a very disturbing one indeed.

January 24, 2008 10:03 AM PST

First conviction for Estonia's 'cyberwar'

by Robert Vamosi

A 20-year-old Russian has been convicted for organizing some of the attacks on Estonia's government sites during spring 2007, the Agence France-Presse reported on Thursday.

"Dmitri Galushkevich is the first hacker to be sentenced for organizing a massive cyberattack against an Estonian Web page," Gerrit Maesalu, spokesman for the regional prosecutor's office in northeast Estonia, told the AFP. Galushkevich was fined 17,500 krooni (about $1,600). He admitted his guilt, said Maesalu.

The distributed denial-of-service (DDoS) attacks, which some security experts have alternatively called a flash mob or the first-ever cyberwar, were prompted by an Estonian government plan to move a statue and grave sites honoring Russian-Estonians who died fighting the Nazis. From late April through mid-May 2007, various Internet-based services within Estonia were not accessible.

Estonians rely heavily on the Internet for basic services such as paying for food, water, and gas, said Gadi Evron, security evangelist for Beyond Security. Evron has studied the incident thoroughly. "The more technology there is within a country, the more dependent the country is on technology and therefore, the more vulnerable," he said.
