
Security

Read all 'Arbor Networks' posts in Security
November 12, 2008 4:40 PM PST

Spam declines after hosting company shut-down

by Robert Vamosi
[Chart: Number of spam messages sent]

MessageLabs documented that spam volume fell to roughly one-eighth of normal in the 12 hours immediately following the takedown.

(Credit: MessageLabs)

Internet hosting site McColo disappeared on Tuesday. Along with it went thousands of pieces of spam, thanks, in part, to investigative work by Washington Post reporter Brian Krebs.

For about four months, security experts have been collecting data about McColo Corp., a San Jose, Calif.-based Web hosting service that may have been used by the cyber underground, according to The Washington Post. Krebs said that the McColo hosting company had been responsible for up to 75 percent of all spam sent.

Security vendor MXLogic said it was seeing about a 50 percent decline in spam volume as a result on Wednesday.

Jose Nazario of Arbor Networks, a company that monitors botnet activity, speculated that McColo vanished at around 9 a.m. Eastern time on November 10. Botnets are frequently used to relay spam, and McColo may have hosted some of the command and control servers necessary to coordinate spam campaigns.

Adam O'Donnell, writing on the ZDNet Zero Day blog, speculates that the spammers might regroup in Eastern Europe.

The Post credits Benny Ng, director of marketing for Hurricane Electric, an upstream provider for McColo, for pulling the plug on the company. Another provider, Global Crossing, declined to comment, telling Krebs the company "communicates and cooperates fully with law enforcement, their peers, and security researchers to address malicious activity."

Something similar happened in September when another hosting site, Intercage/Ativo, was shut down by its upstream providers.

November 11, 2008 10:20 AM PST

Study: DDoS attacks threaten ISP infrastructure

by Robert Vamosi

Arbor Networks found that DDoS attack size (in gigabits) nearly doubled in 2008 from the previous year.

(Credit: Arbor Networks)

Internet service providers now spend most of their IT security resources detecting and mitigating distributed denial-of-service attacks, concludes a report from Arbor Networks.

The fourth edition of the Worldwide Infrastructure Security Report, released Tuesday, was based on how 70 lead security engineers responded to 90 questions. As in the previous three reports, ISPs reported attacks where their networks were overloaded with packets, what's called a distributed denial-of-service (DDoS) attack. However, this year, the ISPs indicated the attacks were not only larger in size but that most of them were stretching the upper limits of their security resources in order to deal with such attacks.

Rob Malan, founder and chief technology officer of Arbor Networks, said the DDoS attacks seen this year broke the 40-gigabit barrier, nearly double the volume of last year's attacks. He warned that if next year's attacks again double in size, "most carriers will be unable to deal with those attacks."

In assessing the attacks, Arbor Networks found "brute force," a catch-all term, was the dominant method used. The security firm looked at traditional means of DDoS--SYN flood, UDP flood--as well as anything else that artificially created network congestion. Malan told CNET News that despite the massive size, the attacks themselves demonstrated "little sophistication" and were simply "trying to overwhelm network bandwidth."

One consequence of this method was that upstream providers of the targets were increasingly being affected. "If an attacker takes out capacity of (the upstream) routers you're (also) starving the target," he said. Malan said attackers were also using reflective attacks, which use different pieces of DNS structure to redirect traffic away from a target.

While flood-based attacks represented 42 percent of the attacks reported, followed by protocol exhaustion-based at 24 percent, Arbor Networks also saw a sharp increase this year in application-based attacks, which accounted for 17 percent of the attacks.

Malan explained that with application-based attacks, bot-infected computers worldwide make connections to a targeted site, then "use an application protocol to deliver a perfectly valid request, not a vulnerability, not something that an IDS or other type of firewall would necessarily flag." For example, a botnet might instruct its zombie computers worldwide to do a back-end query off a database. "By itself it's not bad, but if you have multiple such requests, then you tie up the application--in this case database--resources on the back end," he said.
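The detection problem Malan describes is that each bot sends a small number of perfectly valid requests, so per-source rate limits and signature IDS see nothing. The added example below (not from the report or from Arbor Networks) parses constructed access-log lines in a simplified combined format and flags a minute in which an expensive, database-backed path receives requests from many distinct sources while each source stays under a low per-source rate; the `/search` path and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Simplified combined-log line: ip - - [dd/Mon/yyyy:hh:mm:ss zone] "METHOD path proto" status size
LINE = re.compile(r'^(\S+) \S+ \S+ \[\S+:(\d\d:\d\d):\d\d [^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

# Paths that trigger a back-end database query (assumption for this example)
EXPENSIVE = ("/search",)

def parse(line: str) -> Optional[Tuple[str, str, str]]:
    """Return (client ip, hh:mm, path without query string) or None if unparseable."""
    m = LINE.match(line)
    if not m:
        return None
    ip, minute, _method, path, _status = m.groups()
    return ip, minute, path.split("?")[0]

def aggregate(lines: List[str]) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Per (minute, expensive path): total requests and the set of distinct sources."""
    stats: Dict[Tuple[str, str], Dict[str, object]] = defaultdict(lambda: {"requests": 0, "sources": set()})
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, minute, path = rec
        if path.startswith(EXPENSIVE):
            stats[(minute, path)]["requests"] += 1
            stats[(minute, path)]["sources"].add(ip)
    return stats

def flag_distributed_load(lines: List[str], min_sources: int = 10, max_per_source: float = 5.0):
    """Flag minutes where many sources each make few valid requests to an expensive path.
    A per-source limiter would pass every one of them; only the aggregate reveals the load."""
    flagged = []
    for (minute, path), s in aggregate(lines).items():
        sources: Set[str] = s["sources"]
        per_source = s["requests"] / len(sources)
        if len(sources) >= min_sources and per_source <= max_per_source:
            flagged.append((minute, path, len(sources), s["requests"]))
    return sorted(flagged)

def _constructed_log() -> List[str]:
    """Constructed sample: 12 bots issue two innocuous queries each in one minute, plus two normal users."""
    lines = []
    for i in range(1, 13):
        for j in range(2):
            lines.append(f'203.0.113.{i} - - [12/Nov/2008:09:01:{10 + i:02d} -0500] "GET /search?q=item{j} HTTP/1.1" 200 4096')
    lines.append('198.51.100.7 - - [12/Nov/2008:09:01:30 -0500] "GET /index.html HTTP/1.1" 200 512')
    lines.append('198.51.100.8 - - [12/Nov/2008:09:02:05 -0500] "GET /search?q=shoes HTTP/1.1" 200 4096')
    return lines

LOG = _constructed_log()

if __name__ == "__main__":
    print(flag_distributed_load(LOG))
```

The single legitimate `/search` request at 09:02 is not flagged, because one source is far below the `min_sources` threshold.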

The report does contain some good news. Arbor Networks found detection and mitigation of these attacks to be increasing as well. Fifteen percent of the respondents said, on average, they can mitigate an attack within 10 minutes of detection. However, 30 percent said mitigation still takes them over an hour.

But finding the criminals responsible for these attacks is not a high priority. Arbor Networks found that ISPs have little time to involve law enforcement. "It's hard on carriers," said Malan. "They get paid on traffic, not to do forensic analysis. So it's hard from their perspective to make the economics work."

October 15, 2008 3:32 PM PDT

Has Storm stopped sending spam?

by Robert Vamosi
The daily volume of spam produced by the Storm botnet during 2008.

(Credit: Marshal)

The creators of the Storm botnet have either ceased sending out spam or have moved on to a newer botnet, security researchers have concluded.

Marshal, a security vendor that specializes in spam protection, on Tuesday noted a marked downturn in the amount of spam attributed to hosts infected with Storm within the last month. For the last few weeks other researchers have also noticed the sharp decline.

"We don't know what happened here, if somebody put the kibosh on them or not," said Jose Nazario, a security researcher for Arbor Networks. "In terms of the number of hosts out there, there are still a lot of hosts--they're just sort of quiet."

Storm started and got its name from an infected e-mail promising information about a large winter storm in Europe in early 2007.

At its peak, in mid-2007, Storm accounted for up to 20 percent of all spam sent. Then, in September 2007, Microsoft included a removal signature in its Malicious Software Removal Tool. Security experts say that update alone removed up to a quarter million infected hosts and greatly diminished Storm's ability to produce large spam campaigns despite a few attempts earlier this year.

October 8, 2008 4:28 PM PDT

How botnets use 'bullet-proof' domains

by Robert Vamosi
Botnets are proving to be more resilient and harder to shut down.

That's largely due to the increased use of techniques that obscure the domain by constantly remapping it to different bots within the network, according to a recently released study (PDF).

The study's authors, Jose Nazario of Arbor Networks and Thorsten Holz of the University of Mannheim, tracked the traffic of 900 fast-flux domain names used by botnets within the first six months of 2008. "Fast-flux" is a term to describe how the botnets use constant changes in the mapping of the hard-coded domain name to different bots within the network. This makes it difficult for law enforcement to identify the main server and shut it down. It also adds a layer of anonymity to those operating the botnet, since the infected computers used can be located worldwide.

The study found that fast-flux botnets were often active for a few hours to a few months. The domains that were used were registered, but sometimes laid dormant for several months. Online fraud and crime most associated with these botnets included phishing sites, pharmacy sites, and malware distribution sites.

The authors also found some botnets to be "promiscuous," harboring hundreds of domain names associated with them.
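The two observations above, rapid remapping of one domain name to many bots and "promiscuous" pools of bots shared by many domains, can both be measured from repeated DNS lookups. The added example below (not from the Nazario/Holz study) scores constructed lookup snapshots for fast-flux behaviour and groups domains that share the same IP pool; the thresholds, the /16 prefix as a stand-in for network diversity, and the domain names are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Lookup:
    ttl: int          # TTL (seconds) reported on the A-record answer
    ips: List[str]    # A records returned by this lookup

def prefix16(ip: str) -> str:
    """Coarse network identity; a real tool would map IP to ASN (assumption)."""
    return ".".join(ip.split(".")[:2])

def flux_metrics(lookups: List[Lookup]) -> Dict[str, int]:
    ips = {ip for look in lookups for ip in look.ips}
    nets = {prefix16(ip) for ip in ips}
    return {"distinct_ips": len(ips), "distinct_nets": len(nets), "min_ttl": min(look.ttl for look in lookups)}

def is_fast_flux(lookups: List[Lookup], max_ttl: int = 300, min_ips: int = 6, min_nets: int = 4) -> bool:
    """Require short TTL AND many IPs AND many networks: a low TTL alone is also normal for
    load-balanced or CDN-hosted sites, so it must not trigger by itself."""
    m = flux_metrics(lookups)
    return m["min_ttl"] <= max_ttl and m["distinct_ips"] >= min_ips and m["distinct_nets"] >= min_nets

def shared_pools(observations: Dict[str, List[Lookup]]) -> Dict[str, List[str]]:
    """Map each IP served for more than one domain to the domains that used it."""
    by_ip: Dict[str, set] = {}
    for domain, lookups in observations.items():
        for look in lookups:
            for ip in look.ips:
                by_ip.setdefault(ip, set()).add(domain)
    return {ip: sorted(d) for ip, d in by_ip.items() if len(d) > 1}

# Constructed snapshots (documentation/benchmark address ranges, not real hosts)
FLUX = [Lookup(180, ["203.0.113.10", "198.51.100.7", "192.0.2.33"]),
        Lookup(180, ["198.18.4.9", "203.0.113.77", "100.64.1.1"]),
        Lookup(180, ["192.0.2.200", "198.51.100.99", "198.18.250.3"])]
FLUX2 = [Lookup(120, ["203.0.113.10", "198.18.4.9", "192.0.2.200",
                      "10.9.8.7", "172.16.5.5", "198.51.100.99"])]
STABLE = [Lookup(60, ["192.0.2.8", "192.0.2.9"])] * 3   # low TTL, but a fixed pair of hosts
OBSERVATIONS = {"flux-a.example": FLUX, "flux-b.example": FLUX2, "stable.example": STABLE}

if __name__ == "__main__":
    for name, looks in OBSERVATIONS.items():
        print(name, flux_metrics(looks), is_fast_flux(looks))
    print(shared_pools(OBSERVATIONS))
```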

The information in the report has been shared previously with industry groups such as Forum for Incident Response and Security Teams and Internet Corporation for Assigned Names and Numbers (ICANN). This is the study's first public availability, and it was released to coincide with Malware 2008, which is being held Tuesday and Wednesday in Alexandria, Va.

August 13, 2008 6:00 AM PDT

Kids, not Russian government, attacking Georgia's Net, says researcher

by Robert Vamosi

Initial information suggests that Internet attacks on Georgian Web sites over the last two weeks are the work of kids, according to one researcher, while another says the intensity of these attacks is short-lived when compared with attacks in Estonia last year.

In an e-mail to CNET News, Gadi Evron, founder of the Zero Day Emergency Response Team, said that "although the impact on their Web sites is clear, I believe this may end up being just some kids who got overexcited, with Georgia being ill-prepared to say the least."

Posting on CircleID, Evron wrote that there are botnet attacks against .ge Web sites, but the Internet infrastructure doesn't appear to be directly attacked. "Not every fighting is warfare," wrote Evron. "While Georgia is obviously under DDoS attacks and it is political in nature, it doesn't so far seem different than any other online aftermath by fans. Political tensions are always followed by online attacks by sympathizers."

In May 2007, the Baltic nation of Estonia was attacked online and its Internet infrastructure crippled.

On Tuesday, Jose Nazario of Arbor Networks offered in a blog more information on the strength and duration of the attacks. "Compared to the May 2007 Estonian attacks, these are more intense but have lasted (so far) for less time. This could be due to a number of factors, including more sizable botnets with more bandwidth, better bandwidth at the victims, changes in our observations, or other factors."

Nazario also said that there is evidence that the Georgians had responded by attacking a Russian newspaper Web site.

August 12, 2008 1:38 PM PDT

Russia and Georgia continue attacks--online

by Robert Vamosi

This graphic shows the flow of botnet commands targeting Georgian Web sites.

(Credit: Arbor Networks)

Researchers studying botnets have reported an increase in attacks on Georgian Web sites, including that of the country's president, within the last two weeks. While the attacks--Web site defacement and denial-of-service packet floods--are reminiscent of the Internet attacks waged against Estonia in May 2007, Jose Nazario, security researcher for Arbor Networks, told CNET News that he's seeing evidence that Georgia is apparently fighting back, attacking at least one Moscow-based newspaper site.

As to the source, Nazario said that "almost all of the attacks are broadly and globally sourced. One attack appears to be very narrowly focused, possibly someone with some basic ping flood scripts." He said the exact tools being used had not been determined.

In a presentation at July's Usenix conference in San Jose, Calif., Nazario said Internet wars make for a "great, level playing field" because they're inexpensive to mount.

He also pointed out that Internet-based wars did not start last year with Estonia. He cited previous attacks on Kosovo during its civil war in the late 1990s, the Israel-Pakistan hacking that peaked in the fall of 2000, and the 2002 Winter Olympics, when a South Korean speed skater was ejected from a competition.

More recently, he said, there were attacks on Ukraine in the fall of 2007; Chinese nationalist attacks on CNN.com in April 2008; and attacks on the Democratic Voice of Burma in July. Also in July, hundreds of Web sites were attacked in Lithuania.

Internet wars do make for plausible deniability; we may never know who's ultimately responsible (governments or agitated nationals) for these attacks. In each of these cases, Nazario said, "I can't go and talk to these people, so I have to infer what their intent was."
