Thwarting the Zombies

[InfoSec News <isn () c4i org>]

http://www.eweek.com/article2/0,3959,985389,00.asp

By Dennis Fisher
March 31, 2003 

Eighteen thousand computers tied together in less than 24 hours; a
virtual army of machines, standing ready to do the will of their new
master. Think of the possibilities that kind of processing power
holds: cracking immense encryption keys or helping to sequence the
human genome or even aiding the search for transmissions from
extraterrestrials.

But the controller of these zombie machines has a different purpose in
mind: a massive, DDoS (distributed-denial-of-service) attack or
perhaps several smaller attacks launched against key peering points or
backbone routers on the Internet. Downstream ISPs and their end users
will be suddenly shut off as technicians and engineers struggle to
filter the tidal wave of traffic choking the target machines.

Traffic in several segments of the global network will slow to a crawl
as the malicious packets keep on coming. It will be several hours
before normal service is restored and experts can go about the
business of assessing the damage and trying to find out what happened.

What sounds like a doomsday scenario concocted by a marketing
executive desperate for sales, is, unfortunately, real life. And the
harsh reality, experts say, is that it could be far worse than the
situation described above.

Vendors are trying to do their part. Security companies such as Arbor
Networks Inc. are rolling out applications with sophisticated
defensive features designed to detect and throttle DDoS attacks at the
service provider so that downstream networks and users never feel the
attack's effects.

But even with these new defenses, some experts say it will take a sea
change in the way end users and administrators think about security to
truly solve the DDoS problem.

"There needs to be a fundamental change in the way we educate users on
security and the way they use a PC," said George Bakos, a senior
security expert at the Institute for Security Technology Studies at
Dartmouth College, in Hanover, N.H. "We're going to get spanked over
and over again with this. Hopefully, it won't take too many more
lessons, but I fear it will."

For several weeks now, experts at government agencies, private
security companies and universities have been monitoring several very
large networks of machines that have been compromised and loaded with
"bots," which are tiny applications that allow remote attackers to
control the machines via Internet Relay Chat. Hundreds or thousands of
these machines can then be used in concert to launch DDoS attacks.

Bill McCarty, an associate professor of Web and information technology
at Azusa Pacific University, in Azusa, Calif., said a Windows 2000
"honey pot" machine that he runs has been added to several bot
networks, or botnets, in recent weeks. (A honey pot is a machine
connected to the Internet and left defenseless so that security
experts can observe hackers' activities or methods.) One of these
networks amassed more than 18,000 PCs in about 24 hours. Meanwhile,
officials at the CERT Coordination Center, in Pittsburgh, said they
are aware of several large botnets, one of which stood at more than
140,000 machines earlier this month.

Unleashing an attack on a single target—especially one such as a small
government agency or enterprise—from a network of that size would be
devastating. Even the most well-prepared and vigilant security staff
would be overwhelmed by that level of malicious traffic.

To help ISPs and telephone companies defend against these attacks,
Arbor Networks last week introduced a new version of its Peakflow
anti-DDoS software. Peakflow SP integrates many of the techniques that
security staffs have developed over the years in fighting DDoS
attacks. Among the new features is support for both black-hole routing
and sinkhole routing, two common defensive techniques.

Black-hole routing allows the administrator to take all malicious
traffic and route it to a null IP address or drop it. Sinkhole routing
is similar, except that the traffic is sent to an IP address where it
can be examined. Both techniques are often used by administrators at
the enterprise level. But they're far more effective when the ISPs
employ them, as this prevents the malicious traffic from reaching the
customer's network.

Most, if not all, ISPs have some level of DDoS traffic crossing their
networks virtually all the time. And while this costs them money in
terms of bandwidth and annoys customers, many filtering and routing
defenses catch legitimate traffic as well. This puts the service
providers in a tight spot.

"It's not that the service providers are a bunch of idiots. It's that
they're saddled with this network and a bunch of issues that are
directly in conflict with their customers' interests," said Ted
Julian, chief strategist at Arbor Networks, based in Waltham, Mass.

But in the end, curtailing or halting DDoS attacks will take a
coordinated effort from end users up through the service providers,
the security institute's Bakos said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.