The War against botnets and DDoS attacks

In one of my previous posts talking about botnet herders I pointed out how experiments tend to dominate, and while botnets protection is still a buzz word, major security vendors are actively working on product line extensions. DDoS attacks are the result of successful botnet, and so are the root of the problem besides the distributed concept. Techworld is reporting that McAfee is launching a "bot-killing system", from the article :

"Unlike conventional DDoS detection systems based on the statistical analysis of traffic, the first layer of the new Advanced Botnet Protection (ABP) intrusion prevention system (IPS) uses a proxy to pass or block packet traffic dependent on whether or not it is “complete”. "

The best thing is that it's free, the bad thing is that it may give their customers a "false sense of security", that is, while the company is actively working on retaining its current customers, I feel "SYN cookies" and their concept has been around for years. Moreover, using a service provided by a company whose core competencies have nothing to do with DDoS defense can be tricky. Companies worth mentioning are Arbor Networks, and Cisco's solutions, besides the many other alternative and flexible ways of dealing with DDoS attacks.

In my research research on the Future trends of Malware, I pointed out some of the trends related to botnets and DDoS attacks, namely, DDoS extortion, DDoS on demand/hire, and with the first legally prosecuted case of offering botnet access on demand, it's a clear indication that of where things are going. Defense against frontal attacks isn't cost-effective given that at the bottom line the costs to maintain the site outpace the revenues generated for the time, hard dollars disappear, soft ones as reputation remain the same.

My advice is to take into consideration the possibility to outsource your problem, and stay away from product line extensions, and I think it's that very simple. A differentiated service on fighting infected nodes is being offered by Sophos, namely the Zombie Alert, which makes me wonder why the majority of AV vendors besides them haven't come up with an alternative given the data their sensor networks are able to collect? Moreover, should such as service be free, would it end up as a licensed extensions to be included within the majority of security solutions, and can a motivated system administrators successfully detect, block, and isolate zombie traffic going out of the network(I think yes!)? 

As far as botnets are concerned, there were even speculations on using "Skype to control botnets", now who would want to do that, and under what reason given the current approaches for controlling botnets, isn't the use of cryptography or security through obscurity("talkative bots", stripping IRCds) the logical "evolution" in here?

Something else worth mentioning is the trend of how DoS attacks got totally replaced by DDoS ones, my point is that the first can be a much more sneaky one and easily go beneath the radar, compared to a large scale DDoS attack. A single packet can be worth more than an entire botnets population, isn't it?

How do you think DDoS attacks should be prevented, active defense such as the solutions mentioned, or proactive solutions? What do you think?

You can also go though other resources dealing with DDoS attacks and possible solutions to the problem :

Dave Dittrich's DDoS attacks and protection page

Recommendations for the Protection against Distributed Denial-of-Service Attacks in the Internet

Botz-4-Sale: Surviving Organized DDoS Attacks That Mimic Flash Crowds

Defense Against DoS/DDoS Attacks

DDoS: Undeniably a global Internet problem looking for a global solution

Scalable Protecting Against DDoS and Worm Attacks

An Analysis of Using Reflectors An Analysis of Using Reflectors

Attacking DDoS at the Source

A Taxonomy of DDoS Attacks and DDoS Defense Mechanisms

A Survey of DDoS Defense Mechanisms

A summary of DoS/DDoS prevention, Monitoring and Mitigation Techniques in a Service Provider Environment

Experience in fighting DDoS attacks

Distributed Defense Against DDoS Attacks

On the Effectiveness of DDoS Attacks on Statistical Filtering

The Spamhaus Don't Route or Peer List (DROP)

The Prolexic Zombie Report

Technorati tags :

security, information security, malware, botnets, DDoS, McAfee, Sophos, AntiVirus Continue reading →

A top level espionage case in Greece

Starting shortly after the Olympic games in 2004 and up to March 2005, the mobile phones of : Prime Minister Costas Caramanlis, minister of foreign affairs, defense, public order and justice, top military officials, a number of journalists, and human rights activists (hmm?) have been tapped by an unknown party though the installation of "spy software" (that's too open topic) , mind you, Vodafone's central system, and were diverted to a pay-as-you-go mobile phone.

At the bottom line, who's behind it? Interested parties within the Greek government, or external ones? To me this is the job of a dead insider's job or someone who had the incentive to Vodafone's security, which I doubt. Though, it is disturbing how easily these mobile numbers could be obtained as the majority of media representitives already have them! My point is that you should count them as the weakest link, besides accessing a mobile provider's database and other sources. UPDATE : Vodafone's statement UPDATE 2 : Cryptome featured more info on the The Greek illegal wiretapping scandal: some translations and resources.

Another recent spy case was the rock transmitter found in a Moscow park and while the Russian president Putin is cheering the discovery and keeping it diplomatic, the FSB (a successor to the KGB) is taking a note on this one. You can actually go through a collection of videos and references on the case.

I guess it's the silence that's most disturbing in the "Silent War".

Technorati tags :

security, information security, espionage, Intelligence, Greece, Insider

Continue reading →

Security Awareness Posters

Security is all about awareness at the bottom line. The better you understand it, the higher your chance of "survival", and hopefully progress!
 

Enjoy the following collections of witty and amusing security awareness posters :

1, 2, 3 (you may also be interested in going through my talk on security policies and awareness with K Rudolph from Native Intelligence as well), 4, 5, 6, 7, 8.

Technorati tags:

security, information security, security training, security education Continue reading →

Hacktivism tensions

It was about time the freedom of the press and the democratic nature of joking with politicians takes its hit. But why with spiritual leaders? The contradictive Muhammad cartoons sparkled a lot of anger, and with the recent tentions in France all we needed was a hacktivism activity from angry muslims. Remember how the China vs U.S cyberwar was sparkled due to the death of a Chinese pilot crashing into an AWACS that was sort of "keeping it quiet"?

Zone-H is reporting on massive defacements of Danish sites, and if you take the time to go through the reported reasons you'll find out that :

"political reasons"

"just for fun"

"I just want to be the best defacer"

"revenge against that web site"

"patriotism"

tend to dominate. As far as defacements as concerned, in one of my previous posts "FBI's 2005 Computer Crime Survey - what's to consider?" you can see that according to the report, organizations lost approximately $10,395M due to web site defacements. Moreover, in some of my previous research on Cyberterrorism I've indicated the use of script kiddies for PSYOPS and how such defacements have a favorable psychologic effect on future initiatives.

And while they have the motivation to deface, I wonder would someone strike back and under what justification?

Technorati tags:

security, information security, defacement, Zone-H, hacktivism, cyberterrorism, Muhammad cartoons, hacking, Denmark Continue reading →