cybershark
Expert Member
Cyber attacks with enough firepower to knock entire countries off the Internet have spiked in recent months, raising fresh concerns within the security community about weaknesses in the Internet infrastructure that help create such weapons of mass disruption.
These "distributed denial of service" or DDoS attacks use robot networks or "botnets" -- many hundreds or thousands of compromised PCs -- to flood targets with so much junk traffic that they can no longer accommodate legitimate visitors.
While DDoS attacks have been a common threat since the dawn of the commercial Internet, DDoS watchers, such as Arbor Networks, have tracked a recent spike in the number, sophistication and size of attacks against major Internet providers. Attackers also appear to be picking bigger targets.
"We've certainly seen in last 120 days an uptick in critical infrastructure impacting attacks," said Danny McPherson, Arbor's chief security officer. "Suffice it to say, 'interesting' activity in this area has indeed increased from our perspective over the past 6 months or so, and the virulence of infrastructure attacks continues to be evident."
For example, in late March, unknown hackers hit GoGrid.com, a cloud computing provider, which disrupted service to roughly half of its 1,000 customers.
Paul Lappas, vice president of engineering for GoGrid, said the attack came from thousands of servers around the Web, and targeted every last one of his company's Internet addresses. The attacks went on for several days, and then, as suddenly as they began, abruptly stopped.
"Our systems were designed to handle extremely large DDoS attacks," Lappas said. "We've been in this business for eight years, and seen our share of attacks. But we haven't seen anything like this before."
On April 1, attackers struck Register.com, a Web hosting provider that also is one of the Internet's largest domain name registrars. The attack came in fits and starts, and disrupted service intermittently for millions of register.com customers for several days.
On April 6 and 7, The Planet, the world's largest privately held dedicated Web hosting provider, that serves more than 15 million Web sites, was hit by what the Houston-based company called a "massive" DDoS attack.
That same week, a concerted DDoS attack struck Telefonica in Brazil, an Internet service provider that provides Web connectivity to more than 2.1 million Brazilians. The assaults brought Web surfing to a halt for many Telefonica users for several days.
Typically, DDoS attacks are little more than a prelude to shakedowns from cyber thugs, who try to extort money in exchange for calling off the attacks. In most cases, the attacks go unnoticed, either because the target pays the ransom or quickly hires companies that specialize in fending off the assaults.
However, most of the companies mentioned in this story did not receive extortion threats. The Planet, which declined an interview request, did not confirm if this was true for them.
Many of the recent, high profile and successful attacks -- such as the barrage leveled against Telefonica -- were executed in precise intervals over a period of days, as if the attackers were flipping a switch on and off. Experts say this type of activity suggests the perpetrators may have been merely demonstrating their weaponry for criminals who rent out their attack services.
"Attackers like to illustrate their firepower of their botnets, and sometimes when you see these attacks that target large numbers of users, they are often just a demonstration," McPherson said.
Ken Silva, chief technology officer for Verisign, a Mountain View, Calif., company that provides a range of Internet infrastructure and security services, said attacks of this sort are designed to be noticeable enough to garner coverage by the news media.
"They are becoming more successful because we're reading about them a lot more in the press than we did in the past," Silva said.
These days, an increasing number of DDoS assaults attack weaknesses in the domain name system (DNS), an essential component of the Internet. DNS is akin to the white pages of the Internet, translating Web site names like example.com into numeric addresses that are easier for computers to find. The machines that handle that translation, known as DNS servers, are the unseen workhorses responsible for routing everything from Web searches to e-mail and instant messaging.
While many companies operate multiple Web servers to accommodate high traffic volumes to their sites, few provide such redundancy for their DNS servers, Verisign's Silva said.
"All too often companies will put hundreds of servers out there for their Web site, and then run the whole thing off of two servers that serve up all of the incoming DNS requests," Silva said. "This is usually fine, until that organization comes under an attack on those DNS servers."
Also, the global DNS system doesn't yet have a widely deployed system for determining when someone requesting the location of a site is fibbing about his or her own location. As a result, DDoS assaults in which the attackers can spoof their true location are not only harder to block, but they allow attackers to achieve the same results with a much smaller botnet.
For example, an attacker can instruct a handful of compromised systems to query thousands of DNS servers, telling each to look up the location of washingtonpost.com, but send the answer back to someone else. This type of assault allows the attacker to trick DNS servers around the world into sending replies back to a third-party target, effectively making the DNS servers themselves foot soldiers in the attack.
This is what happened this month to SharkTech Internet Services, a company in Missoula, Mont., that provides anti-DDoS services to businesses that have suffered such attacks in the past. SharkTech owner Tim Timrawi said his business was knocked offline for five hours from a DNS attack that heaved more than 20 gigabits of traffic per second at his company's servers, or roughly the equivalent of the data contained in about 5,000 novels sent digitally every second.
"Imagine if someone using the U.S. mail sent a small letter to a company requesting a brochure of their information, but that person wrote your address as the return address. Naturally, this brochure is going to end up in your mailbox," said SharkTech owner Tim Timrawi. "Now imagine that the same person doesn't have to pay for stamps, and they have automated the process so that a new letter requesting a brochure in your name is sent out every second. Not only would this quickly fill up your mail box, but it would probably swamp the local post office in your area, and maybe even the regional post office for your area."
Also, the number of botnets used to pummel networks has increased sharply due to Internet-wide pandemics, like the Conficker worm. However, attacks that leverage the blunt firepower of millions of hacked PCs visiting a targeted Web site are relatively easy to fend off: the victim simply works with their ISP to identify and drop traffic from the Internet addresses doing the attacking.
Arbor's McPherson said there are a number of things that can be done to diminish the effectiveness of DDoS attacks, but that most require ISPs to do a better job adopting long-established Internet best practices, such as those that call on network providers to filter out incoming traffic that appears to be spoofed.
However, there is currently no authoritative and trusted source of information about the ranges of Internet addresses assigned to the world's thousands of ISPs, McPherson said. While there are several research projects ongoing at the Internet Engineering Task Force and the Department of Homeland Security aimed at making it easier for ISPs to defend their networks from DDoS attacks, the attackers will continue to have the advantage for some time.
"The asymmetry of risk involved here affords attackers plenty of flexibility," McPherson said. "A determined attacker is in pretty good shape today to take out some pretty big targets."
source
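To make the two defensive points in the article concrete (the "filter out spoofed traffic" best practice an ISP can apply at its customer edge, and what a DNS server operator can do when it is being used as a reflector), here is a small added example that is not from the article or any of the companies it names. The address ranges, the log lines and the per-second response limit are constructed values; the rate-limiting step is a standard resolver-side mitigation for reflection and is assumed here, not something the article describes.

```python
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed (hypothetical) ranges this network assigns to its own customers.
# Only an operator that knows its own ranges can do this check, which is the
# gap the article points at: there is no trusted global list of such ranges.
CUSTOMER_PREFIXES = [ip_network("198.51.100.0/24"), ip_network("203.0.113.0/24")]

# Constructed query log: "<second> <claimed source IP> <name looked up>".
# 192.0.2.10 plays the third-party victim whose address is forged as the
# return address, so the same name is requested from it over and over.
SAMPLE_LOG = """\
1 198.51.100.7 example.com
1 192.0.2.10 washingtonpost.com
1 192.0.2.10 washingtonpost.com
1 192.0.2.10 washingtonpost.com
2 203.0.113.9 example.com
2 192.0.2.10 washingtonpost.com
2 192.0.2.10 washingtonpost.com
"""

def is_spoofed(src, prefixes=CUSTOMER_PREFIXES):
    """Ingress filter at the customer edge: a packet arriving from the
    customer side whose source address is not one of ours cannot be genuine."""
    addr = ip_address(src)
    return not any(addr in p for p in prefixes)

def triage(log, edge_filter, max_per_sec=2):
    """Decide per query: answer it, drop it as spoofed (when run at an ISP
    edge that knows its prefixes), or drop it under per-(source, name)
    response rate limiting (the resolver-side mitigation assumed above).
    Returns a list of (source, name, decision)."""
    seen = Counter()
    out = []
    for line in log.splitlines():
        sec, src, name = line.split()
        if edge_filter and is_spoofed(src):
            out.append((src, name, "drop-spoofed"))
            continue
        seen[(sec, src, name)] += 1
        decision = "drop-ratelimit" if seen[(sec, src, name)] > max_per_sec else "answer"
        out.append((src, name, decision))
    return out

def count_decisions(log, edge_filter, max_per_sec=2):
    """Summarise how many queries were answered versus dropped, and why."""
    return dict(Counter(d for _, _, d in triage(log, edge_filter, max_per_sec)))
```

Run with `edge_filter=True` the forged queries never leave the ISP, while with `edge_filter=False` (the reflector's own view, where it cannot tell a forged source from a real one) rate limiting still caps how much traffic the victim receives per name per second.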