50,000 ‘zombies’ triggered recent denial of service attacks

A report from security firm Symantec Corp. said the botnet that perpetrated the recent distributed denial of service attack (DDoS) attacks on several key U.S. and South Korean government, financial and media Web sites used around 50,000 zombie computers.

Size-wise, though, that’s a mere fraction of the botnet created by the Downadup/Conficker worm, which estimates say included a few million machines at its peak.

Earlier this week, the Symantec Security Response unit began monitoring a DDoS attack that is believed to have started sometime Monday. A third wave is believed to have begun Thursday.

High profile U.S. Web sites affected include: the White House site; Web sites for the Department of Homeland Defense, the State and the U.S. Treasury, and the Washington Post, among others.

Targets in South Korea included: the South Korean President’s homepage; sites for U.S. forces in Korea; Internet Auction, one of the country’s largest online auction services; the Kookmin Bank, and the site for Chosun Ilbo daily newspaper.

Canadian firms or individuals transacting with these sites would likely have experienced slower service if they are able to enter the site at all,
said Dean Turner, Toronto, Canada-based director of global intelligence network at security software firm Symantec Corp. headquartered in Cupertino, Calif.

“Generally there’s a slowdown or disruption of service, which can be very inconvenient for people visiting these sites.”

Worries aplenty, options few

Canadian security experts who’ve followed such attacks closely say they leave hapless victims with few options.

All they can do is batten the hatches, hunker down and seek “upstream intervention” to cut down the massive online traffic overloading their network.

There’s really very little an outfit hit with such an attack can do to stop the threat, and that’s the biggest problem with DDoS, says James Quin, senior research analyst at Info-Tech Research Group, based in London, Ont.

He said businesses and public sector organizations could provision greater bandwidth to cope with the online traffic surge. But there’s no guarantee an attacker won’t be able to flood that level of connectivity.

“The only real option is to work with your Internet Service Provider (ISP) to implement upstream filtering,” the analyst said.

Related stories:
My motive wasn’t criminal, says Mafiaboy

Eavesdropping, fraud, denial of service can threaten IP telephony systems

Terrible Trojan

The Symantec Threat Bulletin said a portion of the current attack is being carried out by a piece of malware identified as w32.dozer and variants of the MyDoom worm that appear to be infecting computers globally.

W32.dozer is distributed mainly via e-mail attachments. Once the user clicks on the attachment, the threat downloads a package on to the system that contains the following:

  • Trojan.dozer, a Trojan horse that wrests control of the computer and turns it into a botnet
  • A list of host sites, which the botnet is instructed to attack
  • MyDoom worm that’s currently believed to be used for its mass mailing capabilities to redistribute w32.dozer

Both Quin and Turner note that it’s difficult to categorically identify the motives behind the attack.

They say there’s no evidence the attacks are being perpetrated by North Korea, as earlier reports suggested.

“Given the targets, it is reasonable to assume the attack is politically motivated, though until sufficient data has been collected, it is really impossible to make any kind of determination,” said Quin.

He recalled how the 2007 cyber attack on Estonia was attributed to the Russian government but subsequent investigations didn’t turn up any evidence to corroborate that claim.

What you can do

Companies should look at the attacks as a reminder to test their preparedness, says Amit Yoran, CEO of security firm NetWitness and the former head of the National Cyber Security Division at the U.S. Department of Homeland Security.

“If this can happen to mature organizations that really understand what the threat environment looks like, and still fall [prey], it’s an ominous signal for other companies that might not be as ready.”  

A key requirement for relieving an overburdened network is to quickly determine the source of unwanted traffic, noted Symantec’s Turner.

“Your best bet would be to identify where the such traffic is coming from and have your system drop it or redirect it to a ‘sink hole’ – an alternative page or location.”  

This strategy, he said, would free up some bandwidth and give the affected party breathing space until its ISP is able to completely cut off the unwanted traffic.

Typically, the main aim of a denial of service or distributed denial of service attack is to make a computer resource unavailable to intended users. Targets are often sites or services hosted on high profile Web servers.

One common method involves saturating the target machine with external communication requests so it cannot respond to legit traffic or slows down to the point of ineffectiveness.

Yoran and other experts suggest that data-center and hosting operators, as well as businesses, use such attacks to check their defences.

They suggest the following steps to handle an attack:

1. After identifying the source of the unwanted traffic, use filtering tools to drop the traffic or divert it to sink hole.

2. Make sure your outside facing Web site is separated from your network’s critical services and applications. “Create a virtual DMZ (demilitarized zone) to prevent critical databases and servers from being affected by an attack,” said Turner.

3. Coordinate action with your ISP. “Communicate immediately to your ISP what traffic needs to be filtered out or stopped,” Turner said. Better yet, cultivate a good working relationship with your ISP so that you know who to contact even before an attack occurs.

4. Don’t try to keep the attack a secret. Yoran said the U.S. government initially released very little information about the attack. Such restrictions on information access caused all sorts of issues, Yoran said.  When people are misinformed, they “jump to the wrong conclusions.”

With files from Robert Lemos – CIO.com

Share on LinkedIn Share with Google+