Locked out.


Most criminal behaviour - whether traditional or online - follows an all-too-predictable pattern: vulnerabilities are identified in the way valuable assets are protected and then those are exploited until the victims invest in protection. When the security exposure is closed down, the criminals move on to a new target.

For the individuals and gangs of criminals that first saw the potential in using distributed denial of service attacks (DDoS) as a tool for extortion, some obvious targets stood out - Internet gambling and online payment sites.

For one, those businesses dealt with huge amounts of money; secondly, they were entirely reliant on Internet connectivity. Having their web presence shut down by the flood of spurious access attempts that accompanies a DDoS attack does not just lose them business, it can prove fatal.

Just ask Peter Pedersen, the chief technology officer at Blue Square, the London-based online bookmaker owned by the gaming and entertainment giant, Rank Group. His organisation was the target of numerous DDoS attacks in 2004 as Russian-based groups swamped Blue Square's web site with bogus traffic.

"We need to have an open front door 24x7, to allow customers to place a bet even if it is four in the morning," he says. "We cannot afford to have users' access to our website blocked by cyber-criminals."

The attacks that temporarily closed Blue Square were highly sophisticated, Pedersen reports, and were followed by a demand for 'protection money'. The company refused to pay up and got together with others in the online betting industry - many of whom were also under attack - to form a united front against the extortion.

But given the impact of such attacks, and the normally low demands of attackers, the option of paying out looked the best business decision to some - at least initially. At least one online betting group gave in and paid the five-figure sum demanded. The attacks stopped, but not for long; the company was soon faced with further DDoS attacks and further demands.

In an earlier incident, in 2002, the same thing had happened to Costa Rican-based gambling site BetCris.com. "When it was a low-level thing, I paid $500 one time," says Mickey Richardson, general manager of BetCris.com. But never again. "Now [we understand] the going rate is $60,000 to $100,000 [for the criminals to halt a DDoS shut down]."

BetCris and Blue Square are the exceptions. The vast majority of DDoS victims are reluctant to speak out about the threat, fearful of undermining consumer confidence in their online brand.

But there have been some cases that are a matter of public record. In September 2004, US online payment-processing site Authorize.net received a hefty demand from DDoS initiators. And when Roy Banks, its president, refused to pay, the company had to deal with a torrent of website traffic "unprecedented in its severity and tenacity" that overwhelmed its service despite the company's use of various DDoS hardware and software counter-measures.

Similarly, in the UK in October 2004, the Royal Bank of Scotland's Internet payment division, WorldPay, was hit by an attack that closed down its ability to process its affiliates' transactions - although it is unclear whether the prolonged attack was linked to an extortion racket.

These are not isolated incidents, says Paul Lawrence, European VP at network protection vendor Top Layer. "You only have to look at the pattern of attacks through 2004 to realise that the extortionists kept trying," he says. "That strongly suggests that some companies were paying up."

While reports of threats and attacks against gambling sites appear to have peaked in 2004, DDoS activity remains unabated. According to estimates made by University of California researchers, there are around 2,000 DDoS attacks launched each week. The criminals, it seems, are on the prowl for new victims. "We are definitely seeing a rise in DDoS attacks across the board as the criminals understand that any company that does all or even part of its business online is vulnerable," says detective superintendent Mick Deats, deputy head of the National Hi-Tech Crime Unit.

And as many of the online gambling sites have beefed up their defence capabilities, the extortionists armed with DDoS launch sites have moved on to target other vulnerable organisations. However, as Deats notes, "not all DDoS attacks are accompanied by an extortion demand. Attacks are being launched on companies by disgruntled ex-employees." Political and techno-activists also commonly launch attacks, he adds.

While most businesses may take comfort from knowing that a DDoS attack is unlikely to close them down permanently, they cannot afford to be complacent, says Kevin Regan, security consultant at networking giant Cisco. "You need to be making risk assessments now. You need to know what the likely effect is, what the impact to your brand will be. And even if the answer is that the cost of protection outweighs the risk, you still need to have quantified that risk."

Brand perception is often overlooked when it comes to examining security issues, but it is likely to become increasingly important, says Richard Hackworth, head of group IT security at financial services giant HSBC. In the 2004 survey of international brand value by marketing consultancy Interbrand, HSBC's brand was reckoned to be worth $9 billion; the top ranked company, Coca Cola, had an identity valued at $67 billion. "This is a real business issue, and the quality of your IT, your online presence, will affect your brand," says Hackworth.

And it is not just criminal gangs that can wreak havoc through DDoS attacks. Disgruntled former employees, political activists and challenged teenagers are all potential instigators. "Financial gain isn't the only reason for launching DDoS attacks. That makes it difficult to predict who will be affected," says Top Layer's Lawrence.

The mechanisms of launching a DDoS attack are well understood. In essence a so-called botnet - an army of compromised network-attached computers, known as zombies - is recruited and then used to fire off massive amounts of traffic at an IP address until the server at the other end falls over. While a single DDoS attack may not overwhelm a site with high bandwidth Internet access, thousands of these attacks coming from all over the globe will have the desired effect - hence the notion of distributed denial of service.

But what is worrying security analysts is the speed at which attacks can now be instigated. According to some, a large percentage of all viruses now sent out are installing Trojans; these infect the target computer and enslave it to the botnet. These infected computers can then be used to log keystrokes, spying on users, picking up potentially sensitive data; they can send spam; and finally, when they have served their initial purpose, they can be used to launch DDoS attacks. This is usually the end of the line for an enslaved computer as the DDoS attack can be traced back to the infected machine, at which point the Trojan is removed.

However, it may only take 10 machines in a botnet of potentially thousands of compromised computers to launch a DDoS attack. Like the mythical Hydra, once one head has been lopped off, another quickly grows back. "Using simple port scanning tools it is possible to infect several hundred machines within two to three hours," says David Harcourt, head of network security at BT Wholesale.

As broadband becomes more pervasive, this opens up a whole new world of access points for the attackers - fast connections and end users that lack enterprise-level security protection provide a bumper harvest for the attackers. According to security vendor Symantec, in 2004, an average of 30,000 zombies were created each day.

And this is not just a consumer problem - Trojans within the enterprise can consume huge amounts of corporate bandwidth and once a Trojan is sitting within a network it is often difficult to detect.

Protection against such attacks is not simple, but one approach is to monitor traffic leaving the corporate firewall. It may be possible to identify suspicious activity - traffic regularly sent to specific, unknown addresses. Well managed security patching can also minimise exposure to such exploits. However, the proliferation of mobile devices and the gradual blurring of corporate and home-use devices inevitably mean that the risk of infection is constant.
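As an added illustration of the egress-monitoring approach described above (not part of the original article), the following Python example flags internal hosts that contact the same unapproved external address at near-constant intervals. The log format, addresses, allowlist and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Destinations the organisation already knows and approves (assumed allowlist).
KNOWN_DESTINATIONS = {"192.0.2.10"}


def build_sample():
    """Constructed egress log lines: '<epoch> <src_ip> <dst_ip> <dst_port>'."""
    t0 = 1117000000
    # Infected host: one connection roughly every 300 s, with a few seconds of jitter.
    beacon = [t0 + 300 * i + j for i, j in enumerate([0, 4, -3, 2, 5, -1, 0, 3])]
    # Ordinary user: bursts and long pauses.
    browse = [t0 + off for off in [5, 40, 47, 900, 2600, 2610, 5000, 9000]]
    # Approved updater: perfectly regular, but to a known destination.
    update = [t0 + 3600 * i for i in range(8)]
    rows = [f"{t} 10.0.0.23 203.0.113.50 8080" for t in beacon]
    rows += [f"{t} 10.0.0.41 198.51.100.7 80" for t in browse]
    rows += [f"{t} 10.0.0.23 192.0.2.10 443" for t in update]
    return rows


def find_beacons(lines, known=KNOWN_DESTINATIONS, min_events=6, max_jitter=0.1):
    """Return sorted (src, dst, mean_gap_seconds, cv) for regular traffic to unknown hosts.

    A (src, dst) pair is flagged when it has at least min_events connections
    and the coefficient of variation (stdev / mean) of the gaps between them
    is at most max_jitter, i.e. the traffic is machine-like in its regularity.
    """
    times = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        ts, src, dst, _port = line.split()
        if dst in known:
            continue  # approved destination, not "unknown"
        times[(src, dst)].append(float(ts))

    flagged = []
    for (src, dst), stamps in times.items():
        if len(stamps) < min_events:
            continue  # too few connections to judge regularity
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_jitter:
            flagged.append((src, dst, round(avg, 1), round(cv, 3)))
    return sorted(flagged)


if __name__ == "__main__":
    for src, dst, gap, cv in find_beacons(build_sample()):
        print(f"{src} -> {dst}: every ~{gap}s (cv={cv})")
```

Regular timing alone is not proof of infection, since legitimate software also polls on a schedule, so a flagged pair is a lead for investigation and a candidate for the allowlist once explained.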

As the threat from DDoS attacks has evolved, numerous different methods of tackling the problem have been tried.

Traffic filtering at the router level can use access control lists to filter out malicious traffic; firewalls can be configured to only accept specific requests from approved external sources; and intrusion detection systems can provide application-layer attack detection capabilities.

Further strategies include altering the IP addresses of the attacked system and updating the domain name server (DNS), as well as simply throwing more bandwidth at the problem or using services such as Akamai that use large data pipes and distributed networks. But the problem with these approaches is that they are all reactive, meaning potentially important traffic may be lost, and they place a financial burden on businesses, says Miles Clement, project manager at bluechip IT user group the Information Security Forum. "There's an argument to say that dealing with DDoS should be done by the service providers. The attack traffic is being delivered via the service provider's network. If it can be turned off at that point, the end users need never notice they have been under threat," he says.

According to Clement those launching the DDoS attacks are becoming more sophisticated. There is evidence that perpetrators are launching attacks, then waiting to analyse the victim's response and tweaking the attack to respond.

There are signs that service providers are beginning to accept the challenge. The Fingerprint Service Alliance, which includes members such as Cisco, BT and MCI, have brokered an agreement to share cyber attack profiles - the fingerprints - helping to stop DDoS attacks more quickly and identify the source. Using technology from DDoS prevention specialist Arbor Networks, a service provider which identifies an attack automatically alerts others within the alliance to the new fingerprint, so compromised hosts can be identified and removed from the network.

ISPs, such as Energis and Pipex, are already offering DDoS protection. By monitoring traffic across their networks they can divert illegitimate packages intended to swamp customers. But anti-DDoS services can be expensive: analyst house Gartner says $12,000 a month is not uncommon. It advises that a multi-layered approach to security is best (see box).

This advice is echoed by BT's Harcourt: "There are several ways to mitigate DDoS, and, as a service provider, we use numerous different types of technology. The point of the Fingerprint Sharing Alliance is to speed up response times and to co-operate - none of us want to be carrying this traffic." But even as users look to service providers to mitigate attacks, they must see such efforts as only part of a co-ordinated security strategy to combat DDoS, he adds.

Protective measures

DDoS prevention:

To prevent a DDoS attack, take these five steps:

Insist that your Internet service provider filters

Arrange to have scalable bandwidth

'Harden' and protect your domain name servers

Ensure availability through redundancy

Invest in DDoS defences

Gateway protection:

To reduce the threat of malware entering the network, invest in these technologies that are deployed at the gateway:

Gateway spam filtering

Gateway antivirus

Content/URL filtering

Network access control (that is, scan and block) technologies that can quarantine compromised hosts

PC protection:

PC security requires more than keeping standalone antivirus products up-to-date because emerging cyber attacks bypass traditional antivirus solutions. PCs must be kept up-to-date with security patches. To protect against the majority of software threats - including malware that turns a host into a bot - corporate PCs should run these technologies:

Antivirus

Anti-spyware

Personal firewalls or host-based intrusion prevention systems

Source: Gartner
COPYRIGHT 2005 Infoconomy Ltd.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2005 Gale, Cengage Learning. All rights reserved.

Article Details
Title Annotation:distributed denial of service attacks as a tool for extortion.
Publication:Information Age (London, UK)
Geographic Code:4EUUK
Date:Jun 10, 2005
Words:1955