Like this article? We recommend
Like this article? We recommend
Like this article? We recommend
Solutions
Good news—defenses are developing as fast as the threat. If you're responsible for a large enterprise, you can get a free month trial from two new companies that specialize in defenses against these blended, directed threats.
FireEye is taking advantage of technologies developed, in part, under research funded by the Defense Advanced Research Projects Agency (DARPA). In a phone interview, FireEye's chief scientist Stuart Staniford said, "We capture attacks as they go on," and then run a "wire replay on [a] copy of Windows running on [a] virtual machine." This gives a clear picture of what any given attack is doing, without having to resort to signatures. The advantage, says Staniford, is "low false positives." FireEye's virtual machine is proprietary, lessening the danger of an attacker learning how to compromise it.
FireEye deploys sensors around the globe in addition to those it provides to its customers. These sensors identify C&C nodes, enabling FireEye's system to block communications with customer networks. They allow the customer's IT staff to determine what actions to take when FireEye discovers a botnet attack underway. One fix is to block communication with its C&C nodes right away, and then rebuild infected machines at leisure. When network access is less crucial, the infected machines may be denied access immediately.
Damballa has created its own technology to track and defend against bot armies. The company's Failsafe solution identifies compromised hosts inside enterprise networks, without using signatures or behavior-based technologies. In a press release about Failsafe, Bill Guerry notes, "[W]e discover, on average, that 3–5% of enterprise assets are compromised—even in the presence of the best and most up-to-date security. That's a huge gap that's not being addressed by traditional security technologies."
Other companies with expertise targeted at botnets include SecureWorks and eEye Digital Security.
DDoS attacks still can be a problem for smaller organizations and those that run controversial businesses. Even as long ago as 2004, Alan Paller, director of research for the SANS Institute security organization, estimated that "Six or seven thousand organizations are paying online extortion demands." Specifically, he asserted, "Every online gambling site is paying extortion. ...Hackers use DDoS [denial-of-service] attacks using botnets to do it. Then they say 'pay us $40 thousand or we'll do it again.'"
Large, respectable web-based companies no longer get driven off line by botnets. Their solution is simple. MySpace, for example, relies on Akamai's distributed servers, which handle 10–20% of all web traffic. A DDoS attacker would have to overwhelm this globally distributed network, which is able to handle up to 650 gigabits/sec of traffic.
However, Akamai and similar providers such as Limelight are not silver bullets. At one time, Al-Jazeera hosted its website with Akamai. But when Al-Jazeera showed pictures of dead and captive U.S. soldiers during the 2003 invasion of Iraq, DDoS attacks materialized. Akamai responded by booting off its unpopular customer. (See "Akamai as Censor" for an in-depth analysis.)
Smaller or more controversial organizations can dodge the DDoS bullets by choosing their Internet access providers carefully. Some providers demand terms of service agreements that allow them to dump customers that come under attack. Others will work with their customers at the backbone level to identify and filter out attacks.
Admittedly, the remedy may be drastic, as when much of Estonia came under attack from botnets in 2008. According to Rutgers professor Michael Lesk, "That attack was really cheap, and yet it forced the whole country to break its connections with the Internet." He estimates that bot herders charged approximately $100,000 for their DDoS attacks.
The bottom line, however, is that bot herders are reluctant to use their assets for DDoS attacks. These activities are so visible and so crude that they make it easy for defenders to isolate and even eradicate these botnets. Crime organizations typically reserve their assets for tasks that make more money and expose them to less risk.
And then there's click fraud, which consists of setting up a website and contracting with advertisers who pay by the click. A botnet then commands thousands of its zombies to behave as if real people were browsing these websites and clicking links. Quite a number of businesses offer defenses against click fraud: