Threat Level: green Handler on Duty: Rob VandenBrink

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

UPDATED X1: Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea

Published: 2009-07-09
Last Updated: 2009-07-11 02:48:03 UTC
by John Bambenek (Version: 2)
16 comment(s)

 A quick update on the DDoS of various govermental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat.  However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commerical entities.

First, the government is still operational.  This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public facing websites to work. 

While more technically specific writeups are conducted (and conference calls and the like are being held around the clock on this one), some quick points.  It does not seem that any new novel techniques are being used.  A new DDoS toolkit, perhaps, but well-known attacks.  Simply flood the target with requests beyond that which it can handle.

This leads to a lose-lose proposition.  Do nothing and those who accumulate a botnet of not remarkable size being able to debilitate the ability of entities from operating online.  The other side is spending enough resources to be able to handle the traffic which imposes costs on the victim which is still a "success" for the bad guys.  On the one hand, no service, on the other hand, very excessive cost to provide service. No matter which path we choose, we lose.  It's just a question of how much.

The core problem is that bandwidth is limited but the ability to control a vast army of machines (i.e. botnets) is trivial.  The solution to this problem isn't remediating DDoS per se, it's remediating the triviality of getting lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.

The problem is that end-users cannot (nor should not be expected to) secure their home hardware.  They simply lack the skills (and we shouldn't lament this, these skills being a scarce commodity allows us to demand high salaries after all). The responsibility must be shifted to the person closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring.

Until then, researchers continue to work around-the-clock to play whack-a-mole to the latest attempts.  Thankfully, they are few and far between but in an increasingly "cyberwarfare" oriented world, that won't be for long.

UPDATE 07.10.09 @ 0100 GMT - Shadowserver has a nice writeup of the attack and a good analysis.  Key takeaway, there is NO EVIDENCE that N. Korea has launched a cyberwar against the United States.  Ignore the media and the "Fire up the B-52s" crowd.

--

John Bambenek

bambenek /at/ gmail /dot/ com

16 comment(s)
Diary Archives