Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea
SANS Internet Storm Center (SANS ISC) InfoSec Forums

A quick update on the DDoS of various governmental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat. However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commercial entities.

First, the government is still operational. This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public-facing websites to work.


While more technically specific writeups are being prepared (and conference calls and the like are being held around the clock on this one), here are some quick points. It does not seem that any novel techniques are being used. A new DDoS toolkit, perhaps, but well-known attacks: simply flood the target with more requests than it can handle.


This leads to a lose-lose proposition. Do nothing, and anyone who accumulates a botnet of unremarkable size can keep entities from operating online. The alternative is spending enough resources to handle the traffic, which imposes costs on the victim and is still a "success" for the bad guys. On the one hand, no service; on the other hand, a very excessive cost to provide service. No matter which path we choose, we lose. It's just a question of how much.


The core problem is that bandwidth is limited, but the ability to control a vast army of machines (i.e. botnets) is trivial. The solution to this problem isn't remediating DDoS per se; it's remediating how trivial it is for lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.


The problem is that end-users cannot (nor should they be expected to) secure their home hardware. They simply lack the skills (and we shouldn't lament this; these skills being a scarce commodity allows us to demand high salaries, after all). The responsibility must be shifted to the party closest to the user with the resources and skills to remediate this problem, namely the ISPs. Until we get to that point, these problems will keep recurring.


Until then, researchers continue to work around the clock, playing whack-a-mole with the latest attempts. Thankfully, they are few and far between, but in an increasingly "cyberwarfare"-oriented world, that won't be the case for long.


--

John Bambenek

bambenek /at/ gmail /dot/ com

Regarding shifting the responsibility to the ISPs: why not shift the liability to those crafting the software that allows exploitation instead? If Windows and IE weren't so easy to exploit, gathering millions of machines in a botnet might be a bit more difficult. And if Microsoft, Apple and the like were made liable for damages resulting from the abuse of their products due to their vulnerabilities, maybe they'd actually care about end user security instead of the jedi handwave we get now.
Swa
I think the endpoint approach is flawed. As long as users are involved the endpoint will get owned, period, end of story. I believe the ISP approach is right, due to the fact that with great power comes great responsibility. Being an ISP is a privilege, not a right. If a tier 3 ISP refuses to address the issue for whatever reason, their upstream provider should take action to block either the hosts or entire net blocks. In this case, it's nothing new and the traffic is easily detectable. I don't think we should let software vendors off the hook either, but in this scenario responding to a DDoS should be a required ISP service mutually enforced by all ISPs.
Anonymous
Swa,

The problem with shifting the liability to the software is that some types of software can't be liable. For example, are we going to go after the OSS community for a PHP worm?

I don't *like* the idea of ISPs getting into the practice of dropping packets, both from the expense and the moral standpoint of ISPs getting between the client and server. If ISPs start blocking what they think is bad traffic, they will either start blocking good traffic by mistake or the botmasters will change their attacks to look more like legit traffic.

However, I can't think of a better solution. At the very least, I think ISPs need to respond quickly to alerts that they have an attacking client. Do the ISPs have the tools to do this, though?
Jason
> end-users cannot (nor should not be expected to) secure their home hardware

Why not? We're not talking about having home users become security professionals but why can we not expect home users to do the simple, mundane things that actually for the most part prevent malware from being installed in the first place?

We expect people to lock their doors. We expect people to put bars on their windows if they live in a bad neighborhood. We expect people to protect themselves from the world all the time. Why is it too much to expect people to have a simple, consumer firewall (Linksys or ZoneAlarm for instance), AV, Malware software (i.e. Spybot if not included with your AV product) and actually update their software.

None of that requires any actual knowledge of security practices to run and install. There have been very good free AV, anti-malware and firewall software for a decade. A small Linksys box costs $30 or so. Windows update has existed since Windows 98 and it nags you about configuring it since XP SP2. A lot of software can check for itself online to see if there are updates.

Botnets and the problems they cause are not going away until this idea that the end user is just too stupid to do anything and therefore should get a free ride to enable others to screw over services on the Internet dies. End users absolutely should be expected to do the simple things to protect their own stuff, whether in the physical world or in the virtual world that is the Internet.
Anonymous
To build on Swa's point with a (somewhat lame) analogy: back in the early 80's, several individuals died after ingesting tainted Tylenol products. While the case was under investigation, retailers removed Tylenol products from their shelves; however, the burden of responsibility fell back on the manufacturer when the FDA set new national requirements for all OTC products to be tamper-resistant.

While the retailer (the ISP) may have a moral obligation to protect their customers, regulation should be imposed upon the product manufacturer.

IMHO, of course.
Anonymous
What if this is just a diversion from a more directed attack? Anyone think of that, while all resources are spent trying to address this issue, the hen-house is left unguarded..so to speak..
Brett
I agree 100% with SMB, end users should be responsible for their own security. I've seen my share of home computers connected directly to a cable modem, with no anti-virus or firewall.

Sounds like an interesting topic for a Poll ?
Joel B
I don't think anybody stated that end-users shouldn't be responsible for their security. My faith in users actually securing their desktops at home is very low. The suggestion that botnets would go away if people used home routers, desktop firewalls and AV isn't plausible. The best AV engines only achieve a 40-60% detection rate against stock malware. Home firewalls are typically configured to allow all traffic outbound, so scratch that. And this does nothing for the majority of machines that comprise botnets, which are people running pirated copies that don't receive patches. Expecting the average home user to do a good job at securing their desktop is less likely than a completely secure MS OS. I just wish ISPs actually cooperated more to fix the DDoS problem.
Anonymous
> The problem is that end-users cannot (nor should not be expected to) secure their home hardware.

Disagree. The responsibility of SysAdmins is to promote security where ever and when ever.

However, it's my observation that multinational ISPs have not done enough to secure their networks, which includes the customer last mile.

Also don't forget companies can have their hands tied. Just look at Net Neutrality.

Microsoft has also done a great job of improving security processes over the years.
Anonymous
The Tylenol example breaks down when you consider that no one dies (or really even *notices*, for that matter) when the FTC or White House website goes down.

Just adding a little perspective.
Anonymous
Seriously, anybody who thinks that a significant portion of end-user and institutional users are capable of securing their default software really doesn't get out much. They purchase pre-loaded computers which work for their purposes. Any insecurities in those components are implemented by someone other than the purchaser, who usually has no idea of or concern about these issues.
Simplest solution might be to disable all network interfaces while Administrator is logged in.
H.M.
@DW - I *did* say "somewhat lame" analogy. :) Seriously, though, if the issue were addressed at the point of manufacturing - if we held the source accountable for security flaws in their product(s) that could lead to identity theft, fraud, botnets that take down businesses, etc., then we don't need to burden the ISP with handling an issue they didn't cause.
Anonymous
Looks like their attack strategy is changing!

http://www.computerworld.com/s/article/9135369/Korea_DDOS_virus_mission_shifts_to_destroying_erasing_data
Karl
The problem with expecting end users to secure their own systems is that they have little incentive. When they're a member of a botnet they may not even notice -- the problem affects someone else. The analogy with locking doors doesn't hold -- people lock their doors to protect their own stuff, not to protect someone else.

Perhaps the closest analogy would be the laws requiring fences around swimming pools, to protect little children from accidentally falling in. But how would we go about implementing a similar cyber-law, anyway? If a kid gets hurt due to an improperly guarded pool, we prosecute the owner of that pool for negligence. In a botnet attack, would it really be feasible to prosecute thousands or millions of computer owners for the negligence that allowed their computers to be taken over?

Much of this attack is coming from North Korea. Even if we had laws here that required computer owners to protect their systems, how would that help? Our diplomatic relations with Korea aren't so good.
Barmar
@kt -- how do you hold the source accountable, though? Unlike a Tylenol bottle, which obviously came from a particular manufacturer, how are you going to determine that a machine became part of a botnet as a result of a particular software manufacturer's defect?
Barmar