UPDATED X1: Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea

Published: 2009-07-09. Last Updated: 2009-07-11 02:48:03 UTC
by John Bambenek (Version: 2)
16 comment(s)

 A quick update on the DDoS of various govermental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat.  However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commerical entities.

First, the government is still operational.  This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public facing websites to work. 

While more technically specific writeups are conducted (and conference calls and the like are being held around the clock on this one), some quick points.  It does not seem that any new novel techniques are being used.  A new DDoS toolkit, perhaps, but well-known attacks.  Simply flood the target with requests beyond that which it can handle.

This leads to a lose-lose proposition.  Do nothing and those who accumulate a botnet of not remarkable size being able to debilitate the ability of entities from operating online.  The other side is spending enough resources to be able to handle the traffic which imposes costs on the victim which is still a "success" for the bad guys.  On the one hand, no service, on the other hand, very excessive cost to provide service. No matter which path we choose, we lose.  It's just a question of how much.

The core problem is that bandwidth is limited but the ability to control a vast army of machines (i.e. botnets) is trivial.  The solution to this problem isn't remediating DDoS per se, it's remediating the triviality of getting lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.

The problem is that end-users cannot (nor should not be expected to) secure their home hardware.  They simply lack the skills (and we shouldn't lament this, these skills being a scarce commodity allows us to demand high salaries after all). The responsibility must be shifted to the person closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring.

Until then, researchers continue to work around-the-clock to play whack-a-mole to the latest attempts.  Thankfully, they are few and far between but in an increasingly "cyberwarfare" oriented world, that won't be for long.

UPDATE 07.10.09 @ 0100 GMT - Shadowserver has a nice writeup of the attack and a good analysis.  Key takeaway, there is NO EVIDENCE that N. Korea has launched a cyberwar against the United States.  Ignore the media and the "Fire up the B-52s" crowd.

--

John Bambenek

bambenek /at/ gmail /dot/ com

16 comment(s)

Comments

Regarding shifting the responsibility to the ISPs: why not shift the liability to those crafting the software that allows exploitation instead. If windows and IE weren;t so easy to exploit gatherign millions of machines in a botnet might be a bit more difficult. And if Microsoft, APlle and the like were made liable for damages resulting from the abuse of their products due to their vulnerabilities, maybe they'd actually care about end user security instead of their jedi handwave we get now.
I think the endpoint approach is flawed. As long as users are involved the endpoint will get owned, period, end of story. I believe the ISP approach is right, due to the fact that with great power comes great responsibility. Being an ISP is a privilege not a right. If a tier 3 ISP refuses to address the issue for whatever reason, their upstream provider should take action to block either the hosts or entire net blocks. In this case, its nothing new and the traffic is easily detectable. I don't think we should let software vendors off the hook either, but in this scenario responding to a DDOS should be a required ISP service mutually enforced by all ISPs.
Swa,

The problem with shifting the liability to the software is that some types of software can't be liable. For example, are we going to go after the OSS community for a PHP worm?

I don't *like* the idea of ISPs getting into the practice of dropping packets, both from the expense and the moral standpoint of ISPs getting between the client and server. If ISPs start blocking what they think is bad traffic, they will either start blocking good traffic by mistake or the botmasters will change their attacks to look more like legit traffic.

However, I can't think of better solution. At the very least, I think ISPs need to respond quickly to alerts that they have an attacking client. Do the ISPs have the tools to do this, though?
I think the endpoint approach is flawed. As long as users are involved the endpoint will get owned, period, end of story. I believe the ISP approach is right, due to the fact that with great power comes great responsibility. Being an ISP is a privilege not a right. If a tier 3 ISP refuses to address the issue for whatever reason, their upstream provider should take action to block either the hosts or entire net blocks. In this case, its nothing new and the traffic is easily detectable. I don't think we should let software vendors off the hook either, but in this scenario responding to a DDOS should be a required ISP service mutually enforced by all ISPs.
> end-users cannot (nor should not be expected to) secure their home hardware

Why not? We're not talking about having home users become security professionals but why can we not expect home users to do the simple, mundane things that actually for the most part prevent malware from being installed in the first place?

We expect people to lock their doors. We expect people to put bars on their windows if they live in a bad neighborhood. We expect people to protect themselves from the world all the time. Why is it too much to expect people to have a simple, consumer firewall (Linksys or ZoneAlarm for instance), AV, Malware software (i.e. Spybot if not included with your AV product) and actually update their software.

None of that requires any actual knowledge of security practices to run and install. There have been very good free AV, anti-malware and firewall software for a decade. A small Linksys box costs $30 or so. Windows update has existed since Windows 98 and it nags you about configuring it since XP SP2. A lot of software can check for itself online to see if there are updates.

Botnets and the problems they cause are not going away until this idea that the end user is just too stupid to do anything and therefore should get a free ride to enable others to screw over services on the Internet dies. End users absolutely should be expected to do the simple things to protect their own stuff, whether in the physical world or in the virtual world that is the Internet.
To build on Swa's point with a (somewhat lame) analogy: back in the early 80's, several individuals died after ingesting tainted Tylenol products. While the case was under investigation, retailers removed Tylenol products from their shelves; however, the burden of responsibility fell back on the manufacturer when the FDA set new national requirements for all OTC products to be tamper-resistant.

While the retailer (the ISP) may have a moral obligation to protect their customers, regulation should be imposed upon the product manufacturer.

IMHO, of course.
What if this is just a diversion from a more directed attack? Anyone think of that, while all resources are spent trying to address this issue, the hen-house is left unguarded..so to speak..
I agree 100% with SMB, end users should be responsible for their own security. I've seen my share of home computers connected directly to a cable modem, with no anti-virus or firewall.

Sounds like an interesting topic for a Poll ?
I don't think anybody stated that end-users shouldn't be responsible for their security. My faith in users actually securing their desktops at home is very low. The suggestion that botnets would go away if people use home routers, desktop firewalls and AV isn't plausible. The best AV engines only achieve a 40-60% detection rate against stock malware. Home firewalls are typically configured to allow all traffic outbound, so scratch there. And this does nothing for the majority of machines that comprise botnets, which are people running pirated copies that don't receive patches. Expecting the average home user to do a good job at securing their desktop is less likely then completely secure MS OS. I just wish ISP's actually cooperated more to fix the DDOS problem.
> The problem is that end-users cannot (nor should not be expected to) secure their home hardware.

Disagree. The responsibility of SysAdmins is to promote security where ever and when ever.

However, it's my observation that mutlinational ISPs have not done enough to secure their networks, which includes the customer last mile.

Also don't forget companies can have their hands tied. Just look at Net Neutrality.

Microsoft has also done a great job of improving security processes over the years.

Diary Archives