Monday, May 28, 2007


Then What? -- Cyberwarfare Update

As I noted a few days ago (well, about a week ago), some of the mainstream media (but far from all) were reporting on the massive DDoS (distributed denial of service) attacks hitting Estonian institutions for a month. But then what happened? Are the attacks continuing, as they did for a month before they received press coverage? Have they ceased? Where are the updates?



Admittedly, there are difficulties with this type of news story. If the attacks continue, there is something to notice and report; but if they seem to stop, what can you say? If no enemy surrenders or is captured, can one conclude that the story is over?



The articles keep on coming, and the message is typically: this is bad stuff, and someone should figure out what to do about it before it hits us! This is the case with one in Slate from 22 May, and on 24 May with an article in the Economist, Cyberwarfare update, and another in Information Week, Estonian Attacks Raise Concern Over Cyber 'Nuclear Winter'.



On the other hand, there are also some interesting tech notes and discoveries. Jose Nazario of ArborSERT, an expert who has published books and articles on this and related subjects, did some data mining on 17 May.
We’ve seen 128 unique DDoS attacks on Estonian websites in the past two weeks through ATLAS. Of these, 115 were ICMP floods, 4 were TCP SYN floods, and 9 were generic traffic floods. Attacks were not distributed uniformly, with some sites seeing more attacks than others:
Largest attacks we measured: 10 attacks measured at 90 Mbps, lasting upwards of 10 hours. All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years.


In my first reading, I missed the significance of his attacks-by-date table: 31 on the 8th, 58 on the 9th, none on the 10th, one last one on the 11th... in the data he mined on the morning of the 17th. There had been no more attacks for a week when the story broke?
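To make the two views in Nazario's summary concrete (attack mix by type, and attacks by date), here is an added example of the kind of tally a defender would run over their own flow records. It is not Arbor's ATLAS code; the log lines, the line format and the 1,000 packets-per-second threshold are constructed assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed flow lines (not real ATLAS data):
# "<timestamp> <src> <dst> <proto> <tcp-flags> <packets>"
SAMPLE_LOG = """\
2007-05-08T14:00:05 198.51.100.7 192.0.2.10 icmp - 400000
2007-05-08T14:00:17 198.51.100.9 192.0.2.10 icmp - 380000
2007-05-08T14:03:02 203.0.113.4 192.0.2.20 tcp S 250000
2007-05-09T09:12:41 198.51.100.3 192.0.2.10 udp - 300000
2007-05-09T09:12:50 203.0.113.8 192.0.2.30 tcp SA 900
2007-05-11T22:40:00 198.51.100.7 192.0.2.20 icmp - 90000
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\w+) (\S+) (\d+)$")
FLOOD_PPS = 1000        # assumed per-target threshold, packets/second averaged over a minute
WINDOW_SECONDS = 60


def flood_class(proto, flags):
    """Map (protocol, TCP flags) onto the three categories in the quoted ATLAS data."""
    if proto == "icmp":
        return "icmp_flood"
    if proto == "tcp" and flags == "S":       # SYN only, no ACK: half-open flood
        return "syn_flood"
    return "generic_flood"                    # UDP, established TCP, anything else


def detect_floods(log_text):
    """Sum packets per (minute window, target, class); each window above FLOOD_PPS is one attack."""
    buckets = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                          # skip malformed lines instead of aborting the run
        ts, _src, dst, proto, flags, pkts = m.groups()
        window = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S").replace(second=0)
        buckets[(window, dst, flood_class(proto, flags))] += int(pkts)
    attacks = [(w, dst, cls) for (w, dst, cls), pkts in buckets.items()
               if pkts / WINDOW_SECONDS >= FLOOD_PPS]
    by_class = Counter(cls for _, _, cls in attacks)
    by_day = Counter(w.strftime("%Y-%m-%d") for w, _, _ in attacks)
    return by_class, by_day


if __name__ == "__main__":
    by_class, by_day = detect_floods(SAMPLE_LOG)
    print("by type:", dict(by_class))         # {'icmp_flood': 2, 'syn_flood': 1, 'generic_flood': 1}
    print("by day: ", dict(sorted(by_day.items())))
```

The low-rate established-TCP line on the 9th is deliberately below the threshold so that the per-day count shows only the floods, which is the distinction the date table in the quote depends on.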



Via Technorati I found a couple of blog posts from three days ago (SecuriTeam Blogs and Credit Union InfoSec) which relay info from Prolexic Technologies and Netcraft: botnets are old-fashioned, P2P networks are the thing now.



Darren Rennick, CEO of Prolexic, a company that provides DDoS mitigation as a service, said in Banking Business Review: "we foresaw from the outset that a time would come when there would be big attacks not for extortion but actually to damage the economy and, potentially to destroy the defense system of a country." In the same article, Robert Shaw, head of the ICT applications and cybersecurity division at the International Telecommunication Union in Geneva, is quoted as follows:
Of particular concern, he went on, is the development of what managed security services provider MessageLabs is calling Spam-Thru Botnets, which, as peer-to-peer networks, means there is no absolute master controller as in normal botnets. "Any machine can be the controller, and they even have some software built on the Kaspersky AV technology that actually removes other botnet software from a machine before installing themselves," said Shaw.




In one other article (the reference of which I have lost somehow) there was a discussion of the need to include the physical infrastructure in planning and providing security against such attacks. However, the infrastructure is largely privately owned, and it will likely be difficult to impose regulations which require investment. But never mind that I've lost that article; a note from 22 February 2006, Cybersecurity Demands Physical Security, covers it much more thoroughly and professionally:
The economics underlying the telecommunications industry is a major problem today. Governments, militaries, corporations and especially international financial institutions expect to use international telecommunications at virtually no cost. They employ sophisticated groups of experts to manage reduced prices of competing carriers to the point where the network services providers are barely able to provide service. This alone explains to a large degree the aggregation of the cheapest bandwidth into shared facilities at lowest cost and most vulnerable security. This must change. Customers of the system will have to pay a fair price to maintain the security of a distributed telecommunications system. The other option is a catastrophic attack on the international system.
Although the author was primarily addressing risks of physical damage from attacks, sabotage, or natural disaster, he does also state:
Today's technology permits more and more traffic to be carried by fewer and fewer carrier hotels, cable providers and network services suppliers. The cost of an international telecommunications voice and data call per minute is approaching zero. This is putting extreme profit margin pressure on international submarine cable and network operators. Some analysts argue that the total capital value of the undersea cable network is less than the annual costs of maintaining the system in a hostile underwater environment. The system is quite likely bankrupt.



The combined vulnerabilities of the undersea cable networks in conjunction with the nonsecure carrier hotels that feed into them make apparent the magnitude of the threat from terrorist organizations, natural disasters or the potential for network-based or information warfare among more traditional combatants.




So, I ask again, then what?


