
Research and retrieval of news articles by Bennett Gold LLP, Chartered Accountants


SPECIAL NOTE TO ALL VISITORS:
Effective December 31, 2012, articles are no longer being updated on this web site.
The site is now maintained as an historical archive, covering articles from the period 1999 to 2012.


50,000 'ZOMBIES' TRIGGERED RECENT DENIAL OF SERVICE ATTACKS

Source: ITbusiness.ca

Posted on July 10, 2009

      A report from security firm Symantec Corp. said the botnet behind the recent distributed denial of service (DDoS) attacks on several key U.S. and South Korean government, financial and media Web sites used around 50,000 zombie computers.

      Size-wise, though, that's a mere fraction of the botnet created by the Downadup/Conficker worm, which estimates say included a few million machines at its peak. Earlier this week, the Symantec Security Response unit began monitoring a DDoS attack that is believed to have started sometime Monday. A third wave is believed to have begun Thursday.

      High profile U.S. Web sites affected include: the White House site; Web sites for the Department of Homeland Security, the State Department and the U.S. Treasury; and the Washington Post, among others. Targets in South Korea included: the South Korean President's homepage; sites for U.S. forces in Korea; Internet Auction, one of the country's largest online auction services; the Kookmin Bank; and the site for the Chosun Ilbo daily newspaper.

      Canadian firms or individuals transacting with these sites would likely have experienced slower service, if they were able to reach the sites at all, said Dean Turner, Toronto-based director of the Global Intelligence Network at security software firm Symantec Corp., headquartered in Cupertino, Calif. "Generally there's a slowdown or disruption of service, which can be very inconvenient for people visiting these sites."

Worries aplenty, options few

      Canadian security experts who've followed such attacks closely say they leave hapless victims with few options. All they can do is batten the hatches, hunker down and seek "upstream intervention" to cut down the massive online traffic overloading their network.

      There's really very little an outfit hit with such an attack can do to stop the threat, and that's the biggest problem with DDoS, says James Quin, senior research analyst at Info-Tech Research Group, based in London, Ont. He said businesses and public sector organizations could provision greater bandwidth to cope with the online traffic surge. But there's no guarantee an attacker won't be able to flood that level of connectivity. "The only real option is to work with your Internet Service Provider (ISP) to implement upstream filtering," the analyst said.

Terrible Trojan

      The Symantec Threat Bulletin said a portion of the current attack is being carried out by a piece of malware identified as w32.dozer and variants of the MyDoom worm that appear to be infecting computers globally.

      W32.dozer is distributed mainly via e-mail attachments. Once the user opens the attachment, the threat downloads a package on to the system that contains the following:
• Trojan.dozer, a Trojan horse that takes control of the computer and makes it a bot in the attacker's botnet;
• A list of target sites that the bots are instructed to attack;
• The MyDoom worm, currently believed to be used for its mass-mailing capability to redistribute W32.dozer.

      Both Quin and Turner note that it's difficult to categorically identify the motives behind the attack. They say there's no evidence the attacks are being perpetrated by North Korea, as earlier reports suggested. "Given the targets, it is reasonable to assume the attack is politically motivated, though until sufficient data has been collected, it is really impossible to make any kind of determination," said Quin.

      He recalled how the 2007 cyber attack on Estonia was attributed to the Russian government but subsequent investigations didn't turn up any evidence to corroborate that claim.

What you can do

      Companies should look at the attacks as a reminder to test their preparedness, says Amit Yoran, CEO of security firm NetWitness and the former head of the National Cyber Security Division at the U.S. Department of Homeland Security.

      "If this can happen to mature organizations that really understand what the threat environment looks like, and still fall [prey], it's an ominous signal for other companies that might not be as ready."

      A key requirement for relieving an overburdened network is to quickly determine the source of unwanted traffic, noted Symantec's Turner. "Your best bet would be to identify where such traffic is coming from and have your system drop it or redirect it to a 'sink hole' - an alternative page or location." This strategy, he said, would free up some bandwidth and give the affected party breathing space until its ISP is able to completely cut off the unwanted traffic.

      Typically, the main aim of a denial of service or distributed denial of service attack is to make a computer resource unavailable to intended users. Targets are often sites or services hosted on high profile Web servers.

      One common method involves saturating the target machine with external communication requests so that it cannot respond to legitimate traffic, or slows down to the point of ineffectiveness.

      Yoran and other experts suggest that data-center and hosting operators, as well as businesses, use such attacks to check their defences. They suggest the following steps to handle an attack:

      1. After identifying the source of the unwanted traffic, use filtering tools to drop the traffic or divert it to a sink hole.

      2. Make sure your outside facing Web site is separated from your network's critical services and applications. "Create a virtual DMZ (demilitarized zone) to prevent critical databases and servers from being affected by an attack," said Turner.

      3. Coordinate action with your ISP. "Communicate immediately to your ISP what traffic needs to be filtered out or stopped," Turner said. Better yet, cultivate a good working relationship with your ISP so that you know who to contact even before an attack occurs.

      4. Don't try to keep the attack a secret. Yoran said the U.S. government initially released very little information about the attack. Such restrictions on information access caused all sorts of issues, Yoran said. When people are misinformed, they "jump to the wrong conclusions."
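The first and third steps above assume you can say which sources are flooding you and hand your ISP something it can act on. As an added example that is not from the article, Symantec or NetWitness, the script below does that triage against a Web server access log: it parses combined-format lines, flags any source whose request rate in a sliding window exceeds a threshold, collapses the flagged addresses into /24 prefixes (what an upstream is realistically able to filter), and renders local drop rules. The sample log lines, the IP addresses (all from documentation ranges), the 10-second window and the threshold of 6 requests are constructed, assumed values; the rules assume an nftables table `inet filter` with a chain `input` already exists.

```python
"""Triage a flood in a Web server access log and emit filter rules.

Added example (not from the article, Symantec or NetWitness). All addresses,
thresholds and the nftables table/chain names are assumptions for illustration.
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: ip ident user [time] "request" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (source_ip, timestamp, request) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return m["ip"], datetime.strptime(m["ts"], TS_FMT), m["req"]


def flood_sources(lines, window=timedelta(seconds=10), threshold=6):
    """Map each flooding source IP to its peak request count in any sliding window.

    A source is flagged when some window of length `window` holds at least
    `threshold` of its requests. Unparseable lines are skipped.
    """
    times = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            times[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in times.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):
            while t - stamps[start] > window:  # slide the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def aggregate_prefixes(ips, prefixlen=24):
    """Collapse flagged addresses into prefixes and count the bots seen in each."""
    nets = Counter(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False) for ip in ips)
    return {str(net): n for net, n in nets.items()}


def drop_rules(prefixes):
    """Render local drop rules (nftables syntax; table/chain names are assumed)."""
    return [f"nft add rule inet filter input ip saddr {p} drop" for p in prefixes]


def constructed_log():
    """Constructed sample: three bots on 198.51.100.0/24 and one on 192.0.2.0/24
    request /index.html once a second; two ordinary visitors come from 203.0.113.0/24."""
    base = datetime(2009, 7, 7, 14, 0, 0, tzinfo=timezone.utc)

    def entry(ip, offset, path):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 5123'

    lines = []
    for ip, n in [("198.51.100.10", 12), ("198.51.100.11", 10),
                  ("198.51.100.12", 9), ("192.0.2.50", 8)]:
        lines += [entry(ip, i, "/index.html") for i in range(n)]
    lines += [entry("203.0.113.7", 0, "/"), entry("203.0.113.7", 30, "/about.html"),
              entry("203.0.113.8", 5, "/news.html")]
    return lines


if __name__ == "__main__":
    flagged = flood_sources(constructed_log())
    prefixes = aggregate_prefixes(flagged)
    print("flagged sources:", flagged)
    print("prefixes to send upstream:", prefixes)
    print("\n".join(drop_rules(prefixes)))
```

The per-prefix counts are what you hand the ISP: a /24 with three distinct bots is a stronger case for upstream filtering than a single address, and a local `ip route add blackhole <prefix>` or the rendered nft rule is the sink-hole step that buys time until the upstream filter is in place. The check only works for traffic that completes a request and reaches the log; a SYN flood or spoofed-source flood has to be measured from flow records or interface counters, and the same sliding-window logic can be applied to those instead.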




E-Commerce Alerts are issued by Bennett Gold LLP, Chartered Accountants as situations develop. Bookmark this site and check back often. Our e-mail address is: info@BennettGold.ca

In accordance with United States Code, Title 17, Section 107 and Article 10 of The Berne Convention on Literary and Artistic Works, the news clippings on this web site are made available without profit for research and educational purposes.
