UPDATED X1: Latest Updates on Ongoing DDoS on Governmental/Commercial Websites in USA and S. Korea
A quick update on the DDoS of various governmental/commercial sites in the US and South Korea. At this point, the security researcher community is still working on the particular malware involved, the sites involved and how to remediate the ongoing threat. However, what is clear is that more or less well-known techniques are being used to debilitate the online presence of the aforementioned governmental/commercial entities.
First, the government is still operational. This attack, while problematic, doesn't stop the country from working. If ftc.gov is offline, the economy doesn't crash. Based on that alone, this attack cannot be labelled as cyberwarfare. That isn't to say it isn't significant or a problem. However, the key takeaway is that the governments of the US and S. Korea are still working and still operational. They do not rely on their public facing websites to work.
While more technically specific writeups are being prepared (and conference calls and the like are being held around the clock on this one), some quick points. It does not seem that any new or novel techniques are being used. A new DDoS toolkit, perhaps, but well-known attacks: simply flood the target with more requests than it can handle.
This leads to a lose-lose proposition. Do nothing, and anyone who accumulates a botnet of unremarkable size can keep an entity from operating online. The alternative is spending enough resources to absorb the traffic, which imposes costs on the victim and is still a "success" for the bad guys. On the one hand, no service; on the other hand, a very excessive cost to provide service. No matter which path we choose, we lose. It's just a question of how much.
The core problem is that bandwidth is limited but the ability to control a vast army of machines (i.e. botnets) is trivial.  The solution to this problem isn't remediating DDoS per se, it's remediating the triviality of getting lots of end-users to get themselves infected with malware. This latest denial of service is just another indicator of the core problem.
The problem is that end-users cannot (and should not be expected to) secure their home hardware. They simply lack the skills (and we shouldn't lament this; these skills being a scarce commodity allows us to demand high salaries, after all). The responsibility must be shifted to the party closest to the user with the resources and skills to remediate this problem, namely, the ISPs. Until we get to that point, these problems will keep recurring.
Until then, researchers continue to work around the clock playing whack-a-mole with the latest attempts. Thankfully, they are few and far between, but in an increasingly "cyberwarfare" oriented world, that won't be the case for long.
UPDATE 07.10.09 @ 0100 GMT - Shadowserver has a nice writeup of the attack and a good analysis. Key takeaway: there is NO EVIDENCE that N. Korea has launched a cyberwar against the United States. Ignore the media and the "Fire up the B-52s" crowd.
--
John Bambenek
bambenek /at/ gmail /dot/ com
Comments
Swa
Jul 9th 2009
CG
Jul 9th 2009
The problem with shifting the liability to the software is that some types of software can't be liable. For example, are we going to go after the OSS community for a PHP worm?
I don't *like* the idea of ISPs getting into the practice of dropping packets, both from the expense and the moral standpoint of ISPs getting between the client and server. If ISPs start blocking what they think is bad traffic, they will either start blocking good traffic by mistake or the botmasters will change their attacks to look more like legit traffic.
However, I can't think of a better solution. At the very least, I think ISPs need to respond quickly to alerts that they have an attacking client. Do the ISPs have the tools to do this, though?
Jason
Jul 9th 2009
CG
Jul 9th 2009
Why not? We're not talking about having home users become security professionals but why can we not expect home users to do the simple, mundane things that actually for the most part prevent malware from being installed in the first place?
We expect people to lock their doors. We expect people to put bars on their windows if they live in a bad neighborhood. We expect people to protect themselves from the world all the time. Why is it too much to expect people to have a simple consumer firewall (Linksys or ZoneAlarm, for instance), AV, anti-malware software (i.e. Spybot, if not included with your AV product) and to actually update their software?
None of that requires any actual knowledge of security practices to run and install. There have been very good free AV, anti-malware and firewall software for a decade. A small Linksys box costs $30 or so. Windows update has existed since Windows 98 and it nags you about configuring it since XP SP2. A lot of software can check for itself online to see if there are updates.
Botnets and the problems they cause are not going away until this idea that the end user is just too stupid to do anything and therefore should get a free ride to enable others to screw over services on the Internet dies. End users absolutely should be expected to do the simple things to protect their own stuff, whether in the physical world or in the virtual world that is the Internet.
SMB
Jul 9th 2009
While the retailer (the ISP) may have a moral obligation to protect their customers, regulation should be imposed upon the product manufacturer.
IMHO, of course.
kt
Jul 9th 2009
BDA
Jul 9th 2009
Sounds like an interesting topic for a poll?
Joel B
Jul 9th 2009
CG
Jul 9th 2009
Disagree. The responsibility of SysAdmins is to promote security wherever and whenever.
However, it's my observation that multinational ISPs have not done enough to secure their networks, which includes the customer last mile.
Also don't forget companies can have their hands tied. Just look at Net Neutrality.
Microsoft has also done a great job of improving security processes over the years.
t-c
Jul 9th 2009