


by Bob Lonadier

Real-Life DDoS and How To Live (Through) It

Jun 22, 2001

Steve Gibson recently published a lengthy discussion of his experiences with a prolonged distributed denial-of-service attack against his company’s web site by a 13-year-old (yes, you read it correctly) hacker named Wicked. Over the course of 17 days his web site was attacked a total of six times as each preventative measure was systematically defeated. Steve was finally able to convince the perpetrator to stop by penetrating several of the hacker’s defenses to locate him and make a personal plea.

The account is instructive on several levels: it highlights the vulnerabilities of production routers and servers, the infrastructure that they sit on, and the ease with which “always on” home PCs can be compromised and turned into “zombies” silently awaiting instructions from a master to unleash a flood of packet requests on a particular target.

The hacker had amassed a zombie army of 474 PCs that could generate literally billions of false requests against a target. Worse yet, the PCs had been infected with a Trojan called Sub7Server, which captures every keystroke and reports it back to its “Master.” No wonder people are reluctant to give out credit card information over the Internet.

The attack also highlights the failure of companies that derive revenue from selling operating systems, routers, and hosting services to take adequate steps to prevent these outbreaks. The largest concentration of these PCs resides on popular residential high-speed Internet connections, whose ISPs were surprisingly indifferent about the situation. The same was true of the hosting service provider, although it ultimately had the best defense against the attacks.


Whose problem is this, anyway? In this real-life example, the “zombie” PC ISPs and the customer’s hosting service provider were in the best position not only to defeat the attackers but to prevent the attack from occurring in the first place. However, they were also among the least interested in doing anything about the situation. Many DDoS solutions are now available on the market (Arbor, Asta, Captus, Mazu Networks, to name a few).

However, most of these solutions require the hosting provider to install and/or monitor equipment and make changes to their routing tables while the attack is underway (as was the case at GRC). Given the economic woes facing most hosting service providers, it seems unlikely that they are going to want to spend dollars to help solve this problem. The service-level agreements in place proved equally fragile, as they seemed to be designed for peacetime and were not able to withstand a massive DDoS attack. Unless you spend several million dollars a month with your hosting service provider, don’t expect a quick response.

Securing the endpoints becomes critical. As long as there are vulnerable PCs out there, the DDoS problem, and perhaps more importantly the data and identity theft problem, will persist. Antivirus, personal firewalls, and better policy enforcement by the “always on” ISPs will help. Wave Systems has a unique approach to the Sub7Server threat: a secure chip that can provide “provable” security all the way to the keyboard once it gets installed.

Moving from intrusion detection/prevention to threat management. The intrusion detection space is quickly expanding into a threat management discipline. Companies like Recourse Technologies are exploring new boundaries in data collection, event correlation, and forensics that are building a more complete picture for enterprises caught up in the nearsighted world of false positives. This is another weapon in the war against DDoS.
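To make the "data collection and event correlation" idea concrete, here is an added example (not code from the column, from GRC, or from any vendor named above) that turns per-second flow records into incidents a target's operator could hand to an upstream provider. It distinguishes a distributed flood (many sources, as in the zombie army described earlier) from a single noisy client, because the two call for different responses. The flow records, the target address 203.0.113.10, and the thresholds are constructed assumptions.

```python
"""Toy DDoS flood correlator (added example; constructed data, not real traffic)."""
from collections import defaultdict

# Constructed sample records: (epoch_second, src_ip, dst_ip, packets).
# Seconds 100-102: normal traffic from a handful of clients.
# Seconds 103-105: a flood from 100 distinct "zombie" sources against the target.
# Seconds 106-107: one misbehaving client sending a lot, but not distributed.
SAMPLE_FLOWS = []
for t in (100, 101, 102):
    for i in range(1, 6):
        SAMPLE_FLOWS.append((t, f"198.51.100.{i}", "203.0.113.10", 3))
for t in (103, 104, 105):
    for i in range(1, 101):
        SAMPLE_FLOWS.append((t, f"192.0.2.{i}", "203.0.113.10", 40))
for t in (106, 107):
    SAMPLE_FLOWS.append((t, "198.51.100.77", "203.0.113.10", 5000))


def summarize_per_second(flows):
    """Aggregate packet counts and distinct source sets per (target, second)."""
    packets = defaultdict(int)
    sources = defaultdict(set)
    for sec, src, dst, pkts in flows:
        packets[(dst, sec)] += pkts
        sources[(dst, sec)].add(src)
    return packets, sources


def classify_seconds(flows, pps_threshold=1000, source_threshold=50):
    """Label each (target, second) as 'normal', 'single_source' or 'distributed'.

    A high packet rate alone is not a DDoS; the number of distinct sources is
    what separates a zombie flood from one runaway client.
    """
    packets, sources = summarize_per_second(flows)
    labels = {}
    for key, pkts in packets.items():
        if pkts < pps_threshold:
            labels[key] = "normal"
        elif len(sources[key]) >= source_threshold:
            labels[key] = "distributed"
        else:
            labels[key] = "single_source"
    return labels


def correlate_incidents(flows, **thresholds):
    """Merge consecutive non-normal seconds (same target, same label) into incidents."""
    packets, sources = summarize_per_second(flows)
    labels = classify_seconds(flows, **thresholds)
    incidents = []
    for dst in sorted({d for d, _ in labels}):
        current = None
        for sec in sorted(s for d, s in labels if d == dst):
            label = labels[(dst, sec)]
            if label == "normal":
                if current:
                    incidents.append(current)
                    current = None
                continue
            if current and current["label"] == label and sec == current["end"] + 1:
                current["end"] = sec
                current["peak_pps"] = max(current["peak_pps"], packets[(dst, sec)])
                current["sources"] |= sources[(dst, sec)]
            else:
                if current:
                    incidents.append(current)
                current = {"target": dst, "label": label, "start": sec, "end": sec,
                           "peak_pps": packets[(dst, sec)],
                           "sources": set(sources[(dst, sec)])}
        if current:
            incidents.append(current)
    return incidents


if __name__ == "__main__":
    # Print a summary in the shape of an abuse report for the upstream ISP.
    for inc in correlate_incidents(SAMPLE_FLOWS):
        print(f"{inc['label']:>14} against {inc['target']} "
              f"t={inc['start']}..{inc['end']} peak={inc['peak_pps']} pps "
              f"distinct sources={len(inc['sources'])}")
```

The source set attached to each distributed incident is the list a hosting provider or the zombies' ISPs would need in order to act; the single-source label keeps one heavy client from being reported as a botnet.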

Don Quixote is dead. Don’t expect Microsoft, Cisco, Sun, etc. to redesign their operating systems to prevent these types of attacks from occurring in the future. They will do what suits their own needs first. Don was never that good at getting the windmills to move, anyway.