ZIFFPAGE TITLEBig Business For CybercriminalsBy Kevin Fogarty | Posted 2005-02-09 Email Print
A new breed of online extortionists is threatening to attack Web sites unless the companies pay up. Some big-name sites, including Microsoft and Google, were saved from harm last June with concerted combat against an army of bots.
Big Business For Cybercriminals
Not unusual, however, was the fact that the botnet attack focused on a company or companies with a major online presence. So-called denial-of-service attacks, which were once the exclusive tool of pranksters and vandals, have become big business for criminals who have found that extortion can be done online as easily as in person.
Online credit-card processing vendor 2Checkout, for example, reportedly rebuffed such a demand for an extortion payment last April and was hit with a series of denial-of-service attacks lasting more than a week. Another credit-card processor, Kentucky-based Card Solutions International, also was hit with a similar attack in April, after its owner refused what he said was a demand for $10,000 from a group of Latvians. Credit-card processing service Authorize.net received a series of attacks in September after refusing to respond to a demand for money that was sent to its general e-mail box.
In August, Saad Echouafni, head of a satellite data reseller called Orbit Communications, was indicted by a federal grand jury in Los Angeles for allegedly launching distributed denial-of-service (DDOS) attacks on three of his competitors, resulting in losses to those companies ranging from $200,000 to more than $1 million. The 37-year-old Moroccan subsequently disappeared, according to the FBI, which suspects he may have fled the country.
The indictment was the first for a distributed attack launched purely for commercial purposes, according to the FBI, which has put Echouafni on its most-wanted list.
Bots also are believed to have helped spawn the growing scourge of financial fraud from "phishing" for credit-card information on the Web. From September to October, the number of phishing sites doubled, according to Websense, which says the spike was probably due to the ability of bot networks to spew out e-mail as well as host the imitation sites that "phish" for individuals' financial information.
Given its high profile, Akamai is not an unlikely target for a bot attack, but it's not an easy target, either. Rather than connect its 15,000 servers by a private network, Akamai locates them in 69 countries and connects them via the fabric of the Internet itself, which uses enough transmission channels that it's almost impossible for one packet flood to choke them all.
The result of the attack wasn't instantaneous, but it didn't take more than a minute or so for people at Akamai to notice, according to Andy Ellis, the company's director of information security. He spotted the slowdown himself when his request for a customer's site was slow to resolve, indicating one of his DNS servers was misbehaving. Another try got the same result.
But even as virtual alarms went off in his head, real ones flashed in the Network Operations Command Center (NOCC) down the hall, where traffic
volumes spiked on Akamai's DNS servers and intrusion-detection specialists started calling for help.
First to respond was the White Hat team, a hand-picked group of Akamai's best architects, operations, security and development engineers. Always on call, the team follows a precisely structured emergency response procedure.
The initial step is a conference call to define the problem and divide up the tasks involved.
"By the time I called the NOCC to say we needed to initiate the White Hat conference bridge, they were already dialing," Ellis says. "By the time I got on as the host a few seconds later, there were already four people waiting."
The first problem is figuring out exactly who and what is under attack, which isn't as obvious as it seems. If Microsoft were under a denial-of-service attack in which thousands of computers each sent bogus requests for connections at the same time, much of the traffic would flow through Akamai's servers. In this case, however, loads were spiking all over Akamai's DNS servers, not just on those for one or two particular customers.
Ellis won't talk about specifics, but typical strategies to fend off a denial-of-service attack include rate limiting (servers are configured to accept only a certain number of requests per second) and packet filtering (suspect packets are simply ignored or turned away by the server). To filter packets, however, you have to know what kind are involved in the attack and at what source they're addressed.
That often requires on-the-fly reconfiguration of filters that are already in place. And rate limiting can slow the response of servers that Akamai's customers use specifically because response times are fast.
Both of those techniques can make the problem worse, in fact, by restricting legitimate traffic and accepting bogus requests that look legitimate because the botnet is programmed to hide the IP address from which they send the packets, and to change the address from which they're pretending to work.
Botnets can also avoid telegraphing their presence. When a virus infects a machine, it often uses Address Resolution Protocol requests to find other potential targets on the network. That jabber helps security administrators discover the problem earlier and nail it down sooner by shutting off the ports the virus attempts to penetrate. Botnets, however, can be programmed to target a specific range of IP addresses; that makes them more stealthy and effective because all the traffic they generate is aimed at specific targets rather than on attempts to expand, as in a virus attack.
Ellis says Akamai has gotten good at identifying distributed attacks quickly, separating legitimate from illegitimate packets, and shutting down access from addresses that seem to be the real source of attacks. The quickest way to respond is to identify the specific attack pattern and get teams of experts working on different parts of the effort to shut it down.