ZIFFPAGE TITLETo The Bridge, OnBy Kevin Fogarty | Posted 2005-02-09 Email Print
Modernizing Authentication — What It Takes to Transform Secure Access
A new breed of online extortionists is threatening to attack Web sites unless the companies pay up. Some big-name sites, including Microsoft and Google, were saved from harm last June with concerted combat against an army of bots.The Double">
To The Bridge, On The Double
"We had the full team on the bridge in a matter of minutes," Ellis says. "We had about 20 people on the phone. There were about nine of us in an 8-by-8 office with three conference bridges open and a raft of cell phones."
Ellis split the team into subgroups, one of which had charge of forensics-capturing packets and decoding the request pattern to profile the attack and recommend countermeasures.
Other teams fanned out to notify federal law enforcement agencies and Internet service providers, both to help them shut out any subsequent attack and to ask for any help they could offer. A third group evaluated the impact the attack was having on customers, which, after all, hire Akamai to keep attacks like this one from affecting them.
One team launched an application the intrusion-detection group had developed that was designed to filter and identify rogue packets more quickly than the existing set of custom-developed tools Akamai used. "We were waiting to put it in until we needed it," Ellis says.
"We had the attack mostly mitigated within about 90 minutes, but we got a little lucky," he adds.
Normally, address-spoofing makes it hard to identify the zombies in a botnet, let alone the machines that are controlling them. But while an Akamai network architect was warning a colleague in a university data center about the attack, the data-center manager noticed there was not only a lot of traffic streaming from his site to Akamai, but also a lot of IRC traffic. It turned out the attacker was controlling the invasion through corrupted machines within the university's network. It didn't take long to shut the controllers down.
At the request of the data-center manager, who prefers not to be known as the supervisor of the launching point for the most serious attack on Akamai during 2004, Ellis won't reveal the location of the data center: "We sent the FBI that way, though." So far, no one has been arrested for the attack.
Akamai did well by responding to the attack that quickly, according to Johannes Ullrich, chief technology officer for the Internet Storm Center, a unit of the SANS Institute security education company. The attack's focus on the DNS servers made it a serious challenge for Akamai, he maintains. "If they get 10 major attacks a year and this is the only one that had any real impact, that's pretty good," Ullrich says.
Akamai can handle north of a billion bits per second, has a distributed-network design and a full-time, fast-response security team. That's why customers sign up with it rather than try to build similar capabilities themselves. "They're where you go to help avoid DDOS attacks. You don't want to go there to find them," Ullrich says.
Akamai said only 1% of its 1,100 customers suffered enough in the attack that more than 20% of their visitors saw any effect. Only 2% of its customers saw any performance degradation, according to the company.
Still, a problematic attack on Akamai makes the case stronger for botnet masters whose goal isn't just to interrupt Internet traffic, but to make money off it.
"Extortion is big right now," says Marty Lindner, team leader for incident handling at the Computer Emergency Response Team (CERT) Coordination Center at Carnegie Mellon University. "If I have a botnet army and you have a big commercial Web site, I can go to you and say, 'Pay me a lot of money or I'll DOS you off the face of the Earth.'"
Though it doesn't track the number of extortion attempts connected with botnet attacks, Symantec's Internet Security Threat Report estimates that during the first six months of 2004, the number of actively controlled compromised machines on the Internet went up from 2,000 per day to more than 30,000 per day on average, with peaks to 75,000 in one day. About 16% of botnet attacks are against commercial Internet sites, an increase of 400% from 2003, which may indicate a shift toward profit as a goal rather than reputation.