PROLEXIC TECHNOLOGIES

Attack of the Killer Bots
June 4, 2007


Imagine that you own a smallish Canadian company that has enjoyed steady growth over the past 10 years. Unlike your dad, who was in the mail-order business, you don't have to worry about rising fuel costs or looming postal strikes because your products are expertly refined packets of information that you deliver with the click of a mouse. The Internet has become such an integral part of your workplace that it's hard to imagine that not very long ago web-based commerce was virtually nonexistent, and the most futuristic technology in your office was a temperamental coal-fired contraption called a fax machine.

You're feeling pretty good about all this. But one spring morning trouble arrives at your head office, in the form of a computer meltdown. Your IT specialists leap into action and discover that your site is being deluged with requests for PDF uploads and other information. The messages are coming from around the world and there are thousands per minute, far more than your system can handle. The techies are baffled, and by the end of the day, your server is still crippled. This is costing thousands of dollars per hour, and no one seems to know what to do.

At 7 p.m., as everyone else in the city is enjoying dinner, you're fighting off a rising wave of panic. What the hell is going on? Then, as mysteriously as it began, the tsunami subsides, and your system begins to recover. A few minutes later your computer beeps and a message appears in your e-mail inbox.

"How do you like us so far?"

You type in a response. "Who are you?"

A second later the answer appears. "You don't need to know that. What you need to know is that we can attack you any time, and take you down for as long as we please. Your only remedy is to send US$25,000 to a bank of our choosing by noon tomorrow, your time, or you're out of business."

You try a bluff. "I have close contacts with the police."

A happy face pops up on the screen. "Good luck with that."

You work the phone all evening, trying to find someone who can help. You call your so-called close contact in the police, in fact your second cousin Bob, who works in fraud on the West Coast. Bob's on the road, so you leave a message. You call a company in the United States that acts as an emergency responder in these kinds of cases. They have an after-hours 911 service, and their on-call specialist assures you they can get you back up and running. But your heart sinks at the price: it's even more than the extortionists are demanding. Your cousin Bob finally returns your call and listens patiently to your story. It's not exactly his jurisdiction, but he's familiar with these types of scams. They're called distributed denial of service attacks, and they're becoming a real problem for web-based businesses. He gives you a couple of numbers for computer crime specialists at your local police department and the RCMP, but he doesn't sound assuring. "This is between you and me," he says. "But it might be easiest just to pay them off and hope they don't come back."

As Canada becomes swept up in the digital revolution, governments and businesses are increasingly using the Internet to deliver crucial information and services. Doing business on the Net is fast and easy, and it eliminates many of the costs associated with infrastructure and delivery. E-commerce, in fact, is turning into one of the most dramatic revolutions in the history of Canadian business. But it's not without its risks. The same accessibility that makes the Internet useful makes it open to criminal abuse.

No retailer would leave his store unsupervised and unlocked while he went for lunch, but user-friendly interconnectedness leaves companies wide open to round-the-clock visitors, and cyber criminals enjoy the added benefit of anonymity and low risk. Police forces are for the most part only geared up to deal with criminals in their own jurisdictions. And when an e-business owner finds himself in the sudden and very unpleasant situation of being shaken down by nameless thugs from Guangzhou or Belarus, there's not much the local police can do except make some dutiful phone calls and offer a consoling slap on the back.

There are literally hundreds of ways that companies can be attacked over the Internet. The scenario described above, a distributed denial of service extortion attempt, is one of the most problematic, because conventional firewalls and security measures are nothing more than a minor nuisance for the sort of skilled criminals who specialize in DDoS attacks. According to police and security experts, DDoS scams typically involve a group of criminals who may live in different countries and conspire over the Internet. The main player, the botmaster, is often a bright young freelancer, either amateur or professional, who writes a mini-program called a Trojan, which he distributes via the Internet to thousands, sometimes tens of thousands of private computers around the world. Like the hollow wooden horse after which it is named, his Trojan enters the host computer and installs a zombie program or bot (short for robot). Now, by remote control, he can force those computers to do his bidding.

Getting the word out in the online community through Internet message boards or by posting advertisements on obscure websites, the botmaster offers to rent his zombie army to anyone willing to pay his price. (The average rental price is about 4¢ per computer.) A group of extortionists in a foreign country might answer his ad and agree to lease his computers on a short-term basis, which they then use to launch an attack on some vulnerable e-business, besieging its website with so many requests for information that its system crashes.

RCMP Sergeant George Wiegers heads up a unit of computer crime investigators based in London, Ont. It is made up of three teams, each one specializing in a different type of investigative work. (His main task is to investigate threats to Canada's critical IT infrastructure.) The OPP, the Toronto Police Service, and the federal RCMP all have similar teams, each with its own mandate. Wiegers says the first wave of a DDoS attack is often just a show of force, a way of getting the victim's attention, after which the extortion demand is delivered. "It's not always a big company they'll go after," he says. "They're not usually going to try and take down eBay or Amazon because their security is too effective. They'll do their research and go after smaller companies that are more vulnerable."

Wiegers says DDoS attacks have been around for several years, but most government agencies and companies don't know much about them. "We first began investigating botnets in 2004," he says. "But the average Canadian still doesn't understand their power and danger. I would say that the courts and law enforcement aren't much more knowledgeable. I doubt very much that your average cop, for example, has ever heard of a botnet. But computer crime is getting to be a big concern, and it's not going away any time soon."

In the United States, a young computer whiz from Downey, Calif., was convicted last year for transmitting malicious code over the Internet to find and exploit vulnerable computers. The FBI charged that Jeanson James Ancheta, then 20, built a botnet of 400,000 computers and rented it to other users who used it to launch DDoS attacks. Ancheta also earned $60,000 using his botnet to distribute adware for companies including two based in Quebec, and attacked and intentionally damaged computer systems used by the U.S. military. Ancheta pleaded guilty, and admitted that he explained to his customers the best way to implement the DDoS attacks, suggested the number of bots they would need, tested the botnets with them and advised them on how to properly maintain and strengthen their army of zombie computers. The authorities seized Ancheta's computer equipment, a large amount of cash and his BMW, and the judge sentenced him to 57 months in prison.

The case got a lot of attention in the American news media. But given the fact that Symantec Corp. (a prominent Internet security firm) says it sees up to 50 new botnets a day scouring the Internet for victims, the average business owner might take little comfort in the fact that Ancheta, so far, has been the only person in the United States prosecuted for a DDoS attack. If he had lived in, say, Omsk, Russia, rather than Downey, he might still be in business. And, in hindsight, it also might have been smarter if he hadn't attacked a computer network belonging to the Weapons Division of the United States Naval Air Warfare Center.

Canadian companies have come under DDoS attack, but it's impossible to know how many have been hit because victims are invariably reluctant to come forward. "I won't say how big the problem is," says the RCMP's Wiegers. "And that's not an answer I'm giving for tactical reasons; it's simply because I don't know, and neither does anyone else. If I had to take a guess, I would say it's a growing problem."

Businesses are reluctant to admit that they've been extorted because clients tend to become alarmed if they discover a company's Internet security has been compromised. (Several Canadian companies that have been attacked by DDoS hackers declined to be interviewed for this story.) Even if victims report an attack, Wiegers admits that the police usually have little to go on. "These kinds of investigations take time, and they're often multinational in scope, so if someone is under DDoS attack there's not much we can do to help."

So what are the options? In Britain, experts estimate that up to 25% of the computers in the country are zombies. At one point in 2005, the large Internet service provider Pipex was recording up to five DDoS attacks on its clients every day. When they call for help, Pipex sometimes recommends a product called Cisco Guard, which diverts mail through its own massive servers and distinguishes legitimate messages from the malicious sort. Cisco Guard is costly, sometimes even more expensive than the blackmail demanded. (One small online cash service had to pay £20,000 upfront and another £3,000 per month for Cisco Guard after it was shaken down by Russian extortionists.) But ongoing protection at least guarantees that the criminals won't be back for more.

The world's leading specialist in what it calls DDoS mitigation is run by Canadians. Keith Laslop, 35, was born in Edmonton, educated in London, Ont., and after living for six years in London, England, got a call from an old acquaintance, who suggested he get into the field. Laslop moved to Hollywood, Fla., where he now serves as president of Prolexic Technologies Inc. Prolexic has about 40 specialists working out of six offices around the world, and it maintains a 24-hour-a-day emergency 911 line. It might all sound a bit melodramatic, but Laslop says denial-of-service attacks are no joke. "These criminals are hugely skilled," he says. "And your everyday security system is no challenge to them. They have many ways of getting around whatever protection a company uses, and they keep changing their tactics to stay ahead of the game."

Laslop says large firms like banks and airlines are by no means immune to DDoS hackers. In one case, they crashed an Australian bank's website, then sent e-mails to thousands of customers, explained that the website was down and asked for account information. The messages looked very official, and anyone smart enough to look on the web saw that indeed the website was down. So a number of people were defrauded. Other DDoS attacks are motivated by revenge or rivalry. "We see companies taken down by their competitors during busy sales seasons, and we've seen airlines taken down by disgruntled former employees."

Only a few years ago, online porn and gambling sites were the main target of DDoS blackmailers, many of whom were based in Russia. There wasn't a lot of sympathy for the victims in those cases, but that's changing. China is the new headquarters for cyber crime, and botmasters prey on any businesses that use the web. "It's an epidemic in China," says Laslop. "A few years ago, about 25% of hackers were Chinese. Now it's about half. But they only go after foreign targets. If a Chinese national hacks into a Chinese bank, he might face the death penalty. But if he attacks an international bank, he might only get a warning. For a second or third offence, he might get a small fine or a suspension of his Internet privileges for six months. In a poor country like that, a smart young computer whiz can assemble a botnet and rent it out for a thousand dollars a day, so you can see why it's becoming such a problem."

When clients come to Prolexic in an emergency, the company can usually get them back up and running in a few hours. The price varies according to the size of the firm, and typically runs several thousand dollars per month for a small company. Prolexic uses enormous servers that scrub all Internet traffic before sending it on to the client. "Some of these new DDoS attacks are very powerful," Laslop says. "I'm talking more than 10 gigs per second, really awesome. We can handle anything they throw at us, but we have to constantly evolve and stay ahead of them. It's an arms race, and these guys really know what they're doing."

About Prolexic:

Prolexic Technologies provides cutting edge solutions that protect Internet operations from the debilitating service disruptions caused by DDoS attacks. Prolexic's patent-pending Clean Pipe Virtual Transport(R) network offers solutions that keep its clients' Internet-facing infrastructures free of DDoS traffic. Without making major adjustments or multimillion-dollar investments in their existing hardware infrastructures, Prolexic's customers rest assured that their network borders are secure and can thus focus on what is really important: their businesses. More information about Prolexic is available at www.prolexic.com.
Copyright © 2003-2008 Prolexic Technologies Inc. All rights reserved.