Recent ‘Cyber Attacks’
We have seen a flurry of news reports regarding a recent cyber attack (the weekend of July 4th, 2009 and into the following week). Reports describe it as a large-scale attack that targeted public Internet sites in the US and South Korea, and there have been insinuations that North Korea or supporters of North Korea are behind these annoyance attacks. [Note: I use the annoyance label since no financial or other significant loss has been reported to date.]
The public information (news reports in print, online and on the network newscasts) describes the attack as a Denial-of-Service (DoS) attack, or more precisely a distributed one (DDoS), since the traffic came from many machines at once. With this type of operation the bad guys try to bring down a network resource by overwhelming it with requests (for the systems involved it’s like trying to use a phone when the phone lines only give busy signals during a major event like a hurricane). They do this by building a bot-net (an army of drone computers, usually infected with malware that lets the bad guys control them remotely) and then instructing the drone army to open connections either at a specified date/time or on demand.
For this incident it was reported that some of the targeted sites were able to handle the problem while others were not. To deal with such an attack you need to be able to control the network traffic reaching your resource: you review your total network traffic for anomalies (for example, sources that open far more connections than normal), identify the ‘bad traffic’ and drop it before it reaches the servers. That only works while the flood is smaller than your Internet link; once the link itself is saturated the filtering has to happen upstream, so you must rely on your ISP to control such bad traffic. How many web sites/businesses have this level of control, or this level of relationship with their web site ISP? Very few…
So what can the rest of us do about these types of Cyber Attacks?
Here’s a short and simple list for your home or small business that may keep your own computers from becoming part of a bot-net:
- keep your anti-virus software up-to-date
- keep your PC OS up-to-date (i.e. run Windows Update)
- run a firewall on your PC
- turn off your computer when you don’t need it
- turn off your Cable/DSL connection when you don’t need it (this keeps any ‘bot’ from having network access: an attacker cannot find your network from the outside, and any ‘bots’ already on your network cannot reach their controller…)
- avoid free program downloads from untrusted sources, especially free games (a major source of viruses/bots)
More advanced steps:
- monitor your Cable/DSL connection for attacks and report suspicious connections to your ISP (so what are all those attempted connections from Asia and Europe really about?) If your router supports it, point it at a syslog tool so the activity is recorded and can be reviewed later.
- on your local network, block ‘bad’ IP ranges and domains using a local firewall or a network routing filter (keeping in mind that blocking a whole range also blocks any legitimate users inside it)
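As an added worked example (not code from the original post), here is how the traffic review behind the two advanced steps above, and the anomaly review mentioned earlier for a targeted site, can be done on a small scale: parse a router’s dropped-connection syslog, count attempts per source per minute, flag sources above a baseline, and turn the flagged sources into firewall rules. The log format, the threshold of 5 attempts per minute and the /24 grouping are assumptions for illustration; real router syslog formats differ, so the regex must be adapted, and the sample log lines are constructed from documentation IP ranges.

```python
"""Added example: review a router's syslog for connection-flood sources and
turn them into block rules. Not code from the original post; the log format,
the threshold and the /24 grouping are illustrative assumptions."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed log format: an iptables-style DROP record as many home routers emit
# (constructed for this example; adapt the pattern to your router's output).
LOG_RE = re.compile(
    r"^(?P<minute>\w{3}\s+\d+ \d\d:\d\d):\d\d \S+ kernel: DROP .*?"
    r"SRC=(?P<src>\d+\.\d+\.\d+\.\d+) .*?DPT=(?P<dpt>\d+)"
)


def _drops(src, minute, count, dpt=80):
    """Build `count` constructed DROP lines from `src` inside one minute."""
    return [
        f"Jul  7 02:{minute:02d}:{sec:02d} router kernel: DROP IN=eth0 "
        f"SRC={src} DST=192.0.2.5 PROTO=TCP DPT={dpt}"
        for sec in range(count)
    ]


# Constructed sample log (documentation IP ranges only). It mixes noisy
# sources, two hosts in one /24, a slow steady source and unrelated lines.
SAMPLE_SYSLOG = "\n".join(
    _drops("203.0.113.10", 14, 6)          # 6 attempts in one minute
    + _drops("203.0.113.77", 15, 7)        # 7 attempts, same /24
    + _drops("198.51.100.7", 14, 8, 22)    # 8 attempts at SSH
    + _drops("192.0.2.99", 14, 2)          # background noise
    + _drops("192.0.2.200", 14, 5)         # 5 + 5 split across two
    + _drops("192.0.2.200", 15, 5)         # minutes: never over threshold
    + ["Jul  7 02:14:30 router kernel: ACCEPT IN=eth0 SRC=203.0.113.10 "
       "DST=192.0.2.5 PROTO=TCP DPT=443",
       "Jul  7 02:14:31 router dhcpd: lease 192.0.2.5 renewed"]
)


def parse_drops(log_text):
    """Yield (minute, src, dst_port) for every DROP line; other lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.group("minute"), m.group("src"), int(m.group("dpt"))


def attempts_per_source_minute(events):
    """Count attempts keyed by (minute, src); the one-minute window keeps a
    slow, steady scanner from being mistaken for a burst."""
    return Counter((minute, src) for minute, src, _ in events)


def flag_sources(counts, threshold):
    """Sources that exceeded `threshold` attempts in any single minute.
    The threshold is site-specific: derive it from your own quiet-period logs."""
    return {src for (_, src), n in counts.items() if n > threshold}


def aggregate_blocks(flagged, min_hosts_per_net=2):
    """Collapse flagged hosts into a /24 when several share it, otherwise keep /32.
    Range blocks are cheap but take legitimate neighbours down with them, so
    the grouping threshold is deliberately conservative."""
    by_net = defaultdict(list)
    for src in flagged:
        by_net[ipaddress.ip_network(f"{src}/24", strict=False)].append(src)
    blocks = []
    for net, hosts in by_net.items():
        if len(hosts) >= min_hosts_per_net:
            blocks.append(net)
        else:
            blocks.extend(ipaddress.ip_network(h) for h in hosts)
    return [str(b) for b in sorted(blocks)]


def iptables_rules(blocks, chain="INPUT"):
    """Render drop rules as strings; nothing is executed by this script."""
    return [f"iptables -I {chain} -s {block} -j DROP" for block in blocks]


def analyze(log_text, threshold=5):
    """Full pipeline: log text in, list of CIDR blocks to drop out."""
    counts = attempts_per_source_minute(parse_drops(log_text))
    return aggregate_blocks(flag_sources(counts, threshold))


if __name__ == "__main__":
    for rule in iptables_rules(analyze(SAMPLE_SYSLOG)):
        print(rule)
```

Run on the constructed log this yields one /24 block (two flagged hosts in 203.0.113.0/24) and one /32 (198.51.100.7); the host that spread ten attempts evenly over two minutes is left alone, which is the point of counting per window rather than in total. The rules are printed rather than applied so they can be reviewed first: a source that shows up in a router’s drop log is usually a compromised drone or a scanner rather than the attacker, and a range block is a blunt instrument.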
Any future, more serious dangers?
Absolutely! Any public network (the Internet allows connections to/from just about any country) and any private network (a phone system or a dedicated private line) has SPOF/Es (single points of failure or entry). Hopefully our service providers are continuing to enhance their ability to respond to both nuisance and more serious attacks. Bottom line: always have a plan N+1 (a spare path or provider beyond the one you depend on) if you need a resource 24×7×365; otherwise plan for some down time.
More about Bot-Nets
A drone computer (bot-net member) could be anywhere there is a network connection. This increases the difficulty of isolating and identifying attacks from a bot-net (if all the bad connections came from one town you could just block connections from that town). When the connections are global, a more sophisticated analysis of network traffic is needed. The good news is that it should be possible to back-trace to the source; it’s just somewhat time-consuming and a very detailed process, and the longer an attack lasts the more likely it can be tracked to the origination point(s). The bad news is that we seem to lack adequate resources as well as adequate international law enforcement agreements to do this quickly. The end result is that traffic will be blocked until a better solution is found…
If a network connection is coming from IP address aaa.bbb.ccc.ddd then that is the ‘bad guy’, right? Not necessarily; it’s more likely that the bad guy is controlling a computer located on the network of aaa.bbb.ccc.ddd. And the bad guy could be managing his bot-net through yet another bot acting as his control center, connecting to it from a phone and a web browser (a real PC or wired network connection is not needed once a bot-net exists…). A not too far-fetched scenario: the bad guy in country A connects to a web site in country A, which connects to a web site in country B, which connects to a web site in country N+1 …, N+x, … which controls the bot-net…
A related topic – I previously posted about WAFs – web application firewalls; at this time I am blocking over 2000 IP addresses and 17 IP ranges – all based on a review of network connection behaviours. I will compare my block list with my local network abuse list (which I am building by reviewing the syslog entries from my router) – it will be interesting to see any similarities beyond IP abuse from Asia, Europe and South America (the most prominent IP spaces that I am seeing abusive network behaviours from – could just be an indication of where the larger bot-nets are…)