Bots Hammer Estonia In Cyber Vendetta

With nearly all DDoS attacks and spam coming from bots, infections have become a growing concern for businesses as well.

Larry Greenemeier, Contributor

May 18, 2007


To understand the threat that compromised computers known as "bots" pose not only to individual companies but to the Web as a whole, one has to look no further than the onslaught of crippling distributed denial-of-service, or DDoS, attacks Eastern Europe's Estonia has endured since the beginning of the month.

A number of the country's Web sites, including the one for its Ministry of Finance, have in the past two weeks been the victims of 128 different DDoS attacks, according to a security research site.

The attacks began in early May in protest of the Estonian government's removal of a Soviet-era memorial from the center of the country's capital, Tallinn. The country has been at odds with Russia since regaining its freedom from the former Soviet Union in 1991. Now Estonia has become the victim of a high-tech brand of vengeance, as botnets flood the country's networks with an overabundance of traffic in an effort to disrupt business and government functions.

The longest attacks have been sustained for more than 10-and-a-half hours, "dealing a truly crushing blow to the endpoints," Arbor Networks senior security engineer Jose Nazario wrote Thursday in a blog entry. The Arbor Threat Level Analysis System, or Atlas, has been tracking Estonia's botnet troubles. "When you think about how many attacks have occurred for some of the targets, this translates into a very long-lived attack," he wrote.

Of the attacks Arbor has measured, 10 were at 90 Mbps and lasted more than 10 hours. "All in all, someone is very, very deliberate in putting the hurt on Estonia, and this kind of thing is only going to get more severe in the coming years," Nazario wrote.

Increasingly, botnets are responsible for 99.9% of all DDoS attacks, which pose a threat even to the largest carrier networks, says Arbor Networks chief research officer Danny McPherson. "Every time I see an attack on the Internet, I think about what's motivating the attack, whether it's religious, political, monetary, or something else," he told InformationWeek. More interesting than the size and frequency of the Estonia attacks is the context of the attacks, which is primarily political. Adds McPherson, "We see this as an act of war on the state."

The word "bot" generally refers to a compromised computer infected with malware that allows it to be remotely controlled. Along these lines, a "botnet" is a collection of bots under the same controlling entity. This entity can communicate with different bots individually; it doesn't necessarily have to send them all the same commands.

Botnet attacks aren't limited to Eastern Bloc turf wars; they've also penetrated the likes of the U.S. Department of Defense, Argonne National Laboratory, and the Alabama Supercomputer Network, InformationWeek reported last October. Botnet infections have become a growing concern for businesses. Speaking at AT&T's Cyber Security Conference on Thursday, David Gross, the company's principal for technical security, noted that he and his team have found as many as 64 botnets active out on the Internet in one day, controlling a total of 168,000 compromised computers.

Once an infected computer is turned into a bot, sometimes called a "zombie," it can be used to more subtly attack other computers, installing keyloggers or information sniffers, for example, that allow it to upload or download information to and from those computers. Bots can prevent a computer's antivirus software from receiving the latest signatures and can redirect an organization's domain name system server so that traffic attempting to reach a legitimate site is sent to a phishing site. They can also be used to send spam. In fact, "at least 97% of all spam delivered today comes from bots," McPherson says.

The success of an organization's defense against its computers being turned into bots depends upon the level of sophistication of the malware being used to create those bots and the botnet herder's skill in avoiding detection. At the very least, companies must regularly patch their software and keep their antivirus software up to date. Companies must carefully monitor not only inbound network traffic for malware and suspicious behavior but also outbound traffic leaving the network, in the event this traffic contains malware from an infected computer that could be used to recruit additional bots.

What makes bots so hard to eliminate is the difficulty of tracing the origins of bot traffic. Bots within a botnet are given their marching orders from a bot posing as a command-and-control node, and the botnet herder can move this node from one compromised computer to another to avoid detection. "It's hard to find a command-and-control system when a bot herd has 70,000 bots," Gross said Thursday. "Bots can also exist in different countries, which have different laws governing them and their removal." Some botnets can be hosted by computers that exist in anywhere from five to 50 different countries, Arbor's McPherson says.

The most common approach today when an organization's network is being attacked by a botnet is to cut off all traffic to any servers that are being targeted. This, however, isn't a way to solve the problem so much as it is a way to address an organization's most immediate concerns. More effective, and more difficult, is to have cooperation among botnet victims, ISPs, and law enforcement worldwide. "You've got to clean up those compromised hosts and prosecute offenders," McPherson says.

Until this happens, international cyber attacks such as the one Estonia faces will be a threat to every business and every developed nation.
