It's been a pretty interesting week on the cybersecurity front, with the DDoS attacks on South Korea and the United States making the most headlines. I've been trying to keep up with all of the regular media and blogs and, quite frankly, it's a bit overwhelming. There's a lot of intrigue to this story, but I'm beginning to wonder now if it's been overblown a bit, because a couple of things just don't seem to add up.
The first interesting thing that jumped out at me was that, while the attacks apparently began on July 4, there wasn't any mention in the media until July 9. This is interesting because it appears that something getting so much attention from the affected organizations wasn't even noticed publicly for at least four days. Doesn't that sound amazing when the media is so quick to jump on anything that sounds sexy like a "cyber attack"? From what I've been able to determine, based on dozens and dozens of "unofficial" media reports and blogs, five U.S. websites were initially assaulted by a DDoS on July 4, and that number grew to more than 35 over the next few days, including both South Korean and U.S. government and private sector company websites. Wow!
What does that really mean? Well, the estimates I've read put the botnet at around 60,000 bots. While it appears that the attacks were actually targeted attacks, and certainly not trivial, 60,000 is also not a large botnet. So the second puzzle is this: if the botherder was truly a professional wanting to do harm, why would they spread the attack from a relatively small botnet across more than 35 websites? That's lots of sizzle but no steak. I read one blog that said this attack was "more like arming a troupe of girl-scouts with water-balloons and Nerf guns." Seriously though, while there's no doubt that the attack caused some outages, a professional cowboy botherder would have either mustered up a bigger botherd or just attacked a small number of the most significant targets.
Here's the really perplexing question to me though - why would someone wanting to cause any real damage use a variant of the old Mydoom worm family? This thing has been around for five years, and every anti-virus vendor in the world has a signature available for it. That doesn't pass the smell test for someone trying to do real harm... unless the DDoS was simply a diversion for some other really bad stuff going on somewhere else (but that's for those with more official intel).
While I'm positive there is a lot more information, probably classified or at least very sensitive, that I don't have access to, on the surface this appears to be a somewhat amateurish hack that took advantage of some organizations that may not have been as prepared as they thought they were.
There are certainly some tools you can and should deploy to mitigate and deflect a DDoS (IPS at the edge, router ACLs), but the bottom line is that if you get enough traffic, from enough distributed sources, in a short enough period of time, you are going to have a problem. Among the things (the top three in my opinion) you need to have in place BEFORE a DDoS are:
1. Know who your carrier is and have a relationship with them so they can begin upstream filtering and bump up your bandwidth (your BCP should address this) if you are under attack.
2. Have staff that are trained and know how to read logs and determine which IPs are causing the problem and need to be blocked. If your staff is not technically prepared to understand what is going on, no amount of planning will be enough.
3. Most important and most often neglected - have up-to-date contact information. Trying to track someone down, whether it's your ISP, a vendor, or your own staff, on a Saturday 4th of July holiday when your site is down and you don't have a name and telephone number can be one of the most frustrating events of your life.
Bonus #4 - If you have externally hosted websites, know where they are, who manages them, and how to get in touch with them... on a holiday!
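Item 2 says trained staff have to pick the offending sources out of the logs under pressure. As an added example that is not from the original post, the Python below (my own, with constructed sample lines in the common Apache/nginx "combined" log format, not real traffic) flags IPs whose request rate in a short sliding window is far above an ordinary visitor's; the addresses, window and threshold are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache/nginx "combined" format: client IP, timestamp, request line, status, size.
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" \d{3} \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp) for a well-formed log line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    return m.group("ip"), datetime.strptime(m.group("ts"), TS_FMT)

def top_talkers(lines, window_seconds=10, threshold=20):
    """Return ({ip: peak requests in any window}, unparsed count) for IPs at/above threshold."""
    window = timedelta(seconds=window_seconds)
    per_ip, unparsed = defaultdict(list), 0
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            unparsed += 1  # count malformed lines instead of crashing on them
            continue
        per_ip[parsed[0]].append(parsed[1])
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:  # slide the window start forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged, unparsed

def make_sample_log():
    """Constructed sample (not real traffic): one ordinary visitor, one source
    hammering the front page, and one unparseable line."""
    base = datetime(2009, 7, 4, 10, 0, 0, tzinfo=timezone(timedelta(hours=-4)))
    entry = lambda ip, ts: f'{ip} - - [{ts.strftime(TS_FMT)}] "GET / HTTP/1.1" 200 512 "-" "x"'
    lines = [entry("203.0.113.10", base + timedelta(seconds=12 * i)) for i in range(5)]
    lines += [entry("198.51.100.7", base + timedelta(milliseconds=100 * i)) for i in range(60)]
    lines.append("not a log line")
    return lines

if __name__ == "__main__":
    for ip, peak in sorted(top_talkers(make_sample_log())[0].items(), key=lambda kv: -kv[1]):
        print(f"{ip}: {peak} requests in 10s -> candidate for ACL / upstream filter")
```

Against a truly distributed attack the flagged list gets long fast, which is exactly the list that goes to the carrier from item 1 for upstream filtering rather than into a hand-maintained router ACL.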