Information Security News mailing list archives
Stopping Internet 'zombies' in their tracks
From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Mar 2001 22:44:43 -0600
http://www.boston.com/dailyglobe2/071/business/Stopping_Internet_zombies_in_their_tracks+.shtml

By Hiawatha Bray
Globe Staff
3/12/2001

A couple of Boston-area companies think they've found a way to control a common and devastating form of computer vandalism. Now the two firms are racing to get their sophisticated hardware and software into hundreds of key Internet chokepoints.

Arbor Networks Inc. of Waltham and Mazu Networks Inc. of Cambridge have built hardware and software they consider to be the ultimate weapons against the "distributed denial of service" attacks that have shut down some of the Internet's biggest sites, including Microsoft Corp. and the eBay auction site.

A distributed denial of service attack is the equivalent of constantly ringing a telephone so that legitimate calls can't get through. But in this case, the vandals use "zombie" programs they've hidden on dozens of computers across the Internet. These zombies, in turn, bombard a Web site with thousands of phony requests for data. The site gets bogged down trying to field the traffic. And because the attack packets are coming from so many different points on the Internet, it's tough to filter them out without disrupting legitimate traffic.

"Distributed denial of service attacks are a distributed problem," Mazu CEO Phil London says. "A complete solution requires a distributed solution."

For Mazu and Arbor, that means giving up on building a defensive wall at the point of attack. Instead, these companies want to intercept the attack packets long before they reach the target.

Mazu and Arbor make network probe devices that connect to the Internet's "peering points," the places at which Internet providers connect with the big backbone networks that handle bulk Internet traffic. There are a number of these peering points in places such as California's Silicon Valley, Chicago, Washington, D.C., and New Jersey.

The probes can sample the traffic streaming across the Internet without interfering with its movement. As they sample, the probes use complex statistical algorithms to take a "fingerprint" of normal traffic patterns on the network. That way, they can immediately detect unusual patterns, the kind generated by attacking zombies.

"In real time," said Arbor chief scientist Farnam Jahanian, "we come up with a fingerprint for that anomaly."

By distributing probes at multiple peering points, it's easier to filter out the offending packets and eventually shut them down at the source. For instance, the probes might be located at MAE West, a peering point in California, MAE East in Washington, D.C., and Ameritech's Network Access Point in Chicago. By comparing the output of all three probes, an attack from a West Coast vandal could be isolated, with no disruption of traffic from the other peering points.

The challenge is getting ISPs and backbone networks to install the probes. Mazu is competing against Arbor, and against Seattle-based Asta Networks Inc. Each of the three companies offers variations on the same concept - a network of attack detectors located at vital peering points.

It's no surprise that the products from all three companies are so similar. Said Kevin Werbach, editor of the computer industry newsletter Release 1.0, "The basic architecture is the same, basically because it's the only way to attack the problem."

Arbor's equipment has been deployed by Merit Network, a major Internet provider in Michigan. It was an easy sell - Arbor's underlying technology was developed at the University of Michigan at Ann Arbor.

Meanwhile, Mazu's system is undergoing beta testing at Logictier Inc., a San Mateo, Calif., Internet provider that's preparing to host the Web sites for the 2002 Winter Olympics.

"We do believe that this may have some merit and we're seriously looking at it," said Leia Amidon, Logictier's principal security technologist.

But even as the contenders strive for market share, a critical question arises: Will their products work together? A system for detecting network attacks would be far more effective if it could share its information with all other such attack detectors. But for now, the fingerprints produced by Asta, Arbor, and Mazu devices are incompatible with each other.

Arbor chief strategist Ted Julian acknowledges that's a serious issue. "Is interoperability or compatibility a big deal?" he asked. "Absolutely it is."

Julian said Arbor is working with the Internet Engineering Task Force to make its detection system compatible with existing network routers and firewalls. This would allow Arbor devices to send attack warnings directly to a firewall, which could then block the unwanted data. But for now, Julian said, there has been no attempt to make Arbor's system compatible with Mazu's or Asta's.

Mazu executives say they're considering a similar step, but haven't made any moves so far.

It's just a matter of time, said Release 1.0's Werbach. "Ultimately there's going to have to be interoperability, because not all the ISPs are going to sign up with a single supplier," he said. "It's just so early on, that they've all made the decision to try to sign up as many customers as they can."