Information Security News mailing list archives

Stopping Internet 'zombies' in their tracks


From: InfoSec News <isn () C4I ORG>
Date: Tue, 13 Mar 2001 22:44:43 -0600

http://www.boston.com/dailyglobe2/071/business/Stopping_Internet_zombies_in_their_tracks+.shtml

By Hiawatha Bray
Globe Staff
3/12/2001

A couple of Boston-area companies think they've found a way to control
a common and devastating form of computer vandalism. Now the two firms
are racing to get their sophisticated hardware and software into
hundreds of key Internet chokepoints.

Arbor Networks Inc. of Waltham and Mazu Networks Inc. of Cambridge
have built hardware and software they consider to be the ultimate
weapons against the ''distributed denial of service'' attacks that
have shut down some of the Internet's biggest sites, including
Microsoft Corp. and the eBay auction site.

A distributed denial of service attack is the equivalent of constantly
ringing a telephone so that legitimate calls can't get through. But in
this case, the vandals use ''zombie'' programs they've hidden on
dozens of computers across the Internet.

These zombies, in turn, bombard a Web site with thousands of phony
requests for data. The site gets bogged down trying to field the
traffic. And because the attack packets are coming from so many
different points on the Internet, it's tough to filter them out
without disrupting legitimate traffic. ''Distributed denial of service
attacks are a distributed problem,'' Mazu CEO Phil London says. ''A
complete solution requires a distributed solution.''

For Mazu and Arbor, that means giving up on building a defensive wall
at the point of attack. Instead, these companies want to intercept the
attack packets long before they reach the target.

Mazu and Arbor make network probe devices that connect to the
Internet's ''peering points,'' the places at which Internet providers
connect with the big backbone networks that handle bulk Internet
traffic. There are a number of these peering points in places such as
California's Silicon Valley, Chicago, Washington, D.C., and New
Jersey.

The probes can sample the traffic streaming across the Internet
without interfering with its movement. As they sample, the probes use
complex statistical algorithms to take a ''fingerprint'' of normal
traffic patterns on the network. That way, they can immediately detect
unusual patterns, the kind generated by attacking zombies. ''In real
time,'' said Arbor chief scientist Farnam Jahanian, ''we come up with
a fingerprint for that anomaly.''

By distributing probes at multiple peering points, it's easier to
filter out the offending packets and eventually shut them down at the
source. For instance, the probes might be located at MAE West, a
peering point in California, MAE East in Washington, D.C., and
Ameritech's Network Access Point in Chicago. By comparing the output
of all three probes, an attack from a West Coast vandal could be
isolated, with no disruption of traffic from the other peering points.
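The two preceding paragraphs describe the detection idea in words: learn a statistical ''fingerprint'' of normal traffic at each peering point, flag intervals that deviate from it, and compare the probes' results to work out which peering point the attack is entering through. The following is an added illustration of that idea in Python, written for this archive and not code from Arbor, Mazu or Asta. The probe names are the three peering points the article mentions; the per-interval packet counts, the baseline model (mean and standard deviation over a training window) and the threshold `k` are all constructed assumptions.

```python
"""Multi-probe traffic anomaly detection (added example, not any vendor's code).

Model (an assumption for this example): each probe reports, per sampling
interval, the number of packets it saw toward one destination. The
'fingerprint' of normal traffic is the mean and population standard deviation
of those counts over a training window. A live interval is anomalous when its
count lies more than k standard deviations above the mean. Comparing which
probes flag the same destination tells the operator where the attack enters.
"""
from statistics import mean, pstdev
from typing import Dict, List, Optional, Tuple

# Peering points named in the article; the counts below are constructed sample data.
PROBE_NAMES = ["MAE West", "MAE East", "Chicago NAP"]

# Training window: packets per interval toward one destination, as sampled by each probe.
TRAINING: Dict[str, List[int]] = {
    "MAE West":    [100, 110, 95, 105, 98, 102, 107, 99, 101, 103],
    "MAE East":    [80, 85, 78, 82, 79, 84, 81, 83, 80, 82],
    "Chicago NAP": [60, 58, 62, 61, 59, 63, 60, 62, 58, 61],
}

# One live interval (constructed): MAE West sees a spike, the other two look normal.
LIVE: Dict[str, int] = {"MAE West": 950, "MAE East": 84, "Chicago NAP": 60}


def fingerprint(samples: List[int]) -> Tuple[float, float]:
    """Baseline for one probe: (mean, standard deviation) of the training counts."""
    return mean(samples), pstdev(samples)


def z_score(value: float, fp: Tuple[float, float]) -> float:
    """How many standard deviations 'value' sits above the baseline mean."""
    mu, sigma = fp
    if sigma == 0.0:
        # Perfectly flat baseline: treat one packet of deviation as one unit,
        # so a spike is still reported instead of dividing by zero.
        sigma = 1.0
    return (value - mu) / sigma


def detect(training: Dict[str, List[int]], live: Dict[str, int],
           k: float = 4.0) -> List[Tuple[str, float]]:
    """Return (probe, z) for every probe whose live count exceeds mean + k*stddev."""
    anomalies: List[Tuple[str, float]] = []
    for probe, samples in training.items():
        z = z_score(live[probe], fingerprint(samples))
        if z > k:
            anomalies.append((probe, round(z, 1)))
    return anomalies


def isolate_source(anomalies: List[Tuple[str, float]]) -> Optional[str]:
    """Correlate the probes' verdicts.

    If exactly one peering point sees the anomaly, the attack is entering there and
    filtering can be applied at that point without touching the other probes' traffic.
    If several (or none) flag it, no single ingress can be named from this data.
    """
    flagged = {probe for probe, _ in anomalies}
    return flagged.pop() if len(flagged) == 1 else None


if __name__ == "__main__":
    hits = detect(TRAINING, LIVE)
    print("anomalous probes:", hits)
    print("isolated ingress:", isolate_source(hits))
```

With the constructed data, only the MAE West probe crosses the threshold, so the report names that peering point as the ingress; if a second live sample had all three probes spiking, `isolate_source` returns `None`, which is the case the article calls a distributed problem needing a distributed answer. A real deployment would keep one baseline per destination and per time of day rather than a single window, but the correlation step is the same.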

The challenge is getting ISPs and backbone networks to install the
probes. Mazu is competing against Arbor, and against Seattle-based
Asta Networks Inc. Each of the three companies offers variations on the
same concept - a network of attack detectors located at vital peering
points.

It's no surprise that the products from all three companies are so
similar. Said Kevin Werbach, editor of the computer industry
newsletter Release 1.0, ''The basic architecture is the same,
basically because it's the only way to attack the problem.''

Arbor's equipment has been deployed by Merit Network, a major Internet
provider in Michigan. It was an easy sell - Arbor's underlying
technology was developed at the University of Michigan at Ann Arbor.

Meanwhile, Mazu's system is undergoing beta testing at Logictier Inc.,
a San Mateo, Calif., Internet provider that's preparing to host the
Web sites for the 2002 Winter Olympics. ''We do believe that this may
have some merit and we're seriously looking at it,'' said Leia Amidon,
Logictier's principal security technologist.

But even as the contenders strive for market share, a critical
question arises: Will their products work together? A system for
detecting network attacks would be far more effective if it could
share its information with all other such attack detectors. But for
now, the fingerprints produced by Asta, Arbor, and Mazu devices are
incompatible with each other.

Arbor chief strategist Ted Julian acknowledges that's a serious issue.
''Is interoperability or compatibility a big deal?'' he asked.
''Absolutely it is.'' Julian said Arbor is working with the Internet
Engineering Task Force to make its detection system compatible with
existing network routers and firewalls. This would allow Arbor devices
to send attack warnings directly to a firewall, which could then block
the unwanted data.

But for now, Julian said, there has been no attempt to make Arbor's
system compatible with Mazu's or Asta's. Mazu executives say they're
considering a similar step, but haven't made any moves so far.

It's just a matter of time, said Release 1.0's Werbach. ''Ultimately
there's going to have to be interoperability, because not all the ISPs
are going to sign up with a single supplier,'' he said. ''It's just so
early on, that they've all made the decision to try to sign up as many
customers as they can.''

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of
"SIGNOFF ISN".
