Lessons for Your Website from US, S. Korean Attacks

On July 4, a botnet estimated to contain between 30,000 and 60,000 compromised computers received new marching orders: Attack five U.S. government Web sites.

By Tuesday, the attack had widened, hitting at least 26 government, financial and news Web sites in the United States and South Korea. The attack escaped the notice of many network monitoring firms, who labeled it a "modest" packet flood, but severely impacted some of the targeted sites. Many sites, such as the White House's online hub, stoically weathered the attack, while others, such as the Federal Trade Commission's site, became inaccessible for long hours or days.

[ Keep up on the day's tech news headlines with InfoWorld's Today's Headlines: Wrap Up newsletter and InfoWorld Daily podcast. ]

Companies should look at the attacks as a reminder to test their preparedness, says Amit Yoran, CEO of security firm NetWitness and the former head of the National Cyber Security Division at the U.S. Department of Homeland Security.

"If this can happen to mature organizations that really understand what the threat environment looks like-and are still falling victim to this stuff-it sends an ominous signal to other companies, who might not be as ready as they would like," says Yoran.

[ For timely data center news and expert advice on data center strategy, see CIO.com's Data Center Drilldown section. ]

Yoran and other experts suggested that data-center and hosting operators, as well as enterprises, use the attacks to check their defenses.

1. Size doesn't always matter While the U.S. government is not discussing details of the attack, security firm Arbor Networks protected one of the industry sites targeted by the packet flood, which the firm measured at about 23 to 25 megabits per second. That's more of a trickle to security companies used to defending sites from denial-of-service attacks weighing in at hundreds-of-megabits to gigabits per second. Attacks leveled against the Church of Scientology in January 2008, for example, were 10 times larger than the current attacks.

"We are seeing these attacks are pretty modest-it depends on your level of readiness," says Jose Nazario, manager of security research for Arbor. "I can see why some sites are like, 'What attacks?' while others are like, 'Oh my God!'"

Rather than being a measure of the sophistication of the attacker, the average attacks are highlighting those companies and government agencies that have not adequately prepared for a flood of network packets.

"If you are running a large data center, make sure you got the tools, capabilities and staffing so that if a flood is coming in that you can respond to it, or that you have relationships with the upstream provider to quickly get them involved," says Nazario.

2. Attacker intent required, skills optional Security experts also stress that the current crop of attacks do not require much skill on the part of the attacker. The would-be attacker might be a protester that sympathizes with some cause, a patriotic hacker who attacks sites that criticize a nation, or a group sponsored by a nation-state.

The tools to conduct such attacks are readily available on the Internet. The attacks against U.S. and South Korean sites, for example, appear to use software cobbled together from a variety of sources, including the source code for the MyDoom worm, which first started spreading in 2004.