Infrastructure threats: Botnets show DoS who's boss
Malware-infected botnet PCs have overtaken denial-of-service attacks as the top security issue facing ISPs and other Web hosting companies
Malware-infected botnet PCs have overtaken DoS attacks as the top security issue facing Internet service providers and other Web infrastructure hosting players, according to a new survey of the organizations.
Arbor Networks published the results of its third-annual Infrastructure Security Report on Monday -- a survey of 75 large ISPs, hosting companies, and other providers -- which found for the first time that botnets currently outrank DoS threats as the most serious concern for the firms.
Tens of millions of PCs are likely infected with botnet programs worldwide, according to survey results, and Arbor researchers said the ISPs they questioned admitted to spending more time and resources battling botnets than ever before.
Infrastructure providers are finding botnets hard to pin down, as the people controlling the zombie machines are employing increasingly advanced detection-evasion techniques, said Craig Labovitz, chief scientist at Arbor. Because they can't accurately gauge the size of the problem, he said, infrastructure providers fear that what they can see of the botnet phenomenon is only the tip of the iceberg.
"ISPs are spending a lot of time trying to measure, and there's a lot of subjective data, but there are such widely different qualities to the various bots that it's a real challenge to get any strong metrics," Labovitz said. "We are seeing a widening separation between the pros and the amateurs, but as easy as it is to infiltrate and measure the less sophisticated botnets, the pro grade stuff is far more problematic and harder to trace."
By adopting the same peer-to-peer propagation strategy that has made the so-called Storm worm a recurring source of follow-on infections, the sophisticated segment of the botnet community is advancing at a rapid pace, according to Arbor.
By using P2P techniques to distribute commands and payloads, attackers have eliminated the need for a traditional central command-and-control server. In doing so, the researcher said, they have also removed the single point that was the most efficient place to attempt a takedown.
At the same time, DoS attacks -- which have long ranked as the primary concern of ISPs and their brethren -- have not disappeared, but have become more targeted and more efficient in the application of their resources, making them even more damaging to their individual targets, according to the report.
Labovitz said that while traditional distributed DoS attacks have measured at under 10 Gbps, newer attacks are reaching as high as 24 Gbps -- enough to completely shut down a smaller ISP or Web server farm.
As the attacks grow more powerful, they are also being concentrated on smaller sets of individual targets, or groups of sites, rather than being unleashed on the Internet at large. In one such case just last week, Labovitz said, an unnamed gambling site was taken offline for a number of hours.