Infrastructure threats: Botnets show DoS who's boss

Malware-infected botnet PCs have overtaken denial-of-service attacks as the top security issue facing ISPs and other Web hosting companies

Malware-infected botnet PCs have overtaken DoS attacks as the top security issue facing Internet service providers and other Web infrastructure hosting players, according to a new survey of the organizations.

Arbor Networks published the results of its third-annual Infrastructure Security Report on Monday -- a survey of 75 large ISPs, hosting companies, and other providers -- which found for the first time that botnets currently outrank DoS threats as the most serious concern for the firms.

Tens of millions of PCs are likely infected with botnet programs worldwide, according to survey results, and Arbor researchers said the ISPs they questioned admitted to spending more time and resources battling botnets than ever before.

Infrastructure providers are finding botnets hard to pin down, as the people controlling the zombie machines are increasingly employing more advanced detection-evasion techniques, said Craig Labovitz, chief scientist at Arbor. Because they can't accurately gauge the size of the problem, he said, infrastructure providers fear they are seeing only the tip of the iceberg in taking on the botnet phenomenon.

"ISPs are spending a lot of time trying to measure, and there's a lot of subjective data, but there are such widely different qualities to the various bots that it's a real challenge to get any strong metrics," Labovitz said. "We are seeing a widening separation between the pros and the amateurs, but as easy as it is to infiltrate and measure the less sophisticated botnets, the pro grade stuff is far more problematic and harder to trace."

By using the same peer-to-peer propagation strategy that has made the so-called Storm worm a recurring source of new infections, the sophisticated end of the botnet community is advancing at a rapid pace, according to Arbor.

By using P2P techniques to distribute the threats, attackers have eliminated the need for traditional botnet command-and-control centers, and with them the most efficient place to attempt a takedown, the researcher said.

At the same time, DoS attacks -- which have long ranked as the primary concern of ISPs and their brethren -- have not disappeared, but have instead become more targeted and efficient in the application of their resources, making them even more damaging to their individual targets, according to the report.

Labovitz said that while traditional distributed DoS attacks have measured at under 10GB, newer DoS attacks are reaching as high as 24GB -- enough to completely shut down a smaller ISP or Web server farm.

As the attacks are getting more powerful, they are also being concentrated on smaller groups of individual targets, or groups of sites, rather than being unleashed on the Internet at large. In one such situation just last week, Labovitz said, an unnamed gambling site was taken offline for a number of hours.
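The two observations above, larger attacks aimed at fewer targets, are what an ISP's own traffic measurement has to surface. The following is an added illustration, not code from the article or from Arbor's report: it takes constructed flow records (the addresses and sizes are made up, drawn from RFC 5737 documentation ranges), computes the average bit rate received by each destination over a measurement window, flags destinations above a rate threshold, and reports how concentrated the traffic is on the top targets. The `Flow` type and the helper names are assumptions for this example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One flow record (constructed for this example, not a real export format)."""
    start: float   # seconds since the start of the capture
    end: float     # seconds since the start of the capture
    src: str
    dst: str
    nbytes: int


def bits_per_second_by_dst(flows, window_start, window_end):
    """Average bit rate per destination over [window_start, window_end).

    Each flow's bytes are spread evenly over its own duration, and only the
    part that overlaps the window is counted, so long-lived flows that
    started before the window are not over-counted."""
    window = window_end - window_start
    if window <= 0:
        raise ValueError("window must be positive")
    totals = defaultdict(float)
    for f in flows:
        duration = f.end - f.start
        if duration <= 0:
            continue
        overlap = min(f.end, window_end) - max(f.start, window_start)
        if overlap <= 0:
            continue
        totals[f.dst] += f.nbytes * overlap / duration
    return {dst: b * 8 / window for dst, b in totals.items()}


def flag_targets(rates, threshold_bps):
    """Destinations whose average rate meets the threshold, highest first."""
    hot = [(dst, r) for dst, r in rates.items() if r >= threshold_bps]
    return sorted(hot, key=lambda t: t[1], reverse=True)


def concentration(rates, top_n=1):
    """Share of all observed traffic going to the top_n destinations.

    A value near 1.0 means the volume is concentrated on a few targets, the
    pattern the report describes; a broad attack spreads it more evenly."""
    total = sum(rates.values())
    if total == 0:
        return 0.0
    top = sorted(rates.values(), reverse=True)[:top_n]
    return sum(top) / total


def sample_flows():
    """Constructed 10-second capture: normal traffic to 20 servers plus a
    flood from 100 sources, and one flow that began before the window."""
    flows = []
    # Baseline: 10 MB over 10 s to each of 20 servers (8 Mbps each).
    for i in range(1, 21):
        flows.append(Flow(0.0, 10.0, "192.0.2.200", f"198.51.100.{i}", 10_000_000))
    # Flood: 100 sources each send 150 MB over 10 s to one victim (12 Gbps total).
    for i in range(1, 101):
        flows.append(Flow(0.0, 10.0, f"192.0.2.{i}", "203.0.113.10", 150_000_000))
    # A flow that started before the window: 100 MB over 5..15 s, half inside.
    flows.append(Flow(5.0, 15.0, "192.0.2.250", "203.0.113.10", 100_000_000))
    return flows


def analyse(flows, window_start=0.0, window_end=10.0, threshold_bps=1e9):
    rates = bits_per_second_by_dst(flows, window_start, window_end)
    return {
        "rates": rates,
        "flagged": flag_targets(rates, threshold_bps),
        "top1_share": concentration(rates, top_n=1),
    }


if __name__ == "__main__":
    result = analyse(sample_flows())
    for dst, bps in result["flagged"]:
        print(f"{dst}: {bps / 1e9:.2f} Gbps exceeds threshold")
    print(f"share of traffic to top target: {result['top1_share']:.3f}")
```

The threshold here is a fixed 1 Gbps; in practice an operator would set it per customer link or per-prefix from a learned baseline, and would look at the concentration figure alongside the absolute rate, since the article's point is that a narrowly focused 24GB attack is a different problem from the same volume spread across many sites.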

"For the most part, if you read the press you don't hear about DoS as much, so people jump to the conclusion that it's not happening. But it's still out there," said the researcher. "The attacks may only be targeted at a small group of sites, but that can also help to increase the significance of the impact to the provider involved based on the more narrow focus."

Despite the lingering threat of DoS, ISPs have become better equipped to ward off the attacks and protect their customers, and have often begun charging for premium services to address the issue, according to Arbor.

As opposed to five years ago, when infrastructure players often had to scramble to respond to DoS campaigns as they emerged, Labovitz said most sizable companies now have appropriate procedures and equipment to at least partially deflect the assaults.

"Even though 90 percent of the attacks are a soft threat at this point, some of those remaining attacks are bigger than anyone can handle easily -- even some of the big guys," said Labovitz.

Arbor predicts attacks on Internet telephony services will represent one of the next immediate pain points for infrastructure players. Only 20 percent of the companies surveyed for the report said they had any gear in place to detect VoIP threats. Only 11 percent reported that they had any plans or tools in place to mitigate VoIP-based attacks.

"We haven't seen many of these threats yet, but we know the proof-of-concepts are out there," said Labovitz. "With the amount of VoIP infrastructure that is being deployed, the ISPs and telephony providers will need to ensure that they have something in place to protect those networks from attack."

Copyright © 2007 IDG Communications, Inc.