I first wrote about malicious bots last November [Bots and Network Security]. I followed that up with a post in January about the increasing threat from Zombie computers and botnets [Zombie Computer Threat Increasing]. In May, the extent of the threat was hammered home in Estonia in what many called the first “cyber war,” when Russia was suspected of mounting the attack. I wrote a post about that shortly after the event [Virtual War in Estonia]. Ross Stapleton-Gray, writing in the C4ISR Journal, provides some insight into what the U.S. government is doing to defend itself against such attacks [“Botnet Defense,” July 2007]. Stapleton-Gray begins his article talking about the adversary botnet army being assembled.
“Each day, thousands of new recruits are enlisted into growing armies that could, at the push of a button, wreak havoc on U.S. financial, government and military computer systems. Known as ‘bots,’ these compromised computers fall prey to computer viruses, worms and other forms of ‘malware.’ HS-ARPA, the research arm of the Department of Homeland Security (DHS), regards the threat as a top priority and is directing millions of dollars of toward detection and deterrence. Botnets — collections of compromised computers, acquired and managed by ‘bot herders’ — are used to conduct attacks, deliver spam and perform other malicious activities. Botnets are of particular concern to information security experts for their potential to inflict distributed denial-of-service (DDS) attacks, where hundreds or thousands of bots each fire packets across the Internet to overwhelm a target server or network with unwanted traffic.”
Stapleton-Gray interviewed Bill Woodcock, research director of Packet Clearing House, a nonprofit research institute that supports Internet traffic exchange, routing economics, and global network development. Woodcock was in Estonia during the above mentioned attack.
“He said the attacking botnets were primarily composed of computer hosts based in the U.S., but numerous sources said that their direction was coming from Russian Internet addresses. At their peak, the botnets were hurling some 4 million packets per second against targets that included government and financial Web sites. Because the attacks had been anticipated, the defense against them was well-organized, and their ultimate effects relatively minor.”
The enormity of the attack was what struck most analysts. According Rick Wesson, CEO of Support Intelligence, another expert interviewed by Stapleton-Gray, only a few hundred bots are necessary to conduct a destructive distributed denial-of-service attack. Wesson points out that most bot attacks are associated with spam or phishing, not attacks aimed at the national economy or other national security targets. Stapleton-Gray notes, however, that such attacks could be used, even by the military.
“In the event of a major military conflict, botnets could be used to attempt to paralyze an adversary and its allies. ‘For state-sponsored attacks, 100,000 [attacking bots] is nothing,’ Wesson said. ‘I’d plan on just about every computer in the USA DDSing our own assets.’
Stapleton-Gray goes on to note some of the efforts HS-ARPA is funding.
“HS-ARPA has funded botnet defense research via its Rapid Technology Application Program effort, which awarded about $1.44 million to a team led by Professor Farnam Jahanian at the University of Michigan. Their work centered on a proposal, ‘Detection and Dismantling Botnet Command and Control Infrastructure Using Behavior Profilers and Bot Informant.’ HS-ARPA has also used the Small Business Innovation Research (SBIR) and Small Business Technology Transfer (STTR) programs, with six botnet-oriented awards made over the past year. Those programs provide modest funding to small business and small business/research and academic collaborations to investigate the feasibility of various solutions to identified problems. Those who demonstrate success in this first phase may be awarded follow-on funding; several of the botnet research awardees will be awarded Phase II awards to implement their technologies as prototype systems. … Doug Maughan, HS-ARPA program manager on cyber security-related R&D, including the botnet efforts, is a veteran of both DARPA, where he ran similar programs, and the National Security Agency, where he served as a senior computer scientist responsible for network security research. In April, Maughan testified before the House Committee on Homeland Security’s subcommittee on emerging threats, cybersecurity, and science and technology, in a hearing titled ‘Addressing the Nation’s Cybersecurity Challenges: Reducing Vulnerabilities Requires Strategic Investment and Immediate Action.’ Maughan has also funded the Cyber Defense Technology Experimental Research (DETER) test bed. Two primary DETER sites, at the University of California-Berkeley and the USC Viterbi School Information Sciences Institute, host several hundred servers linked by a high-speed network to allow for multisite distributed experiments. Developed jointly with the National Science Foundation in its initial phase, DHS is now the sole funding source for ongoing development and expansion. Plans are for the test bed to grow through federation with similar test beds, to allow for experiments that require in excess of 1,000 computer nodes, and distributed across additional sites. DETER’s primary focus is on cyber security experimentation, creating a closed environment where the worst of real and theoretical malware and attack and defense strategies — including botnets — can be modeled and tested. Subsequent HS-ARPA solicitations have also directed proposers to make use of DETER as a test bed for their own technologies, and DETER has been highlighted in non-DHS cyber security R&D efforts, such as the intelligence community’s recent National Intelligence Community Enterprise Cyber Assurance Program solicitation. HS-ARPA is in the process of releasing a new Cyber Security BAA, anticipated to cover its published high-priority needs. Its previous major cyber security solicitation was in 2004, and funded 17 research efforts from more than 400 submitted. The awards covered research aimed at vulnerability prevention, discovery and remediation; cyber security assessment; security and trustworthiness for critical infrastructure protection; wireless security; network attack forensics; and technologies to defend against identity theft.”
The sub-title to Stapleton-Gray’s article was, “How to reclaim computer networks from hacker armies.” On that score, the article failed to deliver. Apparently, the intent of the article was to underscore the fact that the threat is not being ignored. Botnet attacks remain a serious problem and it is good to know that they are receiving the priority attention they deserve. As I noted in earlier posts, botnets are an extremely difficult challenge to counter. Let’s just hope that all the R&D provides some effective tools.
