Sidebar: Lifecycle: Preventing, Detecting & Removing Bots
But, there's no effective defense for a botnet attack--your only hope is survival. (See "Preventing, Detecting and Removing Bots".)
Anticipating Bot Attacks
Before you connect to the Internet, there are some things you can do to mitigate the effects of botnet attacks. The following are some prudent steps all enterprises should consider:
Define service requirements with ISPs. You should define for your ISP what your expectations and response requirements are in the event of a DDoS attack. This includes network address agility (or switching your address block), which makes it harder to target your network and can reveal attacker reconnaissance; topological changes to compartmentalize your network, protect high-value assets and preserve connectivity to specific network segments; and traffic capture and analysis for tracing attacks and--perhaps--prosecuting attackers. Traffic filtering by your ISP or upstream traffic sources (sometimes called traffic blocking or null routing) can also help.
Manage out-of-band network. When your primary (or secondary) network interfaces are flooded, you may lose all ability to communicate with your network devices. If your provider can establish an out-of-band control mechanism--be it a network connection through a peering point or a DSL line to a terminal server within your network perimeter--you can regain remote access and reroute critical traffic, such as e-mail, even if your main network paths are unavailable.
Coordinate with peers. Cases of DDoS attacks that involve source-address forgery and traffic reflection off widely distributed servers (e.g., DNS reflection, SYN-ACK reflection off routers and firewalls) may require manual traceback to determine the source. Getting the cooperation of peers using the same upstream provider to block traffic and perform traceback may be very difficult; persuading your upstream provider to commit to working with you, even if the problem is difficult, is the first step.
While not fully effective against botnet DDoS attacks, several open-source and commercial products can provide some measure of response capabilities. Each has some value, but is only one soldier in the information assurance/availability army.
Most defenses are directed at either the host or network level, but rarely both. Host-level defenses, including personal firewalls, antivirus and host-based IDSes, are designed to protect computers, OSes and applications, and to detect and possibly contain intrusions.
Commercial applications from Arbor Networks, Captus Networks, Cisco Systems, Lancope, Mazu Networks and Top Layer identify anomalous traffic and irregular volume flows to detect DDoS attacks. These same applications have had some success in filtering floods by dropping traffic based on source IP address and protocol. But, their success is limited by the size and scope of a botnet flood. DDoS attacks, especially those launched via massive botnets, have a numerical advantage that may overwhelm these tools.
Security solutions that maintain the trusted state of machines, such as those from Tripwire, can monitor deviations in configurations. When a machine falls out of compliance, it can be rapidly detected and restored to a trusted state.
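The trusted-state check described above amounts to recording a fingerprint of every file on a machine and later diffing the live system against that record. The following is an added example written for this article, not Tripwire's code or any product's API: it hashes a directory tree into a baseline, then reports files that were added, removed or changed. The directory layout, file names and the "compromise" it simulates are all constructed inside a temporary directory so the script runs offline.

```python
import hashlib
import tempfile
from pathlib import Path


def file_fingerprint(path: Path) -> dict:
    """Content hash plus the metadata a tampered file would usually alter.
    A real integrity tool records more (owner, inode, mtime); this subset is enough to demonstrate the idea."""
    st = path.stat()
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return {"sha256": h.hexdigest(), "mode": oct(st.st_mode & 0o7777), "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Record the trusted state of every regular file under root, keyed by POSIX-style relative path."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = file_fingerprint(p)
    return baseline


def compare_to_baseline(root: Path, baseline: dict) -> dict:
    """Diff the live tree against the stored baseline: new files, missing files, and files whose
    hash, mode or size no longer matches. Any non-empty list means the host has left its trusted state."""
    current = build_baseline(root)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def demo() -> dict:
    """Constructed scenario: baseline a tiny fake filesystem, then simulate a compromise that edits a
    config file, drops an unexpected binary and removes a system binary. Returns the comparison report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n")
        (root / "bin").mkdir()
        (root / "bin" / "sshd").write_bytes(b"\x7fELF-placeholder")          # constructed stand-in for a binary
        baseline = build_baseline(root)

        # Simulated deviation from the trusted state (constructed, not a real sample)
        (root / "etc" / "hosts").write_text("127.0.0.1 localhost\n10.0.0.5 update.invalid\n")
        (root / "bin" / "unexpected").write_bytes(b"\x7fELF-placeholder-2")
        (root / "bin" / "sshd").unlink()

        return compare_to_baseline(root, baseline)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In production the baseline would be stored off-host (or signed) so that an intruder who gains root cannot rewrite it along with the files; the comparison is only as trustworthy as the copy of the baseline it is run against.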
Network-level defenses focus on large sets of computers on a network or routing infrastructure. They may monitor individual or aggregate traffic flows between computers looking for anomalous activity, filter suspicious traffic, manage device configurations or patch systems to prevent exploitation.
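The two preceding passages describe network-level anomaly detection on aggregate flows and the per-source/per-protocol filtering that follows it, together with the caveat that a large botnet overwhelms per-source filtering. The script below is an added example for this article, not code from any of the vendors named: it works over constructed flow records (minute, source, protocol, packet count), flags minutes whose volume exceeds a multiple of a known-good baseline, and then derives candidate drop rules for the flagged minutes. The record format, the threshold values and the two attack shapes are all assumptions made for the demonstration. It deliberately runs both a concentrated flood and a widely distributed one so the numerical-advantage caveat is visible in the output.

```python
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class Flow:
    """One constructed flow record (a simplified stand-in for a NetFlow-style export)."""
    minute: int
    src: str
    proto: str
    packets: int


def packets_per_minute(flows) -> dict:
    totals = defaultdict(int)
    for f in flows:
        totals[f.minute] += f.packets
    return dict(totals)


def anomalous_minutes(flows, baseline_minutes, factor=3.0) -> list:
    """Aggregate-volume check: flag any non-baseline minute carrying more than `factor` times the
    mean packet count of the baseline minutes (assumed known-good traffic)."""
    totals = packets_per_minute(flows)
    threshold = factor * mean([totals.get(m, 0) for m in baseline_minutes])
    return sorted(m for m, n in totals.items() if m not in baseline_minutes and n > threshold)


def candidate_filters(flows, minute, max_share=0.05) -> list:
    """Per (source, protocol) drop candidates for one minute: pairs carrying more than `max_share`
    of that minute's packets. Returns (src, proto, share) tuples, largest share first."""
    per_pair = defaultdict(int)
    total = 0
    for f in flows:
        if f.minute == minute:
            per_pair[(f.src, f.proto)] += f.packets
            total += f.packets
    if total == 0:
        return []
    return sorted(
        [(src, proto, n / total) for (src, proto), n in per_pair.items() if n / total > max_share],
        key=lambda t: -t[2],
    )


def constructed_scenario() -> list:
    """Synthetic traffic: 10 quiet minutes, then a concentrated flood, then a distributed one."""
    flows = []
    # minutes 0-9: 50 legitimate clients sending 20 packets each per minute (1,000 pkt/min)
    for m in range(12):
        for i in range(50):
            flows.append(Flow(m, f"198.51.100.{i}", "tcp", 20))
    # minute 10: 5 sources each sending 2,000 UDP packets (concentrated flood)
    for i in range(5):
        flows.append(Flow(10, f"203.0.113.{i}", "udp", 2000))
    # minute 11: 10,000 sources each sending 1 UDP packet (botnet-style distributed flood)
    for i in range(10000):
        flows.append(Flow(11, f"10.0.{i // 256}.{i % 256}", "udp", 1))
    return flows


def run_scenario() -> dict:
    """Map each flagged minute to the drop rules the per-source filter would produce for it."""
    flows = constructed_scenario()
    return {m: candidate_filters(flows, m) for m in anomalous_minutes(flows, range(10))}


if __name__ == "__main__":
    for minute, rules in run_scenario().items():
        print(f"minute {minute}: {len(rules)} candidate drop rules")
        for src, proto, share in rules:
            print(f"  drop {proto} from {src} ({share:.1%} of packets)")
```

Both attack minutes carry the same packet volume, so the aggregate detector flags both. For the concentrated flood the per-source filter yields five usable drop rules; for the distributed flood every source sits far below the share threshold and the filter yields nothing, which is exactly the limitation the text describes. That is why the aggregate alarm still matters: it is the trigger for the ISP-level measures (null routing, address agility, upstream filtering) listed earlier, even when no per-source rule can be written.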
Being a Good 'Netizen
Botnets are marauders waiting at the edge of every network for the one vulnerable machine that will become their key through enterprise fortifications. And, eradicating botnets after an invasion is nearly impossible because their numbers and rate of growth are too great.
So, what can be done to shield your network from botnets? Formulate a good defensive strategy by safeguarding and protecting your network and mobile computers, and preventing attacks before they happen. For those enterprises already under attack, systematically rooting out compromised servers and PCs is essential.
Only through vigilance and best practices will enterprises stay ahead of, or at least keep pace with, the botnet threat.
This was first published in March 2005