expert studying the issue. DDoS attacks are unsophisticated and carry many of the same network traffic characteristics, enabling service providers or large enterprises to filter out the bad traffic. More ominous threats are application-layer DDoS attacks, which target the database server and cripple or corrupt the applications and underlying data needed to effectively run a business, said Craig Labovitz, chief scientist at Chelmsford, Mass.-based Arbor Networks Inc. The idea of an "Internet-wide cyberwar" is way overblown, Labovitz said. Arbor Networks was recently acquired by Plano, Texas-based Tektronix Communications Inc. Since the acquisition, Labovitz said, the company has seen growth in mobile security, helping carriers weed out attacks, as well as in defending against more sophisticated application-layer attacks targeting users of cloud-based service providers. In a recent interview with SearchSecurity.com, Labovitz, a noted network researcher and engineer, discussed the ongoing WikiLeaks DDoS attacks, how DDoS can be used in more serious attacks and what the future threat landscape may look like.
What are some of the earlier attacks against WikiLeaks and now from WikiLeaks "hacktivists" telling us? Is this a serious threat to the Internet?
Craig Labovitz: I think what was interesting is that from a technical perspective, they weren't actually very big or very sophisticated attacks. There are hundreds of these kinds of attacks on a given day. It was interesting that the attacks were not more widespread. Often with very large attacks we see botnets that have very good geographic distribution. We didn't see that with the WikiLeaks attacks. So with the botnet, if it was a botnet or individual PCs, we maybe saw 100 PCs in some of the WikiLeaks attacks. That is notable for its small size and lack of geographic distribution. Knowing that a machine is sending a flood of traffic from Thailand isn't telling us much. What you really care about is who is controlling these machines, not that a random enterprise in Thailand has been compromised. There are a lot of these kinds of attacks. They are just part of the noise of the Internet. Most of these attacks are part of the cost of doing business on the Internet.
It's not easy to determine who is controlling the machines, is it?
Labovitz: You really have to have a lot of coordination and you must have access to one of the compromised machines or otherwise break into the actual command-and-control and see where the commands are coming from. It generally takes a lot of effort and a lot of time. It is increasingly difficult as this crosses multiple carriers and multiple jurisdictions.
Generally, do future "hacktivism" DDoS attacks pose a serious threat to enterprises?
Labovitz: From following the Twitter messages and some of the underground IRC channels, I will say that this doesn't appear to be a very sophisticated group of people. I think what's really happened over time is that there's this incredible amount of noise on the Internet with all this stuff going on all the time. Generally, I think it's more of an annoyance than it is a significant problem. With that said, there is a growing, small segment of what we think of as "the professionals." They're not motivated by ideals. They're not motivated by revenge or belief in free speech. They're motivated by money. This is how they make their living, through financial manipulation and other means. Those attacks are actually quite sophisticated and can be quite problematic to address. I don't want to give the impression that there isn't a problem on the Internet today and there aren't large vulnerabilities. But if I had to be concerned, I'd be far more concerned with the people who are doing this for money than the people doing this for ideals.
What are application-layer DDoS attacks and how often are you seeing them?
Labovitz: There are really two ways that attacks evolve over time in terms of infrastructure attacks and, more specifically, DDoS. One type of attack is just the flooding. When you talk about a Web server there are generally two critical resources. One is just the bandwidth to the site, and flooding attacks have been around since the early days of the Internet. They're trying to use up all the capacity so no other traffic can get in or out other than the attack traffic filling up all the links going into the datacenter or the website. Those attacks have been growing over time. We started out in 2000 when 400 Mbps was a really big attack. This year we have reports of 100 Gbps. That's getting pretty big. It's been the sheer number of botnets and the sheer number of compromised hosts that have fueled all of this. Back in the early 1990s we still had some belief that through better antivirus, through better procedures and through better education we could get a better handle on compromised machines. I think that battle has been fought and lost. Any given enterprise probably has one or two compromised machines within their network.
The other way attacks have been evolving is through the second key resource, and that's disks, CPU, database and all the key resources that are part of the Web farm or datacenter. It may not be about getting onto the homepage; getting the mailing list of a company might require database access, or it might require an email to marketing. Generally these are expensive operations that are doing more than just fetching data. We're seeing a growing number of attacks that are doing a lot of surveillance. They're trying to find the most expensive operation on the website, and they'll also understand what the bottlenecks are. For example, if there's a bottleneck in the database they'll try to stuff the database and get it into a lock state. They try very hard to look like legitimate clients and blend into the crowd. And they're often targeting a flaw in your architecture that you didn't know existed before.
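The distinction Labovitz draws in the answer above (bandwidth floods versus low-volume requests aimed at the most expensive operation) is also a detection problem: counting requests or bytes per client finds the flood but misses the client that blends in while hammering an expensive endpoint. The following Python is an added example written for this article, not code from the interview or from Arbor Networks. It scores each client on three metrics over a handful of access-log lines constructed for the example (a common-log-style line with the server-side response time in milliseconds appended, an assumed format), and flags clients that sit far above the population on each metric. The constructed "export" client sends few requests and few bytes but consumes most of the server time, which is exactly the profile described above.

```python
"""Cost-weighted client scoring over web-server access logs.

Added illustration for the interview's application-layer DDoS discussion
(not Arbor Networks code). Request count and bytes are the classic
volumetric signals; server time per client is the signal that exposes a
low-volume client stuffing an expensive operation such as a report export.

Assumed log format (constructed for this example):
    <client> "<METHOD> <path>" <status> <bytes> <duration_ms>
"""
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample lines. 10.0.0.3 pulls a large file twice (heavy on bytes,
# cheap on CPU); 10.0.0.9 requests a database-backed export twice (light on
# bytes, very heavy on server time); the rest are ordinary browsing.
SAMPLE_LOG = """\
10.0.0.1 "GET /index.html" 200 5120 12
10.0.0.1 "GET /static/logo.png" 200 20480 4
10.0.0.2 "GET /index.html" 200 5120 15
10.0.0.2 "GET /search?q=shoes" 200 8192 180
10.0.0.3 "GET /static/video.mp4" 200 5242880 40
10.0.0.3 "GET /static/video.mp4" 200 5242880 38
10.0.0.9 "GET /export/mailing-list?format=csv" 200 4096 2200
10.0.0.9 "GET /export/mailing-list?format=csv" 200 4096 2350
10.0.0.4 "GET /index.html" 200 5120 11
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r"(?P<status>\d{3}) (?P<bytes>\d+) (?P<duration_ms>\d+)$"
)


def parse_log(text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["bytes"] = int(rec["bytes"])
            rec["duration_ms"] = int(rec["duration_ms"])
            yield rec


def per_client_totals(records):
    """Aggregate request count, bytes sent and server time (ms) per client."""
    totals = defaultdict(lambda: {"requests": 0, "bytes": 0, "server_ms": 0})
    for rec in records:
        t = totals[rec["client"]]
        t["requests"] += 1
        t["bytes"] += rec["bytes"]
        t["server_ms"] += rec["duration_ms"]
    return dict(totals)


def outliers(totals, metric, z_threshold=1.5):
    """Clients whose metric lies more than z_threshold population std-devs above the mean.

    A z-score over a few clients is only illustrative; a real deployment would
    compare against a longer-running baseline per endpoint and time window.
    """
    values = [t[metric] for t in totals.values()]
    if len(values) < 2:
        return []
    mu, sigma = mean(values), pstdev(values)
    if sigma == 0:
        return []
    return sorted(c for c, t in totals.items() if (t[metric] - mu) / sigma > z_threshold)


def report(log_text):
    """Return {metric: [flagged clients]} for the three metrics."""
    totals = per_client_totals(parse_log(log_text))
    return {m: outliers(totals, m) for m in ("requests", "bytes", "server_ms")}


if __name__ == "__main__":
    for metric, clients in report(SAMPLE_LOG).items():
        print(f"{metric:>10}: {clients}")
```

On the constructed log, neither request count nor bytes flags the export client; only the server-time metric does, while the video downloader is the bytes outlier. The same split applies to where mitigation belongs: byte-volume outliers are a carrier-side problem, server-time outliers are only visible with the application's own timing data.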
What are the biggest growth areas for your DDoS mitigation technology right now?
Labovitz: We see a lot of business growth in two areas: one area is mobile and the other area is -- as more and more data moves to the cloud -- the datacenter. This is both private enterprise datacenters as well as cloud-based datacenters. With the types of attacks we're seeing, some are just volumetric, they're so big that it has to be the carrier mitigating them. As you start to look at lower-volume, stealthier, application-level attacks, that's something you really want to take care of at the datacenter. Basically we've been able to link to these two areas. Carriers need to solve part of the problem and some need to be solved at the datacenter level. It's moving down the channel from the Tier 1 providers.