Monthly Archives: November 2006

IntruGuard go to Europe

Planeetta_logo
After reviewing their current signature based
Intrusion Prevention System (IPS) and evaluating several other IPS
solutions available on the market, Planeetta selected the IG200 to
protect its customer maintained servers and network operation center
(NOC) from a growing threat of DDoS attacks, protocol anomaly based
hacking, scans and other zero-day exploits. Such network floods were
occurring on a monthly basis and with only a narrow based DDoS attack
on just one customer; connectivity to other accounts was hampered. The
existing IPS device was overtaken with flood traffic and failed. Prior
to the IntruGuard deployment, Planeetta took a painstaking effort with
their Internet Service Provider to determine all sources of attack and
instituted ACLs to block the assault. This method took many hours to
bring the attack under control.

Lauri Pitkanen, Chief Security Officer and Co-founder at Planeetta
explained, ”Compared to other solutions available on the market, the
IG200 was the clear choice because of its split-second automated
response, full duplex Fast Ethernet throughput, software upgrade
capability to gigabit throughput, and ease of administration and
monitoring. The ability to create virtual protection zones using the
Virtual Identifier (VID) feature in the IG200 was extremely powerful
and allowed us to separate our operations center from customer servers.
We use the IG200 to block denial of service network floods targeting an
individual customer where such an attack affects all customers. Since
its installation, the IG200 has successfully thwarted several attacks
and helped us trace the source of each.”

Ashok Jain, CEO of IntruGuard Devices, Inc. commented, ”Web Hosting
has to go on un-interrupted. Companies like Planeetta, that understand
the value of their customers’ trust, are quickly realizing the IG
product family can help them keep their wide-ranging services on-line
at all times and maintain mandatory service level agreements.”

Planeetta Internet Oy is a provider of web hosting services in Europe,
serving over 5000 customers with an excess of 50 servers in its data
center. Thorough security services include protection against worms,
viruses, spyware, and other malicious attacks to protect their
operations. Services include web site and email support. The company is
located in Helsinki, Finland.

IntruGuard’s mission is to secure high-value Internet services and
network infrastructure by delivering built-for-purpose systems for
Intrusion and Day Zero DoS and DDoS Attack Prevention. The company
serves e-commerce, web hosting/ISP, financial institutions, and managed
service providers that are under pressure to deliver guaranteed network
and application performance under all conditions. IntruGuard’s IG200,
IG2000, and IG2200 DDoS Firewall security appliances will defeat any
intruder attempting to mount a rate-based attack on servers, subnets or
networks. These appliances deliver maximum performance, intelligence,
and ease of deployment. The company is headquartered in Sunnyvale, CA.

To learn more about IntruGuard, please visit: www.intruguarddevices.com.

For more information about Planeetta Internet Oy, please visit: www.planeetta.net/.

Amazon.com DDoS’ed by Customers Vote Winner

Amazonlogo
In case you were hoping to take advantage of the Amazon Customers Vote deal for a $100 Xbox 360 on Thanksgiving, Amazon.com was reportedly not reachable from least 2-2:15pm EST (11am-11:15am PST). Presumably, the traffic caused by the $100 Xbox seekers was simply too much.

Some people are complaining that they couldn’t even load the Amazon homepage…

Update: There are over 500 comments in a thread on the Amazon Customers Vote Forum with disgruntled customers chiming in, in addition to other blogs which have noted the outage. Plenty of people are not happy and some are filing Better Business Bureau complaints.

Looks like a great case of a traffic flood that caused DDoS like behavior.

Websites struggling for legal recourse for DoS attacks

Pcprologo
Websites blocked by ISPs when under a distributed denial of service attack (DDoS) face millions of pounds in lost business because ISPs refuse to take responsibility for hosting infected computers on their networks.

Typically, a distributed denial of service attack relies on an attacker remotely controlling numerous and widely distributed computers infected by viruses and Trojans. The attacker uses these ‘botnets’ to send a flood of requests to a website, which is often unable to cope and its servers fail, taking the website offline.

It’s a relatively simple and cheap operation for the attacker. Keith Laslop, President of DDOS mitigation outfit Prolexic told us: ‘I’ve seen them on forums where you can hire bots for next to nothing. Four cents a bot. So you could take down a site very cheaply. You could get enough together for, say, a 50Mbits DDOS attack. You could take someone out with that.’

DOS attacks are also becoming increasingly common. During the first six months of 2006, Symantec observed an average of 6,110 DoS attacks per day.

More…

PROLEXIC PROTESTS INNOCENCE

Prolexic_logo
Anti-DDoS firm not involved in criminal activity says spokesman

One of the indicted companies in the major Giordano Internet sports betting bust, Prolexic Technologies was quick to protest its innocence following the public announcement of the New York case this week.

Prolexic is a well respected company in the forensic and DDOS field, and it took immediate steps to point out that it was simply an anti-DDOS contractor to the Playwithal site.

In statement that claims it is wrongly accused of criminal activity, the company commented: "Earlier today, New York authorities issued a 33-count indictment regarding an illegal online gambling operation.

"Prolexic Technologies, which provides Distributed Denial of Service (DDoS) solutions, was named in the indictment as the Web host provider to an Internet sportsbook. Prolexic Technologies provides a service that, amongst other things, masks a client’s IP address in order to mitigate DDoS attacks. When a trace route is performed, it appears that Prolexic Technologies is the host server, when in fact that is not the case.

"Our job is to prevent DDoS attacks, which are one of the most costly cybercrimes on the Internet," said Keith Laslop, president of Prolexic Technologies. "Prolexic Technologies in the past has worked closely with U.S. and U.K. law enforcement agencies in regard to tracking DDoS attackers, and was instrumental in the arrest of a high-profile Russian mafia figure that used DDoS to take Web sites hostage until paid a ransom. We have a history of cooperating with law enforcement authorities, and our name will be cleared of any wrong doing. Meanwhile, we are continuing to operate, as the leader in DDoS defense services."

DDoS makes a phishing e-mail look real

Attack_of_the_bots
Just as Internet users learn that clicking on a link in an e-mail purporting to come from their bank is a bad idea, phishers seem to be developing a new tactic — launch a DDoS attack on the Web site of the company whose customers they are targeting and then send e-mails "explaining" the outage and offering an "alternative" URL.

Imagine this scenario: You try to log onto your online bank but find the site isn’t working. So you figure, oh well, I will pay the bills later. Let me check my e-mail.

As you wade through the spam in your inbox trying to find some genuine messages, you notice a new e-mail that seems to have been sent by your bank. Normally, you delete these without even reading them because they are obviously from phishers.

However, in this case, the subject line is: "YourBank: Un-planned online banking outage".

The body of the e-mail, which contains logos from the bank and is not littered with spelling errors and grammatical mistakes, goes something like this:

The online banking system is currently experiencing problems and will be unavailable for at least a few days.
Until we can restore our systems, we request that you connect to our alternate Web site which will act as a backup.
Bookmarks and direct access will not work to our main site and we apologise for any inconvenience caused.
Click here to access the temporary site.

Would you be tempted? Do you know anyone that may be fooled?

I sure do.

But is this threat real?

UK bans denial of service attacks

OldbaileyA law was passed yesterday that makes it an offence to launch a denial of service attack in the UK, punishable by up to ten years in prison.

There had been concern that Britain’s Computer Misuse Act, written in the days before the World Wide Web, allowed denial of service attacks to fall through a loophole. These are attacks in which a web or email server is deliberately flooded with information to the point of collapse.

The 1990 legislation described an offence of doing anything with criminal intent "which causes an unauthorised modification of the contents of any computer"; the question was whether that covered denial of service attacks. When a court cleared teenager David Lennon in November 2005 on charges of sending five million emails to his former employer – because the judge decided that no offence had been committed under the Act – the need for amendment seemed obvious.

Lennon’s lawyer had successfully argued that the purpose of the company’s server was to receive emails, and therefore the company had consented to the receipt of emails and their consequent modifications in data. District Judge Kenneth Grant concluded that sending emails is an authorised act and that Lennon had no case to answer, so no trial took place. That ruling was overturned and Lennon was sentenced to two months’ curfew with an electronic tag. But by that time, amendments to the 1990 legislation were already included in the Police and Justice bill.

It was passed yesterday, becoming the Police And Justice Act 2006. The Act also increased the penalty for unauthorised access to computer material from a maximum of six months’ imprisonment to two years.

The 2006 Act expands the 1990 Act’s provisions on unauthorised modification of computer material to criminalise someone who does an unauthorised act in relation to a computer with "the requisite intent" and "the requisite knowledge."

The requisite intent is an intent to do the act in question and by so doing:

    * to impair the operation of any computer,
    * to prevent or hinder access to any program or data held in any computer, or
    * to impair the operation of any program or data held in any computer.

The intent need not be directed at any particular computer or any particular program or data.

The wording is wide enough that paying someone else to launch an attack will still be a crime, with a maximum penalty of 10 years in prison. Supplying the software tools to launch an attack or offering access to a botnet could be punished with up to two years in prison.

Layered Technologies Partners with netZentry to Offer Hosting Customers Complete DDoS Protection

Netzentry
netZentry, a leading developer of advanced network security and Distributed Denial of Service (DDoS) attack detection and mitigation solutions, is partnering with Layered Technologies (http://www.layeredtech.com), a premier provider of dedicated servers, to offer hosting customers this extra protection from external network attacks.

"Customers electing to add netZentry received more control and extra security on a targeted individual server basis from denial of service attacks," said Todd Abrams, President of Layered Technologies (LT). "Layered Technologies decided to provide netZentry’s DDos offering after viewing the additional protection power customers could utilize. We urge LT customers to exploit this valuable extra defense."

netZentry’s DDoS protection software, CleanTraffic, is the cornerstone of Netzentry’s Partner Program. CleanTraffic carefully tracks each DDoS attack at every stage of the attack and an automated email report is immediately sent to the customer being affected. Email notifications consist of a visual report that documents:

• Attack detection
• Attack mitigation
• Specific mitigation actions taken

CleanTraffic allows service providers and enterprises to defend tens of thousands of their clients and servers against threats in a customized manner, at a low total cost of ownership.

"Targeted attacks are becoming increasingly common," said Rangaswamy Vasudevan, CEO of netZentry. "netZentry’s CleanTraffic is the only solution that offers fine-grain protection to
maintain accessibility of individual services even when under attack. We are pleased to partner with Layered Technologies to extend this value-add service to their customers."

U.K. company brings anti-DDoS appliances to the U.S.

Picture_2_1
Webscreen Technology is relaunching its denial-of-service mitigation appliances in the United States after 18 months of concentrating its efforts abroad.                                                 
The company was founded in the United States in 2001 and was bought by a group of U.K. investors in 2005. With its return to the United States it is announcing Webscreen 3.0, an upgrade to its flagship product that adds bandwidth optimization tools.

Webscreen appliances sit outside corporate firewalls and protect Web sites from distributed DoS attacks by evaluating what traffic can be trusted and what traffic can’t. It constantly ranks traffic from trusted to untrusted so the most suspect traffic is dropped first during attacks.

The devices are typically installed in learning mode for a week to determine normal traffic patterns before they are switched on in defense mode. Inspection is performed based on an algorithm, and the device uses no pattern matching to determine suspicious traffic.

The device begins to block traffic only when attacks are severe enough to degrade performance of a Web server, the company says.

Version 3.0 enables reserving bandwidth for key applications and users even in the midst of an attack. This can reserve capacity for essential business tasks and reduce the need for adding bandwidth to Internet links to overcome the volume of unnecessary traffic.

The software maps where attacks are coming from and distributes this data among all the Webscreen devices protecting the various Internet access points in a network. This helps ward off attacks if they shift from one site to another.      

Webscreen Partners with Crossbeam

Picture_1_7
Webscreen Technology Ltd
, the UK
based network integrity solutions vendor has today announced a strategic
technology partnership with Crossbeam Systems®, Inc ., the leader in
unified threat management (UTM) for the world’s largest networks ,
strengthening Webscreen’s claim to be the world leader in DDoS defence
system technology.

Webscreen’s technology has been developed to provide maximum
protection against the full gamut of threats designed to bring down
Internet connected servers and disrupt critical services, particularly a
problem for Web-based enterprises and public service organisations who
need to maintain 24/7 access for their users. Using an anomaly based,
heuristic, algorithm Webscreen’s WS Series of network appliances monitor
all incoming traffic for signs of malicious attempts to flood the
system’s resources, blocking any suspicious activity at the network
perimeter and permitting legitimate traffic to pass through.

Customers choosing to run Webscreen’s intelligent screening
technology can now take advantage of Crossbeam’s highly-flexible UTM
platforms offering best-of-breed security applications, including
firewall, VPN, intrusion prevention and content filtering from the
world’s leading vendors. Crossbeam’s unique UTM platform enables
companies of all sizes to consolidate their security infrastructures
without compromising security policies, while also generating
significant cost benefits for the organization.

Established in the US in 2001 Webscreen Technologies was acquired by
a privately funded, UK team of security professionals in October 2005
and is now providing protection for some of the most high profile
ebusiness websites in the world including ISPs, ASPs and system
integrators where service availability is a key requirement. The ISP
community in particular is growing rapidly, and Webscreen is proving its
worth not only to protect the Data Centre infrastructure, but also to
differentiate the ISP service proposition. Today, Webscreen protects
over 5 million websites worldwide and across many vertical market
sectors.

Robin Hill, Webscreen’s VP of Sales commented "This agreement is
highly important to our overall growth plans for Webscreen and
represents both an excellent endorsement for the technology itself and
also a major opportunity for us to extend our global reach through
Crossbeam’s worldwide network of partners. Crossbeam is a highly
respected company whose innovative approach is recognised by all leading
industry watchers as the way forward for corporate security deployments.
We are delighted to be included in the company’s portfolio of leading
security technologies."

Crossbeam Systems is the leader in unified threat management (UTM)
for the world’s largest networks, and has redefined UTM by offering
traditional and cutting-edge applications that meet the specific needs
of any enterprise or service provider.

"The market demand for UTM is clearly evident as more and more
companies are looking for simplified security architecture to protect
the integrity of their public networks. The addition of Webscreen to the
Crossbeam platform further enhances our UTM offering and enables
companies to rapidly deploy the right defence in depth solution for any
part of the network," said Joel Silberman, vice president of ISV
partnerships and business development at Crossbeam Systems. "In
addition to traditional UTM applications such as anti-virus and
intrusion detection/prevention systems, we can now offer end-users the
assurance of uninterrupted access to their critical resources under the
most severe external DDoS attack."

Up to One Million Zombies

Picture_2
Messagelabs are reporting that cyber criminals are assembling a million zombies into one of the largest bot-nets ever. This article speculates that the purpose will be to launch phishing attacks against consumers who are ready to shop this holiday season. Other possibilities are spreading malware or launching massive DDoS (Distributed Denial of Service) attacks. One million bots is overkill for DDoS so the phishing attacks are more likely.

Or maybe in the spirit of fall harvest (here in the Northern Hemisphere) a group of pharmers are gathering in their herds ready to distribute them to the highest bidder in chunks of 20,000 or so. Either way, prepare for more attacks, more profits for cyber criminals, and more innovation as this year’s crop cyber attacks matures.