Five Lessons for Your Website from U.S., South Korean Web Attacks

CIO — On July 4, a botnet estimated to contain between 30,000 and 60,000 compromised computers received new marching orders: Attack five U.S. government Web sites.

By Tuesday, the attack had widened, hitting at least 26 government, financial and news Web sites in the United States and South Korea. The attack escaped the notice of many network monitoring firms, who labeled it a "modest" packet flood, but severely impacted some of the targeted sites. Many sites, such as the White House's online hub, stoically weathered the attack, while others, such as the Federal Trade Commission's site, became inaccessible for long hours or days.

Companies should look at the attacks as a reminder to test their preparedness, says Amit Yoran, CEO of security firm NetWitness and the former head of the National Cyber Security Division at the U.S. Department of Homeland Security.

"If this can happen to mature organizations that really understand what the threat environment looks like—and are still falling victim to this stuff—it sends an ominous signal to other companies, who might not be as ready as they would like," says Yoran.

[ For timely data center news and expert advice on data center strategy, see CIO.com's Data Center Drilldown section. ]

Yoran and other experts suggested that data-center and hosting operators, as well as enterprises, use the attacks to check their defenses.

1. Size doesn't always matter

While the U.S. government is not discussing details of the attack, security firm Arbor Networks protected one of the industry sites targeted by the packet flood, which the firm measured at about 23 to 25 megabits per second. That's more of a trickle to security companies used to defending sites from denial-of-service attacks weighing in at hundreds-of-megabits to gigabits per second. Attacks leveled against the Church of Scientology in January 2008, for example, were 10 times larger than the current attacks.

"We are seeing these attacks are pretty modest—it depends on your level of readiness," says Jose Nazario, manager of security research for Arbor. "I can see why some sites are like, 'What attacks?' while others are like, 'Oh my God!'"

Rather than being a measure of the sophistication of the attacker, the average attacks are highlighting those companies and government agencies that have not adequately prepared for a flood of network packets.

"If you are running a large data center, make sure you got the tools, capabilities and staffing so that if a flood is coming in that you can respond to it, or that you have relationships with the upstream provider to quickly get them involved," says Nazario.

2. Attacker intent required, skills optional

Security experts also stress that the current crop of attacks do not require much skill on the part of the attacker. The would-be attacker might be a protester that sympathizes with some cause, a patriotic hacker who attacks sites that criticize a nation, or a group sponsored by a nation-state.

The tools to conduct such attacks are readily available on the Internet. The attacks against U.S. and South Korean sites, for example, appear to use software cobbled together from a variety of sources, including the source code for the MyDoom worm, which first started spreading in 2004.

"Anyone can launch a distributed denial-of-service attack," says Joe Stewart, director of malicious threat research at SecureWorks. "There is plenty of code out there to launch attacks. They just have to have a reason to do it."

3. Know your upstream provider

One of the best things a company can do to prepare for attacks is to know who to talk to when things go wrong.

All companies should have authorized decision makers who have met the incident response groups at the firm's upstream provider, says Arbor's Nazario.

"Having that relationship and being able to diagnose the issue rapidly will go a long way to helping you stay on the Net," he says. "These (types of) attacks have not gone away, they are getting bigger and worse, and these latest attacks underscore that—not that they are any worse, but that they are another data point in what's happening."

4. Don't try to keep it a secret

Following attacks over the weekend, the U.S. government released very little information about what was happening.

The U.S. Department of Homeland Security reportedly released the software used in the attacks to some victims and security companies so that they could better defend themselves, but overall, the response was to lock down any information about what was happening, says NetWitness's Yoran.

"This is a good sampling of a large scale attack that has a lot of people's attention and a lot of people concerned," he says. "And it has been going for several days now, and there has been a coordinated restriction of information from the government. And that causes all sorts of issues: People are misinformed and they are jumping to the wrong conclusions."

Companies and government agencies need to better communicate threats so that others on the network can better defend themselves, he says.

5. Defend against the unknown

Finally, while the current incident involves well-known denial-of-service attacks, the next online threat may not be so run-of-the-mill.

Companies should make sure that they have some defenses that do not rely on prior knowledge of the attack techniques, Yoran says.

"You need technology that can deal with threats on day zero and not rely on signature-based defenses," he says.

Do you Tweet? Follow everything from CIO.com on Twitter @CIOonline.