Bots and Network Security

Stephen DeAngelis

November 2, 2006

As many Typepad bloggers are aware, last May the Typepad site underwent a new and serious kind of attack. The details of the attack have recently been published in Wired magazine [“Attack of the Bots,” by Scott Berinato, Issue 14-11 November 2006]. Berinato’s article begins like a Michael Crichton novel:

At first, it looked like typical network congestion. So the system administrators weren’t too concerned when TypePad blogs and LiveJournal social networks flickered like a light bulb in a faulty socket. But 15 minutes later, at 4 pm on May 2, 2006, the sites went dark, and so did the mood at Six Apart, the company that owns them. In the blink of an eye, 10 million blogs and online communities disappeared.

This certainly wasn’t the first denial-of-service attack mounted against a corporate site and Six Apart technicians thought they were prepared for that contingency. But this attack didn’t look or behave like anything they had seen before.

Flash floods of data thundered into one network port, stopped inexplicably, then reappeared to overwhelm another. The engineers pored over logs, desperately looking for a cause. After an agonizing hunt, they found it: a distributed denial-of-service attack, or DDoS. Six Apart’s servers had been inundated with so many requests that the machines couldn’t possibly process them all. It was the digital equivalent of filling a fish tank with a fire hose. The Six Apart team sealed off nearly all access to its network. The sites came back online. Ten minutes later, they crashed again. The attacker had found an unprotected entry point and aimed a volley squarely at it. With the data fusillade focused on a single port, the engineers could study it, even if they couldn’t stop it.

The attack, it appears, was aimed at a company in Israel, but the brunt of the assault was being felt at Six Apart, and they weren't sure why. The technicians thought that by isolating the site from which the attack was coming they could contain it; they were wrong.

The dodge didn’t help. Within minutes, the attacker turned his attention to Six Apart itself. The company’s servers were slammed by a reflective DDoS attack, a technique that boosts the volume of malicious traffic by running it through a sort of Internet echo chamber. At 8 pm, the sites suddenly went dark again, almost as if someone had flipped a switch. Six Apart was dead. The bots had won.

The bots were what was unique about this attack. They follow simple rules, they never tire, and they never stop trying to accomplish what they were sent out to do. The attack was not mounted by a single bot but by a network of bots, or a botnet.

Six Apart had fallen prey to a botnet – a network made up of independent programs, or bots, acting in concert. Over the years, corporate IT managers have learned to firewall their networks to block unauthorized intrusion and patch their system software to keep out viruses, worms, and Trojan horses. Likewise, PC owners have installed tens of millions of personal firewalls and antivirus programs. But bots are infiltrating even protected computers, and they have quickly become a bigger threat than virulent malware like the famously destructive Melissa, I Love You, and Slammer.

This is a growing threat to resiliency and one with which the cyber security industry is still wrestling. Berinato offers a good explanation of what individuals and organizations are up against.

Like viruses, bots spread by installing themselves on Net-connected computers. The difference is that, while viruses act individually according to an inflexible program, bots respond to external commands and then execute coordinated attacks. The operational software, known as command and control, or C&C, resides on a remote server. Think of a botnet as a terrorist sleeper cell: Its members lurk silently within ordinary desktop computers, inert and undetected, until C&C issues orders to strike.

Berinato notes that not all bots are bad, but increasingly most of them are. He writes that the term malicious bot is becoming redundant.

Networks of bots distribute as much as 90 percent of all junk email, says David Dagon, a doctoral student at Georgia Tech who wrote his thesis on the topic. Earlier this year, a notorious spammer from Michigan pled guilty to using botnets to send millions of email come-ons. Coordinated swarms of independent software agents are also the perfect vector for online fraud. They automate the processes of clicking on ads that generate per-click revenue and installing pop-up advertising engines that generate per-install revenue. Bot-driven fraud has become such a big business that Google was recently sued by class-action plaintiffs who claimed that bots, not people, had clicked on their ads. The ads were priced based on how many clicks they received; apparently competitors had hired bots to jack up the rate with an avalanche of extra clicks. Charged with negligence for failing to guard against such abuses, Google settled for $90 million. Bots can also monitor keystrokes to collect passwords and other sensitive data for identity theft and credit card fraud. In one 2005 case, bots spread spam purporting to contain pornographic attachments. When a recipient opened the file, it installed a keystroke logger that captured, among other things, LexisNexis credentials. Using that information, the hackers compromised 300,000 accounts.

Berinato goes on to explain that bots look for vulnerable computers and, once in control of them, also gain access to their networks (meaning more bandwidth and more capability to cause mischief). Eventually, Six Apart and its ISPs were able to fashion a defense they called a "force field" that held against new waves of attacks through the night. Resilient enterprises are going to require "force fields" of their own that automatically repel attacks and track their source. Such a defense will have to be automated because the size of the attacks is astronomically large. Berinato warns, however, that "different approaches address various aspects of the problem, but a comprehensive solution has proven elusive. … Researchers, vendors, and officials must come together to build a broad defense, a combination of technical, legal, regulatory, and social fortifications capable of turning back the bot tide." The rest of his article provides an interesting peek into the criminal underground that deals in bots, and reading the entire article is well worth the effort.
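The two traits the article describes, a flood that concentrates on one port and then reappears on another, and traffic arriving from a great many independent sources rather than one noisy client, are exactly what an automated "force field" has to recognize before it can react. The following is an added example, not code from the Wired article, from Six Apart, or from this post: a small sliding-window detector run over constructed connection-log lines. The log format (`epoch_seconds source_ip destination_port`), the IP addresses, and the thresholds are all assumptions chosen for illustration; a real deployment would read its own flow or web-server logs and tune the thresholds to its baseline traffic.

```python
"""
Added example (not from the Wired article or the blog post it discusses):
a sliding-window flood detector over constructed connection-log lines.

It flags any window in which one destination port's request rate exceeds
a threshold, and labels the flood "distributed" when it comes from many
distinct sources (the botnet pattern) or "single-source" when one client
is responsible. Run as a script it prints the alerts for the sample log.
"""
from collections import defaultdict

# Hypothetical log format: "<epoch_seconds> <source_ip> <destination_port>".
# Constructed sample traffic:
#   * background: two ordinary clients, one request per second each, port 80
#   * burst 1: 200 distinct sources hit port 80 during seconds 10-14
#   * burst 2: one abusive client hits port 22 at 500 req/s during 20-24
#   * burst 3: the same 200 sources move to port 443 during seconds 30-34
def build_sample_log():
    lines = []
    for t in range(0, 40):
        for client in ("10.0.0.5", "10.0.0.6"):
            lines.append(f"{t} {client} 80")
    for t in range(10, 15):
        for i in range(200):
            lines.append(f"{t} 192.0.2.{i % 250} 80")
    for t in range(20, 25):
        for _ in range(500):
            lines.append(f"{t} 203.0.113.9 22")
    for t in range(30, 35):
        for i in range(200):
            lines.append(f"{t} 192.0.2.{i % 250} 443")
    return lines


def parse(line):
    """Split one log line into (timestamp, source_ip, destination_port)."""
    t, src, port = line.split()
    return int(t), src, int(port)


def detect_floods(lines, window=5, rate_threshold=50, min_sources=20):
    """Return a list of alerts, one per (window, port) whose request rate
    is at or above rate_threshold requests/second.

    Each alert is (window_start, dst_port, req_per_sec, distinct_sources, kind),
    where kind is "distributed" if at least min_sources distinct sources took
    part and "single-source" otherwise. Thresholds are illustrative defaults.
    """
    sources = defaultdict(lambda: defaultdict(set))  # window -> port -> {src}
    counts = defaultdict(lambda: defaultdict(int))   # window -> port -> count
    for line in lines:
        t, src, port = parse(line)
        w = t - (t % window)          # fixed-size window start
        sources[w][port].add(src)
        counts[w][port] += 1

    alerts = []
    for w in sorted(counts):
        for port, n in counts[w].items():
            rate = n / window
            if rate >= rate_threshold:
                distinct = len(sources[w][port])
                kind = "distributed" if distinct >= min_sources else "single-source"
                alerts.append((w, port, rate, distinct, kind))
    return alerts


def flooded_ports(alerts, kind="distributed"):
    """Sequence of ports hit by floods of the given kind, in time order.
    A changing sequence shows the attack shifting from one port to another."""
    return [port for (_, port, _, _, k) in alerts if k == kind]


if __name__ == "__main__":
    for alert in detect_floods(build_sample_log()):
        print(alert)
    print("distributed floods moved across ports:", flooded_ports(detect_floods(build_sample_log())))
```

Counting distinct sources per window is what separates a botnet flood from a single misbehaving client: the former cannot be cut off by blocking one address, which is why the article's defenders had to fall back on sealing off ports and eventually on upstream help from their ISPs. The same per-port, per-window view also records the attacker's shift from one port to another, the behaviour Six Apart's engineers only discovered by poring over logs by hand.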