Aaargh! Zombies!

Patrick Gray interviews Arbor's Nick Race to learn about the company's approach to targeting botnets.

In the good old days, Distributed Denial of Service (DDoS) attacks were regarded as more of a nuisance than a menace. They were considered, among recreational hackers, as the lamest form of attack, so not much thought seemed to go into how to prevent them.

Those recreational hackers, who later formed the information security industry, were more focused on preventing data loss than on boosting availability. Now that the Internet is more than a cool place to host brochureware, the humble old DDoS attack is enough to scare the absolute willies out of many sensible CIOs. Think of companies like Jetstar, Virgin Blue, eBay and online banking applications and so on -- it's bad news if there is any downtime there.

Patrick Gray asked Arbor Networks' Nick Race what his company is doing to stamp them out.

Arbor provides technology to the telcos so they can filter their services and provide clean, DDoS-proof pipes. The bad news is that this leaves the humble enterprise up the proverbial creek without a paddle if they're being attacked, unless they happen to purchase those clean, DDoS-proof pipes from a telco that offers managed services.

Patrick Gray started by asking Race how Arbor's technology detects botnets.

Nick Race: The way that typical botnets are controlled is through an IRC channel. So detection mechanisms revolve around understanding which IRC channels botnets are instigated from. Using that information you can then actually protect against those botnets. Arbor technologies use something that we call fingerprints, which are similar to antivirus signatures, but rather than being a static payload where you are looking for a known pattern, a fingerprint describes something in a behavioural sense.

So we are looking for the known IRC command and control channel in the instance of botnets. That is how we detect them, using fingerprints. We have technologies, as I said before, both for service providers and for enterprises, and they use these fingerprints to do detection either in the telco's network or in the enterprise network. Typically under DDoS conditions we would see a large volume of traffic destined for a target location. It's the nature of botnet attacks that they can come from anywhere on the internet, and in that instance we are looking at the sheer volume of attack traffic.

In the case of the enterprise network, we actually use NetFlow information, at layer four, from the enterprise's switching and routing infrastructure, and when conversations or traffic occur to the known botnet sites, that is how it is detected, and then we can use mitigation techniques to stop it.

PG: So I guess you are talking about preventing computers within the enterprise joining botnets aren't you?

NR: Absolutely right. Botnets can be used for a number of things. One of them is if you've got a particular zombie within an organisation then it has the ability to spread worms and viruses to other pieces of infrastructure within that enterprise. Or alternatively it can be used as a source of a larger DDoS attack on an outbound centre of that enterprise.

PG: Is most of what Arbor focuses on centered around preventing zombies at the source? What can you do if you are being targeted by a botnet in a distributed denial of service attack? What does Arbor say you need to do in that case?

NR: Currently we have about seventy percent of the tier one telcos globally using our technology and we have something called a fingerprint sharing alliance. So if you have a DDoS attack instigated overseas on an Australian organisation, then the Australian telco can detect and mitigate that attack within their network, and they can also share the fingerprints upstream to the other countries where the telcos there are using similar technologies. What we can do is we can actually stop the botnet at source in other countries.

PG: Now we are talking about actually stepping on the botnets in the cloud. Just say that I am an Australian enterprise security manager and I am a little bit concerned that I am about to get hammered with a distributed denial of service attack. What can people do once the attack has begun? Kit really isn't the solution, is it? Because often you are just dealing with your pipe or your processing capacity being hammered.

NR: Yeah. There are a couple of things you can do. Firstly you can detect that within your own enterprise and then what you can do is apply filters and ACLs at the edge of your network to stop it entering your network.

But secondarily, you are right, trying to solve a DDoS problem at the enterprise level doesn't solve the problem because the last mile will be overloaded. So what you need to do is work with service providers who offer managed DDoS protection services. So in that instance, telcos will offer effectively a clean pipe internet solution whereby the DDoS attack is detected within their cloud and then it is actually cleaned within their cloud and only good traffic is delivered to the enterprise destination, thereby alleviating the bottleneck of that last mile.

PG: This is your selling proposition, isn't it? This is a solution that you take to your tier one telcos and say hey, now you can start offering DDoS-proof services to your clients? Is that really what Arbor is all about?

NR: For our service provider customers we not only provide protection for their network but also revenue generating opportunities for them to offer managed security services.

PG: Why would the enterprise market invest in stuff that you guys make? What is the value to enterprise security in buying Arbor kit?

NR: The Arbor enterprise equipment provides insider threat protection. Because we use NetFlow information from the existing switching and routing infrastructure within an enterprise, we actually will get to see every transaction on their network. Then what we can do is anomaly detection on that traffic. So anomalies could be security anomalies such as botnets and phishing sites. So again, if an individual within an enterprise is foolish enough to click on an email that says click here to update your banking details and then shoots off to a phishing site, we will detect that inside the customer's enterprise network as well.

PG: Just out of curiosity here, how much of your revenue comes from the telco stuff versus the enterprise stuff?

NR: Our heritage is in the service provider space, so the majority of our revenue comes from that side of the market. However, we've been in the enterprise market for five years, so that is certainly a growing area for us.

PG: So you are doing a Juniper!

NR: (Laughs) It is not unusual for infrastructure providers to start in the service provider space and move into the enterprise.

PG: Do you foresee a time in the future when really there will be some intelligent hardcore, crazy boxes spread throughout tier-one telcos all over the world that will render DDoS attacks as we know them now obsolete?

NR: I like to think that we are part of the way down that path already. Certainly we provide DDoS mitigation technology that runs at line rate within the telco's network such that we can deliver clean pipes to the telco's customers that wish to pay for that. Absolutely.
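Race describes two NetFlow-driven checks: a behavioural fingerprint (an internal host talking to a known botnet command and control host on an IRC port) and a volumetric anomaly (many sources converging on one destination). The following is an added illustration of both checks over constructed flow records; it is not Arbor's code, and the C2 address, port list and thresholds are assumed placeholders, not real indicators.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal layer-four flow record, as a NetFlow collector would export it."""
    src: str
    dst: str
    dport: int
    bytes: int


# Assumed placeholders: a known C2 host (TEST-NET-2 range) and common IRC ports.
KNOWN_C2 = {"198.51.100.7"}
IRC_PORTS = {6667, 6697}

# Constructed sample flows: one internal host joins the C2 IRC channel, two
# ordinary web flows, and eight external sources flooding a single target.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "198.51.100.7", 6667, 1_200),
    Flow("10.0.0.8", "203.0.113.10", 443, 50_000),
    Flow("10.0.0.5", "203.0.113.10", 80, 2_000),
] + [Flow(f"192.0.2.{i}", "203.0.113.20", 80, 9_000) for i in range(1, 9)]


def detect_c2_flows(flows, known_c2=KNOWN_C2, irc_ports=IRC_PORTS):
    """Fingerprint check: return internal hosts with a flow to a known C2 host
    on an IRC port. These are the candidate zombies to isolate and clean."""
    hits = {f.src for f in flows if f.dst in known_c2 and f.dport in irc_ports}
    return sorted(hits)


def detect_volumetric(flows, min_sources=5):
    """Volumetric check: for each destination, count distinct sources and total
    bytes; flag destinations hit by at least min_sources distinct sources.
    Returns {dst: (distinct_sources, total_bytes)} for flagged targets only."""
    sources = defaultdict(set)
    volume = defaultdict(int)
    for f in flows:
        sources[f.dst].add(f.src)
        volume[f.dst] += f.bytes
    return {
        dst: (len(srcs), volume[dst])
        for dst, srcs in sources.items()
        if len(srcs) >= min_sources
    }


if __name__ == "__main__":
    print("zombies:", detect_c2_flows(SAMPLE_FLOWS))
    print("flooded targets:", detect_volumetric(SAMPLE_FLOWS))
```

On a real network the thresholds would be set from a learned per-destination baseline rather than a fixed source count, which is the anomaly-detection step Race alludes to.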

This Q&A is a transcript of an interview that appeared in the Risky Business security podcast. Transcript by Danie Smallwood.
