In the early part of 2000 a lone 15 year old canadian hacker named Mafiaboy launched a series of DDoS attacks against some of the largest eCommerce sites; eBay, Yahoo, Aol, and others, causing significant denial of service conditions. At the time I was working at Network Associates in their PGP security division and during one of the press interviews we dubbed the malware used for DDoS attacks (such as Trinoo, Stacheldraht, and TFN) zombie agents or zombies. I thought the name was silly, but then I lack technicity.
Denial of service attacks and technologies to deal with them sprang up and eventually became a part of doing business in an increasingly digital world. However the majority of the attacks were the equivalent of cybervandilism. Somewhere between 2002 and the present finanically motivated cybercrime became more prevelant and we began to see botnets used for blackmail schemes, spam-relays, click through scams, identity and data theft – basically a single entity could, through an obfuscated chain, remotely control a set of contituents, which in turn would control another set of constituent computers and thus was born an extremely efficient means to carry out digital crime. For the most part dealing with botnets was done by defending against botnet attacks in the form of DDoS protection at the network or preventing infection of the hosts as part of the organizations anti-malware strategy. Organizations were not really going after “botnets” themselves and enterprises were not looking for anti-botnet technology.
Trend recently announced an anti-botnet service which utilizes DNS and BGP routing tables to identify infected hosts or bots. It will be sold as Intercloud Security Services and will be available Q406. If there is industry cooperation, especially at the ISP level, then this is positive for network security in general – similar to Arbors contribution with their fingerprint sharing alliance program.
Botnets are not new and as I mentioned earlier organizations are not really looking for anti-botnet technology, they are looking to prevent the results of botnets; DDoS attacks, spam, host infections, data theft, etc. The problem with an anti-botnet technology or service THAT COSTS MORE is that organizations would still need DDoS prevention, anti-spam, anti-malware, anti-data theft, anti-x technologies. So although I understand their proposed business model and applaud their contribution to fighting botnets I question whether organizations will pay for this as a technology or as a service.
Bottom line: Unlike surviving a real-world zombie attack through reactive measures; running fast, locking yourself in a mall, and carrying a really big chainsaw, botnets require a more strategic and proactive approach, best practices for network and host security, coupled with working with your upstream provider to deliver more security services is a good thing and are as applicable to botnets as they are to trojans, and worms, and viruses, and tomorrow’s nano-bacterial virii transferred from avain to computer through an infected capuchin monkey – basically for most enterprises botnets do not need a seperate classification, set of technologies, processes, and services to deal with. Certainly there are tactical reasons a company may look to anti-botnet technology, but strategically this is just one more feature set that should be added to our arsenal of tools without having to pay a premium for the service.