Volume 15, Issue 11
December 2011

KMI MEDIA GROUP


BATTLING BOTNETS

Whether the U.S. Military Should Establish Its Own Botnet Capability
is Debatable, But Defending Against Them is a Necessity.

by Peter A. Buxbaum, MIT Correspondent


In May of last year, a distributed denial of service (DDOS) attack was launched against government and commercial computer networks in the Baltic nation of Estonia. Rumors abounded at the time that the Russian government was behind the attack, miffed by a perceived slight by the Estonian government.

A DDOS attack involves launching huge volumes of e-mail or other messages, more than the target system can handle, from multiple locations, thus disabling the target. Perpetrators often muster the capacity to direct massive messaging activity by surreptitiously taking over tens of thousands of computers by embedding them with software components known as malware and transforming them into robots, or “bots,” and arraying these in a decentralized network, or “botnet.”

Botnet components are then orchestrated to attack the intended target. Botnets are also used to send large volumes of spam, and to launch micro-targeted low and slow attacks designed to discreetly penetrate systems to gather information.

The key piece of evidence connecting Russia to the Estonia attack was that some of the e-mail traffic directed toward Estonian computers was traced back to a Russian government computer. But that did not prove Russian government involvement, because that system could have been recruited to an offending botnet, or the perpetrators could have otherwise spoofed the origin of the traffic. Indeed, most experts have concluded that the attack was organized by ethnic Russians within Estonia, without Russian government complicity.

Experts are unanimous that today’s primary use of botnets is by criminal elements out for monetary gain. But the Estonia attack, even if it was not initiated by the Russian government, underscored the need to protect systems from a military-style attack, and perhaps also to develop the capability to counterattack.

“The primary threat from botnets comes from criminal groups, which try to get personal information to steal someone’s bank account,” said Pat Peterson, chief technology officer of Ironport, a division of Cisco Systems. “But Chinese, Russian, Iranian or other foreign powers could also use botnets to scan hard drives, copy keystrokes, steal passwords and study network topologies on U.S. military systems.”

GOING ON THE OFFENSE

Perhaps in reaction to the Estonia incident, some in the U.S. military have begun considering the possibility of developing its own offensive and defensive botnet capabilities. In a recent article in Armed Forces Journal, Air Force Colonel Charles Williamson advocated the deployment of a distributed computing capability by the Air Force that could take out offending systems by launching their own DDOS attacks against them.

Williamson argued that the U.S. military could use excess and obsolete computer capacity to generate this capability. As such, this capability would not be a true botnet since it would not involve the exploitation of third-party computers. (Williamson, a lawyer, was trying to obviate violations of the international law of warfare, which prohibits combatants from disguising their origins.)

The Air Force Research Laboratory posted a broad agency announcement (BAA) this spring that cryptically indicated a desire to develop a “proactive botnet defense technology.” Elsewhere in the BAA, the AFRL announced it was seeking the capability to infiltrate offending systems, to exfiltrate information undetected, and, if necessary, to destroy the system.

“Of interest,” the announcement said, “are any and all techniques to enable user and/or root level access to both fixed and mobile computing platforms and methodologies to enable access to any and all operating systems, patch levels, applications and hardware.”

“Attacks on national security systems happen all the time, but they are less likely to be denial-of-service attacks and more likely to be attempts at intrusion,” said Jim Lippard, director for information security at Global Crossing, a telecom solutions provider. The AFRL BAA appears to be answering the latter type of threat.

The U.S. military has been aware of these types of threats for at least a decade. In February 1998, network monitors noticed an increase in attack activity directed toward Department of Defense computer systems that appeared to originate in the Middle East. This activity raised alarms because it appeared to be responding to U.S. air attacks on Iraq, which were routinely undertaken in the aftermath of the first Gulf War in response to Iraqi violations of U.S.-imposed no-fly zones.

As it turned out, the attack was perpetrated by a small group of teenagers. Most were in California, while another was indeed located in the Middle East, but in Israel rather than Iraq. The attackers succeeded in obscuring the origins of the attack, at least initially.

The incident highlighted the fact that U.S. military networks, connected to the same public, international network as the rest of the world, were subject to the same vulnerabilities to hackers. It was also the precipitating event that led to the establishment of the Joint Task Force Computer Network Operations (JTF-CNO).

“Military networks are connected to the global Internet not too differently than commercial networks, through discrete gateways,” noted Marcus Sachs, director of the SANS Institute Internet Storm Center, who is a retired Army officer and former staff member of the JTF-CNO. “Because DoD computers are connected to the Internet, it is already targeted due to random scanning by botnets. There are also those who want to target DoD.”

The Estonia attack, which primarily targeted commercial financial networks, was able to bring the Estonian banking system to its knees for several days. But the effects of the attack were mitigated by the efforts of the Estonian computer emergency response team (CERT), according to Gadi Evron, an Israeli botnet expert.

The CERT, “in cooperation with local providers and volunteer networks of IT professionals in industry and government, coordinated the emergency defense program,” Evron related. “The team was immediately involved in analyzing the severity of the incident, sending abuse reports to service providers abroad, and facilitating information exchange between the affected organizations and service providers.”

The team organized an online chat room, where network defenders could exchange information. The same forum also provided the Estonian authorities with real-time information on attack targets and types.

BOTNETS VS. BOTNETS

DoD networks and systems have a number of tools and techniques available to them to fight off botnet activity. “It is often more convenient to block the destination rather than trying to trace the source of an attack,” said Lippard.

But Lippard is skeptical about the use of botnets to counter botnets. “Our best defensive measures will not be to attack with a botnet, but to maintain a layered network security mechanism, including monitoring and intrusion detection and prevention,” he said. “Data replication is necessary to keep systems running when a machine is infected. Those are the right defenses.”

Identifying attack traffic can be accomplished with automated tools. “Our tools can identify malicious traffic and classify the nature of an attack,” said Danny McPherson, chief security officer at Arbor Networks.

These attacks most often will affect multiple Internet service providers (ISPs), McPherson noted. “If a system is identified as being the target of an attack, we can notify ISPs and they can drop all traffic to that site. We are also able to trace back attacks to their sources and to provide an array of mitigation options, including scrubbing the bad traffic out of the network flows.”
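As an added example (not from the article, and not Arbor Networks’ tooling), a minimal version of the identify-the-target step McPherson describes, run over constructed flow records: a destination that receives flows from many distinct sources inside one time window is flagged, and each hit is turned into the ISP notification the article mentions. The record format and thresholds are assumptions.

```python
"""Volumetric DDoS target identification over NetFlow-style records.

Added example, not the article's or any vendor's code. Flow records are
constructed sample data; window size and thresholds are assumed values.
"""
from collections import defaultdict

# Constructed sample flows: (timestamp_sec, src_ip, dst_ip, dst_port, bytes)
SAMPLE_FLOWS = (
    # ordinary browsing to a bank's web server from a few clients
    [(0, "10.1.1.5", "192.0.2.10", 80, 1200),
     (1, "10.1.1.6", "192.0.2.10", 443, 900),
     (2, "10.1.1.5", "192.0.2.10", 443, 1400)]
    # one busy client doing a large transfer: many flows, a single source
    + [(t % 10, "10.2.2.2", "192.0.2.30", 22, 1500) for t in range(300)]
    # distributed flood: 250 distinct sources, tiny packets, one destination
    + [(i % 10, f"198.51.100.{i}", "192.0.2.20", 80, 64) for i in range(250)]
)


def detect_ddos_targets(flows, window=10, min_sources=100, min_flows=200):
    """Bucket flows by (destination, time window) and flag destinations hit
    from many distinct sources in one window.

    The distinct-source count is what separates a distributed flood from a
    legitimate bulk transfer, so the single busy client above is not flagged.
    Returns {dst_ip: {"sources": n, "flows": m, "window_start": t}}.
    """
    buckets = defaultdict(lambda: {"sources": set(), "flows": 0})
    for ts, src, dst, _port, _nbytes in flows:
        b = buckets[(dst, ts // window * window)]
        b["sources"].add(src)
        b["flows"] += 1
    hits = {}
    for (dst, start), b in buckets.items():
        if len(b["sources"]) >= min_sources and b["flows"] >= min_flows:
            hits[dst] = {"sources": len(b["sources"]),
                         "flows": b["flows"], "window_start": start}
    return hits


def mitigation_plan(hits):
    """Turn detections into the two actions the article names: tell upstream
    ISPs which destination to drop or scrub traffic for."""
    return [f"notify ISPs: drop/scrub traffic to {dst} "
            f"({h['sources']} sources, {h['flows']} flows)"
            for dst, h in sorted(hits.items())]


if __name__ == "__main__":
    for line in mitigation_plan(detect_ddos_targets(SAMPLE_FLOWS)):
        print(line)
```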

For Peterson, the most important element involved in countering the potential of botnet penetration is to secure e-mail inboxes and user access to the Web. “Virtually all large attacks now involve sending e-mails with a link to a Web page,” he said. “Sometimes these are legitimate Web pages that have been infected with malware and are downloaded to user machines.”

Peterson identifies three aspects to ensuring that e-mail inboxes and Web browsers are safe and secure: scanning incoming e-mail for safety, inspecting requested Web pages to make sure they are not uploading malware to browsers, and training personnel to detect system penetration schemes.

“Many attacks today involve social engineering. E-mail recipients are convinced to click on a link, which will then ask them to supply sensitive information or download malware,” said Peterson. “The weakest link in the security chain is the gray matter between the ears of users.”

NETWORK PROTECTIONS

A holistic anti-botnet approach comes from a firm called FireEye. “Our approach dynamically analyzes network flows to detect malicious activity,” said Ashar Aziz, FireEye’s chief executive officer. “We are also able to identify the location of a botnet’s command and control mechanism and share that with others to create a global alliance against the botnet infrastructure.”

FireEye’s system takes a two-step approach to prevent malicious traffic from reaching user systems. The system is designed to yield a low rate of missed attacks and an almost zero rate of false alerts, Aziz explained. The front-end of the system flags and captures suspicious network flows by casting a wide net to minimize missed attacks. The second part of the analysis is designed to pinpoint which flows contain malicious code.

The second phase feeds flagged network flows into FireEye’s virtual machines, which are configured like user desktops. If the suspicious code damages the virtual machine, the flow is identified as malicious and is blocked. This applies to incoming e-mail and messages as well as to Web data being downloaded by browsers. This process may result in a delay of a few seconds before cleared Web pages are loaded to the browser.

Aziz likens the second phase of the analysis to a king feeding suspicious food to a servant. If the servant dies, the food was poisoned.

“In the old days, the king didn’t test the food against a list of known poisons,” Aziz explained. “The reason why that system worked was because the king and the servant shared the same vulnerability to poison. Similarly, the virtual machine has same vulnerability as a machine on the network.”

DoD could also protect its networks by restricting access to e-mail and Web pages. Some organizations have developed blacklists of suspicious Web pages and sources of e-mail in order to protect their systems from malware, noted Alper Caglayan, a principal investigator at Milcord, a software solutions company.

A step further would be to restrict access to the system from all sources except those appearing on an approved list. “This would not allow anything on the computer unless it is registered with your organization and certified to be free of malware,” he said. “This eliminates the effort of trying to figure out whether something belongs on the blacklist or not.”

Such an approach may be untenable for commercial enterprises, noted Peterson, which must communicate with large numbers of customers and partners, and which may have to assume a higher level of risk. “But military organizations can dial up security and barriers to untrusted traffic,” he said. “The military can establish its own trusted networks and classify the unknown to be harmful. Military organizations can restrict their communications, at least on some of their networks, to known, trusted partners.”

DoD networks are already better protected than the rest of their federal government counterparts, according to Sachs. “DoD is way ahead of the civilian agencies on computer and network management,” he said. “DoD networks are more centrally managed and they have a very active and effective program of alerting when they see something bad. DoD also has strong personnel policies on who can be a system administrator.”

DISTRIBUTED COMPUTING

Defending against botnets is one thing. Using botnets or botnet-like arrays of computers for offensive activities is subject to debate.

It is already well established that cyberspace is being treated as a true battleground and that the U.S. military is developing a full range of cyber-warfare capabilities, including offensive capabilities. “Our warfighting approach to cyber-operations recognizes that cyber is now a contested domain that must be proactively defended, and not just secured,” explained Air Force Lieutenant General Robert Elder, commander of the 8th Air Force. “We look at offensive actions from the standpoint of warfighting, which means denying an adversary situational awareness, reducing their confidence in decision support systems, and degrading command and control connectivity.”

“It would be foolish for a military to disregard the strategic or tactical possibility of launching an offensive cyber-attack against an enemy during wartime,” argued cyber-security expert Bruce Schneier. But Schneier assumes that most such activity will involve espionage-like activity, and not open warfare.

“A military only wants to shut an enemy’s network down if they aren’t getting useful information from it,” said Schneier. “The best thing to do is to infiltrate the enemy’s computers and networks, spy on them, and surreptitiously disrupt select pieces of their communications when appropriate. The next best thing is to passively eavesdrop. After that, the next best is to perform traffic analysis, analyze who is talking to whom and the characteristics of that communication. Only if a military can’t do any of that do they consider shutting the thing down.”

That possibility leads Alan Paller, director of research at the SANS Institute, to conclude that research should proceed on all fronts, including the development of offensive botnet capabilities.

“We need to do the research now, so that the next time we get into a war, we will have those kinds of weapons if we need them,” he said. “We don’t want to get caught short, as we did in 1937 and 1938, before the outbreak of World War II. We can’t get into a war and then realize we don’t have the weapons.”

He added that another country, presumably China, has 10,000 people assigned to developing cyber-warfare capabilities. “Having the ability to attack enemy systems is desirable,” said Peterson. “Research into botnet-like activities has relevance for programs of trying to infiltrate enemy computer environments and trying to implant code on hostile systems in order to monitor and understand them.

“Botnets are great for anonymizing what you’re doing,” he added, “but we need to find a way to do that without poisoning others’ PCs. And we can do that with a small number of assets. We don’t need millions of computers to accomplish that task.”

When it comes to standing up an actual offensive Air Force botnet capability, Peterson said, “Hell no! Botnets are useful for criminal activity, but they are unreliable, uncontrollable, unethical and harmful.”

Williamson’s proposal to use old military computing equipment eliminates one of the key advantages to the use of botnets, which is anonymity, Lippard said. “You’re also not getting the advantage of distributing your computing power across other peoples’ hardware and bandwidth. You’re using your own equipment and your own bandwidth.”

Lippard also noted that telecommunications providers have been battling botnet attacks for years without launching a counterattack in kind. Launching a DDOS attack, Lippard concluded, “would have to be considered a nuclear option.”

On the other hand, it may make sense to experiment with botnet-type of capabilities for other purposes, according to Sachs. “It is smart to study how attackers attack. I like the idea for war gaming.”

The ultimate value of such experimentation, for Sachs, would be to explore ways the military could use distributed computing capabilities. “The use of botnets may make no sense,” he said, “but the idea of using a distributed computing capability in some form may make sense for DoD at some point in the future.” ♦
