Security Information Week 19, 2006
Introduction - a brief overview of Norman's experience
Soon after the Easter holiday, one of Norman's computers was the target of a Distributed Denial of Service (DDoS) attack (1).
The targeted computer was Norman Sandbox Information Center - the web server where one can view statistics from malware sent to Norman for automatic Sandbox analysis, etc.
Seen from the attacker's point of view the attack was successful as Norman Sandbox Information Center had to be disabled for some time due to the heavy load caused by the attack.
Norman Sandbox Information Center was attacked by quite a lot of computers using a so-called SYN attack (2). Investigation showed that these computers were part of a BOTNET (3).
Norman contacted its Internet Service Provider (Ventelo Comnet - link is to a Norwegian web site), which stopped access to the Sandbox Center at the perimeter. Norman also contacted the Norwegian national security authority (Nasjonal sikkerhetsmyndighet - link is to a Norwegian web site), and informally contacted several security persons around the world. All of them were extremely positive and eager to help stop the attack, so valuable information was collected from different sources.
Quite soon thereafter the offending botnet was taken down.
The incident was reported by Norman to the Norwegian police authorities as a crime, and it is being investigated. The outcome of this investigation - which will almost certainly involve countries other than Norway - is not known at the time this Security Information is written.
How to act in such a situation
When an organization is targeted in a way that, for some reason, prevents it from performing its usual services satisfactorily, some (possibly conflicting) issues arise:
1. The perceived need to keep the incident as low-profile as possible, in order to avoid badwill from customers and media about lack of security.
   This can for some time be accomplished (at least to some extent) by obscuring the reason why the targeted computer(s) are unavailable, with "Down for maintenance" messages etc.
2. The need to be able to find and prosecute the attackers.
   It is of course difficult to report a crime if one does not acknowledge the fact that a crime has taken place.
3. The need to set an example by NOT obfuscating the incident.
   Any corporation involved in security - even though more inclined to act on 1 above for obvious reasons - might want to set an example for others by NOT trying to downplay the incident.
Norman's response to the attack
Norman chose to disclose fully the fact that the company was the victim of a DDoS attack.
As soon as the nature of the attack was determined, information about it was published on Norman's main web site (shown to anyone trying to access the Sandbox Center).
This was a policy decision that Norman made. It was seen as important to be open about what happened, encouraging other organizations and persons to act likewise. Norman views this as a better way to stop those individuals and organizations that initiate and engage in these kinds of attacks against others.
After all, some of the largest companies in the world have experienced the same, with similar outcome. If someone with malicious intent is willing to allocate enough time and resources to such an attack, it is a priori almost impossible to defend against.
What is of the most importance in such a case, however, is to try to obtain logs that can be used to determine both the cause and the origin of the attack. This is crucial in being able to stop the attack temporarily, to find and stop the real offending computers and thereby stop the attack permanently, and eventually to take legal action against the persons or organizations responsible for the attack.
Why Norman Sandbox Information Center?
One can only speculate why Norman Sandbox Information Center was the target of such an attack.
However, it is a fact that the Sandbox Information Center is a tool that is used by security organizations and persons all over the world to analyze malicious programs and their behaviour automatically. It is tempting to suspect that this may have annoyed some who create such malware, resulting in the attack.
The same behaviour can be observed in crime that takes place in the non-virtual world, when the culprits attempt to disable the protection devices before the crime itself is set into motion.
Presumably security resources on the Internet are among the targets of the most serious attacks, i.e. attacks from more serious entities than script-kiddies - such as organizations that use Internet crime as a means of earning huge sums of money through various illegal and semi-illegal activities.
As malware is becoming more sophisticated, and organized crime is behind an increasing part of it, this tendency is expected to continue.
A brief explanation of some terms used in this Security Information
(1) Distributed Denial of Service (DDoS) attack
An attack where several - potentially millions of - computers are involved in a simultaneous attack against another computer or network. The goal of the attack is to prevent the targeted computer/network from conducting its normal services.
(2) SYN attack
A type of attack in which a computer with a spoofed IP address sends a synchronization (SYN) request to another computer (server). The server in question responds by sending an acknowledgement (SYN-ACK) and waits for the corresponding ACK from the initiating computer. However, that ACK never arrives (e.g. because the originating IP address is spoofed), so the server is left holding a half-open connection.
(3) BOTNET
Computers in a network controlled by one or more "bots" (robots). The owners of computers in a botnet are usually unaware of the fact that their machines are part of a botnet, as the machines have been compromised in some way. Such a compromised computer may in principle be used to do anything, e.g. sending spam and/or targeting other computers.
The person who controls the botnet often uses Internet Relay Chat (IRC) servers to control the compromised computers (aka zombies). It is not unusual for this IRC server to be another compromised computer. Since there may be many different hops in the chain involved, it is usually not trivial to find the person or persons responsible for the botnet.
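As an added illustration (not part of the original bulletin) of the half-open connection pattern described under (2) above, the following Python script walks a constructed list of TCP flag records as a server-side capture would show them and counts handshakes that stalled after the SYN-ACK. The server address, the sample records and the threshold are all assumed values.

```python
from collections import defaultdict

SERVER = "198.51.100.10"  # assumed server address (RFC 5737 documentation range)


def flood_records(server_ip, count):
    """Constructed records for `count` distinct sources that each send one SYN,
    receive a SYN-ACK and never answer it (the half-open pattern)."""
    out = []
    for i in range(1, count + 1):
        out.append((f"192.0.2.{i}", server_ip, "S"))   # SYN to the server
        out.append((server_ip, f"192.0.2.{i}", "SA"))  # server's SYN-ACK, unanswered
    return out


# Constructed capture: (src_ip, dst_ip, tcp_flags) in arrival order.
# "S" = SYN, "SA" = SYN-ACK, "A" = ACK. Not a real capture.
SAMPLE_RECORDS = [
    ("203.0.113.5", SERVER, "S"),   # ordinary client, full three-way handshake
    (SERVER, "203.0.113.5", "SA"),
    ("203.0.113.5", SERVER, "A"),
    ("203.0.113.6", SERVER, "S"),   # second ordinary client
    (SERVER, "203.0.113.6", "SA"),
    ("203.0.113.6", SERVER, "A"),
] + flood_records(SERVER, 20)


def handshake_state(records, server_ip):
    """Per source: SYNs sent to server_ip, handshakes completed by a later ACK,
    and SYNs still pending (no ACK seen). Only packets addressed to the server
    are considered; the server's own SYN-ACKs do not change the count."""
    state = defaultdict(lambda: {"syn": 0, "completed": 0, "pending": 0})
    for src, dst, flags in records:
        if dst != server_ip:
            continue
        if flags == "S":
            state[src]["syn"] += 1
            state[src]["pending"] += 1
        elif flags == "A" and state[src]["pending"] > 0:
            state[src]["pending"] -= 1   # the ACK completes the oldest pending SYN
            state[src]["completed"] += 1
    return dict(state)


def syn_flood_summary(records, server_ip, max_half_open=10):
    """Total half-open handshakes, the sources that never completed one, and a
    flag once the half-open count exceeds the (assumed) threshold."""
    st = handshake_state(records, server_ip)
    half_open = sum(v["pending"] for v in st.values())
    never_completed = sorted(s for s, v in st.items() if v["completed"] == 0)
    return {"half_open": half_open, "never_completed": never_completed,
            "flood_suspected": half_open > max_half_open}
```

With spoofed sources each SYN typically comes from a different address, so the aggregate half-open count is the useful signal; the per-source list mainly helps separate real clients from the noise.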

