Level 3, Cisco Team to Squash Major Botnet
Level 3 Communications is publicly discussing a collaborative effort with Cisco to block a major botnet/DDoS source, in hopes it can lead to more similar industry efforts. One goal is to encourage the industry, including major ISPs, to work harder to try to shut down, not just identify, major cyber threat sources.
The collaborative effort involved Level 3 Communications Inc. (NYSE: LVLT)'s Threat Research Labs and Cisco Systems Inc. (Nasdaq: CSCO)'s Talos Group and targeted an Internet-wide scanning and DDoS botnet that Cisco dubbed SSHPsychos. Cisco had noticed that the Talos honeypots -- the decoy systems it has set up to collect information on attackers or intruders -- were seeing more malicious traffic from this one attacker than from all others combined. Level 3's network data confirmed the size of the attack, which at times accounted for more than 35% of total Internet SSH traffic. SSH stands for Secure Shell and it's an encrypted network protocol for access to remote machines.
SSHPsychos was using known Linux malware and a rootkit for DDoS attacks, gaining access through brute-force authentication. "It essentially scans the Internet looking for open SSH server and does brute force authentication attempts at guessing the root password, then when it gets in, downloads a binary that launches an attack against a target," explains Level 3's Dale Drew, chief security officer.
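To make the brute-force stage Drew describes concrete from the defender's side, here is an added example that is not from the article, Level 3 or Cisco. It reads constructed OpenSSH auth-log lines, counts failed logins per source address (separately tracking failures against root), raises an alert when a source that has already exceeded the failure threshold then logs in successfully, and emits iproute2 blackhole routes of the kind an operator might use to cut such a source off at the network layer. The sample log lines, the addresses and the threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH auth.log format (assumption: not real traffic).
# 203.0.113.5 hammers root, then gets in with a password; 198.51.100.7 is a
# legitimate user who mistyped once before authenticating with a key.
SAMPLE_LOG = """\
Apr 10 12:00:01 host sshd[1001]: Failed password for root from 203.0.113.5 port 40001 ssh2
Apr 10 12:00:02 host sshd[1002]: Failed password for root from 203.0.113.5 port 40002 ssh2
Apr 10 12:00:03 host sshd[1003]: Failed password for root from 203.0.113.5 port 40003 ssh2
Apr 10 12:00:04 host sshd[1004]: Failed password for invalid user admin from 203.0.113.5 port 40004 ssh2
Apr 10 12:00:05 host sshd[1005]: Failed password for root from 203.0.113.5 port 40005 ssh2
Apr 10 12:00:06 host sshd[1006]: Accepted password for root from 203.0.113.5 port 40006 ssh2
Apr 10 12:00:07 host sshd[1007]: Failed password for alice from 198.51.100.7 port 50001 ssh2
Apr 10 12:00:09 host sshd[1008]: Accepted publickey for alice from 198.51.100.7 port 50002 ssh2
"""

# sshd logs unknown accounts as "invalid user <name>"; the optional group handles both forms.
FAILED_RE = re.compile(
    r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port \d+"
)
ACCEPTED_RE = re.compile(
    r"sshd\[\d+\]: Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<ip>\S+) port \d+"
)


def analyze(log_text, threshold=5):
    """Scan auth-log text in order and return brute-force indicators.

    suspects:          source IPs with at least `threshold` failed logins
    root_failures:     failed logins per source IP that targeted root specifically
    compromise_alerts: (ip, user, method) for a success from a source that had
                       already reached the failure threshold, i.e. a guess that worked
    """
    failures = defaultdict(int)
    root_failures = defaultdict(int)
    compromise_alerts = []

    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            ip = m.group("ip")
            failures[ip] += 1
            if m.group("user") == "root":
                root_failures[ip] += 1
            continue
        m = ACCEPTED_RE.search(line)
        if m and failures.get(m.group("ip"), 0) >= threshold:
            # Success only after a run of failures from the same source: the
            # highest-priority signal, since the password has been guessed.
            compromise_alerts.append((m.group("ip"), m.group("user"), m.group("method")))

    suspects = {ip: n for ip, n in failures.items() if n >= threshold}
    return {
        "suspects": suspects,
        "root_failures": dict(root_failures),
        "compromise_alerts": compromise_alerts,
    }


def blackhole_commands(suspects):
    """Render iproute2 blackhole routes for each suspect source (host-level
    analogue of the backbone sinkholing the article describes)."""
    return [f"ip route add blackhole {ip}/32" for ip in sorted(suspects)]


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for ip, n in report["suspects"].items():
        print(f"{ip}: {n} failed logins, {report['root_failures'].get(ip, 0)} against root")
    for ip, user, method in report["compromise_alerts"]:
        print(f"ALERT: {user}@{ip} authenticated by {method} after brute-force run")
    for cmd in blackhole_commands(report["suspects"]):
        print(cmd)
```

Blocking addresses treats the symptom; the guessing itself is removed on the host by setting `PermitRootLogin no` and `PasswordAuthentication no` in `sshd_config`, which leaves the scanner nothing to brute-force.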
The attacker was well known and its activity was being closely watched to enable quick reactions but nothing was being done proactively to stop it until Level 3 and Cisco took action. Using their combined intelligence, the pair tracked the servers from which the attacks were emanating and essentially cut off their Internet connections, preventing the traffic from going further. They now are both watching the attacker and calling on other ISP backbone operators to block its known IP addresses. You can read about their efforts in Level 3's blog here.
"These were some well-known threat actors and we have been observing their behavior for at least six months," says Craig Williams, security outreach manager for Cisco's Talos. "Plus, their activity was well documented on the Internet. What frustrated us was that despite these efforts and the fact everyone seemed to know about them, we still needed to find a good way to stop them. Cisco has a pretty far reach but we are not an Internet backbone provider."
Level 3 is willing to step up, in a situation like this, in part because of its own frustrations, Drew admits. By blocking the illegal traffic, the ISP makes it harder and more expensive for attackers like this to keep going and, in this case, it was an obvious call.
"Everyone has been touched by this botnet -- it's that extensive and expansive and it scans as much of the public Internet as it possibly can," he said. "It's a very blatant botnet and it doesn't move that much or hide, and it uses significant resources."
Cisco's Williams calls this situation "unique" because of the size of the botnet and because the traffic being blocked came from servers that weren't engaged in any other "innocent" activity.
The harder part of trying to block traffic like this is dealing with the compromised systems that botnets exploit, many of which are operated by legitimate businesses that aren't aware their systems are compromised. This is where it gets tricky for an ISP, Drew admits.
"When we identify servers that have been compromised, we reach out to the victim and tell them, and if they don't act, we block them," he says. Because many businesses aren't aware their systems are being used in a botnet attack, they don't always act to resolve the issue quickly until they are blocked -- and then they blame the ISP.
"A lot of times they aren't on our network or our customer, but their traffic goes over our backbone," Drew says. "We'll give them the steps to fix it, but we give them a pretty short time frame to fix it. And we let them know we will block your traffic, which will hinder your business. In the vast majority of cases, it works flawlessly -- they fix the exposure and we unblock."
But in some cases, the affected business believes its site was working just fine until it was blocked, and much more extensive conversation and evidence presentation is required. Because losing Internet connectivity directly impacts a business's bottom line, there is the threat of liability -- which Drew believes is what keeps most large ISPs from cracking down on botnets and similar threats, even when they are identified.
"I'd say what Tier 1 providers do today is what they are supposed to do when they see botnet, they identify their managed security customers and they protect those customers, and if there is an attack, they are already prepared to stop it, that's the baseline," he says. "What we are asking Tier 1 Internet service providers to do is above and beyond that. We want them to identify the botnet operations and proactively block them on their backbone, essentially redirect them to a sinkhole and make them ineffective in their ability to attack. Most Tier 1 providers don't do that today because they are afraid of litigation."
Acting alone, Level 3 is basically "training the attackers not to use our network," which is why the industry needs greater collaboration and participation from more backbone providers, Drew adds. He would also like to see software companies held more accountable for making sure their software is secure upon release and not relying on business customers to "hire high-priced talent" to make it secure in deployment.
— Carol Wilson, Editor-at-Large, Light Reading