
Level 3, Cisco Team to Squash Major Botnet

Level 3 Communications is publicly discussing a collaborative effort with Cisco to block a major botnet/DDoS source, in hopes it can lead to more similar industry efforts. One goal is to encourage the industry, including major ISPs, to work harder to try to shut down, not just identify, major cyber threat sources.

The collaborative effort involved Level 3 Communications Inc. (NYSE: LVLT)'s Threat Research Labs and Cisco Systems Inc. (Nasdaq: CSCO)'s Talos Group and targeted an Internet-wide scanning and DDoS botnet that Cisco dubbed SSHPsychos. Cisco had noticed that the Talos honeypots -- the decoy systems it has set up to collect information on attackers or intruders -- were seeing more malicious traffic from this one attacker than from all others combined. Level 3's network data confirmed the size of the attack, which at times accounted for more than 35% of total Internet SSH traffic. SSH stands for Secure Shell and it's an encrypted network protocol for access to remote machines.

SSHPsychos used known Linux malware and a rootkit for DDoS attacks, and a brute-force approach to gaining authentication. "It essentially scans the Internet looking for open SSH servers and does brute-force authentication attempts at guessing the root password, then when it gets in, downloads a binary that launches an attack against a target," explains Level 3's Dale Drew, chief security officer.
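As an added illustration (not from the article, Level 3 or Cisco), the following Python scans sshd auth-log lines for the behaviour Drew describes: many failed root password guesses from one source, followed by a successful root login from that same source, which a defender would treat as a likely compromise. The log lines and the failure threshold are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample sshd auth-log lines (not from the article); they imitate
# the pattern described: repeated root password guesses from one source,
# followed by a successful login, plus unrelated normal activity.
SAMPLE_LOG = """\
Apr 13 07:20:01 host sshd[1201]: Failed password for root from 198.51.100.7 port 51022 ssh2
Apr 13 07:20:02 host sshd[1201]: Failed password for root from 198.51.100.7 port 51023 ssh2
Apr 13 07:20:03 host sshd[1201]: Failed password for root from 198.51.100.7 port 51024 ssh2
Apr 13 07:20:04 host sshd[1201]: Failed password for root from 198.51.100.7 port 51025 ssh2
Apr 13 07:20:05 host sshd[1201]: Failed password for root from 198.51.100.7 port 51026 ssh2
Apr 13 07:20:06 host sshd[1201]: Accepted password for root from 198.51.100.7 port 51027 ssh2
Apr 13 07:21:10 host sshd[1340]: Failed password for alice from 192.0.2.44 port 40001 ssh2
Apr 13 07:21:15 host sshd[1340]: Accepted publickey for alice from 192.0.2.44 port 40001 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for <user> from <ip>" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+) port \d+"
)

def analyze_sshd_log(text, threshold=5):
    """Return per-source counts of failed root guesses and the list of sources
    whose root login succeeded after at least `threshold` failures."""
    failures = defaultdict(int)
    compromised = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, user, result = m["src"], m["user"], m["result"]
        if user != "root":
            continue  # the botnet in the article only guesses the root password
        if result == "Failed":
            failures[src] += 1
        elif failures[src] >= threshold and src not in compromised:
            compromised.append(src)  # success after a guessing run: likely compromise
    return dict(failures), compromised

def brute_force_sources(failures, threshold=5):
    """Sources that exceeded the failure threshold, whether or not they got in."""
    return sorted(src for src, n in failures.items() if n >= threshold)

if __name__ == "__main__":
    fails, hits = analyze_sshd_log(SAMPLE_LOG)
    print("brute-force sources:", brute_force_sources(fails))
    print("root login after brute force (likely compromised):", hits)
```

Feeding real `/var/log/auth.log` text into `analyze_sshd_log` gives the candidate list an operator would notify or block, in the spirit of the Level 3 process described later in the article.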

SSHPsychos Traffic Vs Rest of the Internet
A visual depiction of the SSHPsychos traffic versus the SSH traffic of the rest of the Internet, which is shown in green. (Source: Level 3)

The attacker was well known and its activity was being closely watched to enable quick reactions but nothing was being done proactively to stop it until Level 3 and Cisco took action. Using their combined intelligence, the pair tracked the servers from which the attacks were emanating and essentially cut off their Internet connections, preventing the traffic from going further. They now are both watching the attacker and calling on other ISP backbone operators to block its known IP addresses. You can read about their efforts in Level 3's blog here.

"These were some well-known threat actors and we have been observing their behavior for at least six months," says Craig Williams, security outreach manager for Cisco's Talos. "Plus, their activity was well documented on the Internet. What frustrated us was that despite these efforts and the fact everyone seemed to know about them, we still needed to find a good way to stop them. Cisco has a pretty far reach but we are not an Internet backbone provider."

Level 3 is willing to step up, in a situation like this, in part because of its own frustrations, Drew admits. By blocking the illegal traffic, the ISP makes it harder and more expensive for attackers like this to keep going and, in this case, it was an obvious call.

"Everyone has been touched by this botnet -- it's that extensive and expansive and it scans as much of the public Internet as it possibly can," he said. "It's a very blatant botnet and it doesn't move that much or hide, and it uses significant resources."


Cisco's Williams calls this situation "unique" because of the size of the botnet and because the traffic being blocked came from servers that weren't engaged in any other "innocent" activity.

The harder part of trying to block traffic like this is dealing with the compromised systems that botnets exploit, many of which are operated by legitimate businesses that aren't aware their systems are compromised. This is where it gets tricky for an ISP, Drew admits.

"When we identify servers that have been compromised, we reach out to the victim and tell them, and if they don't act, we block them," he says. Because many businesses aren't aware their systems are being used in a botnet attack, they don't always act to resolve the issue quickly until they are blocked -- and then they blame the ISP.

"A lot of times they aren't on our network or our customer, but their traffic goes over our backbone," Drew says. "We'll give them the steps to fix it, but we give them a pretty short time frame to fix it. And we let them know we will block your traffic, which will hinder your business. In the vast majority of cases, it works flawlessly -- they fix the exposure and we unblock."

But in some cases, the affected business believes its site was working just fine until it was blocked, and much more extensive conversation and evidence presentation is required. Because losing Internet connectivity directly impacts a business's bottom line, there is the threat of liability -- which Drew believes is what keeps most large ISPs from cracking down on botnets and similar threats, even when they are identified.

"I'd say what Tier 1 providers do today is what they are supposed to do when they see a botnet: they identify their managed security customers and they protect those customers, and if there is an attack, they are already prepared to stop it. That's the baseline," he says. "What we are asking Tier 1 Internet service providers to do is above and beyond that. We want them to identify the botnet operations and proactively block them on their backbone, essentially redirect them to a sinkhole and make them ineffective in their ability to attack. Most Tier 1 providers don't do that today because they are afraid of litigation."

Acting alone, Level 3 is basically "training the attackers not to use our network," which is why the industry needs greater collaboration and participation from more backbone providers, Drew adds. He would also like to see software companies held more accountable for making sure their software is secure upon release and not relying on business customers to "hire high-priced talent" to make it secure in deployment.

— Carol Wilson, Editor-at-Large, Light Reading

MikeP688 4/16/2015 | 5:19:30 PM
Re: Holding harmless
As I was reading up and catching up here, I wondered about Sony though, especially as Wikileaks just released docs on the hack:

mhhf1ve 4/13/2015 | 7:27:36 PM
It's amazing.. How many resources a botnet can use.. and the resulting damage it can cause.. But the black hats behind these attacks are almost never publicly outed in the mainstream media. I suppose if they were, it would only encourage more of the bad guys to try to do what they do for infamy. 
mhhf1ve 4/13/2015 | 7:24:56 PM
It takes a village... And hopefully, the person who coined that term won't run an unprotected server from her home in the future...


mhhf1ve 4/13/2015 | 7:20:19 PM
Re: Holding harmless
I'm curious if there's a contract term that can't get SPs out of liability.. I could have sworn in any consumer internet service contract there's a clause that states they can shut down your service in the event of various technical reasons. Small to mid-sized enterprises probably don't have the leverage to demand similar contract terms to be eliminated... And I assume that's where most of these botnets reside?
Mitch Wagner 4/13/2015 | 11:51:52 AM
Holding harmless
If carriers face liability for protecting against botnets, that sounds like an area where there should be legislation to protect them.