By Dr. Edward G. Amoroso
Several months ago, a 23-year-old Slovenian man was arrested for writing the code that infected twelve million PCs with one of the largest known botnets: Mariposa. Three aspects of this are sobering. First, that conducting surveillance of known cyber-criminals is not a surefire cure, since new ones crop up all the time. Second, that when it comes to cyber-crime, we are our own worst enemy. Why? The botnet grew by tapping into social network connections, inviting “friends” to, for example, click on a link to a recently posted video.
Third is how big and malevolent these botnets can grow to be. With the largest online social network now tying together over 400 million users, a truly devious botnet could someday be ten, twenty, or thirty times the size of Mariposa. Here’s where the numbers get truly dizzying. If the PCs infected by Mariposa had just an average of 1 Megabit per second of uplink bandwidth, and every one of them were online and attacking at once, that would be twelve Terabits per second of total Distributed Denial of Service (DDoS) attack potential. With broadband access network builds proceeding globally, and rates going up, the average uplink may soon be 10 Megabits per second, leading to over 100 Terabits per second of attack bandwidth. Not every bot is reachable at any given moment, so these are upper bounds, but even a fraction of that capacity is far beyond what any single victim can absorb.
The problem is that even large corporations have nowhere near that much bandwidth. Many businesses run with a 50 Megabit per second Metro Ethernet connection, a 155 Megabit per second OC-3, or perhaps an OC-12, at 622 Megabits per second. Consequently, a botnet of that size can generate not one thousand, but tens of thousands to millions of times the bandwidth of the victim’s access link. Enterprises, and even many large cloud service providers, simply don’t have the capacity to monitor such an attack, much less carry the raw traffic or distinguish good packets from bad ones.
The way these DDoS attacks work is by crowding out useful traffic, such as business emails or customers visiting websites to place an order, with false traffic. It would be like trying to run a corner grocery store effectively, except that for every customer trying to come in to buy a gallon of milk, there are a million “zombies” crowding the entrance who have no intention of buying anything and are just there to block the patrons.
Large global network providers can and do provide defenses against DDoS attacks and similar floods of malevolent content such as spam and viruses. AT&T, for example, has dozens of core routers deployed, any one of which can by itself handle tens of terabits of traffic. AT&T builds on this raw capacity with anti-DDoS capabilities, packet scrubbers, and antivirus and anti-spam filters. The point is that the filtering happens in the provider’s core, upstream of the customer’s access link, so the flood is absorbed where the capacity exists rather than at the bottleneck.
In fact, there are four main reasons to use these services: protection, productivity, performance, and price.
Services such as these can help enterprises protect their ability to continue to do business even in the event of such attacks.
Moreover, business productivity can be enhanced, because employees don’t have to wade through dozens of messages to determine the one or two that represent collaboration with colleagues or contracts from customers.
Process performance can be accelerated, as well. Rather than email being delayed, slowing down critical workflows, work orders, approvals, and other business-critical messages can speed to their recipient.
Finally, the service may essentially pay for itself: its price may be less than the cost of the bandwidth otherwise wasted carrying junk traffic, and that’s before even factoring in productivity gains and enhanced business continuity.
Toronto-based Norbord, an international forest products manufacturer, recently purchased AT&T’s Message Security service. While the company did have anti-spam software in place before using AT&T’s services, each employee (of a staff of 700) was still receiving around 20 spam messages a day. Furthermore, the old anti-spam system was at capacity. Norbord had the choice of either investing in new hardware and software, or outsourcing. By choosing to outsource to AT&T, Norbord has saved significant time and money – no installation of hardware was necessary, and internal time spent on managing external email and spam issues is now virtually nil. The productivity gains are compelling as well. With AT&T’s services in place, the IT technical department has gained one day a week to manage other important tasks, according to Bob Jackson, VP of IT, Norbord. He says that “with AT&T’s network-based security application, we have been able to relieve our IT team of the burdens of spam and other cyber attacks by not allowing access to our internal system.”
With the old software in place, Norbord reported 80 to 90 per cent of inbound email traffic as spam. But now that AT&T filters out spam and forwards valid email through Norbord’s gateway, there has been a substantial drop in network traffic, which has had a positive effect on employee performance. Jackson claims that “emails that used to take an hour to cross the server are now delivered instantly.”
Another benefit of the AT&T Message Security service is its reliability. If something happens to Norbord’s email system (e.g. a power outage in the data centre), AT&T queues inbound email and delivers it when the system comes back online, helping ensure that inbound email does not get lost. Norbord employees also benefit from the system’s self-service capabilities: users can review their quarantined messages and have one delivered if they choose, and they can adjust their own filter settings. With all the added features of AT&T Message Security, Norbord has enjoyed a more controlled, reliable, fast, and secure system.
The classic axiom that the best defense is a good offense perhaps needs to be updated. In today’s sinister world of cyber-warfare, the best defense may be a good network.