Sunday, February 6, 2011

 Smart servers spot and block botnet attacks

Distributed denial of service (DDoS) attacks are the weapon of choice for people intent on disrupting websites. They use massive streams of data - sent via a distributed network of computers, or botnet - to inundate web servers, so they are unable to function properly. Such attacks brought Estonia's financial market to its knees in 2007, and in December 2010 Mastercard was hit when it said it would no longer handle transactions involving WikiLeaks.
Combating a DDoS attack is tricky because it is hard to distinguish botnet activity from that of ordinary users. "The most challenging issue is how to detect an attack that involves a large number of attacking hosts," says Jaydip Sen of Tata Consultancy Services in Kolkata, India. So he has developed a set of tests that aim to do precisely that.
Sen devised algorithms that measure how much data the server is receiving, and from which computers. The figures are then compared with levels of traffic these computers send on an average day. Hosts with an unusual burst of activity are put through another level of complex statistical analysis to identify exactly which ones are launching the attacks.
Once a server running Sen's software has worked out where the attack is coming from, it can block traffic from the culpable IP addresses until the threat subsides. Announcing the work earlier this month at the First International Conference on Computer Science and Technology in Bangalore, India, Sen claimed the technique is so good that it has not made a mistake yet.
But this level of security demands an unfeasible amount of computing power. So Sen has simplified the tests to bring the server's workload right down. The simpler algorithms get it right in 91 per cent of cases, reporting false positives the rest of the time. "If a server is swamped by legitimate traffic, then it will block traffic from some of the legitimate sources," Sen says.
These measures are not infallible, though. "If you understand how [these detection systems] work, you can 'game' them," warns Richard Clayton of the University of Cambridge. The only way to prevent attack is to tackle the root cause, he says. "We need to go after the criminals running the botnets.

0 comments:

Post a Comment

Subscribe to RSS Feed Follow me on Twitter!