Saturday 12 July 2008

WEBSCREEN SELECTED TO PROTECT ASIAN ONLINE CASINOS


Webscreen, the UK-based anti-DDoS technology development business, has announced a major contract with Philippines-based Bayview Technologies, the IT services division of one of South East Asia’s fastest growing gambling companies, AsianLogic Ltd. (ALL). The contract is to supply Bayview with Webscreen WS Series appliances that will be used to protect ALL’s online casino and online poker Web sites from any distributed denial of service (DDoS) attacks targeted at the company’s Web servers.

Webscreen is widely deployed by some of the world’s largest online gaming and betting companies to stop their Web sites from being taken offline by targeted attacks that are typically timed to coincide with major sporting events or other heavy betting periods. Using a unique algorithm, Webscreen is able to block malicious DDoS traffic whilst keeping the Web site accessible for genuine customers.

The AsianLogic Group operates a number of online casinos tailored mostly to the Asian market, offering over 100 interactive games. These include classic table and card games, integrated live videostream casino games and games designed specifically for the Asian market, such as Solo, Mahjong and Pachinko. All gaming takes place online via the Bayview servers located in the Philippines, which enables customers of the Group to play on a common platform and access the same games and common progressive jackpots. The Webscreen appliances are positioned in-line at the Bayview network gateway as part of its integrated security shield. All Internet traffic entering the network is monitored by Webscreen, with any suspicious traffic being dropped before it reaches the ALL Web servers, guaranteeing service for regular players.

ALL Director, Itamar Shamshins, said, “We selected Webscreen because of the technology’s proven capability to automatically track and block attack traffic and the company’s excellent 24/7 hardware and software support services. We have been particularly impressed by the software’s reporting capability that enables us to detect smaller daily incidents, denying potential attackers perimeter defence intelligence that could be used to mount a full-scale attack. This means that Webscreen acts as both an attack mitigation and prevention tool, giving us the confidence that our business has the maximum level of protection backed by a highly responsive partner at the other end of the telephone line should anything go wrong.”

Monday 7 July 2008

EU Proposal to force ISPs to share DDoS Information

The news that the EU's Cybercrime proposal, due for publication later in the year, is to include punitive measures against ISPs who do not cooperate promptly to block compromised machines is a welcome move in the fight against DDoS. However, whilst many European countries have signed up in principle to the Council of Europe's Cybercrime Convention, there are still a number of mainly Eastern European states that have yet to agree. The fact that these countries include Andorra, Azerbaijan, Georgia, Liechtenstein, Monaco, Russia, San Marino, and Turkey, many of the favoured locations of the bot-herders behind the hundreds of DDoS attacks hitting ecommerce businesses around the world, is not such good news. Unless these countries can be brought into line, this latest initiative is doomed to failure before it gets started. As they are outside the jurisdiction of the EU, it is difficult to see what can be done to force compliance; hopefully the recent experience of the Lithuanians will help them to see that it is in everyone's interest to put their houses in order.

Friday 4 July 2008

Lithuanians braced for full-blown DDoS attacks


Last weekend's mass Web site defacement that affected hundreds of Lithuanian businesses is being interpreted in some quarters as a warning shot and a precursor to an all-out DDoS attack on the country's Internet infrastructure. The defacement of the Web sites with pro-Soviet messages is being strongly linked with the recent law introduced by the Lithuanian Government banning the use of Soviet symbols in the country and has chilling echoes of what happened last year in Estonia.

In this case the Lithuanian Government had been warned of the attack and was able to take appropriate action to harden its defences, but many commercial sites were caught unawares. Fortunately, in this particular case the damage was limited to some inconvenience for those who were victims, but they may not get off so lightly if a DDoS attack is unleashed. Non-availability of critical Web services could have a devastating effect on any country's economy and, if it continues over a sustained period, could seriously threaten individual companies who have built their businesses online.

As it would seem unlikely that the law will be changed any time soon, both Government departments and the business community need to seriously re-examine their DDoS defences as quickly as possible.

Thursday 3 July 2008

What is DDoS?

On the Internet, a distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users.
A hacker begins a DDoS attack by exploiting a vulnerability in one computer system and making it the DDoS "master." It is from the master system that the intruder identifies and communicates with other systems that can be compromised. The intruder loads cracking tools available on the Internet on multiple -- sometimes thousands of -- compromised systems. With a single command, the intruder instructs the controlled machines to launch one of many flood attacks against a specified target. The inundation of packets to the target causes a denial of service.
While the press tends to focus on the target of DDoS attacks as the victim, in reality there are many victims in a DDoS attack -- the final target as well as the systems controlled by the intruder.

DDoS attack takes down online poker tournament

In early February 2008, distributed denial of service (DDoS) attacks wreaked havoc at a whole slew of online gaming sites, with Full Tilt Poker, Titan Poker, Virgin Games and Party Poker being among the sites attacked by a web-based botnet, according to the Shadowserver Foundation, a watchdog group of security professionals that gathers, tracks, and reports on malware, botnet activity, and electronic fraud. Some e-commerce sites were also attacked.
The full impact of these attacks was not immediately clear, but Full Tilt Poker's Web site was inaccessible for most of two days, forcing Full Tilt to "pause" the final table of the FTOPS VII Main Event for a brief period, with just three players remaining, when its client lost connectivity with the Full Tilt servers.


“Botnet DDoS attacks are the likely culprit for Full Tilt's client problem during the tournament,” said Andre M. DiMino, director of the Shadowserver Foundation. “A botnet is a network of compromised computers that act as drones under the common control of a central server. Traditionally, the way they're formed is through viruses that infect machines that are then recruited to join the botnet. The operator of the botnet, through the command server, then issues instructions to compromised machines that form the botnet,” DiMino said.
“In the case of Full Tilt Poker, each of the compromised machines was instructed to send simultaneous requests to the online game’s site, which was too much for the servers to bear,” DiMino explained. “The requests overloaded the bandwidth and took the servers offline.”
The fact that the DDoS attacks were web-based made them more difficult to repel, DiMino said. Traditionally, DDoS attacks are controlled by Internet Relay Chat (IRC), which is fairly easy to block, DiMino added. But Web botnets are "more resilient and difficult" to stop.

The Shadowserver Foundation traced the initial attacks to a server hosted by Layered Technologies. That server has been shut down, but the botnet has moved to a new host and IP address. "DDoS attacks are always going to be out there," DiMino says. "In the past, they were used to show the might of the botnet. But the real purpose for botnets now is fraud and identity theft."

Webscreen - answer to Botnet DDoS prevention

One technology that would have been able to help prevent the botnet from disrupting Full Tilt’s global poker game is the Webscreen WS Series network security appliance. Webscreen monitors all Web traffic hitting the network, looking for signs of non-human behaviour. Botnets are triggered automatically, which Webscreen can distinguish from the normal Web activity expected from a legitimate punter. A Webscreen appliance positioned at the network gateway in front of the gaming site’s servers would have blocked the botnet traffic whilst allowing the game to continue.

Should DDoS Victims Own Up or Cover Up?

When a popular Web site is taken down by a DDoS attack, the typical response by many companies is to go into “denial” themselves, or at least play hard to get should anyone want to question them as to why their online services suddenly aren’t (online). The general view from the Web publisher’s side seems to be that by coming clean, and acknowledging the root cause, they are somehow opening the floodgates to copycat attacks. When many attacks can be stopped by agreeing to pay a substantial ransom, it is perhaps understandable that companies decide to take the least worst option.

Whilst there may be some logic in taking this approach, perhaps if more companies in this position were more open about the problem it could ultimately be much better for the wider ecommerce community. One of the consequences of sweeping this under the carpet is the perception that DDoS is a less prevalent threat than it actually is, which in turn means that many companies downgrade the risk factor and do not put in place adequate defence mechanisms. The reality is that DDoS attacks are an increasing weapon of choice with up to 5,000 recorded attacks per day in the US alone in the past 12 months.

The recent rumours circulating about the non-availability of Amazon’s Web site are a classic case in point and a missed opportunity to really bring the problem of DDoS into the open and maybe start to get a real industry debate going on how to solve the problem. It may be a naïve view, but perhaps if more Web sites were protected the bot-herders might find that their efforts were not as lucrative in the future and decide to get a proper job.
However, it is no less naïve than thinking that keeping the details private cannot hurt the company. Allowing customers and stakeholders to speculate fuels rumours and signals weakness and continuing vulnerability. Simply and honestly saying this is what happened and this is what we are doing about it ends the speculation and signals competence and strength, but if you wait too long it will sound like spin.
With technologies like Webscreen’s WS series available and proven effective in protecting some of the world’s busiest Web sites, it makes little sense to sit and suffer in silence. For an investment of less than the average ransom figure demanded by the attackers it is possible to have a permanent solution and preserve the corporate reputation – and help the rest of the online business sector at the same time.