"There are enormous bot networks out there that can do a lot of damage," said Akamai chief scientist Tom Leighton. "It's a tremendous problem, and presents a threat to the Internet." Akamai said it was able to quickly identify the attacking botnet, which was shut down by the originating network. The outages were limited to approximately 4 percent of Akamai's 1,100 customers, with 1 percent - about a dozen sites - experiencing a significant impact.
The attack was "more sophisticated than we've seen before," said Leighton. "The volume was problematic, and how it was done was problematic. For this nature of attack, it was an unusual volume." While not offering details on the technique involved, he said it was "a step ahead" of known DDoS techniques. The attack targeted the DNS addresses of four large Akamai customers. "It's possible these sites were targeted, and just happened to all be our customers," said Leighton. "But we assume it was an attempt to attack Akamai."
Akamai has taken steps to defend its network against a similar attack, and its staff will share information with the Internet security community using appropriate channels, Leighton said. In the meantime, cleaning up networks of compromised computers in botnets remains "an uphill battle," he said.
Bot networks aggregate computers that have been compromised with trojans, allowing them to be remotely controlled by hackers. Their use in DDoS attacks dates to 1999 in Europe, followed by one on the University of Washington later that year and a series of high-profile attacks on Yahoo, eBay and other major web sites in February 2000. In the past year, the proliferation of e-mail borne viruses and auto-downloading trojans has dramatically increased the number and size of botnets, which now have economic value as Spam engines and tools in DDoS blackmail schemes. Numerous estimates suggest MyDoom compromised in excess of 500,000 machines worldwide, installing backdoors and trojans that "phoned home" in all of them.
Some networks are taking ad hoc steps to crack down on machines they think may be compromised . Last week Comcast said it was halting email originating from port 25 on suspect customer machines. Comcast and other cable modem networks are problematic because their customers are typically home users with fast connections, modest security skills and static IP addresses. The combination presents an attractive target for hackers and malware, and the enhanced processing power of today's desktops make home computers useful in botnets.
But many network operators find policing their networks for zombie machines an econmoc drain. In many cases the issue for sysadmins is finding the time and staff resources to address the problem. A business consideration is that subscribers are often unaware their machine has been compromised, and are happily paying monthly fees for broadband Internet access. While lax enforcement exacts a cost on someone else's network, strong network policing has its costs on one's own network.