"HTTP, on the other hand, is rarely blocked. Therefore, HTTP tunnelling has grown in popularity as a method for botnet communications. Even scarier still, the centralised botnet controller is giving way to the decentralised peer-to-peer model used by file transfer networks such as Gnutella and BitTorrent."

Protecting against these strategies requires a change of tactics on the part of network creators and operators, he suggested.

"Carrier networks must be built with intelligent, flow-based sensors within [their] core that will detect distributed DoS attacks in progress and automatically implement measures to reduce their effects."

He said corrective measures could include applying rate-limiting access control lists (ACLs) on area routers or even null-routing the traffic via Border Gateway Protocol (BGP) route advertisements.

"More importantly, the flow data collected by these sensors can be aggregated to provide a comprehensive view of the distributed DoS attack, enabling the attacking bots to be discovered and reported to their respective internet providers."

Finally, Hagen says sensors should also be tightly integrated with network management systems so operations teams can be alerted as soon as a DDoS attack is detected.
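The three steps Hagen describes (aggregate flow records per destination, flag a target under distributed attack, attribute the sources to their providers and pick a response) fit in a short toy detector. The following is an added example and is not code from the article or from any vendor's sensor; the flow records, prefix-to-provider map, thresholds and the shape of the mitigation dictionaries are all constructed for illustration.

```python
"""Toy flow-based DDoS detector (added example, constructed data only):
aggregate flow records per destination, flag destinations hit by many
sources at high packet rate, attribute the sources to providers for
reporting, and propose a rate-limit or null-route response."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str        # source address
    dst: str        # destination address
    dst_port: int   # destination port
    packets: int    # packets seen in this export window


# Constructed flow export for one 10-second window; not from a real sensor.
WINDOW_SECONDS = 10


def build_sample_flows():
    flows = [
        # Ordinary web traffic to 203.0.113.10 from two clients.
        Flow("198.51.100.5", "203.0.113.10", 443, 40),
        Flow("198.51.100.9", "203.0.113.10", 443, 35),
    ]
    # Flood against 203.0.113.20 from 70 bots spread over two networks.
    flows += [Flow(f"192.0.2.{i}", "203.0.113.20", 80, 900) for i in range(1, 41)]
    flows += [Flow(f"198.51.100.{i}", "203.0.113.20", 80, 850) for i in range(100, 130)]
    return flows


FLOWS = build_sample_flows()

# Constructed prefix-to-provider map standing in for a routing registry lookup.
PROVIDER_PREFIXES = {
    "192.0.2.0/24": "provider-A (constructed)",
    "198.51.100.0/24": "provider-B (constructed)",
}


def aggregate(flows):
    """Sum packets and collect distinct sources per destination."""
    per_dst = defaultdict(lambda: {"packets": 0, "sources": set()})
    for f in flows:
        per_dst[f.dst]["packets"] += f.packets
        per_dst[f.dst]["sources"].add(f.src)
    return per_dst


def detect(flows, window=WINDOW_SECONDS, min_sources=25, min_pps=1000):
    """Flag a destination when BOTH the source count and the packet rate are
    high: the source-count condition is what separates a distributed attack
    from a single busy client."""
    alerts = {}
    for dst, agg in aggregate(flows).items():
        pps = agg["packets"] / window
        if len(agg["sources"]) >= min_sources and pps >= min_pps:
            alerts[dst] = {"pps": pps, "sources": sorted(agg["sources"])}
    return alerts


def attribute(sources, prefixes=PROVIDER_PREFIXES):
    """Group attacking sources by the provider whose prefix contains them,
    producing the per-provider report the article mentions."""
    nets = {ipaddress.ip_network(p): name for p, name in prefixes.items()}
    report = defaultdict(list)
    for src in sources:
        addr = ipaddress.ip_address(src)
        owner = next((name for net, name in nets.items() if addr in net), "unknown")
        report[owner].append(src)
    return dict(report)


def mitigation(dst, pps, blackhole_pps=5000):
    """Choose the response: a rate-limiting ACL for a moderate flood, a BGP
    blackhole (null-route) advertisement for one that would saturate the link.
    The dicts describe intent; rendering them as router syntax is left to the
    operator's management system (hypothetical thresholds)."""
    if pps >= blackhole_pps:
        return {"action": "null-route", "prefix": f"{dst}/32",
                "via": "BGP blackhole advertisement"}
    return {"action": "rate-limit", "prefix": f"{dst}/32",
            "limit_pps": blackhole_pps // 10}


def run(flows=FLOWS):
    """Full pipeline: detection, attribution and proposed mitigation per target."""
    results = {}
    for dst, alert in detect(flows).items():
        results[dst] = {
            "pps": alert["pps"],
            "by_provider": attribute(alert["sources"]),
            "mitigation": mitigation(dst, alert["pps"]),
        }
    return results


if __name__ == "__main__":
    for dst, r in run().items():
        print(dst, r["pps"], "pps", r["mitigation"])
        for provider, bots in r["by_provider"].items():
            print(f"  report {len(bots)} sources to {provider}")
```

The two-condition test in `detect` is the point of a flow-based sensor: packet rate alone would also fire on a legitimate large download, while the distinct-source count is what marks traffic as coming from a botnet. Note that the blackhole response also drops legitimate traffic to the victim, which is why the example reserves it for rates above a separate, higher threshold.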

He recognises that such an approach to network security and countering botnets may be criticised as being too defensive.

"While this defensive posture may seem like a set-back, it will force the security community to develop new offensive tactics by which the number of bots and botnets may be reduced," he said.

CIO Canada