Domain: arbornetworks.com
Stories and comments across the archive that link to arbornetworks.com.
Stories · 18
-
New Remote Access Trojan Used In Cyberespionage Operations (csoonline.com)
itwbennett writes: Researchers from Arbor Networks have discovered a new remote access Trojan, dubbed Trochilus, whose detection rate was very low among antivirus products. The malware was discovered while the researchers were investigating attacks in Myanmar that were launched from compromised government websites. While the Myanmar attacks provided initial insights into the group's operations, additional research revealed that the hackers' activities extend beyond that country. -
200-400 Gbps DDoS Attacks Are Now Normal
An anonymous reader writes "Brian Krebs has a followup to this week's 400 Gbps DDoS attack using NTP amplification. Krebs, as a computer security writer, has often been the target of DDoS attacks. He was also hit by a 200Gbps attack this week (apparently, from a 15-year-old in Illinois). That kind of volume would have been record-breaking only a couple of years ago, but now it's just normal. Arbor Networks says we've entered the 'hockey stick' era of DDoS attacks, as a graph of attack volume spikes sharply over the past year. CloudFlare's CEO wrote, 'Monday's DDoS proved these attacks aren't just theoretical. To generate approximately 400Gbps of traffic, the attacker used 4,529 NTP servers running on 1,298 different networks. On average, each of these servers sent 87Mbps of traffic to the intended victim on CloudFlare's network. Remarkably, it is possible that the attacker used only a single server running on a network that allowed source IP address spoofing to initiate the requests. An attacker with a 1 Gbps connection can theoretically generate more than 200Gbps of DDoS traffic.' In a statement to Krebs, he added, 'We have an attack of over 100 Gbps almost every hour of every day.'" -
Sale of IPv4 Addresses Hindering IPv6 Adoption
hal9000(jr) writes "While IPv6 day was a successful marketing campaign, is anyone really moving to IPv6? On World Launch Day, Arbor Networks noted a peak of only .2% of IPv6 network traffic. It appears that IPv4 addresses are still valuable and are driving hosting acquisitions. Windows 8 will actually prefer IPv6 over IPv4. If you want IPv6, here's what to do about it." -
Claims About China's April Internet Hijack Are Overblown
sturgeon writes "Yesterday, we discussed what most of the world's major media outlets were reporting on China's April 2010 hijack of '15% of Internet traffic,' including sensitive US government and defense sites. The alarm came following a US Government report (see page 244) on China / US economic and security relations released on Tuesday. Unfortunately, few bothered with fact checking or actually reading the report. The actual study never makes any estimate of Internet traffic diverted during the hijack — it only cites a blog post to suggest large volumes of traffic were involved. And curiously, the cited blog at the heart of the report never mentions traffic at all — only routes. You have to go to an interview with a third-party security researcher in a minor trade magazine to first come up with the 15% number (and this article never explains where the number came from). In a review of real data and actual facts, Arbor Networks' Craig Labovitz has a blog post looking at the traffic volumes involved in the incident (only a couple of Gigabits per second, or a 'statistically insignificant' percentage of Internet traffic)." -
US Pirate Movie Site DNS Seizure Fail
An anonymous reader writes "Last week, the US government in a highly publicized copyright protection frenzy took the extraordinary step of seizing domain names from foreign movie sites like NinjaVideo.net and TVshack.net. While the seizure raises confusing Internet legal / jurisdiction questions (the US and perhaps the state of Kentucky can seize domain names for foreign companies?), this study shows the legal issues may be moot — the raids mostly failed. Within hours of domain name seizure, tvshack.cc was back up and running (but this time using a Chinese registrar and a Cocos Islands ccTLD)." -
Internet Traffic Shifting Away From Tier-1 Carriers
carusoj writes 'The way traffic moves over the Internet has changed radically in the last five years. Arbor Networks next week will present the results of a two-year study, drawing on more than 256 exabytes of Internet traffic data, which found that the bulk of international Internet traffic no longer moves across Tier-1 transit providers. Instead, the traffic is handled directly by large content providers, content delivery networks, and consumer networks, and is handed off from one of these to another. You can probably guess what some of these companies are: Google, Microsoft, Facebook. Arbor says there are about 30 of these 'hyper giant' companies that generate and consume about 30% of all Internet traffic.' Here is the Arbor Networks press release on the report. -
Drop in P2P Traffic Attributed To Traffic Shaping
An anonymous reader writes "A new report based on data from 100 US and European ISPs claims P2P traffic has dropped to around 20% of all Internet traffic. This is down from the 40% two years ago (also reported by the same company which sells subscriber traffic management equipment to ISPs). The report goes on to say the drop is likely due to continued, widespread ISP P2P shaping: 'In fact, the P2P daily trend is pretty much completely inverted from daily traffic. In other words, P2P reaches its low at 4pm when web and overall Internet traffic approaches its peak ... trend is highly suggestive of either persistent congestion or, more likely, evidence of widespread provider manipulation of P2P traffic rates.'" -
Iran Getting Better At Filtering Web Traffic
Al writes "Rob Lemos reports that Iran's national ISPs seem to have recently gained the ability to filter large quantities of web traffic more effectively. Arbor Networks used data gathered from distributed network sensors to monitor the data going to Iran from the global internet. The firm found that all of the country's providers showed an enormous drop in traffic following the contested June 12 election, then nearly normal traffic patterns until June 26. After that, five of six national ISPs showed an 80 percent drop in traffic for approximately three weeks. The one internal ISP that continues to see significant traffic during those three weeks counts many government ministries among its clientèle. The picture painted by the data is of an ISP that is becoming increasingly skilled in filtering, says Craig Labovitz, chief scientist for Arbor Networks." -
Researchers Find Gaps In Iranian Filtering
I Don't Believe in Imaginary Property writes "With all the turmoil and internet censorship in Iran making it difficult to get an accurate picture of what's going on, security researchers have found a way to locate gaps in Iran's filtering by analyzing traffic exiting Iran. The short version is that SSH, torrents and Flash are high priorities for blocking, while game protocols like WoW and Xbox traffic are being ignored, even though they also allow communication. Hopefully, this data will help people think of new ways to bypass filtering and speak freely, even though average Iranians have worse things to worry about than internet censorship, now that the reformists have been declared anti-Islamic by the Supreme Leader. Given the circumstances, that declaration has been called 'basically a death sentence' for those who continue protesting." Reader CaroKann sends in a related story at the Washington Post about an analysis of the vote totals in the Iranian election (similar to, but different from the one we discussed earlier) in which the authors say the election results have a one in two-hundred chance of being legitimate. -
40-Gbps DDoS Attacks Worry Even Tier-1 ISPs
sturgeon and other readers let us know that Arbor Networks has released their annual survey of tier-1 / tier-2 ISP security engineers. This year they got responses from 70 lead engineers. While DDoS attacks are reaching new heights of backbone-crushing traffic — 40 Gbps was seen this past year — the insiders are also worried about emerging threats to DNS and BGP. The summary notes that "Most believe that the DNS cache poisoning flaw disclosed earlier this year was poorly handled and increased the danger of the threat," but doesn't spell out what a better way of handling it might have been. All in all, the ISPs sound a bit pessimistic — one says "fewer resources, less management support, and increased workload." You can request the full PDF report here, but it will cost you contact information. In related news, an anonymous reader passes along a survey by Secure Computing of 199 international security experts and other "industry insiders" from utilities, oil and gas, financial services, government, telecommunications, transportation and other critical infrastructure industries. They are worried too. -
Level of IPv6 Usage Is Vanishingly Small
An anonymous reader writes "The impending IPv4 address allocation shortage has led to a lot of speculation on the future of IPv6 (including here). A new study says that Internet IPv6 migration is not just going slowly — it has basically not even begun. After spending a year measuring IPv6 traffic across 87 ISPs around the world, the study concludes 'less than one hundredth of 1% of Internet traffic is IPv6... equivalent to the allowed parts of contaminants in drinking water.'" -
The Tiger Effect and Internet DDoS
An anonymous reader writes "Many US and Canadian ISPs thought they were under a massive denial of service attack yesterday — traffic spiked by hundreds of gigabits across North America. Turns out that the traffic was due to live streaming of the U.S. Open and Tiger Woods' nail-biting victory." -
Internet Providers Band Together to Fight Evil
toadlife writes "A group of prominent Internet providers are teaming up with a security vendor Arbor Networks to form the Fingerprint Sharing Alliance. Through the use of Arbor Networks Peakflow SP internet appliance (which is an OpenBSD box with some secret sauce mixed in), members of the alliance can share internet threat information with each other in real time. It sounds a bit like Razor, doesn't it?" -
DDoS Detection Devices
Bistromat writes "The Boston Globe is reporting today that Arbor Networks is marketing a solution to the DDoS attacks that are in vogue with script kiddies today. Their solution is to place filters ("probes") at "peering points" (the points where major ISPs interconnect) to sample and fingerprint traffic so a major DDoS is readily detected and filtered out before the volume becomes unmanageable." It's interesting to me that the anti-authority script kiddies are going to eventually be the reason and the justification for the authorities monitoring everything we do online. 31337 d00d!