OrangeCrate is pleased to announce an interview with Danny McPherson of Arbor Networks, the driving force behind the cyber attack Fingerprint Sharing Alliance initiative. This important initiative seeks to address the problems of ISPs sharing of information to mitigate the propagation of viruses, worms, DDoS attacks and other malware.
(Submitted by Chuck Talk, Wed Apr 27, 2005)
Chuck Talk: I'd like to begin by asking you a little bit about your background and current role at Arbor Networks, if I may, Danny:
Danny McPherson: Prior to joining Arbor, I was at Qwest where I was in network operations. I am also active in several IETF working groups related to BGP and network security operations, as well as the NANOG and related, global operator groups.
Chuck Talk: What brought about the idea of the cyber attack Fingerprint Sharing Alliance?
Danny McPherson: If you think about it, it's rather intuitive, actually. Network operators routinely have to share information in order to accurately troubleshoot data and control plane problems in the Internet. Sharing attack information and data about compromised hosts automatically is the next natural step.
When there are denial of service (DoS) or Distributed DoS attacks, the immediate action traditionally taken was to simply mitigate the attack at the egress point of the network, as attack traffic was destined for the target end systems.
However, the number of hosts being recruited into botnets is growing rapidly, as is the magnitude of these attacks. As a result, these attacks are completely overwhelming the target, as well as inflicting severe "collateral damage" on the upstream(s) network infrastructure. For example, we've seen botnets with 150,000+ hosts. With the proliferation of broadband Internet connectivity across the globe, a botnet comprised of just 1000 home PCs could completely disrupt a gigabit Ethernet connected server farm (e.g., assume 1 Mbps per host, and you're looking at 1 Gbps of "firepower").
This growing firepower has made it painfully obvious that these attacks need to be traced back to the network ingress, which can be hundreds or even thousands of interfaces. And the attack information needs to be shared with participating upstream networks in order to preserve interconnection bandwidth and general IP services. And, just as important, we need to identify, isolate and clean up compromised systems.
I recall the first time I had to do this manually, circa 1995, working for a Tier-1 service provider, and it was an extremely tedious, error-prone and time consuming process. What we would have done then for tools that automate this process!
The idea behind the Fingerprint Sharing Alliance is a natural continuation of Arbor's product direction, namely facilitating the workflows present with service providers and operators already. The Fingerprint Sharing Alliance allows operators to distill and share the attack details, enabling peer operators to trace the attack back through networks.
Chuck Talk: How do you perceive this Alliance affecting the spread or speed of attacks on critical network infrastructure?
Danny McPherson: This information is primarily shared in a manual fashion today, often with less secure transport mechanisms and little to no event tracking. This ties the detection and traceback functions to the inter-provider information sharing, all in an automated function (at least as automated as each participant chooses), thereby reducing response times by orders of magnitude.
Chuck Talk: What goals do you hope to achieve in establishing the alliance? Will it help assist in the pinpointing of the source of initial attacks?
Danny McPherson: Yes. Ultimately, compromised hosts need to be identified and cleaned up or disconnected by the network provider. With projections of 30,000 new hosts recruited into botnets every day, an automated mechanism to facilitate the identification and scrubbing of these hosts is an absolute necessity.
There are two things here: Arbor Networks is the global market leader in the service provider security space, and we have enabled Fingerprint Sharing as a default function between network operators on our Peakflow SP platform. Because the majority of service providers, ISPs, MSOs have the ability to share these cyber attack fingerprints, we truly believe this will have an observable positive impact on the security and availability of the global Internet.
Arbor Networks' goal in forming the alliance was centered on helping our customers offer the best service possible to their customers. By giving them the means to detect security threats and remediate attacks across operational boundaries, we empower them to protect their customers from emerging threats more readily. The more effective providers are at keeping these problems from growing, the less effective these attacks will be.
Chuck Talk: What difficulties are presented by nations that lack the laws to prosecute the perpetrators of such activities as developing and delivering malware to the global community?
Danny McPherson: This is, of course, a problem. Miscreants need to be identified and prosecuted in public for their actions. A whole new economy is evolving around the use of compromised systems, not just extortion from the threat of a denial of service attack, but phishing, spam relay, open proxies, etc. The result is real crime on real businesses and individuals, and it must be dealt with.
The community will deal with the non-compliant, just as they do in other industries. However, they need to be armed with the toolsets and data to identify these malicious activities and have the capabilities to remediate and enable prosecution as appropriate.
Chuck Talk: What difficulties do you see such things as SPAM, spyware and adware presenting to the Alliance and the global network infrastructure? Does the Alliance intend to address these concerns?
Danny McPherson: There's an ever-increasing correlation between compromised systems being used for distributed denial of service attacks and other malicious and illegal activities. We've observed hosts that are members of multiple botnets relaying spam and serving as open proxies all at the same time. Many are even commanded by different miscreants. This just shows how important it is to identify and clean the compromised systems.
It all begins with appropriately securing the end systems. The problem is -- network operators typically don't have access or control at that level. As such, they do as much as they can - detect, isolate, and enable the appropriate remediation measures. The Fingerprint Sharing Alliance automates these functions. And the details shared in the Fingerprint Sharing Alliance are flexible enough for operators to describe any network activity that has inter-provider utility.
Chuck Talk: How does Arbor intend to assist the attack Fingerprint Sharing Alliance in remediation and mitigation of threats? What solutions do you see arising from the alliance itself? Will you be addressing these attacks directly, and what will you do in regard to the threat of blended attacks from rootkits, spyware, adware, worms, proxies, Trojans, bots, viruses and other as yet unnamed malware?
Danny McPherson: Arbor provides our customers with tools that enable them to: detect anomalous activity; thoroughly analyze that activity and its impact on the network; share data and automatically execute the appropriate mitigation/remediation functions; and provide detailed forensics, reporting and event tracking data. Simply put, Arbor provides systems that enable our customers to perform their jobs in a more efficient, secure and effective manner, and we'll continue to work with our customers to evolve our products to accommodate customer requests and solve real problems.
Arbor Networks' Fingerprint Sharing Alliance adds a common language to describe the nature of the attack, which resolves ambiguities that have sometimes plagued inter-provider communications in the past. This facilitates the traceback process and allows for faster event remediation, which benefits both the customer and the service provider.
The Fingerprint Sharing Alliance is flexible, in that it allows for the inter-provider cooperation in tracking a variety of threats, including bot networks, spam activity, viruses, and other network malware.
Chuck Talk: What future goals do you wish to see the Fingerprint Data-Sharing Alliance achieve? Is there a road-map for the future goals of the Alliance?
Danny McPherson: While the initial launch and participation has been a phenomenal success, getting all of our customers up and running with these new features is the current focus. We'll continue to evolve the information sharing model as our customers’ needs evolve and we fully intend to embrace more open information sharing models and systems in the near future.
Chuck Talk: How do you plan to address the circumvention services such as dynamic DNS, Peer-to-Peer, ICQ and IRC networks that allow for almost instantaneous transmission of files through the proverbial "backdoor" if you will?
Danny McPherson: Although these technologies are not inherently designed for ill use, they do provide a means by which persons of bad intent may quickly attack the global infrastructure. An example I would point out is the MyDoom series of worms, which are primarily designed to use peer-to-peer file sharing networks such as Kazaa to achieve maximum effect. Dynamic DNS enables malware authors to appear to be physically located somewhere other than their country of origin, and IRC and ICQ networks are largely unmonitored transmission channels that allow for instantaneous transmission of files and the control of "zombie bot networks" on a massive scale.
Chuck Talk: How do Arbor and the cyber attack Fingerprint Sharing Alliance propose to address these types of attacks?
Danny McPherson: There are many methods by which these activities are identified and shared today, and inevitably, the end systems and network attributes of such activity will continue to evolve. The Fingerprint Sharing Alliance provides network operators with a flexible infrastructure on which they can share this information, whether the detection techniques are a decade old or being developed as we speak.
Chuck Talk: What makes Arbor Networks stand out in the security space? What differentiates your company from other vendors, and what is it that you believe will give you an edge in the future market?
Danny McPherson: Arbor Networks was formed by people with security and network operations experience and we bring a deep understanding of networks to our product development to solve the security problems facing network operators.
Arbor is the dominant network traffic analysis and security vendor in the service provider market today. We protect 80 percent of the global Internet backbone.
As we partner with our customers, we’re creating a globally distributed information sharing infrastructure that provides worm and attack fingerprint sharing securely and in real-time. We’re helping our customers secure their networks and the global Internet.
Chuck Talk: Finally, is there anything else that you would like to discuss, that I may have missed? Is there anything you would like to share with my audience? By the way: thanks for taking the time to answer my questions, I do appreciate it.
Danny McPherson: And thank you for your time. This has been an exciting time at Arbor. We’ve planned from the beginning, in 2001, to link up our global customers to help stop these damaging cyber attacks and we’re now just at the beginning.