Winning the DDoS Arms Race

By Miguel Ramos

In the two previous weeks, we’ve taken a look at what hacktivists are targeting with DDoS attacks and what companies can do to protect their online presence against these attacks.

Today I’ll address the fact that even by erecting “barricades” to help stem the tide that occurs when a DDoS attack happens, the reality is that it’s far cheaper to generate bogus traffic than it is to identify what’s legitimate. In other words, with most infrastructural fixes, the sheer volume of incoming requests that happen from a DDoS attack will rapidly exceed in-house capacity.

That’s why even when you establish an in-house policy to address the problem, it’s important to consider third-party options on the market — and why they should be considered for every organization’s defense strategy.

Every organization’s Internet service provider should be considered a resource. But relying on your ISP is a quick fix, and not always the best one.

The problem with most ISPs is that their core business competency is focused on providing backup services and getting data packets from one location to another. Even if they offer DDoS mitigation services, you should double-check their claims and ask: can they conduct deep-packet inspection? Do they have specialized DDoS mitigation tools available? Can they mitigate 100-plus gigabit-per-second attacks?

The reason I ask that you double-check this is because ISPs understandably have a duty to serve their entire customer base, not just any one customer. If the ISP believes — and there are times when this will be the case — that the attack traffic coming through you affects the stability of the services it provides to its other customers, its only option is to shut you down. This is the “greater good” argument that every ISP will ask of itself, and it’s often valid.

Then there’s the content delivery network, or CDN, option. This is the strategy of having server farms deployed offsite, and it’s particularly popular with content-heavy companies, such as those in media and e-commerce. CDN providers cache static content on their own servers, so that visitors get content from them instead of you. However, just because they offer savings while enhancing core performance, it doesn’t mean they’re the best defense against DDoS attacks.

The problem with the CDN option is that many such attacks are dynamic in nature — they’re designed to identify and target weak points. More specifically, they’re crafted to isolate dynamic content sources, such as login pages and search boxes, which are squarely placed in the origin servers. This bypasses the strength of the CDN option and goes to the heart of the problem.

Finally, there’s the cloud-based DDoS mitigation provider. In a business environment, it offers the best defense against most DDoS attacks.

A dedicated, third-party DDoS mitigation service by nature comes with significant bandwidth capability — not infinite, perhaps, but certainly more than most other options. It should have the right staff, with experience and expertise in this evolving field. It should have sophisticated and diverse DDoS mitigation equipment, since no one piece of hardware can be deployed to handle all attacks. In fact, a good team will use a strategic approach when the attack comes, and deploy the solution that best fits the attack vector. Of course, it must also have deep-packet inspection capabilities.

Going one level deeper, the provider needs to have diversity in its bandwidth sources — that’s the only way to handle attacks that feature hundreds of gigabits of data. It needs to have connectivity from many providers in order to ensure resiliency. (This is why cloud computing is so invaluable in this regard.) And it needs to be fully aware of new attack modes, along with new technologies to deal with them.

That’s why I think the best way to look at DDoS attacks is to see them as a kind of arms race — the best resource is one that’s specifically dedicated to stockpiling weapons, and knowing how to use them judiciously. And in today’s threat environment, that’s vital.

Source: http://www.thetechherald.com/articles/DDoS-Attacks-%28Part-III%29-Winning-the-DDoS-Arms-Race/16479/

Wikileaks has been under DDoS attack for the last three days

By Emil Protalinski | May 16, 2012, 5:27pm PDT

Summary: The Pirate Bay is down. Wikileaks is down. Visa was down. Are all these Distributed Denial of Service (DDoS) attacks a coincidence? Right now it’s not clear, but something is definitely happening.

After covering The Pirate Bay Distributed Denial of Service (DDoS) attack and Anonymous’ denial of responsibility for it, I’ve been checking the torrent site’s Facebook Page every so often. The Pirate Bay said it thought it might know who was behind the attack, so I was curious if they would post it today. They haven’t yet, but they did just post this:

Wikileaks.org is also under attack.
This sure is the year of the storm…
As predicted here: https://thepiratebay.se/blog/204

I checked, and indeed Wikileaks is down for me. The site’s Twitter account sent this message out five hours ago: “WikiLeaks has been under sustained DDOS attacks over the last 72 hours. http://www.wikileaks.org is good, http://wikileaks.org is flooded.”

At the time of writing, Down for everyone or just me confirms it: “It’s not just you! http://wikileaks.org looks down from here.” As you can see in the screenshot above, Is it down right now agrees as well: “Wikileaks.org is DOWN for everyone. It is not just you. The server is not responding…”

While looking around for more information about the Wikileaks attack, I happened to stumble on this message from LulzPirate, which has 32,900 followers: “TANGO DOWN: http://Visa.com – Enjoy! #UG #WikiLeaks.” I saw it just a few minutes after it was posted.

I tried going to visa.com and indeed it failed. I couldn’t believe my eyes as I read the “Service Unavailable” message.

I checked Down for everyone or just me and was given this message: “It’s not just you! http://visa.com looks down from here.” A few refreshes later, I got: “It’s just you. http://visa.com is up.”

Phew, okay so two out of three. The Visa attack was clearly just a temporary blip, and not another massive DDoS attack like Wikileaks and The Pirate Bay seem to be experiencing. What a day.

It seems to me that the fact both The Pirate Bay and Wikileaks are down due to a DDoS attack is no coincidence. We’re not talking about a few minutes here or even a few hours, we’re talking about days of outage.

It takes a considerable number of computers and connections, not to mention effort and skill, to conduct one such attack, let alone two. The two could be unrelated, but right now I’m finding that very hard to believe. Either way, the question remains: who could be behind these attacks?

Source: http://www.zdnet.com/blog/security/wikileaks-has-been-under-ddos-attack-for-the-last-three-days/12219

Hillary Clinton’s plan to topple dictators with an open Internet

The ouster of dictators in Egypt and Tunisia made it imperative for Hillary Clinton to lay out a US plan to keep the Internet open for people seeking freedom. But exactly how remains an open question.

Secretary of State Hillary Rodham Clinton said all the right things in a speech on Internet freedom today. She was modest in admitting that the US government didn’t have all the answers – or even know all the right questions to ask – in shaping an open Internet worldwide in the future.

She urged repressive regimes to consider the “dictator’s dilemma” – that when they restrict or harass Internet use it will only harm them and their country in the long run. She termed preserving a free and open Internet “one of the grand challenges of our time.”

The fall of autocratic regimes in Tunisia and Egypt – with the possibility of more to come – came about at least in part because of online social media, from Twitter to Facebook to YouTube. The debate over just how crucial these new media were to the uprisings is just beginning. One could reasonably argue that outstanding coverage by Al Jazeera, in the form of traditional old-style televised reporting, played just as significant a role. As is often pointed out, the Egyptian protest continued on to a successful conclusion even after the government pulled the plug on Internet access.

But what’s already clear is that Internet’s role was real and significant. And now the Obama administration has begun to move beyond words to actions in promoting a free Internet worldwide. Clinton said that it will spend $20 million this year and $25 million next year funding a variety of programs, acting as a kind of venture capitalist to underwrite a number of approaches.

In recent days the State Department has set up its own Twitter feeds in Arabic and Farsi, and Clinton said a similar effort in Chinese will soon follow. She also pledged that monitoring and responding to Internet threats is now part of the State Department’s core mission.

That’s a start. More is needed. One key effort will be finding ways to help people get around fire walls that governments place on their Internet users, freeing their citizens to find out what the rest of the world is saying and doing. Individuals need to know how to set up secure e-mail accounts and how to defend their websites against denial of service attacks.

No one should assume that the Internet will somehow automatically be a force for good. As former journalist and savvy Internet watcher Rebecca MacKinnon points out, while King George VI used the relatively new medium of radio to rally Britain during World War II, Joseph Goebbels in Germany used it to spread Nazi propaganda. Technology plays no favorites in a war of ideas.

Twitter and other online social media themselves don’t represent a “silver bullet” that will pull down dictators and solve the world’s problems. That’s still up to courageous individuals.

But the Internet does represent an important tool – in spreading that courage, in assembling crowds – that must be valued and protected. A race is on between those trying to restrict online access – or infiltrate it and turn it into a means of repression – and those that prize openness.

The administration has been right to listen, test, and experiment. But the move to bigger, bolder actions shouldn’t wait forever.

Source: http://www.csmonitor.com/Commentary/the-monitors-view/2011/0215/Hillary-Clinton-s-plan-to-topple-dictators-with-an-open-Internet

Data security systems must protect against ‘increasing hacktivism’

The evolution of cyber-crime from “mischievous virus-writing” to financially or politically motivated attacks is a trend likely to continue, a new report has revealed.

Data security firm Sophos’ Security Threat Report 2011 has analysed the threats and trends of 2009 and 2010 to predict what will happen in the year ahead.

The company suggested that the WikiLeaks scandal and the following Distributed Denial-of-Service (DDoS) attacks on organisations that had withdrawn their support illustrated a fundamental change in the motivation behind cyber crime.

A virus unleashed in 2010, called the Stuxnet worm, compounded this change by targeting the systems used in industrial applications and nuclear facilities globally, the report suggested.

“These exemplify the development of cybercrime from the initial stages of proof-of-concept and mischievous virus-writing, through financially motivated, organised criminal activity … and finally a third, political motivation,” the company said.

McAfee Labs has also warned organisations to improve data security as politically motivated attacks, commonly known as ‘hacktivism’, will increase throughout 2011 and beyond.

Kroll Ontrack is the world’s leader in data recovery and data management services, working to keep your data safe and always available.

Posted by Edward Clark

Source: http://www.ontrackdatarecovery.co.uk/data-recovery-news/articles/data-security-systems-must-protect-against-increasing-hacktivism355.aspx

Website attacks raise questions about African data security

An increase in hacking by online fraudsters targeting African governments and corporations is raising questions about the safety of the region’s Internet infrastructure.


The hacking is calling into question the security of data held by governments in the region as they adopt e-governance strategies aimed at decentralizing operations and enhancing efficiency. Over the past year, the region has seen more incursions from hackers attempting to gain access to databases for personal information. In addition, some hackers target government websites in order to show their abhorrence of oppressive regimes.

Last week, the Zimbabwean, Kenyan and Tunisian governments’ websites were hit by hackers who defaced the sites and prevented them from functioning efficiently.

Meanwhile, the Kenyan government is planning to build a data center to serve East and Central Africa in a bid to ease the region’s reliance on Europe and the U.S. for data backup. The Rwandan government has also built a database center for the country’s data storage that will provide data backup for other countries in the region.

After the attacks, Zimbabwean Minister of Information and Communication Technology (ICT) Nelson Chamisa said the country is now making efforts to tighten security on its government websites in order to prevent similar strikes. As in Kenya and Tunisia, the Zimbabwean government websites were hit by distributed denial-of-service (DDOS) attacks that rendered them unavailable.

At one point, a defaced Ministry of Finance website displayed a message posted by a group of hackers that identified itself as ‘Anonymous.’

While the Zimbabwean government is still probing the matter, Chamisa said at a media briefing last week that cybersecurity is “now on the front burner of the Zimbabwean government’s work program.”

The attacks have forced the Zimbabwe attorney general to form a commission to investigate the WikiLeaks diplomatic cable revelations and to bring treason charges against anyone found to be colluding with foreign governments. The hackings in Zimbabwe came after the country’s first lady sued a local newspaper for US$15 million for publishing a WikiLeaks cable that linked her to alleged trade in illicit diamonds.

The Anonymous hacker group said it had targeted President Robert Mugabe’s administration for actions taken by government officials to suppress information about the thousands of secrets WikiLeaks released.

In 2009, the Zimbabwean website went offline and was replaced by an advertisement from Microsoft.

Kostja Reim, CEO of Security Risk Solution, said more than 80 percent of the region’s websites are vulnerable to hackers. This is because the governments and institutions have not moved to upgrade information security systems to protect the sites from local and international hackers.

In 2008, the Kenyan government lost millions of dollars to Russian hackers when it attempted to send the money to Ukrainian arms dealers over an unsecured protocol.

Anonymous has announced they have started a recruitment exercise for hackers to take down government websites. As a result, Africa is expected to experience increased cyber-attacks this year unless governments move to upgrade information security systems to protect the sites. Botswana, Namibia and Uganda are some of the countries expected to be targeted by hackers for opposing WikiLeaks.

Source: http://news.idg.no/cw/art.cfm?id=80EFB60B-1A64-67EA-E49A820EB9391CF6

It’s time for a serious response

It has been clear for months that Australian Julian Assange – the founder of the WikiLeaks website – is guilty of crimes against the United States. His release of classified military and diplomatic documents has hurt this country severely. At the very least, he has placed the lives of thousands of American servicemen and women in jeopardy.

Yet President Barack Obama’s Justice Department, under Attorney General Eric Holder, has done nothing but claim it is investigating Assange.

Throughout the world, Assange is losing friends quickly. He is under indictment for sex crimes in Sweden, and under arrest in England. The Swiss government suspended a bank account he had hoped to use to safeguard his money. Several private companies, including PayPal, Mastercard and Visa, have stopped facilitating contributions to Assange.

In retaliation, a gang of computer hackers mounted denial-of-service attacks on some of the involved companies this week. They had limited success – in part because some cyber-heroes struck back, disabling several of the hackers’ servers.

Some of what the hackers are doing is criminal in nature. Clearly, Holder should order an investigation aimed at filing charges against them. Surely at least some of them can be tracked down and brought to justice, while Holder ponders whether to do anything about Assange.

Source: http://www.messengernews.net/page/content.detail/id/535346/It-s-time-for-a-serious-response.html?nav=5087

IPO.gov.uk – Less than an Hour Until Attack Begins

There doesn’t appear to be any shortage of targets in the seemingly unstoppable onslaught of DDoS (Distributed Denial of Service) attacks begun by Anonymous early last month. Targets have included the MPAA, RIAA, US Copyright Group, GM Legal, and the Copyright Alliance. The most successful attacks thus far have been against the Ministry of Sound (MoS) and ACS:Law. The MoS was forced offline for several days, while ACS:Law suffered one of the most devastating data breaches in UK history.

So now the target of Anonymous is the IPO.gov.uk website – or the Intellectual Property Office. This is the first time Anonymous has targeted a government website, indicating a level of fearlessness considering the possible ramifications. As its name suggests, the IPO governs and helps protect copyrights and intellectual property in the United Kingdom.

“We are the official government body responsible for granting Intellectual Property (IP) rights in the United Kingdom.”

While Anonymous doesn’t seem to have any inherent ill-will towards the organization, their motivation for attacking the IPO stems more from the IPO’s alleged support of the system that has moved decidedly against P2P and file-sharing. According to Anonymous, they picked the IPO for “Perpetuating the system that is allowing the exploitative usage of copyright and intellectual property.”

At the time of this writing, there are only 45 minutes until the attack commences. We’re not sure what kind of DDoS protection the IPO has, but we’re about to find out very soon. This attack represents the first coordinated attack since the GM Legal attack – the attack against GeneSimmons.com was conducted by an Anonymous splinter cell that had broken off from the main group. This further indicates that even if Anonymous is brought down, factions within the group are more than capable of continuing the effort.

Source: http://www.slyck.com/story2087_IPOgovuk_Less_than_an_Hour_Until_Attack_Begins

Five ways to defend against a DDoS attack

So you’re under attack. What now?

The economics of the Distributed Denial of Service (DDoS) attack tend to work in favour of the aggressor and not those attempting to protect online assets.

Most DDoS attacks, which most commonly involve a group of attackers flooding a web site with excessive amounts of requests in an effort to prevent it providing service, tend to be small-scale and short-lived. But in rare cases such attacks have brought server clusters – and sometimes entire companies – to their knees.

The question many Australian organisations have faced of late: is a DDoS attack worth defending against? And if you are unfortunate enough to be under attack, what should you do?

Assessing the risk in advance

Jose Nazario, security researcher at Arbor Networks, told iTnews that businesses often wait until it is too late to prepare a strategy and only think about mitigation once under attack.

“That’s not the right time to try to figure out who my service provider is, how do I contact them, or to scream and beg them to help,” he said. “That’s the wrong time.”

Instead, organisations need to include DDoS mitigation as part of their contingency planning, he said.

Key questions customers should ask their service providers are: What protection is available? How does the customer request that protection? What does this protection cost? What is the expected response time? Who is the service provider’s main contact when an event occurs?

“These are pretty obvious questions, but they’re things that people forget,” Nazario said.

Today iTnews spoke to several IT security gurus to discuss mitigation strategies.

1. Beat it with bandwidth

The most basic response to a request or traffic flood is to have sufficient additional bandwidth to withstand an attack.

Larry Bloch, chief executive of Australian web host NetRegistry, believes the best protection is superior infrastructure.

The web host was recently caught in the crossfire of 4Chan users’ “Operation: Payback” DDoS against anti-piracy lobbyist Australian Federation Against Copyright Theft (AFACT).

The attackers directed 60,000 active HTTP connections and 100 Mbps of additional bandwidth at a cluster of servers that hosted AFACT’s website. But the attack had a wider impact since it targeted a load balancer that was servicing thousands of the host’s clients.

“The only real way to reliably protect yourself against this level of attack is to have bigger iron than the attackers – with more network bandwidth, more raw processing power,” Bloch told iTnews.

But competing with multiple distributed computing resources is expensive and difficult to manage, he concedes.

While bandwidth is viewed as an essential mitigation strategy, it can quickly become a very expensive defence.

“Unless you’re monetising that bandwidth, your investment is a really expensive insurance policy,” said Nazario. “It’s an arms race that you’re always going to lose.”

Highlighting the problem, Greg Burns, spokesperson for DDoS protection service Prolexic, pointed out that the largest attack the company had responded to was 103 Gbps in size.

“Transit of this traffic can be expensive – if not impossible – as most businesses [only] have bandwidth availability that is a small fraction of this,” Burns said.

Prolexic expects to see attacks of this size with greater frequency as attackers attempt to blow past today’s carrier-grade DDoS defenses built to cope with 10 Gbps attacks.

Similarly, Prolexic has noted that attackers are turning to more sophisticated methods, such as targeting applications with “low and slow” attacks on layer 7 applications, encrypting attack traffic and attempting to mimic real traffic behaviour.

In other words, having excess bandwidth may win today’s battles, but not tomorrow’s.

2. Geo-blocking

NetRegistry engineers responded to the attack aimed at AFACT using a technique called “geo-blocking”.

The engineers identified that malicious traffic was predominantly coming from Chile and Colombia. With less than one percent of traffic coming from these countries on a given day, compared to, say, the US, NetRegistry opted to block all traffic from both countries.

“Network engineers simply have to make a series of decisions to minimise collateral damage,” Bloch said.

But Prolexic’s Burns believes that on this occasion, the web host got lucky.

“This tool may work for some businesses, but Prolexic believes that limiting any business from receiving requests from an entire region is unnecessary and is – in some way – admitting defeat,” he said.

Had the attack on AFACT been launched from the US, Europe or Asia, it is unlikely NetRegistry could have relied on blocking an entire nation’s incoming traffic.
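The geo-blocking decision described above, and Burns’ objection to it, both come down to one comparison: how much of the attack traffic a country accounts for versus how much of the site’s normal traffic it accounts for. The script below is an added example written for this article, not NetRegistry’s or Prolexic’s tooling. It reads constructed web-server access-log lines, maps client IPs to countries through a small hard-coded prefix table standing in for a GeoIP database (an assumption; a real deployment would use a proper lookup), and recommends a country-level block only where that country dominates the attack window while carrying a negligible share of the baseline. When the dominant attack source is also a major legitimate market, as in the US scenario Burns raises, it refuses to recommend the block.

```python
"""Geo-blocking decision helper (added example; not code from the original article).

Compares per-country request share in a normal baseline window against an
attack window and recommends a country-level block only where the country
dominates attack traffic while carrying a negligible share of normal traffic,
which is the collateral-damage trade-off the article describes.
"""
from collections import Counter
import ipaddress

# Constructed IP-to-country table standing in for a GeoIP database (assumption).
# Documentation/test ranges only; the country assignments are invented.
GEO_PREFIXES = {
    "198.51.100.0/24": "US",
    "203.0.113.0/24": "AU",
    "192.0.2.0/25": "CL",
    "192.0.2.128/25": "CO",
}
_NETS = [(ipaddress.ip_network(p), c) for p, c in GEO_PREFIXES.items()]


def country_of(ip: str) -> str:
    """Return the two-letter country code for an IP, or '??' if unmapped."""
    addr = ipaddress.ip_address(ip)
    for net, country in _NETS:
        if addr in net:
            return country
    return "??"


def parse_client_ip(log_line: str) -> str:
    """Common/combined log format: the client IP is the first field."""
    return log_line.split(" ", 1)[0]


def country_shares(log_lines):
    """Fraction of requests per country for a window of log lines."""
    counts = Counter(country_of(parse_client_ip(l)) for l in log_lines if l.strip())
    total = sum(counts.values())
    return {c: n / total for c, n in counts.items()} if total else {}


def recommend_geo_blocks(baseline_lines, attack_lines,
                         max_baseline_share=0.01, min_attack_share=0.30):
    """Recommend 'block' for countries that dominate the attack window but are
    at most max_baseline_share of normal traffic; 'do-not-block' for dominant
    attack sources that are also significant legitimate markets."""
    base = country_shares(baseline_lines)
    attack = country_shares(attack_lines)
    decisions = {}
    for country, share in attack.items():
        if share < min_attack_share:
            continue  # not a dominant attack source; not worth a blanket block
        if base.get(country, 0.0) <= max_baseline_share:
            decisions[country] = "block"
        else:
            decisions[country] = "do-not-block"
    return decisions


def _lines(ip: str, n: int):
    """Build n constructed access-log lines from one client IP."""
    return [f'{ip} - - [12/Sep/2010:10:00:00 +1000] "GET / HTTP/1.1" 200 512'
            for _ in range(n)]


# Constructed windows. Baseline: 200 requests, 0.5% each from CL and CO.
BASELINE_LOG = (_lines("198.51.100.10", 120) + _lines("203.0.113.10", 78)
                + _lines("192.0.2.5", 1) + _lines("192.0.2.200", 1))
# Attack window resembling the article's case: flood from CL and CO.
ATTACK_LOG_CL_CO = (_lines("192.0.2.5", 180) + _lines("192.0.2.200", 180)
                    + _lines("198.51.100.10", 40))
# Attack window for Burns' objection: the flood comes from a major market.
ATTACK_LOG_US = _lines("198.51.100.10", 300) + _lines("203.0.113.10", 100)

if __name__ == "__main__":
    print("CL/CO flood:", recommend_geo_blocks(BASELINE_LOG, ATTACK_LOG_CL_CO))
    print("US flood:   ", recommend_geo_blocks(BASELINE_LOG, ATTACK_LOG_US))
```

The thresholds are the knobs an engineer would tune per site: `max_baseline_share` encodes how much legitimate traffic you are willing to sacrifice, and the output is a recommendation to feed into a firewall or upstream ACL change, not an automatic block.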

Cases in point were two recent attacks on wholesale IP network provider Vocus Communications.

In March, an attack against web hosting firm Web24 took down part of Vocus’ network and was believed to have come from Asia, Russia and the United States.

In May, the firm suffered a second DDoS attack that was part of a wider attack on US servers.

By July, the company opted to outsource its DDoS protection to a third party, ending its reliance on network technicians to write scripts to manually detect and block malicious traffic.

3. Hide behind giants

The development of cloud computing platforms has introduced a variety of new options to provide resilience against a DDoS attack.

Some companies have migrated part of their infrastructure to distributed computing platforms such as content delivery networks Limelight or Akamai.

“Those are cheaper than buying more bandwidth, but it’s [still] not cheap,” said Nazario.

For those without deep pockets – such as small business and even government agencies – one strategy to beat DDoS has been to rely on the larger infrastructure sets of social network giants such as Google or Facebook.

These sites enable an organisation to continue to communicate with the world, at the cost of functionality and control.

“We have seen people do it on the cheap for themselves – such as a Georgian blogger that was moving stuff into Facebook and Google… basically piggy-backing on those providers’ massive infrastructure to absorb the hit,” said Nazario.

Desperate times called for a commensurate response by the Georgian Government, which turned to Google’s Blogger service to maintain outbound communications with Western nations while under a Russian cyber attack during their 2008 war.

But even the infrastructure of Google or Facebook – whilst larger and more sophisticated – isn’t immune to attack.

“It has the potential for collateral damage because now people are attacking large infrastructure and if there is a significant attack it will disrupt a lot of people around the world,” warns Nazario.

4. The reverse proxy

Australian web host Bulletproof Networks recently deployed a similar, albeit more sophisticated, cloud-based response by hiving off attack traffic to Amazon’s EC2 cloud.

Responding to a sustained DDoS attack aimed at broadband forum Whirlpool, Bulletproof had attempted to mitigate the attack by blocking individual IP addresses.

The web host had asked its upstream providers Internode and Pacific Internet to block incoming HTTP traffic from several IP addresses in the United States and Denmark, but within minutes the attack source shifted.

Nazario argues that the process of identifying individual sources is too labour-intensive.

“You need a highly trained human being to go over logs and packet traces to identify those malicious clients. It can take an hour or two or 24 hours, depending,” he said.

Within a few days, Bulletproof found a better solution. It deployed a “reverse proxy” server in Amazon’s EC2 cloud which it used to bear the load of malicious HTTP traffic.

Amazon’s EC2 served up cached elements of Whirlpool, while legitimate traffic was served non-cached pages from Bulletproof’s Australian-hosted web servers.

5. Choose your neighbours carefully

Given the recent attack on AFACT, businesses might wonder whether it is possible to avoid fallout by refusing to share hosting infrastructure with a likely target.

That is assuming, of course, that a host would even tell you what other organisations share the same platform.

Bloch said it would not make sense from the host’s perspective.

“It is impossible for a sales person or automatic web sign-up tool to do a risk assessment on every customer request,” he said.

“Your question could just as well be: Are you in a shared box with someone with a successful marketing campaign?

“Every now and then somebody sets up a mini-site on a $10 a month hosting account, spends a million on television advertising and expects to cope with the demand on a shared service hosted on a single box.”

Conclusion: Weighing up the cost

IBRS analyst James Turner said that often the right questions are not asked in advance because the risk of a DDoS attack appears low while the cost of mitigation is high.

“For some organisations, it just won’t be worth the cost of mitigating,” he said. “But for others, it would be a crippling incident.

“This is classic risk analysis. If you are offline for an hour, how much money are you not making, or losing?”

As revealed in a recent iTnews poll, four in five readers feel there is no excuse for data breaches during a DDoS attack. This assumes that organisations have adequate defences in place.

In percentage terms, it remains highly unlikely that a legitimate business will be attacked, with the bulk of attacks launched against home users and small sites after disputes in online games or forums.

But should an organisation find itself a target, “proportionally it’s much more expensive to defend against a botnet attack than it is to execute one,” Turner said. “It’s inexpensive to set up a botnet, and an attacker can wreak a lot of damage.

“For organisations that are at risk of a botnet attack – potentially any online service from government to e-commerce – they need to understand the impact on their organisation of their customers losing access to their website.”

Brett Winterford contributed to this story.

Source: http://www.itnews.com.au/News/234834,five-ways-to-defend-against-a-ddos-attack.aspx

Commission proposes new EU cybercrime law

The European Commission wants to harmonise the laws of EU member states dealing with cyber-attacks. It wants to create a new Directive on attacks on information systems, it said in a statement.

The European Commission adopted a ‘framework decision’ in 2005 that attempted to coordinate laws across Europe on hacking, viruses and denial of service attacks.


It has now said that an increase in the sophistication of these attacks and a change in the legal structure of the EU following the passing of the Lisbon Treaty means that that framework decision should be replaced by a Directive.

“[The framework decision] currently in force was a first step towards addressing the issue of attacks against IT systems. Technological advances and new methods employed by perpetrators call for an improvement of EU rules,” said a Commission statement.

“In addition, the entry into force of the Lisbon Treaty on 1 December 2009 provides considerable advantages for new legislation to be adopted in the field of Justice and Home Affairs from now on,” it said. “Legislation will no longer need to be approved unanimously by the EU Council of Ministers (which represents national governments). Instead, it will be adopted by a majority of Member States at the Council together with the European Parliament. A single country will not be able to block a proposal.”

Cyber-attackers are increasingly using massed ranks of hijacked computers, called botnets, to conduct attacks. Groups opposed to anti-piracy legislation and enforcement, for example, are thought to be behind recent denial of service attacks on various legal and institutional websites that are likely to have used botnets.

The Commission said that it wanted to create a new Directive so that it could ensure that laws in all of the EU member states were adequate to deal with what it said were increasingly dangerous threats.

“Implementation at national level will … be improved,” it said. “The Commission will now be able to monitor how Member States apply EU legislation. If it finds that EU countries violate the rules, it will be in a position to refer the case to the European Court of Justice. These considerations add to the justification for the new proposed Directive.”

Like the framework decision, the planned Directive will outlaw gaining illegal access to systems; and interference with systems and data. In addition it will penalise the use of botnets and other ‘tools’ for those purposes; and make police forces respond faster to problems and collect more data on cyber offences.

The Directive would also increase the penalties for those found guilty of offences under it.

“The proposed Directive raises the level of criminal penalties to a maximum term of imprisonment of at least two years. Instigation, aiding, abetting and attempt of those offences will become penalised as well,” said the statement. “Once adopted, the Directive raises the level of criminal penalties of offences committed under aggravating circumstances to a maximum term of imprisonment of at least five years (instead of two years, as foreseen by [the framework decision]).

Those aggravating circumstances would be that the offences were committed by someone acting as part of a criminal organisation; by someone using a tool such as a botnet; or by someone concealing their own identity or using someone else’s.

The Commission said that the plan was a response to the increasing severity of attacks.

“The number of attacks against information systems has increased significantly in the last few years and a number of attacks of previously unknown large and dangerous scale have been observed, such as those in Estonia and Lithuania in 2007 and 2008 respectively. In March 2009, computer systems of government and private organisations of 103 countries (including a number of Member States, such as Cyprus, Germany, Latvia, Malta, Portugal and Romania) were attacked by malware installed to extract sensitive and classified documents,” it said.


“More recently the world witnessed the spread of a botnet called ‘Conficker’ (also known as Downup, Downadup and Kido), which has propagated and acted in an unprecedented scale and scope since November 2008, affecting millions of computers worldwide. Inside the EU, damages from this botnet were reported in France, the UK and Germany. French fighter planes were unable to take off after military computers were infected by Conficker in January 2009,” it said.

Source: http://www.theregister.co.uk/2010/10/11/eu_new_cybercrime_law/