Published on Nemertes Research (http://www.nemertes.com)
New Data Center Strategies: The Botnets Are Coming!!

The data center is the new castle, and the botnet hordes are coming for it

New Data Center Strategies Newsletter [1], By Andreas M. Antonopoulos [2], Network World [3], 2/6/07

One of the main findings from Nemertes’ security research in 2005 and 2006 was that the security perimeter is eroding.

With all the connections to partners, suppliers and customers and all the mobile workers, it was almost impossible to define a clear perimeter outside the data center. So the data center has become the retrenched position for most security defenses. The data center has become like the castle keep: a central hardened tower, the most defended area and the location of the most prized possessions.

Now there are hordes storming the castle - botnets have become a serious and increasing threat. Botnets are networks of remotely controlled compromised systems, or bots, often consumer PCs that have been covertly infected and placed under an attacker's control. With some botnets totaling more than 1 million hosts, their impact can be overwhelming.

Botnets are mostly recognized as the source of distributed denial-of-service (DDoS) attacks, as we have discussed [4]. By coordinating thousands of systems, attackers can generate enormous amounts of traffic against a target site, usually overwhelming all defenses.
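The paragraphs above describe the mechanism (thousands of coordinated, individually unremarkable sources) without showing why it defeats the usual perimeter control. The following is an added example, not code from the column or from Nemertes, that runs a classic per-source request ceiling and an aggregate, site-wide check over a constructed access log. The log lines, IP ranges, timestamps and thresholds are illustrative assumptions; each bot sends only a trickle, so no single source ever trips the per-IP rule while the total load is plainly a flood.

```python
"""Added example: why a per-source rate ceiling misses a distributed flood.

The log below is constructed for illustration (Common Log Format); hosts,
IP addresses, times and thresholds are assumptions, not data from the column.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \d+')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def build_sample_log(n_bots=500, reqs_per_bot=2, n_legit=3, legit_rps=2, window_s=10):
    """Return constructed log lines for one window: a few busy legitimate
    clients plus many bots that each send only a couple of requests."""
    base = datetime(2007, 1, 20, 12, 0, 0, tzinfo=timezone.utc)  # assumed time
    lines = []
    for sec in range(window_s):
        ts = (base + timedelta(seconds=sec)).strftime(TIME_FMT)
        for c in range(n_legit):  # 203.0.113.0/24 is a documentation range
            for _ in range(legit_rps):
                lines.append(f'203.0.113.{10 + c} - - [{ts}] "GET /index.html HTTP/1.1" 200 1024')
    for b in range(n_bots):  # synthetic bot addresses inside 10.0.0.0/8
        ip = f"10.{(b >> 16) & 255}.{(b >> 8) & 255}.{b & 255}"
        for r in range(reqs_per_bot):
            sec = (b + r) % window_s  # spread each bot's requests across the window
            ts = (base + timedelta(seconds=sec)).strftime(TIME_FMT)
            lines.append(f'{ip} - - [{ts}] "GET /index.html HTTP/1.1" 200 1024')
    return lines


def parse(lines):
    """Parse CLF lines into (source_ip, timestamp); malformed lines are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        events.append((m.group(1), datetime.strptime(m.group(2), TIME_FMT)))
    return events


def per_source_offenders(events, max_per_source):
    """The classic perimeter rule: flag any single IP above a request ceiling."""
    counts = Counter(ip for ip, _ in events)
    return {ip for ip, n in counts.items() if n > max_per_source}


def aggregate_view(events):
    """Site-wide view: total request rate and number of distinct sources."""
    if not events:
        return {"rps": 0.0, "sources": 0}
    times = [t for _, t in events]
    span = max(1.0, (max(times) - min(times)).total_seconds() + 1)
    return {"rps": len(events) / span, "sources": len({ip for ip, _ in events})}


def distributed_flood(events, max_rps, min_sources):
    """Alert when total load is high AND spread over many sources, i.e. in
    exactly the case where no per-source rule could have fired."""
    v = aggregate_view(events)
    return v["rps"] > max_rps and v["sources"] >= min_sources


if __name__ == "__main__":
    events = parse(build_sample_log())
    print("per-source offenders at 25 req/window:", per_source_offenders(events, 25))
    print("aggregate view:", aggregate_view(events))
    print("distributed flood?", distributed_flood(events, max_rps=50, min_sources=100))
```

With the constructed sample the per-source rule returns an empty set (each bot sends two requests, well under any sane ceiling), while the aggregate view shows roughly a hundred requests per second from about five hundred distinct sources. The practical point is the one the column makes: a control that reasons about one source at a time cannot see a horde, and the detection has to move to where the whole load is visible.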

More recently, botnets have been involved in a massive increase in spam e-mail. In late December and again in late January, two massive e-mail-borne virus attacks led to the compromise of thousands of systems.

According to an announcement by Postini, an e-mail security firm, the botnets then became the vector for a massive surge in spam, leading to a peak of more than 20 million messages in one day, sent on Jan. 20. And so the cycle repeats: e-mail viruses create botnet hordes, which launch a deluge of spam to overwhelm our mailboxes.

The botnet phenomenon should be viewed as much more than just a DDoS or spam menace. Botnets are an attack strategy: the marshaling of the distributed nature of the Internet to create loosely connected networks of compromised systems. Once these are in place they can feed the malware and bot marketplace, where botnets are sold and exchanged for stolen identities.

Already, these bot markets have become highly sophisticated, with high trading liquidity, with brokers and intermediaries who “add value” by aggregating, consolidating and upgrading botnets to the latest remote-control software.

Botnets are therefore an attack vector, a distributed attack methodology, the digital equivalent of an insurgency. They are invisible, appear and disappear quickly, converge in large numbers and coexist with legitimate hosts. As a vector they can be used to deliver any number of different attacks, DDoS one day, spam the next. A few years from now, while battling the botnet-launched XML-purchase-order worm that is filling ERP systems, we may look back with nostalgia on today's botnets.

Just as castle walls became obsolete, so has perimeter security. On the one hand, perimeters are permeable - just as the castles depended on a network of farmers and peasants for food, you cannot cut off the outside world from the enterprise perimeter - the outside world is already inside. And just as Genghis Khan overwhelmed castle defenses by filling the moats with the bodies of innocents, enterprise perimeter defenses are no match for the gigabits per second of attack traffic generated by the botnet hordes.

Enterprise security architects must look to information-centric security, rather than perimeter-oriented security. Perimeters will still be necessary but not sufficient. Identity-based and information-centric solutions will have to complement the perimeter. Make haste, the sound you hear is the horde banging on the castle door.


The Nemertes Research Group Inc. Copyright ©2002-2008

Source URL (retrieved on 2008-12-03 00:59): http://www.nemertes.com/free_content/published_works/columns/new_data_center_strategies_the_botnets_are_coming

Links:
[1] http://www.networkworld.com/newsletters/datacenter/index.html
[2] http://www.nemertes.com/who_we_are/about_andreas_m_antonopoulos_cissp_m_sc
[3] http://www.networkworld.com/
[4] http://www.networkworld.com/newsletters/datacenter/2004/1129datacenter1.html