As every IT security professional knows, it is war out there on the Internet. Enterprises and Internet users are under continually increasing attack from phishers, spammers and numerous other criminals. Over the last decade the defenses deployed against these attacks have grown enormously, but the attacks themselves have become ever more sophisticated in turn. It has been an arms race, and one the attackers appear to be winning, for much the same reasons that governments struggle against terrorists and "insurgents". Hitherto the main response of those attacked has been to spend more money deploying more boxes (firewalls, IDSes, load balancers, deep packet inspection devices and so on), all of which defend against the last war, not the next one.
But just as governments find that beefing up security merely inconveniences the 99.9% of good citizens without seriously impeding the terrorists, so IT staff find that adding hardware merely delays the inevitable overload and fails to stop the next zero-day exploit. The main reason is the asymmetric nature of the battle and the way the current arms race has developed.
Exponential Increase in Attack Resources

In the beginning we had firewalls to keep the bad guys out, and all was good. When we set up IDS to see who the bad guys were, they started using compromised systems to mask their identity. This led to the creation of armies of "bots" that could overpower the defenders, and these days attackers have enough compromised computers under their control that they effectively have a massive distributed supercomputer. Further complicating things, the attackers started using more sophisticated attacks on the ports and services that were open, requiring deep inspection and content filtering firewalls, which take more processing power and need to be replicated just like the firewalls. At the same time, IDS alerts have become so frequent that they are no longer useful. Worst of all, even when the IDS does detect something suspicious, by the time that particular IP address has been blocked at the firewall the attacker has moved it on to attack someone else and is using a different one against you.
The Bot Problem
The fact that attackers use armies of bots to do their dirty work hurts the defenders in several ways. First, it vastly increases the number of attackers active at any one time: DDoS attacks are the poster child for this effect, but there are related threats too. More subtly, the sheer number of attackers makes it harder to detect and block them at the earliest possible stage. And since the bots communicate with their controllers, an attack can be split so that one bot runs the port scan, a second probes the open port for a vulnerability and a third exploits it. Finally, the owners of infected computers will detect and remove the infections while other computers become infected, so even if a complete blocklist could be built it would be outdated within a day or two.

The graph above shows how long IP addresses remain on threat lists: nearly a quarter are removed within 24 hours, over a third within a week, and only 40% remain for more than a month. This dynamic nature of the attacking machines, and of the vulnerabilities attackers attempt to exploit, means that the most efficient way to stop malicious traffic, a firewall block of the very first TCP SYN or its equivalent, becomes almost impossible to achieve for the majority of malicious traffic. To the extent that it is possible, it typically absorbs the energies (and salary) of a full-time security professional who would undoubtedly prefer to do something less tedious.
ThreatSTOP - Distributed dynamic defense
ThreatSTOP is the answer. ThreatSTOP lets firewalls automatically block 90% or more of all malicious traffic with the addition of just two simple rules: one for inbound traffic and one for outbound, the latter stopping compromised machines on your network from calling "home". By dropping the very first packet, ThreatSTOP dramatically reduces load on your web and email infrastructure and may even reduce total IP traffic, potentially lowering bandwidth charges.
ThreatSTOP works by using the same distributed techniques that the attackers use.
- Data is gathered from a number of sites on the internet, and from traffic logs from our customers.
- This data is analyzed in near real time to produce a list of the currently bad IP addresses.
- ThreatSTOP customers automatically pull down the most up-to-date block lists using standard DNS queries.
Because ThreatSTOP customers share attack data, we benefit from economies of scale just as the attackers do: once a new attack from a new bot is identified at one ThreatSTOP-protected location, that data is automatically passed to all the others within a matter of hours.
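As an added example (not ThreatSTOP's own code or list format), the following Python script shows how a firewall host would turn a DNS-published block list into the two rules described above, an inbound drop on source address and an outbound drop on destination address. The zone name `basic.threatstop.example`, the record format (one address or CIDR per line, as `dig +short` would print it), the set name `threatstop` and the sample answer are all assumptions constructed for this example; the real service's zone names and record formats are not described on this page. The script also handles the two failure modes a practitioner cares about: the list churns quickly, so the live ipset is replaced by an atomic swap rather than a flush-and-refill, and a corrupt or hostile record must never be able to block the host's own address space or the whole Internet.

```python
"""Turn a DNS-published IP block list into inbound and outbound firewall rules.

Added example, not ThreatSTOP's own code. Assumptions (labelled):
  - BLOCKLIST_ZONE is a hypothetical zone name; the real service's zones and
    record formats are not described on the page.
  - SAMPLE_DNS_ANSWER is a constructed stand-in for `dig +short` output so the
    script runs offline; in production it would come from a resolver query.
"""
import ipaddress

BLOCKLIST_ZONE = "basic.threatstop.example"  # hypothetical zone name

# Constructed sample answer (documentation ranges, one record per line).
# It deliberately contains a duplicate, an RFC 1918 address, a malformed
# record and an over-broad prefix, so the filtering below has work to do.
SAMPLE_DNS_ANSWER = """\
198.51.100.7
203.0.113.0/24
198.51.100.7
10.0.0.5
not-an-address
1.0.0.0/4
192.0.2.44
"""

# Address space a remotely fetched list must never be allowed to block:
# a bad record would otherwise cut the host off from its own LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "::1/128", "fe80::/10", "fc00::/7",
)]
# Shortest prefix accepted per IP version; anything broader is treated as a
# corrupt record rather than a legitimate block entry.
MIN_PREFIXLEN = {4: 8, 6: 32}


def parse_blocklist(answer_text):
    """Parse resolver output into a sorted, de-duplicated list of networks."""
    nets = set()
    for line in answer_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            net = ipaddress.ip_network(line, strict=False)
        except ValueError:
            continue  # malformed record: skip it, do not abort the refresh
        if net.prefixlen < MIN_PREFIXLEN[net.version]:
            continue  # over-broad prefix such as 1.0.0.0/4
        if any(net.overlaps(local) for local in LOCAL_NETS):
            continue  # would block our own address space
        nets.add(net)
    return sorted(nets, key=lambda n: (n.version, int(n.network_address), n.prefixlen))


def ipset_restore_script(nets, setname="threatstop"):
    """Build an `ipset restore` script that replaces the live set atomically.

    Entries churn quickly (the page notes a quarter leave the list within a
    day), so each refresh fills a temporary set and then swaps it with the
    live one; the firewall rules keep pointing at the live set's name and
    there is never a moment when it is empty. IPv4 only for brevity; IPv6
    entries would go into a second `family inet6` set matched by ip6tables.
    """
    tmp = setname + "_tmp"
    v4 = [n for n in nets if n.version == 4]
    lines = [
        f"create {setname} hash:net family inet",
        f"create {tmp} hash:net family inet",
        f"flush {tmp}",
    ]
    lines += [f"add {tmp} {n.with_prefixlen}" for n in v4]
    lines += [f"swap {tmp} {setname}", f"destroy {tmp}"]
    return lines


def iptables_rules(setname="threatstop"):
    """The two rules the page describes, each preceded by a rate-limited LOG.

    Inbound: drop packets whose source is in the set, so the very first SYN
    from a listed address never reaches a service. Outbound: drop packets
    whose destination is in the set, which catches an already compromised
    host on this network trying to call home. Both are inserted at the top
    of their chain so they run before any accept rule; on a gateway the same
    matches would go in the FORWARD chain. Logging is rate-limited so that a
    DDoS from listed addresses cannot flood the logs.
    """
    return [
        f"iptables -I INPUT 1 -m set --match-set {setname} src -m limit --limit 10/s -j LOG --log-prefix 'TS-IN: '",
        f"iptables -I INPUT 2 -m set --match-set {setname} src -j DROP",
        f"iptables -I OUTPUT 1 -m set --match-set {setname} dst -m limit --limit 10/s -j LOG --log-prefix 'TS-OUT: '",
        f"iptables -I OUTPUT 2 -m set --match-set {setname} dst -j DROP",
    ]


if __name__ == "__main__":
    nets = parse_blocklist(SAMPLE_DNS_ANSWER)
    print("# ipset -exist restore <<'EOF'")
    print("\n".join(ipset_restore_script(nets)))
    print("EOF")
    print("\n".join(iptables_rules()))
```

In production the sample answer would be replaced by the output of a resolver query against the zone, run from cron at the interval the list publisher recommends, and the generated script fed to `ipset -exist restore`; the four iptables rules are installed once and never need to change, because only the set's contents are refreshed.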
Now you are protected against new botnets and many zero-day attacks.
Interpol of the Internet™