Security Lessons from Nature – Prairie Dogs
- At September 01, 2009
- By Josh More
- In Natural History
0
It must have been quite the surprise as American settlers moved Westward and encountered their first prairie dog town. As they traveled, they would have seen first one strange little rodent, then another, then a few more, then maybe thousands. They would have observed that they live in a large subterranean community and work together to protect the colony. Lewis and Clark themselves observed that they could pour five barrels of water into a hole without filling it.
While this may seem somewhat cruel by modern standards, one has to note that it’s not like prairie dog colonies never encounter rain. In fact, that’s the point of today’s post. Prairie dogs work together to build a massive underground complex. They will raise their children below ground and forage for food above ground. Over the millions of years that they have been honing this system, they have learned to maximize their security infrastructure.
In the prairie dog’s world, there are many threats. For a subterranean colony, the threat of rain is pretty significant. If insufficiently reinforced, the tunnels could collapse and crush the little critters. If improperly designed, water could flow into the nursery areas and drown the pups. Simply being underground protects the prairie dogs against predators like hawks and coyotes. However, other predators like snakes and weasels have managed to adapt. To defend against incursions from predators such as these, the colonies have a very complex array of tunnels that only the prairie dogs know how to navigate. (Though this has proven less effective against some.) Prairie dogs supplement their security with a complex warning system of alarm calls where the sentries will stand on a high outlook and issue a shrill “eep” when danger approaches.
So, while all of this is useful if you happen to be one of many communal rodents, what does it mean for those of us who happen to work in the business world instead? The first thing to remember is that infrastructure planning is important. Consider building in excess capacity. Your network may be able to handle ordinary traffic, but could it handle the torrential downpour of traffic that would result from sudden Internet popularity? That said, it’s important to realize that not even prairie dogs built infinite capacity. They withstood the attempted denial of service attack by Lewis and Clark, but they wouldn’t have survived a distributed attack by thousands of Lewises and Clarkses (sorry). So, while capacity planning is important, it’s not everything… your infrastructure also has to be adaptable.
Instead, it would be wise to build a slight excess of capacity to handle the peaks of usage and then invest in some sentries. Just as prairie dogs monitor for specific dangers and issue alarms for birds of prey, snakes and canines (and, at the zoo, monorails), you could monitor your network for malware, DDOS attacks and internal intrusions.
I would, however, recommend that the alarms not involve standing atop your building and “eep”ing. Email or SNMP might make better sense.
Small Business Defense – Detect, Avoid, Leverage Business Relationships
- At March 26, 2009
- By Josh More
- In Business Security
- 0
If you’re dealing with a DDOS attack, I’m afraid that I haven’t much good news for you. Once it’s started, it may be a bit late to try to deal with it. Odds are, you’re best off just waiting it out. Failing that, you can try to change IP addresses on your external systems, however, that technique is less effective than it was and requires the assistance of your ISP.
No, the right way to handle this sort of attack is long before it starts.
These sorts of attacks tend to start a bit slowly, and can be recognized by a ramping up of traffic. However, in order to detect it, you have to first know what legitimate traffic looks like. Thus, for months before the attack, you have to be watching what’s coming in. You should know what “normal” looks like, so you can detect “abnormal”. Not only will this help you differentiate an attack from simply outgrowing your resources, but it will also help you identify how you are using your resources so you don’t waste your money.
Bear in mind that most Internet connections can only carry so much, and if your employees are using it watching YouTube videos, that leaves less for legitimate customers. The first rule is to know what you have and how it’s being used. To reference Tuesday’s post, you need to know how many rats are normal, so you know when you’re about to have too many of them.
Then, you can move on to attack avoidance. There are systems out there that are specifically designed to handle DDOS attacks, but let’s assume that you don’t want to pay for that. One quick solution is to use a set of proxies. These can be servers or network devices in a proxy configuration. The way these work is to simply receive connections and then balance them to the back-end server. Here, you can set up rules to drop illegitimate traffic to reduce what goes through to your server to a manageable amount. There are many technical ways to do this, and none of them are perfect… however, you don’t need perfect. You just need to drop enough traffic to get things working again. (In other words, you don’t need to stop all the rats, you just need to make sure that there’s enough grain for you and your family to eat.)
However, this solution only works assuming that the attack is somewhat small in scope. If the amount of traffic is overwhelming and your connection itself can’t handle it, having a set of proxies won’t help you much. You’ll need to call your ISP. This is why it’s good to have a good business relationship with your ISP. You should know the names and numbers of who you need to call, and you’ll need them to be technically competent. Ideally, you should be able to call them up, and say “I think I’m having a DDOS attack, can you block all traffic from Asia” (assuming that you don’t do business in Asia, of course :). This is like asking for international help in the face of a massive influx of rats.
The huge ISPs tend to have the technical skill, but lack the personal relationship. The really small ISPs will bend over backwards to help you, but may not know how. I suggest going for the middle of the road approach. Interview prospective ISPs and ask how they would handle this sort of situation. Ask if they can give you an emergency number that would always have a live person answering, 24×7. The good ones will, though they might charge you when you call after hours. This is well worth it.
In the end, you will have built an infrastructure that is resistant enough and built a business relationship that is flexible enough. The only way to be 100% protected against this sort of attack is to have more resources than the rest of the Internet combined, and that’s just not going to happen. This sort of preparation is fairly cheap, and worth a lot if you need to leverage it.
In the end, it’s cheap insurance.
Small Business Attack – Denial of Service
- At March 25, 2009
- By Josh More
- In Business Security
- 2
You get the call from your front-line people. Your web site is down and customers are complaining. You call your web folks and they can’t even get to the server. Then, your front-line people call you again and report that the entire Internet connection is down. You call your ISP, and they tell you that your line is up, but you’re getting a lot of traffic.
Their solution? Buy more bandwidth.
In fact, if you buy right now, you might even have it in a few weeks.
What has happened is a distributed denial of service attack. In this attack, the attackers leverage hundreds of thousands of machines and send traffic to a target. In this case, to your server. As it starts, people start to have problems with the web server. Pages will load erratically, customers will experience slowness and the server may start to reboot itself or lock up entirely. However, it doesn’t stop there. The attackers often don’t know when they’re successful, and the traffic just keeps coming. Soon, your Internet connection will fill up and stop responding. If you’re hosting offsite, the line usage may spike and drive you into over-utilization charges. Thus, in addition to losing potential sales for every minute you’re down, you may also be charged for the experience.
So, it sucks to be you, but what does the attacker gain? In the old days (you know, when the hills only went up), this was done out of spite. Someone had taken offense at something you or your company had done, and their solution was to make your life miserable. These days, it’s different.
These days, the attacker may be a competitor or someone hired by a competitor. They may be starting a campaign and want you out of the picture during the process. They may be trying to take one of your biggest clients and want to show that you’re unreliable. It may be a criminal organization using such an attack to hide a second, more subtle attack. It may be an employee that simply wants a day off.
In any of these cases, what are you going to do about it?
Security Lessons from Nature – Rats, Bamboo and Surprises
- At March 24, 2009
- By Josh More
- In Natural History
- 0
There are some plants that bloom several times a year, some that bloom every year and some that bloom every few years. However, there are also a few types of plants that bloom every few decades. This is generally viewed as a fairly big deal, and botanists get all excited and talk to bored people at parties* for hours on end about how special and wonderful it was, and how happy they are to have finally seen such a thing. Unless you’re a botanist, you probably wouldn’t care much.
* At least, at the sorts of parties that over-excitable botanists get invited to.
That is, unless you happened to live in Asia and the plant happened to be bamboo. Unlike the American century plant, of which individual members bloom every few decades and then die, bamboo has learned to do synchronized blooming. Now, as scary as it is when a bunch of people start synchronizing their swimming, it’s far worse when bamboo does it.
Granted, it’s not the bamboo so much as the rats.
When the bamboo blooms, it pollinates and then produces fruits and seeds. Suddenly, there’s a lot of food around and rats appear to devour all the bamboo fruits. In the process they, of course, tend to make more rats. So, for the course of a year or two, there are more and more bamboo fruits which result in more and more rats. This is all well and good until the bamboo suddenly all wise up and think “Wait a minute, what are we doing here? Rats are eating us!” and promptly go back to being placid grasses.
This leaves hundreds of rats, thousands of rats, millions and billions and trillions of rats… and no lovely little bamboo fruits to eat. Being more intelligent than the bamboo (and lacking the “hey, let’s all be grass again” gene), the rats promptly turn around and start eating everything else that they can.
In Mizoram, a state of India, this means eating the people’s crops. It means that the farmers who, for a generation or more have been easily able to feed their families and export enough to make a reasonable living are suddenly transformed into fighters that must defend their livelihood against a rampaging horde of rats. And really, there’s not a lot they can do about it. A farmer may take on a rat and win, but one farmer versus one thousand rats is much less of a sure thing.
Similarly, you may be able to defend your business against an attacker or two, but when those few attackers suddenly become a coordinated attack from thousands to millions of computers, you’re pretty much not going to win.
Distributed Denial Of Service (DDOS) attacks mostly target larger companies, but as bot nets become more affordable, the likelihood of an attack targeting you goes up. We’ll look at this in more detail tomorrow.
For now, just consider the problem facing the farmers Mizoram, and think that we don’t even know what diseases these rats might be carrying.
