Tuesday, October 04, 2005
The Threat Within: Up to 12% of Attacks are Internally Launched
Research shows that up to 12% of malicious scans on an ISP’s network come from internal subscribers
Basingstoke, UK; October 4, 2005 - Based on data gleaned from over 100 globally-dispersed deployments, Sandvine today announced that up to 12% of all scanning attacks found on a broadband service provider’s network are launched internally, from its own subscribers.
This finding dispels the commonly held idea that all attacks come from external, off-net attackers, and that broadband security only consists of policing the borders between external and internal networks. In actual fact, internal subscribers are attacking external targets and other internal subscribers, consuming network resources and spreading worms and spam Trojans. Subscribers need to be protected from each other as well as external malicious hosts.
Significantly, these internal attackers are most likely unsuspecting victims themselves; "zombie" PCs - whose owners are completely unaware that their computers are infected and searching for other vulnerable hosts - conduct most scanning attacks. These subscribers play the unwitting host to malicious agents, scanning IP addresses, sending requests to useable port numbers, and transferring the worm or Trojan code when a vulnerable host is found. An infected subscriber often reports performance degradations and other problems to the help desk, oblivious to the real reason why their computer seems sluggish or is behaving anomalously.
"If the enemy is already loose within the gates, it doesn’t matter how high the walls are," said Dave Caputo, president and CEO of Sandvine Incorporated, pointing out that strong network-edge defenses are only part of the solution to protecting the network and subscribers. "Broadband service providers must not only prevent malicious agents from entering their network from the ‘outside,’ but also cleanse the unsuspecting attackers on the ‘inside.’ The most successful service providers are protecting their subscribers from malicious traffic no matter where it comes from."
With the increase in more evasive, destructive attacks, broadband providers need greater visibility into their networks in order to shut down attacks before they affect subscribers and cause costly network outages. It’s not sufficient to simply employ signature-based detection to mitigate attacks. Using a combined approach that also includes behavioral detection and network telescoping is critical to stopping zero-day attacks and cleansing the network both from incoming and outgoing attacks. With this per-subscriber visibility into the network, a captive portal can be employed to unfailingly warn infected subscribers that a malicious agent has compromised their computer and that its performance is suffering as a result. Links to removal tools can also be provided, so that the infected subscriber can cleanse their system within minutes of the service provider noticing the infection.
"Malicious traffic is everyone’s problem, whether it’s dealing with off-net attackers or your own subscribers. Broadband service providers need traditional tools as well as real-time visibility into network traffic to stop zero-day attacks," said Lindsay Schroth, broadband access technologies, Yankee Group. "Sandvine’s unique approach combines signature and behavioral detection with a professional services element to effectively shut down attacks before they affect the network and the subscribers."
For this study, Sandvine gathered data across a select sample of broadband service provider networks representing over 20 million subscribers worldwide.
Sandvine intelligent broadband network solutions give service providers tools to identify threats and emerging applications, reduce network congestion, protect subscribers and their applications, and enhance subscriber quality of experience (QoE).
BEHAVIORAL AND SIGNATURE-BASED DETECTION
Sandvine’s behavioral or anomaly-based engines look at network usage behavior in real time and historically to identify attack threats. This allows malicious traffic to be identified and mitigated before a pattern signature can be applied, and long before the attack is even known within the wider security community. The technique counters new and emerging 'zero-day' attacks proactively, before a pattern signature has to be reactively developed. The Sandvine solution also applies signature-based detection to counter the latest known attacks by identifying the specific malicious packet instances and flows as they appear on the network.
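The behavioral detection described above and in the earlier paragraph on per-subscriber visibility can be illustrated with a small scan detector run over flow records. This is an added example, not Sandvine's code: it assumes flow records of the form (timestamp, source, destination, port), uses 10.0.0.0/8 as a stand-in for the provider's subscriber address space, and picks an arbitrary threshold of 20 distinct targets per minute to flag a source as scanning, then reports what share of detected scanners are internal subscribers.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample flow records: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.0/8 stands in for the provider's subscriber space; 203.0.113.0/24 is
# off-net. All values are illustrative, not captured traffic.
SAMPLE_FLOWS = [
    # An infected subscriber probing 30 distinct hosts on port 445 in 30 seconds.
    *[(t, "10.0.0.5", f"10.0.{t % 7}.{t}", 445) for t in range(1, 31)],
    # An off-net scanner sweeping subscribers on port 135.
    *[(t, "203.0.113.9", f"10.0.1.{t}", 135) for t in range(1, 26)],
    # An ordinary subscriber talking to a few web servers: must not be flagged.
    (5, "10.0.0.7", "203.0.113.20", 80), (6, "10.0.0.7", "203.0.113.21", 443),
    (7, "10.0.0.7", "203.0.113.20", 80), (8, "10.0.0.7", "203.0.113.22", 443),
]


def find_scanners(flows, subscriber_space, window_s=60, min_targets=20):
    """Return {src_ip: (peak_distinct_targets, is_internal)} for every source
    that contacts at least min_targets distinct hosts within window_s seconds.
    No signature is involved: only the fan-out behavior of the source is used."""
    per_src = defaultdict(list)
    for ts, src, dst, _port in flows:
        per_src[src].append((ts, dst))
    net = ip_network(subscriber_space)
    scanners = {}
    for src, events in per_src.items():
        events.sort()
        peak = 0
        # Slide a window starting at each event and count distinct destinations.
        for i, (t0, _) in enumerate(events):
            seen = {dst for ts, dst in events[i:] if ts - t0 <= window_s}
            peak = max(peak, len(seen))
        if peak >= min_targets:
            scanners[src] = (peak, ip_address(src) in net)
    return scanners


def internal_share(scanners):
    """Fraction of detected scanning sources that are the provider's own subscribers."""
    if not scanners:
        return 0.0
    return sum(1 for _, internal in scanners.values() if internal) / len(scanners)


if __name__ == "__main__":
    found = find_scanners(SAMPLE_FLOWS, "10.0.0.0/8")
    for src, (targets, internal) in found.items():
        print(f"{src}: {targets} distinct targets, {'internal' if internal else 'off-net'}")
    print(f"internal share of scanners: {internal_share(found):.0%}")
```

A provider would feed such a verdict into the captive-portal notification step described above; the threshold and window must be tuned per network so that legitimate fan-out (P2P, CDN traffic) is not misreported.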
Sandvine’s Security Operations Services team provides ongoing analysis to guarantee optimal network health for service providers and early warning in the event of an attack. Sandvine’s visibility into a wide, global deployment of service provider networks acts as a 'network telescope', collecting and uncovering malicious traffic threats at the earliest opportunity and before they spread across the world. The Sandvine Security Operations Services protect the capability of the network to deliver services, protect subscribers from attack and ensure their quality of experience - all backed by an industry-first service level guarantee.
ABOUT SANDVINE INCORPORATED
Sandvine’s award-winning intelligent broadband network equipment helps broadband service providers characterize what really happens on their networks, enabling policies that improve customer satisfaction, reduce operational costs and increase profitability. Sandvine’s application and subscriber-aware solutions empower service providers to take control of P2P traffic, stop the proliferation of destructive worm, DoS and spam Trojan traffic and ensure subscriber quality of experience (QoE). With over 100 deployments globally, Sandvine is protecting the Internet experience for millions of broadband subscribers worldwide. www.sandvine.com