Security monitoring essential to attack anticipation, even if the nature of the attack is unclear

Security analysts reported yesterday a noticeable spike in network traffic associated with the Pushdo botnet, whose infected computers are, somewhat curiously, sending large numbers of fake SSL connections to many high-profile websites, including those of the CIA, FBI, PayPal, Yahoo, Mozilla, Google, SANS, and Twitter. The traffic is noteworthy both for its volume and for the lack of any obvious reason why it is occurring; one security expert suggested the botnet might be sending this sort of traffic absent a real attack to make its future traffic seem less anomalous, essentially to help hide the location of the botnet’s command and control center. While the observed traffic volume was high enough to be noticeable, it stops far short of the level necessary to effect a denial-of-service attack, so observers are left wondering just what the point of the activity is, and what might be coming next.

The concept of “attack anticipation” has long been a goal of some types of intrusion detection systems and, more recently, of security information and event management (SIEM) tools. The idea is that by looking at events observed and correlated over time, a potential attack victim can try to predict whether something really significant is on the way. In this case, it’s pretty unusual for a botnet to draw so much attention to itself, so while the good news seems to be that those monitoring the network activity are aware of it, there is little speculation, never mind consensus, on what these initial observations mean.
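The correlation-over-time idea described above, reduced to working code as an added example (not code from the original post or from any SIEM product): it counts TLS handshakes that never complete per destination and minute, then flags minutes whose count far exceeds the median of the preceding minutes. The log format, the hosts and the addresses are all constructed for the illustration.

```python
"""Spike detection over per-minute counts of TLS handshakes that never complete.
Added illustration, not code from the original post. Assumes a flat log
(constructed below): ISO timestamp, source IP, destination host, completed."""
from collections import defaultdict
from statistics import median

# Constructed sample: a quiet baseline, then a burst of handshakes that are
# never completed, the pattern described for the Pushdo traffic.
SAMPLE_LOG = """\
2010-01-30T10:00:05,10.0.0.4,www.example.org,true
2010-01-30T10:01:10,10.0.0.5,www.example.org,false
2010-01-30T10:02:30,10.0.0.6,www.example.org,true
2010-01-30T10:03:07,10.0.0.4,www.example.org,false
2010-01-30T10:04:20,203.0.113.7,www.example.org,false
2010-01-30T10:04:21,203.0.113.8,www.example.org,false
2010-01-30T10:04:22,203.0.113.9,www.example.org,false
2010-01-30T10:04:23,203.0.113.10,www.example.org,false
2010-01-30T10:05:01,203.0.113.7,www.example.org,false
2010-01-30T10:05:02,203.0.113.8,www.example.org,false
2010-01-30T10:05:03,203.0.113.9,www.example.org,false
2010-01-30T10:05:04,203.0.113.10,www.example.org,false
2010-01-30T10:05:05,203.0.113.11,www.example.org,false
"""


def incomplete_per_minute(log_text):
    """Return {dst: {minute: count of handshakes that never completed}}.
    Every observed minute is recorded (even as 0) so quiet minutes feed the baseline."""
    counts = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        ts, _src, dst, completed = line.split(",")
        minute = ts[:16]  # ISO timestamps truncate cleanly to the minute
        counts[dst][minute] += 0 if completed == "true" else 1
    return counts


def find_spikes(counts, factor=3.0, min_history=2):
    """Flag minutes whose count exceeds `factor` times the median of all
    earlier minutes for the same destination."""
    spikes = []
    for dst, per_minute in counts.items():
        history = []
        for minute in sorted(per_minute):  # ISO strings sort chronologically
            n = per_minute[minute]
            if len(history) >= min_history:
                baseline = max(median(history), 1.0)  # floor so a silent baseline is not zero
                if n > factor * baseline:
                    spikes.append((dst, minute, n, baseline))
            history.append(n)
    return spikes
```

On the sample, minutes 10:04 and 10:05 are flagged against a baseline of one incomplete handshake per minute; raising `factor` trades sensitivity for fewer alerts on naturally bursty hosts.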