The Pathogenesis of Dark Traffic Attacks
by Soeren Bech - Wednesday, 29 March 2006.
By its nature, dark traffic cannot be prevented at an Internet-wide level. For its part, anti-spam legislation only acts as a limited deterrent to those intent on dark traffic attacks. The very fact that dark traffic takes on the appearance of legitimate email means that it is not visible to many of the information security measures currently operated by Internet service providers and companies.

The only way to determine whether an email message is legitimate or dark traffic is to compare the addressee with entries in a company’s directory. If the addressee is listed, the email could still be spam, but the vast majority of illegitimate emails, including most of the traffic used for both denial of service and directory harvest attacks, would remain undelivered.

Businesses, however, will be understandably reluctant to hand over their directory details to third parties, even where doing so will improve their information security defences. But businesses can deploy solutions at the edge of their networks that will filter out malformed SMTP packets, denial of service attacks (based on the messages originating from one or a small number of IP addresses) and directory harvest attempts.

Such technology does not replace anti-spam systems based on content filtering, but works alongside them. Conventional spam filtering remains necessary to protect employees’ mailboxes from spam launched against pre-harvested addresses or those bought from a list, as well as for other purposes such as blocking messages with inappropriate content.

Building a layered approach to spam is both efficient and more effective. Two sets of filtering systems greatly cuts the chances of spam messages slipping through the net, but it should also reduce the number of “false rejects” by allowing finer tuning of content-based filters.

But the main argument for deploying scanners at the edge to pick up and block dark traffic is efficiency.

Given that only around 10 per cent of email is legitimate traffic, but that 83 per cent of all messages are believed to be denial of service attacks, directory harvest attacks or have invalid recipients, blocking this mail at an early a stage as possible vastly reduces the load on conventional, content-based filtering systems.

Edge-based systems work by examining the sender’s IP address and the “envelope” headers of an email message, in order to detect dark traffic. If the message is rejected, the content simply never reaches the content filtering systems, let alone the corporate email servers.

As an edge system only looks at envelop data, it will typically be five to six times as quick as a content filter with a similar configuration. In fact, combining a single content filter system with an edge-based filter should be as effective as six standalone content filters.

By blocking more illegitimate email, the combined filters will also save on storage and processing needs, further bolstering the return on investment. Moreover, only edge-based systems can pick up and block denial of service attacks. By the time the messages reach the content filters, it is already too late to stop a denial of service attack.

Filtering out dark traffic at the network edge is cost effective, removes bottlenecks and ultimately, improves corporate information security in a way that other anti-spam measures cannot achieve on their own.


Harnessing artificial intelligence to build an army of virtual analysts

PatternEx, a startup that gathered a team of AI researcher from MIT CSAIL as well as security and distributed systems experts, is poised to shake up things in the user and entity behavior analytics market.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Mon, Feb 8th