Information Security News mailing list archives

A year later, DDoS attacks still a major Web threat


From: InfoSec News <isn () C4I ORG>
Date: Wed, 7 Feb 2001 03:22:41 -0600

http://news.cnet.com/news/0-1003-201-4735597-0.html?tag=mn_hd

By Robert Lemos
Special to CNET News.com
February 7, 2001, 12:00 a.m. PT

Even the Internet has a sense of fate.

At 9:15 a.m. on Feb. 7, 2000, AT&T researcher Steve Bellovin walked up
to the podium at the North American Network Operators' Group and
started a talk. His topic: How a relatively unknown type of Internet
attack couldn't be stopped by current technology.

Less than an hour later, Yahoo--the No. 2 Web property on the
Internet--seemingly dropped off the Internet, as the company's servers
were targeted with the very attack that Bellovin had warned about.

A year later, the network security researcher said major e-commerce
and information sites worldwide remain vulnerable because "there are
(still) no strong defenses deployed."

The so-called distributed denial-of-service (DDoS) attack that knocked
out Yahoo used a host of hacked servers--dubbed "slaves" or
"zombies"--to inundate a Web site or Internet-connected server with
data, effectively stopping the server's ability to respond to Web page
requests or other access attempts. The attack could not be easily
pinpointed, as data seemingly came from 50 or more points across the
Internet. Simple denial of service (DoS) attacks only come from one
source, though attackers can make data appear to come from multiple
sources.

Two days later, eBay, Amazon, Buy.com, ZDNet, CNN.com, Etrade and MSN
joined Yahoo, dropping off the Web for hours at a time. The attacks
affected other sites as well. Overall, Internet traffic slowed by as
much as 26 percent, according to Net performance watcher Keynote
Systems.

Internet still vulnerable

While repeated attacks have increased awareness of the problem, and
technologies for dealing with a DoS attack are seemingly on their way,
last year's messes are only the tip of the iceberg, said Tom Anderson,
co-founder and chief technology officer of Asta Networks, one of three
companies that have popped up in the last year to offer remedies for
DoS attacks and other Internet threats.

"The attacks have become more sophisticated. We have seen a little bit
more of the iceberg, but there is a lot more to come," he said.

Two weeks ago, Microsoft became the latest proof when it suffered a
router glitch and two DoS attacks that left access to the company's
Web properties spotty at best.

The outage followed attacks on worldwide Internet Relay Chat, or IRC,
servers that collapsed parts of the service for hours at a time.

And the problem is not going away. At least one tester of anti-DoS
technology--a major Internet provider--has estimated that anywhere
from 5 to 10 percent of the traffic on its networks is, in reality,
data sent by vandals intent on a DoS attack.

"The attacks have gone from just Web servers to enterprises and
infrastructure," said Anderson. "We cannot become more complacent."

Solutions on their way?

Several groups are attempting to work together to fight against
denial-of-service attacks.

The Internet Engineering Task Force has started working on a
technology to trace back the origin of a piece of data to its source.
So-called ICMP Traceback Messages, or itrace, could turn DoS attackers
from anonymous vandals into easily tracked criminals.

Other groups are forming to share information about attacks, to be
better prepared to defend against them.

The Information Technology Association of America, with 19 other major
technology companies, has formed the Information Technology
Information Sharing and Analysis Center, or IT-ISAC. The center hopes
that by sharing attack data, members will be better prepared for
future DoS attacks--among other Internet threats--and able to track
attacks to the source.

Such tracking is very difficult today, because the tools used by the
vandals who start such attacks can be modified to appear to come from
a completely different source than the real one. Called "IP spoofing,"
such a technique requires every company whose server routes data to
cooperate to pinpoint the attacker.

Without such cooperation, an attacker may be difficult to find, but
stopping the attack is possible, said Phil London, CEO of Mazu
Networks, another start-up that believes it can prevent DoS attacks.

"The Holy Grail is to have a ubiquitous deployment all throughout the
Internet," he said. "But we don't believe that is completely necessary
to provide (DoS prevention) services to our customers."

London and his competitors--Asta Networks and the newly announced
Arbor Networks--believe their customers are more interested in keeping
their connection to the Internet up and working rather than
prosecuting an attacker.

Ted Julian, chief technology officer of Arbor Networks, agrees.
"Customers' first priority is to make these things go away. They just
want to keep on doing business."

Everyone must work together

While that's true, others believe the problem won't be solved without
Internet-wide cooperation.

"I think the only solution is to trace things back and turn them off,
and that requires a lot of cooperation," said the manager of research
and development for network security firm @Stake, who would only use
his old-school hacker handle "Weld Pond."

"Any technology like these has to be widely deployed," he added. "It
has got to be a community effort."

DoS attacks seem to--and in some cases, actually do--come from dozens
or hundreds of locations at the same time. Without Internet service
providers cooperating, tracking back the attacks is impossible.

Cooperation becomes critical because the Internet is still rapidly
growing, and more, rather than fewer, mistakes are being made, said
Weld Pond.

"There are more and more machines out there," he said. "And to me,
that means more and more vulnerable machines. The attacks on Microsoft
have shown that these people are more than willing and more than
able."

Until companies act together to make the Internet more reliable, that
makes business on the Net a waiting game.

ISN is hosted by SecurityFocus.com