Information Security News mailing list archives

Scared of 'Zombies'? You Should Be

From: InfoSec News <isn () c4i org>
Date: Thu, 31 May 2001 02:09:51 -0500 (CDT)

By Alex Salkever 
Business Week
May 30, 2001

It was akin to the fire station burning down. On May 21, Web surfers
trying to access the site of the Computer Emergency Response Team
(CERT) Coordination Center at Carnegie Mellon University encountered
an error message. The reason? CERT had been effectively wiped from the
Internet by malicious hackers who barraged it with bogus queries for
information, a technique known as a denial-of-service (DOS) attack.

Like callers trying to reach a popular radio-station request line and
getting the busy signal instead, those who attempted to view CERT's
Web site were rewarded with nothing but error messages. For two days,
CERT's staff struggled to find the source of the attack and contain
the problem.

Unwitting Accomplices

The attack on CERT is far from an anomaly. The Defense Dept., the
White House, Yahoo!, Microsoft, and other big-name entities have
watched helplessly as their sites went down under DOS attacks.
According to a study released last week by scientists at the
University of California-San Diego's supercomputing facility, more
than 4,000 DOS attacks happen each week. The most sophisticated and
serious last for days as dozens, hundreds, even thousands, of hijacked
"zombie" computers pour forth an unceasing barrage of Web-page
requests, all unbeknownst to the machines' owners.

But the situation with CERT underscores how vulnerable to DOS attacks
computer networks really are. The federally funded center is one of
the key organizations sending out warnings to tech companies about
computer-related security hazards. Each day, thousands of systems
administrators check CERT's site to see what new security flaws have
cropped up. And CERT staffers perform and coordinate analysis of a
wide array of pending and public Internet system vulnerabilities.

What's more, CERT's staff comprises some of the most security-savvy
people in the country. Yet they were all but helpless in the face of
an attack that could have been launched from virtually anywhere on the

As more and more critical functions, from international phone traffic
to early-warning systems, go onto the Internet or networked systems,
the potential damage from a DOS attack rises -- from lost business at
Yahoo! to communications blackouts between government entities, even
between countries.

How could this happen? Although the attack on CERT keyed on the unique
Internet Protocol (IP) address of that organization's Web server,
every device that is a node on the Internet has such a number.

Unrecognized Hazards

That means the backbone routers used to direct massive amounts of data
traffic through phone companies and Internet service providers (ISPs)
each have an individual IP address, which makes them potential
casualties of DOS attacks. Something similar happened on May 24, when
routers serving the Weather Channel were hit with a DOS attack that
slowed traffic and impeded access for almost eight hours. Those
routers were hosted by Exodus Communications, one of the largest
hosting companies in the business.

Microsoft, too, was hit by a router DOS attack earlier this year, an
assault launched after hackers figured out the IP address of one of
the main Microsoft routers and then bombarded it with data packets.
Because a number of Microsoft sites, including Hotmail and Expedia,
relied on that router for access, the entire Microsoft Network of
sites was affected for days.

These scenarios are relatively mild compared to what could happen if
sophisticated hackers ever figure out the IP address of a backbone
router for AT&T's transoceanic traffic. That would affect not only
data but voice traffic as well. "A lot of people don't realize it, but
they are routing a lot of their voice traffic over those lines,"
explains Ted Julian, the chief strategist for Arbor Networks, which
makes equipment to fend off DOS attacks. According to Julian, special
equipment and software can filter and foil most nuisance hacks.

Identifying the Threat

For more sophisticated attacks -- the ones where hackers take control
of larger clusters of machines and forge random source IP addresses
with no discernible pattern -- Arbor can only try to isolate which of
the main Internet connection points feeding into a network is carrying
most of the DOS traffic, then cut off that data. The downside? "We
would end up screening out some legitimate traffic," admits Julian.
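As an added illustration of why this mitigation is so coarse (this is example code, not from the article or from Arbor Networks), the Python below builds a constructed set of NetFlow-style records aimed at one victim address. Aggregating by source address shows no single offender to block, because every attack record carries a freshly forged source. Aggregating by ingress uplink does reveal where the flood enters, and the same records then measure how much legitimate traffic a filter on that uplink would discard. Uplink names, addresses and volumes are all made up.

```python
"""Added example: ingress-based triage of a flooding attack against one victim.

Constructed NetFlow-style records (ingress uplink, source IP, destination IP,
packet count) stand in for real router exports. The 'legit' flag is ground
truth that exists only in this synthetic sample so the collateral damage of
the filter can be measured; real flow records carry no such label.
"""
import random
from collections import Counter

VICTIM = "192.0.2.10"                       # documentation-range address (assumed target)
UPLINKS = ["peer-a", "peer-b", "peer-c"]    # hypothetical ingress interfaces


def build_sample_flows(seed=1):
    """Construct legitimate traffic spread across all uplinks plus a flood
    with a fresh forged source per record, 90% of it entering via peer-b."""
    rng = random.Random(seed)
    flows = []
    clients = [f"198.51.100.{i}" for i in range(1, 21)]   # repeat real users
    for _ in range(300):
        flows.append({"ingress": rng.choice(UPLINKS), "src": rng.choice(clients),
                      "dst": VICTIM, "pkts": rng.randint(5, 40), "legit": True})
    for _ in range(3000):
        src = ".".join(str(rng.randint(1, 254)) for _ in range(4))   # forged source
        ingress = "peer-b" if rng.random() < 0.9 else rng.choice(["peer-a", "peer-c"])
        flows.append({"ingress": ingress, "src": src, "dst": VICTIM,
                      "pkts": rng.randint(10, 30), "legit": False})
    return flows


def packets_by(flows, field):
    """Sum victim-bound packets grouped by one record field."""
    totals = Counter()
    for f in flows:
        if f["dst"] == VICTIM:
            totals[f[field]] += f["pkts"]
    return totals


def top_source_share(flows):
    """Share of victim-bound packets from the single busiest source address.
    With forged, randomised sources this is tiny: there is no address to block."""
    by_src = packets_by(flows, "src")
    return max(by_src.values()) / sum(by_src.values())


def choose_ingress_to_cut(flows):
    """The coarse mitigation: name the uplink carrying the most victim-bound traffic."""
    return packets_by(flows, "ingress").most_common(1)[0][0]


def filter_outcome(flows, ingress):
    """Return (fraction of legitimate packets lost, fraction of attack packets
    stopped) if all victim-bound traffic on this uplink is dropped."""
    legit = [f for f in flows if f["legit"]]
    attack = [f for f in flows if not f["legit"]]
    lost = sum(f["pkts"] for f in legit if f["ingress"] == ingress) / sum(f["pkts"] for f in legit)
    stopped = sum(f["pkts"] for f in attack if f["ingress"] == ingress) / sum(f["pkts"] for f in attack)
    return lost, stopped


if __name__ == "__main__":
    flows = build_sample_flows()
    print(f"distinct sources: {len(packets_by(flows, 'src'))}, "
          f"busiest source share: {top_source_share(flows):.4f}")
    cut = choose_ingress_to_cut(flows)
    lost, stopped = filter_outcome(flows, cut)
    print(f"cut {cut}: stops {stopped:.0%} of attack, drops {lost:.0%} of legitimate traffic")
```

Run stand-alone, it reports that the busiest single source accounts for well under one percent of the flood, that peer-b is the uplink to cut, and that cutting it stops roughly nine tenths of the attack while discarding roughly a third of legitimate traffic, which is the trade-off Julian describes.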

Over time, as systems such as Arbor's become more widely deployed,
controlling DOS attacks should become easier. Ideally, the key
operators of Internet infrastructure and the backbone data pipes will
share information about what's happening on their networks through a
woven mesh of DOS-prevention systems. That information could allow
them to spot attacks more quickly.

Increased cooperation is far more promising than the current approach,
where network engineers for a single company, or a host, pore over
reams of logged events to determine how the DOS happened and where it
originated. A widespread approach would also allow network operators
to more easily spot the origin of big bursts of traffic that mark a
DOS attack. This capability would help alleviate the problem of
sophisticated hackers forging random source IP addresses that elude

Behaviour Modification

Equally important is getting computer users -- especially those
individuals and institutions with broadband connections -- to lock
down their computers. Left insecure, the machines can be turned into
zombies. "A large number of vulnerable systems can easily be marshaled
by an attacker to create large networks. Anyone who owns a computer
needs to understand that," stresses Dave Dittrich, a network engineer
and security expert at the University of Washington who maintains a
Web site on DOS techniques. For now, Dittrich warns companies to
maintain redundant connection points and prepare their contingency
plans. (He recommends the final report of CERT's Distributed-Systems
Intruder Tools Workshop.)

The upshot of all this? Just as Visa is making it mandatory for any
merchant processing credit cards online to encrypt their databases and
use firewalls, ISPs and telcos should insist that those who buy data
connectivity become part of the DOS detection-and-prevention network.
This could create some thorny privacy issues: Any device watching
packets of data traveling over a network comes perilously close to an
electronic wiretap.

Considering that the Internet is rapidly becoming the most essential
communications tool in the world, securing it against DOS attacks
through cooperation will benefit anyone who's connected -- and quite
possibly save billions of dollars in economic damages. It may even
save lives one day.
