Information Security News mailing list archives

Hack Attacks Become Deadlier: Is There a Defense?


From: InfoSec News <isn () c4i org>
Date: Fri, 30 Nov 2001 05:28:26 -0600 (CST)

http://www.newsfactor.com/perl/story/14989.html

By Tim McDonald
NewsFactor Network 
November 28, 2001 

A targeted attack that shut down a network router would not bring the
entire Internet to a halt -- it would be more like a massive rush-hour
traffic jam.

The bad news is that denial-of-service (DoS) attacks are becoming more
numerous on the Internet. Not only are DoS attacks more frequent, they
are more potent with the potential to do much greater harm than
they've done to date. The good news? Right now, according to experts,
there isn't any.

DoS attacks overwhelm computers, Web sites and servers with floods of
bogus data, and hackers are increasingly aiming them at routers,
according to a recent report by the federally funded Computer
Emergency Response Team (CERT). Routers are the vital Internet
components, either special-purpose computers or software packages,
that connect two or more networks or parts of networks.

"Essentially routers have trust relationships with each other, and are
the means by which networks interconnect with each other," Kevin
Houle, one of the authors of a CERT white paper on the subject, told
NewsFactor Network.

"If I can take advantage of that trust relationship to inject bogus
routes in the routing tables, there's a potential for
denial-of-service between two or more networks. They can be separated
from each other."

Massive Traffic Jam

Routers do not have monitoring technology -- they spend their time
looking at the destination addresses of the data packets passing
through them and determining which route to send them on. Routers are
the keys to larger networks, and if they are isolated, considerable
disruption could occur on the Internet.

"Traditionally, you think of DoS as 'packet flooding,' sending enough
traffic down a pipe to fill up that pipe," Houle said. "In the case of
a router-based DoS attack, what we're talking about is the route
tables for a router being altered."

A targeted attack that shut down a network router would not bring the
entire Internet to a halt -- it would be more like a massive rush-hour
traffic jam on an interstate highway that once flowed smoothly.

'Autonomous Network Worms'

The CERT research also found that multiple-source attacks are
occurring more often and are increasingly aimed at multiple targets.

"Autonomous network worms" are becoming more popular among the more
sophisticated, malicious users, whereas once they simply inserted code
manually via a Trojan Horse into the targeted computer.

"In the case of the automatic model, the attack code is
self-contained," Houle said. "In previous worms like ramen, the attack
code was in an external site. The compromised computer had to go back
to the attacking host to retrieve a copy of the attack code, install
it and then execute it. The autonomous model is much more efficient.
It doesn't have to take as many steps to initiate another attack."

Also, users cannot employ the traditional packet filters to disable a
particular site to stop propagation.

DoS Will Always Be With Us

Another disturbing aspect of DoS attacks is that security technology
can only do so much to detect them and protect networks from them. And
the problem will never be completely eradicated.

"The problem of denial-of-service is fundamentally ingrained in the
way that the Internet is built," Houle said. "The Internet is
comprised of limited, consumable resources. Thus, it's possible to
consume those resources. That's not likely to change any time in the
near future."

The very nature of the Internet that makes it global in reach and so
wildly popular -- its very openness and interconnectedness -- is what
makes DoS attacks so dangerous.

"Security on the Internet is interdependent," Houle said. "In other
words, I can spend an enormous amount of resources defending my
systems on the Internet from intrusion, but my exposure to DoS is
based on the security posture of the rest of the global Internet. Any
number of systems on the rest of the Internet can be used to launch a
DoS attack against me and consume the limited resources that I have."

Quick To Exploit

The CERT team also found a significant decrease in the time window
from when a vulnerability is uncovered to the time when it is widely
exploited.

"What we're saying is DoS technology is advancing more in terms of
management and control deployment technologies," Houle said. "The full
DoS attack itself hasn't changed much -- it's just become more
potent."

There are more than 57,000 computer viruses today, according to
antivirus software developer McAfee, and more than a hundred new
viruses are created every day. CERT, a part of Carnegie Mellon
University, said the number of incidents reported to the center has
more than tripled since 1999.



-
ISN is currently hosted by Attrition.org
