Information Security News mailing list archives

Mydoom lesson: Take proactive steps to prevent DDoS attacks


From: InfoSec News <isn () c4i org>
Date: Mon, 9 Feb 2004 03:37:30 -0600 (CST)

http://www.computerworld.com/securitytopics/security/story/0,10801,89932,00.html

By Jaikumar Vijayan 
FEBRUARY 06, 2004 
COMPUTERWORLD

Dealing with a distributed denial-of-service attack such as the one
that took down The SCO Group Inc.'s Web site this week continues to be
a major challenge for companies, security experts said.

But several options are available to at least help alleviate the pain
for those that become targets.

A DDoS attack typically involves thousands of compromised "zombie"  
systems sending torrents of useless data or requests for data to
targeted servers or networks.

The SCO attack, for instance, was launched using systems that had
previously been infected by the Mydoom virus (see story). The virus
contained code that instructed thousands of infected computers to
access SCO's Web site at the same time, rendering it inaccessible to
legitimate users.

Stopping the flood of traffic can be very difficult because it's
coming from so many sources, said Bruce Schneier, president of
Counterpane Internet Security Inc. in Mountain View, Calif.

"From a philosophical perspective, if the attacker's pipe is bigger
than the defender's pipe, the attacker can always knock out the
defender," said Schneier.

There are several approaches companies can take to prepare for attacks
such as this, said Paul Mockapetris, inventor of the Internet's core
Domain Name System and chairman of IP address management vendor
Nominum Inc. in Redwood City, Calif. One is to set aside extra network
bandwidth and server processing capacity to withstand sudden surges in
traffic, he said. Another is to "retreat from your domain name" and
essentially park your Web site at another address while the attack
plays out.

Geographically distributing Web servers is another approach worth
considering, Schneier said. That way, even if one server or network
segment is taken down by an attack, normal traffic can be redirected
to other servers.

But putting in place extra server processing capacity to handle DDoS
attacks can be expensive and is likely to make sense only for larger
companies, Mockapetris said. "There's a bit of a digital divide when
it comes to the ability of companies to defend themselves against
these attacks," he said.

"The long-term answer to DDoS protection has to be in the [service
provider] networks and backbones," said John Pescatore, an analyst at
Stamford, Conn.-based Gartner Inc. That's because upstream service
providers are in a better position to detect and choke off traffic
directed at a specific IP address, said Schneier.
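As an added illustration, not part of the article, the kind of upstream check Schneier describes: flow records from a constructed one-minute window are grouped by destination, and a destination is flagged when far more distinct sources than its normal baseline converge on it, which separates a flood from one chatty client or a server that is always busy. The addresses (RFC 5737 documentation ranges), the baseline and the thresholds are assumptions.

```python
from collections import defaultdict

# Constructed flow records for one minute seen at an upstream provider:
# (source address, destination address, request count).
FLOWS = [
    ("198.51.100.10", "192.0.2.10", 4),
    ("198.51.100.11", "192.0.2.10", 3),
    ("198.51.100.12", "192.0.2.10", 5),
    ("198.51.100.13", "192.0.2.10", 4),
    ("198.51.100.14", "192.0.2.10", 6),
    ("198.51.100.15", "192.0.2.10", 3),
    ("198.51.100.20", "192.0.2.20", 40),  # one busy client, not a flood
    ("198.51.100.21", "192.0.2.30", 2),
    ("198.51.100.22", "192.0.2.30", 2),
]

# Constructed baseline: distinct sources each destination normally sees
# per minute. A server that is always popular has a high baseline.
BASELINE_SOURCES = {"192.0.2.10": 1, "192.0.2.20": 1, "192.0.2.30": 2}


def summarize(flows):
    """Per destination: (number of distinct sources, total requests)."""
    sources = defaultdict(set)
    requests = defaultdict(int)
    for src, dst, count in flows:
        sources[dst].add(src)
        requests[dst] += count
    return {dst: (len(sources[dst]), requests[dst]) for dst in sources}


def flooded_destinations(flows, baseline, surge_factor=4, min_sources=5):
    """Destinations whose distinct-source count jumps well past baseline.

    Many sources converging on one target is the DDoS signature the
    article describes; one source sending a lot is a different problem.
    """
    flagged = {}
    for dst, (nsrc, nreq) in summarize(flows).items():
        normal = max(baseline.get(dst, 1), 1)
        if nsrc >= min_sources and nsrc >= surge_factor * normal:
            flagged[dst] = {"sources": nsrc, "requests": nreq}
    return flagged


if __name__ == "__main__":
    for dst, info in flooded_destinations(FLOWS, BASELINE_SOURCES).items():
        print(f"{dst}: {info['sources']} sources, {info['requests']} requests")
```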

As a result, it's a good idea to require service providers to offer
some sort of guarantee against DDoS attacks, said Schneier. Gartner
has in fact been advocating this for more than two years, urging users
to include DDoS protection language in their service-level agreements
with Internet service providers and data center hosting companies.

But less than 1% of companies overall are buying such services,
Pescatore said. "Most enterprises say, 'It isn't raining, so the roof
isn't leaking. Why fix it?' " he said.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.