When both Microsoft and CERT (Computer Emergency Response Team) are vulnerable to DoS (denial of service) attacks, it may be that the rest of us are sitting ducks. A recent study at the University of California at San Diego found that at least 4,000 DoS attacks happen each week, and the incidence of DoS attacks is expected to rise.
DoS attacks occur when an attacker overloads servers or networks with useless traffic so that legitimate requests cannot be processed and resources cannot be accessed. DDoS (distributed DoS) attacks occur when a large number of infected machines (zombies) are used to launch an attack against a target. The packets sent to the target will have randomly selected return addresses and often spoofed source addresses, so the target has difficulty finding the exact location of the attack.
Although DoS attacks do not compromise sensitive information such as passwords or credit card numbers, they can be devastating. For companies that rely on online transactions, any amount of time spent offline leads to lost revenue. Forrester Research estimates that even a medium-grade DoS attack, defined by the intensity and criticality of the disruption, can cost a company US$23,000 on average.
The first wave of DoS attacks in February 2000 against Yahoo, Amazon.com, CNN, and others targeted Web servers. Although Web servers are still attractive targets, the latest craze is to attack network routers, presenting an even graver threat. A successful attack on one of the Internet's backbone routers, or on a router for one of the transoceanic lines, could cause a large percentage of our communications, including voice, to be disrupted.
Types of DoS attacks
So what exactly are these billions of malicious packets doing when they attack a network? The most popular DoS attack is the UDP (User Datagram Protocol) flood. Here, an attacker sends a large number of UDP packets, usually to port 80, and floods the network. (Port 80 is often attacked because firewalls allow traffic to pass through them to the Web server.) With so many incoming UDP requests, the router cannot process them all, nor can it process legitimate traffic requests.
The TCP SYN flood is also common. In this attack, the targeted system is overloaded with SYN packets (requests to establish a session). In response, the system sends back a SYN-ACK (acknowledging the request) and queues the connection, waiting for the other system to respond with an ACK. Of course, an ACK from the spoofed IP address never arrives, so the targeted system uses all of its memory and resources responding to SYNs and waiting for ACKs. Granted, after a time-out period, the request will be dropped from the queue, but a steady stream of incoming SYN requests will keep the system bogged down for a long time.
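The two flood patterns just described can be recognised on the defender's side from the traffic itself: SYNs that never get their closing ACK pile up as half-open connections until the time-out clears them, and a UDP flood shows up as a burst of datagrams to one destination port. The following detector is an added example written for this article, not code from the author or from any of the vendors named on the page. The log format, the timeouts and the thresholds (SYN_TIMEOUT, HALF_OPEN_LIMIT, UDP_WINDOW, UDP_LIMIT) are assumptions chosen for the constructed sample; real deployments tune them to the server's backlog size and normal traffic.

```python
"""Flood detection over a constructed packet log (added example, not part of
the article).  Two patterns are tracked:

  * TCP SYN flood: a SYN opens a half-open entry; the client's ACK closes it;
    entries older than SYN_TIMEOUT expire (the "time-out period" in the
    text).  A target with HALF_OPEN_LIMIT or more pending entries is flagged.
  * UDP flood: UDP_LIMIT or more datagrams to one (dst, dport) inside a
    UDP_WINDOW-second window is flagged.

Record format (constructed for this example): "ts proto src dst dport flags"
where flags is S (SYN), A (client ACK) or - (not applicable).
"""
from collections import defaultdict

SYN_TIMEOUT = 3.0      # seconds a half-open entry survives (assumed value)
HALF_OPEN_LIMIT = 5    # pending half-open connections per target that alerts
UDP_WINDOW = 1.0       # seconds
UDP_LIMIT = 6          # UDP datagrams per (dst, dport) inside one window

# Constructed sample traffic seen in front of server 10.0.0.5.
SAMPLE_LOG = [
    "0.00 tcp 192.0.2.10 10.0.0.5 443 S",
    "0.05 tcp 192.0.2.10 10.0.0.5 443 A",    # legitimate handshake completes
    "1.00 tcp 203.0.113.1 10.0.0.5 80 S",    # five SYNs, no ACK ever comes back
    "1.10 tcp 203.0.113.2 10.0.0.5 80 S",
    "1.20 tcp 203.0.113.3 10.0.0.5 80 S",
    "1.30 tcp 203.0.113.4 10.0.0.5 80 S",
    "1.40 tcp 203.0.113.5 10.0.0.5 80 S",    # 5th half-open entry -> syn_flood alert
    "2.00 udp 198.51.100.7 10.0.0.5 80 -",   # six UDP datagrams in half a second
    "2.10 udp 198.51.100.8 10.0.0.5 80 -",
    "2.20 udp 198.51.100.9 10.0.0.5 80 -",
    "2.30 udp 198.51.100.10 10.0.0.5 80 -",
    "2.40 udp 198.51.100.11 10.0.0.5 80 -",
    "2.50 udp 198.51.100.12 10.0.0.5 80 -",  # 6th inside the window -> udp_flood alert
    "9.00 tcp 192.0.2.11 10.0.0.5 80 S",     # by now the old SYNs have timed out
]


def parse(line):
    ts, proto, src, dst, dport, flags = line.split()
    return float(ts), proto, src, dst, int(dport), flags


def detect_floods(lines):
    """Return {"alerts": [(kind, dst, dport, ts), ...], "half_open": {...}}."""
    half_open = {}                  # (src, dst, dport) -> timestamp of the SYN
    udp_hits = defaultdict(list)    # (dst, dport) -> timestamps inside the window
    alerted = set()
    alerts = []

    def raise_alert(kind, dst, dport, ts):
        # One alert per (kind, target); later packets of the same flood are not repeated.
        if (kind, dst, dport) not in alerted:
            alerted.add((kind, dst, dport))
            alerts.append((kind, dst, dport, ts))

    for ts, proto, src, dst, dport, flags in map(parse, lines):
        # Drop half-open entries whose time-out has passed, as the server would.
        for key in [k for k, t0 in half_open.items() if ts - t0 > SYN_TIMEOUT]:
            del half_open[key]

        if proto == "tcp":
            key = (src, dst, dport)
            if flags == "S":
                half_open[key] = ts
            elif flags == "A":
                half_open.pop(key, None)        # client's ACK completed the handshake
            pending = sum(1 for (_, d, p) in half_open if (d, p) == (dst, dport))
            if pending >= HALF_OPEN_LIMIT:
                raise_alert("syn_flood", dst, dport, ts)
        elif proto == "udp":
            window = [t for t in udp_hits[(dst, dport)] if ts - t <= UDP_WINDOW]
            window.append(ts)
            udp_hits[(dst, dport)] = window
            if len(window) >= UDP_LIMIT:
                raise_alert("udp_flood", dst, dport, ts)

    return {"alerts": alerts, "half_open": half_open}


if __name__ == "__main__":
    result = detect_floods(SAMPLE_LOG)
    for kind, dst, dport, ts in result["alerts"]:
        print(f"t={ts:5.2f} {kind:10s} target {dst}:{dport}")
    print("half-open entries still pending:", len(result["half_open"]))
```

The legitimate connection at the top of the log never counts against the target because its ACK removes the entry, and the SYN at t=9.00 finds an empty table because the earlier entries expired, which is exactly why a steady stream of SYNs rather than a one-off burst is needed to keep a server bogged down.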
DoS attacks are becoming more sophisticated. As filters are defined to weed out some attacks, new types of attacks are quickly developed.
What can be done to prevent DoS attacks? Many theories and solutions are surfacing, and it will be interesting to see which ones prove most effective. Most solutions deal with detecting, tracing, and blocking attacks. Few deal with actually finding ways to prevent attacks.
Arbor Networks' Peakflow solution is a managed service that monitors traffic for DoS attacks. If an attack is identified, the system tries to isolate the main Internet connection points of the attack and cut off data from that source.
Niksun's NetDetector, which records every packet that crosses the network, is the TiVo of the network world. When a DoS attack is detected, Niksun data can be used to analyze the attack and determine the source so proper filters can be applied. The recorded data can also be used for forensic analysis when prosecuting the attacker.
Asta Networks and Mazu Networks provide products that analyze network traffic, looking for telltale signs of the start of a DoS attack. These products then trace the source of the attack to help administrators apply the proper filters as a safeguard.
But filtering solutions do not solve the problem; they merely provide some relief for a single attack. And unfortunately, these filters can also decrease functionality and throughput. Some of the packets or protocols being filtered may be necessary for complete network functionality, and the router's response time may be slow when it filters a large amount of traffic.
Cs3 has taken a different approach from the other DoS solution providers. Working at the protocol level to change the infrastructure of the Internet, Cs3's solution is an augmentation to the IP protocol that enables detection of forged source packets. It would give administrators the ability to define what action should be taken on intruder packets.
Analyzing outbound traffic is another potential solution. Systems used in DoS attacks, especially zombie systems, record a large increase in outbound traffic. If this traffic could be stopped before leaving the network, many DoS attacks could be thwarted. Implementing security measures to keep systems from being used as zombies also shows promise.
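Both ideas in this paragraph, and the forged-source detection Cs3 is described as pursuing, can be approximated at the network border with a much simpler check than a protocol change: an egress monitor that knows the organization's own address space can drop outbound packets whose source address is not ours (a forged source), and can flag any internal host whose outbound volume jumps far above its normal level, the signature of a system being used as a zombie. The code below is an added example written for this article, not code from the author or any vendor on the page; LOCAL_PREFIXES, the baseline figures, SPIKE_FACTOR and the flow records are all constructed for the demonstration.

```python
"""Egress monitoring over constructed outbound flow records (added example,
not part of the article).

  * A source address outside LOCAL_PREFIXES cannot legitimately leave our
    network: it is forged and is reported for dropping at the border.
  * A local host sending more than SPIKE_FACTOR times its baseline volume in
    one window is reported as a possible zombie.

Flow record format (constructed): "src dst bytes", one window's worth.
"""
import ipaddress
from collections import defaultdict

# Assumed: the organization's own address space.
LOCAL_PREFIXES = [ipaddress.ip_network("10.0.0.0/8")]
SPIKE_FACTOR = 10            # outbound volume relative to baseline that flags a host
DEFAULT_BASELINE = 50_000    # bytes per window assumed for hosts with no history

# Constructed baseline of normal outbound bytes per host per window (not measured data).
BASELINE_BYTES = {"10.0.1.20": 50_000, "10.0.1.21": 50_000, "10.0.1.22": 50_000}

# Constructed outbound flows captured at the egress router for one window.
SAMPLE_FLOWS = [
    "10.0.1.20 198.51.100.5 40000",
    "10.0.1.21 198.51.100.6 45000",
    "10.0.1.22 203.0.113.9 300000",
    "10.0.1.22 203.0.113.9 300000",   # 600 KB from one host: 12x its baseline
    "172.16.9.9 203.0.113.9 1500",    # source address is not ours: forged
    "192.0.2.77 203.0.113.9 1500",    # forged as well
]


def is_local(addr):
    """True if addr belongs to one of our own prefixes."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_PREFIXES)


def analyze_egress(flows):
    """Return forged-source addresses, spiking hosts and per-host volume."""
    spoofed = []
    volume = defaultdict(int)
    for line in flows:
        src, dst, nbytes = line.split()
        if not is_local(src):
            # Nothing inside our network should emit this source; the border
            # filter drops it and the monitor records the attempt.
            spoofed.append(src)
            continue
        volume[src] += int(nbytes)
    spiking = sorted(
        host for host, sent in volume.items()
        if sent > SPIKE_FACTOR * BASELINE_BYTES.get(host, DEFAULT_BASELINE)
    )
    return {"spoofed": spoofed, "spiking": spiking, "volume": dict(volume)}


if __name__ == "__main__":
    report = analyze_egress(SAMPLE_FLOWS)
    for src in report["spoofed"]:
        print(f"drop: forged source {src} leaving the network")
    for host in report["spiking"]:
        print(f"investigate: {host} sent {report['volume'][host]} bytes this window")
```

The forged-source check is the part a single organization can deploy on its own today; the volume check needs a baseline per host, which is why recording normal traffic, as the Niksun and Mazu products described above do, is a prerequisite for spotting the sudden outbound increase a zombie produces.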
But blocking DoS attacks altogether may not be possible in the near future. Filters can be placed for specific attacks for a brief period of time, but to be effective overall they require communication and cooperation between your company and its ISP.
In the end, filters merely divert attackers to a new target. Solutions are under development to ease the defense process, but attackers are always working to develop new and more advanced attack techniques. Before any fool-proof solution is found, the cat and mouse game will continue.
Mandy Andress (firstname.lastname@example.org) is president of ArcSec Technologies.
Where to turn for DoS protection
Asta Networks - www.astanetworks.com.
Asta Networks Vantage solution sits on the network and monitors traffic. The network coordinator, who has complete control over all components, uses Asta's network sensors to identify DoS attacks and the appropriate countermeasures.
Vantage will be available in July.
Arbor Networks - www.arbornetworks.com.
Arbor Networks' Peakflow solution is a managed service to help identify and react to DoS attacks.
Peakflow is currently available.
Cs3 - www.cs3-inc.com.
Cs3's MANAnet product family helps defeat DoS attacks by changing the Internet infrastructure. It identifies packets with forged source addresses.
Linux-based routers available July 1st. FreeBSD-based routers available in September.
Mazu Networks - www.mazu.com.
Mazu Networks provides two products, Mazu TrafficMaster Inspector for DDoS and Mazu TrafficMaster Enforcer for DDoS, that are installed on the network and are controlled by the customer. The products sit in line with the traffic and capture all packets that pass through the network.
Inspector will be available at the end of June, and Enforcer will be available late summer.
Niksun - www.niksun.com.
Niksun's NetDetector records all network traffic, which can be used for analysis and identification of DoS attacks.
NetDetector is currently available.
THE BOTTOM LINE
Denial of service attacks
Executive Summary: DoS attacks are an annoyance that can cost thousands, if not millions, of dollars. Although nothing currently prevents these attacks, solutions can be used to identify and block them as they occur.
Test Center Perspective: A strong partnership and open communication with your ISP can help you counter a DoS attack. Solutions coming to market in the next few months will help automate the identification process. Implementing filters is the only real help available today.