
Get IT Done: Anomaly-detection tools provide new weapons in the war against DoS attacks

Use anomaly-detection tools to protect against denial of service attacks


Like intelligence officials discussing the ever-present terrorist threat, security experts say it’s not a question of whether another major denial of service (DoS) attack will happen—it's when.

DoS attacks are occurring with increasing frequency and virulence, and enterprises can no longer afford to base their defenses on shoring up networks by adding more bandwidth. Throwing more bandwidth at the problem is just too expensive, and it’s an ugly cycle to initiate, as that extra capacity is gobbled up quickly.

But there is new hope in the form of tools built specifically to mitigate DoS attacks: tools that can detect an attack as it begins and keep it from taking the network down.

Tools detect traffic anomalies
Early adopters are evaluating, and in some cases, deploying emerging tools designed to mitigate DoS attacks, from companies such as Arbor Networks, Asta Networks, Captus Networks, Mazu Networks, Reactive Networks, and Riverhead.

The tools detect anomalies in network traffic, perform statistical analysis of packet data to give operators detailed information about traffic patterns, and in some cases provide filtering to keep bogus traffic from overwhelming network resources.

“Anomaly detection and statistical analysis seem to be the best ways to tackle DoS attacks," said Brian Amirian, director of hosting at MTVi, which is using Mazu Networks’ Enforcer appliance to protect the Web properties of MTV, VH1, and Nickelodeon.

Before that, the company had tried to contain DoS attacks by tuning its routers’ access control lists (ACLs) and its server farms’ TCP/IP stacks to accept a higher rate of SYN packets, that is, to hold more half-open connections before refusing new ones.

“But nothing really seemed to work,” Amirian explained, citing inherent flaws in the design of the Internet as the culprit.

Amirian pointed out that an immediate benefit of anomaly-based DoS detection, which sits on the network and first learns a baseline of normal traffic, was the ability to notice attacks that the company did not already know about.

“We didn’t have the appropriate tools, and we were missing a lot. We were only catching things that would bring us to our knees,” Amirian said.
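The baselining loop the tools above perform (learn what normal traffic looks like, flag statistical outliers, and then filter only the offending sources so legitimate clients keep flowing) can be sketched in a few dozen lines. The following is an added example written for this page, not code from Mazu, Asta, or any other vendor named here. The flow records are constructed, the addresses come from the RFC 5737 documentation ranges, and the thresholds (an 8-second warm-up, a z-score of 4, ten times the normal per-source rate) are arbitrary choices for the demonstration.

```python
"""Baseline-driven SYN-flood detection with per-source filtering advice.

Added illustration: learns a per-destination baseline of SYNs per second,
scores later seconds as z-scores against it, and for an anomalous second
names only the sources far above the normal per-source rate.
"""
import statistics
from collections import defaultdict

# Constructed sample data (RFC 5737 documentation addresses, not a capture).
LEGIT_SOURCES = ["192.0.2.10", "192.0.2.11", "192.0.2.12"]
ATTACK_SOURCES = ["203.0.113.7", "203.0.113.8", "203.0.113.9"]
TARGET = "198.51.100.5"


def build_sample():
    """Return (second, src, dst, syn_count) records.

    Seconds 0-9: three legitimate clients at 4-8 SYN/s each (jittered).
    Second 10:   the same clients plus three flooding hosts at 400 SYN/s each.
    """
    records = []
    for sec in range(10):
        for i, src in enumerate(LEGIT_SOURCES):
            records.append((sec, src, TARGET, 4 + (7 * sec + 3 * i) % 5))
    for src in LEGIT_SOURCES:
        records.append((10, src, TARGET, 5))
    for src in ATTACK_SOURCES:
        records.append((10, src, TARGET, 400))
    return records


class Baseline:
    """Per-destination SYN/s baseline that never learns from a flagged second."""

    def __init__(self, warmup=8, z_threshold=4.0, min_std=1.0):
        self.warmup = warmup            # seconds observed before scoring starts
        self.z_threshold = z_threshold  # sigmas above the mean that count as an attack
        self.min_std = min_std          # floor so a flat baseline cannot turn every blip into a huge z
        self.totals = []                # accepted per-second totals (normal seconds only)
        self.per_source = []            # accepted per-source counts from those seconds

    def score(self, total):
        """z-score of `total` against accepted history, or None while warming up."""
        if len(self.totals) < self.warmup:
            return None
        mean = statistics.fmean(self.totals)
        std = max(statistics.pstdev(self.totals), self.min_std)
        return (total - mean) / std

    def observe(self, sources):
        """Score one second's {src: syn_count}; fold it in only if it looks normal."""
        total = sum(sources.values())
        z = self.score(total)
        anomalous = z is not None and z > self.z_threshold
        if not anomalous:
            self.totals.append(total)
            self.per_source.extend(sources.values())
        return z, anomalous

    def offending_sources(self, sources, factor):
        """Sources sending more than `factor` times the normal per-source rate."""
        if not self.per_source:
            return []
        typical = statistics.fmean(self.per_source)
        return sorted(src for src, n in sources.items() if n > factor * typical)


def group_by_second(records):
    """Summarise records into {(dst, second): {src: syn_count}}."""
    per_sec = defaultdict(lambda: defaultdict(int))
    for sec, src, dst, count in records:
        per_sec[(dst, sec)][src] += count
    return per_sec


def detect(records, warmup=8, z_threshold=4.0, src_factor=10.0):
    """Run the detector over records in time order and return alert dicts.

    Each alert carries the destination, the second, the z-score and the list
    of sources a filter should drop; legitimate clients are left off that list.
    """
    per_sec = group_by_second(records)
    baselines = defaultdict(lambda: Baseline(warmup, z_threshold))
    alerts = []
    for dst, sec in sorted(per_sec):
        sources = per_sec[(dst, sec)]
        z, anomalous = baselines[dst].observe(sources)
        if anomalous:
            alerts.append({
                "dst": dst,
                "second": sec,
                "z": round(z, 1),
                "block": baselines[dst].offending_sources(sources, src_factor),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect(build_sample()):
        print(alert)
```

Two design points matter more than the arithmetic. The baseline refuses to fold in a second it has flagged, so a flood cannot raise the threshold it is measured against, and a standard-deviation floor keeps a very steady baseline from reporting a harmless blip as a hundred-sigma event. The per-source ranking is what turns detection into a usable filter: the recommendation names the flooding hosts rather than rate-limiting the whole destination, which is how a tool can shut down an attack while legitimate traffic continues.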

Attacks becoming more complex
In a flooding DoS attack, an attacker bombards a system with a flood of data packets (the individual blocks of data used for transmission across the Internet) with the goal of stopping legitimate users from accessing a host or network. In some cases, a DoS attack also provides hackers with cover for other malicious activity.

While DoS attacks have been around for a while, concern has spiked this past year, as security watchdog groups, including the Computer Emergency Response Team Coordination Center (CERT/CC), and other security experts have seen new trends emerging.

Experts cite an increase in the combination and complexity of attacks, in the number of discovered vulnerabilities that could be leveraged to launch distributed denial of service (DDoS) attacks, spikes in attacks on the network infrastructure itself, and increasing use of high-speed networks to transport attacks.

Today’s DoS scenario barely resembles the earlier approaches, such as the 1996 attack against Panix.com, a New York-based ISP. An attacker used a single computer to send thousands of TCP SYN packets, the simple message a computer sends to start a two-way dialog. The Panix machines receiving them had to set aside resources for every half-open dialog; they soon ran out and could no longer accept legitimate connections.

By 1999, attacks had become more sophisticated. Hackers began breaking into multiple computers on the Internet to use them as a launch pad for coordinated assaults against other computers. In this distributed denial of service (DDoS) scenario, a hacker installs programs known as “zombies” on the compromised machines; they lie dormant until awakened to send bogus traffic at the targeted machines.

This kind of coordinated attack toppled some of the largest commercial Web sites in February 2000, including Amazon.com, Buy.com, eBay, E*trade, and Yahoo.

Today, every enterprise faces much more complex attacks. The Nimda Internet worm, for example, which surfaced last summer, combines an e-mail virus, a worm, and a DoS attack, explained Steve Pao, VP of marketing at Asta Networks, a developer of a DoS detection appliance and software called Vantage System. Vantage System collects traffic data from standard routers, including those from Cisco, Juniper, and Foundry Networks, and then recommends ways operators can stop an attack.

Instant messaging applications such as AOL Instant Messenger, MSN Messenger, and Yahoo Messenger, which are increasingly installed across enterprises without the supervision of IT, also pose potential DoS threats, Pao pointed out. Microsoft recently admitted that flaws in MSN Messenger could allow code such as DoS zombies to be executed through the messaging application. Additionally, the growing number of unprotected host machines on broadband connections gives hackers more bandwidth from which to run attacks.

Experts hope the new anomaly-detection tools will prove effective against future DoS attacks, but detection alone will not be enough: “it’s not enough to recognize and shut down attacks,” said Aberdeen Group analyst Eric Hemmendinger. The truly helpful tools will not only keep out network vandals but also allow legitimate traffic to continue, he said.
