What do Yahoo!, CNN, Amazon.com, ZDNet, E*Trade, and Buy.com have in common? They’re all victims of network attacks within a three-day span.
What crippled these Net titans? Could the same methods be used against your network? How can you prevent it? And how much damage did it really do?
Unlike previous high-profile computer attacks, these are not the result of a cracker invading a system. No data was stolen; no files were deleted; no security was breached on the target computers. Instead, these are denial of service (DoS) attacks.
Details on the exact method of the attack are being kept quiet to protect against copycat attacks, but the concept is simple: Bogus requests are sent to the target in sufficient quantities so that nothing gets done.
DoS attacks are nothing new. The classic ping flood is well known to network administrators worldwide. Ping, of course, is the network test tool that sends out a packet that acts like a sonar “ping” and bounces back to indicate it found the target. Normally, an administrator uses the utility to identify trouble spots in a network, but a flood of pings overwhelms the target with network traffic and leaves it dysfunctional.
Note that dysfunctional does not always mean crashed. If your company’s business is to process orders via a Web page, like Buy.com and Amazon.com, you lose revenue every minute your server is unavailable. These attacks are right on par with tying up all the phone lines of a pizza delivery chain so they can’t get calls. Sure, the store’s open, but if no one can call to order pizza they’ll go out of business quickly.
In the “old days,” a network would be equipped with firewalls or filters that strip out non-productive requests like pings. There was still a quantity of bandwidth consumed by these “trash” requests, but it was generally considered inconsequential compared to the cost of an outage. And after all, a single attacker couldn’t generate that much traffic without giving away their position. Even with spoofed packets, if someone suddenly streams a huge amount of network traffic to a single location, the source network will probably take notice.
Distributed computing’s role
That’s where new computing models are used to overwhelm these defenses. Borrowing from the distributed computing systems used to share work across a variety of machines all over the planet, some malicious coders have scattered trojans across the Net. These programs respond to the author’s commands by sending network requests to a specified target. Each infected machine makes only a few bogus requests at a time, not enough to set off any warning flags. However, when hundreds of machines are demanding processor time and network capacity at once, the combined load can be incapacitating.
The downside is that virtually everyone is at some degree of risk right now. No network filtering system on the market is capable of distinguishing valid requests from false ones on its own. Firewalls will do their job of protecting private networks from the outside world, but only by severing all contact with the rest of the network once they get too busy to process outgoing requests.
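As an added illustration, not part of the original article, the following Python contrasts the two detection views the text describes: a per-source threshold, which catches the classic ping flood, and an aggregate-rate check, which is what still fires when the same load is spread thinly over hundreds of sources. The request logs, addresses, and thresholds are constructed for the example.

```python
from collections import Counter

WINDOW_S = 10  # length of the observation window in seconds

# Constructed sample request logs, one (second, source_ip) tuple per request.
# Not real traffic; shaped to match the two patterns the article describes.

# Classic ping flood: a single source sends 50 requests per second for 10 s.
FLOOD = [(t, "10.0.0.9") for t in range(WINDOW_S) for _ in range(50)]

# Distributed attack: 200 compromised hosts each send only 3 requests in 10 s.
DISTRIBUTED = [((i + k * 3) % WINDOW_S, f"192.0.2.{i}")
               for i in range(200) for k in range(3)]

# Background traffic: 20 ordinary clients, one request each (assumed baseline).
NORMAL = [(t % WINDOW_S, f"203.0.113.{t}") for t in range(20)]
BASELINE_RPS = len(NORMAL) / WINDOW_S   # 2 requests per second


def per_source_offenders(records, max_per_source):
    """Classic filter: flag any single source that exceeds max_per_source
    requests in the window. Catches a flood, blind to a distributed attack."""
    counts = Counter(src for _, src in records)
    return sorted(src for src, n in counts.items() if n > max_per_source)


def traffic_shape(records):
    """Describe the window: total requests, distinct sources, busiest source."""
    counts = Counter(src for _, src in records)
    return {
        "requests": len(records),
        "sources": len(counts),
        "max_per_source": max(counts.values(), default=0),
    }


def aggregate_alarm(records, baseline_rps, factor=5.0):
    """Volume-based alarm: fire when the total request rate across all sources
    exceeds factor x the normal baseline, regardless of how it is spread."""
    rate = len(records) / WINDOW_S
    return rate > factor * baseline_rps


if __name__ == "__main__":
    for name, log in (("flood", FLOOD), ("distributed", DISTRIBUTED + NORMAL)):
        print(name, traffic_shape(log),
              "per-source offenders:", per_source_offenders(log, 20),
              "aggregate alarm:", aggregate_alarm(log, BASELINE_RPS))
```

Running it shows the flood tripping both checks while the distributed case trips only the aggregate alarm, which is why a per-source filter alone leaves a server exposed.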
Of course, this will change. Better algorithms will be able to identify the similarities between the DoS packets. Networks will develop protocols to put upstream filters in place faster. More users, hopefully, will be running antivirus software that detects the trojans. And, as bandwidth and processors improve, it will take larger numbers of machines to incapacitate servers.
For now, this is more like a horror story for system administrators than a widespread threat. The odds of being a victim of a distributed DoS, normal DoS, or cracker are still less than that of being in a car crash tomorrow. A few of the world’s most high-profile sites were attacked in a way that they now understand. Future attacks will be less and less effective as the systems are upgraded and adapt.
What can you do?
After you check your firewall’s configuration and ensure that your routers and switches are properly filtering traffic, it’s not the existence of these attacks that should keep you up late. I’d be more concerned about WHY they attacked those sites. There have been no demands, no claims of fame on an errant IRC channel, nothing bubbling out of the so-called cracker underground. Just a series of sites all attacked within a week of a new presidential mandate for electronic law enforcement and a new budget with significant funding available for electronic wiretapping. Is it the ramblings of a Fox Mulder-wannabe, or flashbacks to Nixon-era paranoia?
Maybe you’d better check those configurations twice.
James McPherson is a network administrator for a nationwide ISP.