Denial-of-service (DoS) attacks will become the weapon of choice for cyberterrorists. Perhaps that prediction is easy to make now. But when security expert Stuart McClure made that prediction in his book Hacking Exposed several months prior to the DoS attacks on Yahoo!, eBay, and other well-known sites, it wasn’t so obvious a trend forecast.
McClure coauthored the book Hacking Exposed: Network Security Secrets & Solutions, which explains protection and intrusion detection procedures for UNIX, Windows NT/95/98, and Novell networks.
DoS attacks “are easy to do and they make a big splash,” said McClure, president of the computer security training and consulting company Foundstone, Inc. He explained that for every DoS attack that makes headlines, fifty go unreported—and that number is on the rise. “We’ve started to see an increase in UNIX attacks,” he said, “and I have a colleague who’s starting to see an increase in NT attacks. So it’s increasing across the board.” One of the reasons these attacks are popular is that they don’t require a great deal of technical skill.
What can IT managers do to protect their networks? “The first step is education,” McClure said. “You just can’t learn enough about how simple it is to break in. With one command online, someone actually can bring down a whole Web server. If people understand that, their attention to the problem usually increases dramatically.”
By Stuart McClure, George Kurtz, and Joel ScambrayMcGraw-Hill, September 1999ISBN: 0072121270Price: $27.95 at fatbrain.com
Four types of DoS attacks
Bandwidth Consumption: McClure identifies bandwidth consumption as the most insidious form of DoS attack. Attackers will consume all available bandwidth to a particular network. A typical scenario is “someone who has a T1 (1.544-Mbps) or faster network connection flooding a 56-Kbps or 128-Kbps network link. This is equivalent to a tractor-trailer colliding head on with a Yugo—the larger vehicle, or in this case the larger pipe, is going to win this battle,” said McClure. It’s difficult to identify the cyberterrorist because they usually spoof their source address.
Resource starvation: Results of resource-starvation attacks include system crashes, hung processes, and full file systems.
“A resource-starvation attack differs from the bandwidth consumption attack in that it focuses on consuming system resources [including CPU utilization, memory, and file-system quotas] rather than network resources,” said McClure.
Programming flaws: McClure said these flaws are failures of an application, operating system, or embedded logic chip to handle exceptional conditions. The conditions usually are the result of a user sending unintended data to the vulnerable component.
“Many times, attackers will send weird non-RFC-compliant packets to a target system to determine if the network stack will handle this exception or if it will result in a kernel panic and a complete system crash. For specific applications that rely on user input, attackers can send large data strings thousands of lines long. If the program uses a fixed-length buffer of say, 128 bytes, the attackers could create a buffer overflow condition and crash the application.”
Routing and DNS attacks: A routing-based DoS attack involves attackers manipulating routing table entries to deny service to legitimate systems or networks. Most routing protocols such as Routing Information Protocol (RIP) v1 and Border Gateway Protocol (BGP) v4 have no or very weak authentication.
McClure said this creates a vulnerability cyberterrorists can exploit by altering legitimate routes. “Victims of such attacks will either have their traffic routed through the attackers’ network or into a black hole, a network that does not exist.” Most attacks on domain name servers involve convincing the victim server to cache bogus address information. When a DNS server performs a lookup, attackers can redirect them to the site of their liking, or in some cases redirect them into a black hole.
Preventing DoS attacks
Here are a few suggestions from McClure on how to prevent your Web site from suffering a DoS attack:
- Set “no IP broadcast” filters on routers.
- Block spoofing at network ingress points.
- Use SYN flood protection technologies.
- Deploy smart bandwidth throttling features.
“The fixes are fairly easy, but no one wants to spend the time or effort to actually deploy them before they get hit—only afterwards. After they get stung by the bee, they start to run from the bee. I’m convinced that if more people just deployed a couple of security measures on their router, they immediately wouldn’t be as vulnerable,” said McClure.
The IT manager’s security role
IT managers play a vital role in maintaining network protection, according to McClure. It’s the IT manager’s responsibility to draw attention to security concerns so that upper management allocates the proper resources for security, which is often the last thing to be considered in application and network design.
“One of the best pieces of advice I can give is to perform a security assessment and give your system administrators approval to perform an attack-and-penetration exercise on your own network. Let them get in as far as they can and gather sensitive information so upper management will realize the breadth of the risk,” said McClure
“Hacking, in general, is on the rise…. It never ceases to amaze me how bold most attackers are, and it’s because they’ve never been caught. It hasn’t been difficult for them to get into these systems. If you don’t make it difficult, people get confident. They get cocky. And they keep doing it.”
Thomas Pack is a freelance technology reporter. He is based in Louisville, KY.Have you ever performed an attack-and-penetration exercise on your own network? What did you learn? Post a comment below or send us a note.