
"Pulsing zombie" DoS attack hits research network

A research network based in Abilene, KS, is expanding Internet bandwidth as part of the Internet2 project. It was hit recently by a new DoS attack that one company has dubbed "pulsing zombie." This week's Locksmith has the details.


Zombies in the Wild West? Yep! Abilene, KS, (cow town and railhead) was the quintessence of the Wild West—and in a similar way, an optical backbone named “Abilene” is at the frontier of Internet research. Although Abilene isn’t available directly to business users, it is facilitating developments that will soon find their way onto commercial networks.

One of the most important contributions Abilene has made so far is providing an opportunity for security experts to study a new network threat—the pulsing zombie. In this article, we’ll look at Abilene’s role in identifying this threat and explain how pulsing zombies differ from traditional DoS attacks. We’ll also share a discussion with a director at Asta Networks, which has been monitoring network activity on Abilene and has developed a possible defense against these attacks.

What is Abilene?
Everyone talks about the need for bigger pipes and a faster Internet, but one group is actually doing something about it. Internet2 (I2) is a consortium that’s developed an experimental network being tested at more than 180 universities around the world. According to I2, its primary goals are to:
  1. Create a leading edge network capability for the national research community.
  2. Enable revolutionary Internet applications.
  3. Ensure the rapid transfer of new network services and applications to the broader Internet community.

Unfortunately, one of the things I2 recently discovered in Abilene is the pulsing zombie denial of service (DoS) attack. Zombies aren’t new to security specialists—the term aptly describes the way innocent computers are taken over remotely and then used to attack third parties. But the “pulsing” element adds a new twist.

Traditional zombies
System crackers use zombies for two reasons. First, routing an attack through compromised third-party machines makes the attacker's own activity harder to trace. Second, crackers seldom own the hardware needed to conduct a concerted denial of service attack, which requires the ability to generate a large volume of traffic.

But zombies are becoming easier to trace now that more investigators know what to look for. And just like dumb kidnappers on the old police shows (in the days before caller ID) who kept talking long enough to let the cops trace their calls, traditional zombie attacks are continuous events and can therefore be traced fairly easily.

Pulsing zombies
In pulsing zombie attacks, however, the attack is intermittent rather than constant, making it extremely difficult to detect and even harder to trace the source. A pulsing zombie doesn’t trigger a traditional DoS event; rather, it ties up resources, often just “below the radar” of system administrators, slowing response times and degrading service for legitimate users instead of completely shutting down the system under attack.
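The difference between a steady flood and a pulsing attack is easiest to see in numbers. The following is an added example, not code from the original article or from Asta Networks: it builds a constructed per-second packet-count series for a target, once with a traditional constant flood and once with short bursts on a fixed period, and runs two detectors over each. The first detector is the kind of check a five-minute utilization graph or a naive threshold alarm amounts to; the second compares a few seconds of peak traffic against the median of the surrounding window. The baseline rate, link capacity, burst size, period, window lengths and ratio are all assumptions chosen for illustration.

```python
"""Constructed simulation of a pulsing DoS pattern versus a steady flood,
with a long-window average detector and a short-window burst detector.

Added example, not code from the original article or from Asta Networks.
All traffic figures are constructed; thresholds are illustrative assumptions.
"""

from statistics import mean, median

BASELINE_PPS = 1_000        # assumed normal packets/second toward the target
LINK_CAPACITY_PPS = 10_000  # assumed capacity; service degrades as traffic nears it
DURATION_S = 600            # ten minutes of per-second counters


def steady_flood(rate_pps: int) -> list[int]:
    """Traditional zombie: constant extra traffic every second."""
    return [BASELINE_PPS + rate_pps for _ in range(DURATION_S)]


def pulsing_zombie(burst_pps: int, period_s: int, burst_len_s: int) -> list[int]:
    """Pulsing zombie: burst_pps extra traffic for burst_len_s seconds at the
    start of every period_s-second interval, nothing in between."""
    return [
        BASELINE_PPS + (burst_pps if (t % period_s) < burst_len_s else 0)
        for t in range(DURATION_S)
    ]


def long_window_alarm(series: list[int], window_s: int = 300,
                      threshold_pps: int = 3 * BASELINE_PPS) -> bool:
    """Naive detector: alarm if any non-overlapping 5-minute average exceeds
    the threshold. A pulsing attack spends most of the window idle, so the
    average stays low and this never fires."""
    for start in range(0, len(series) - window_s + 1, window_s):
        if mean(series[start:start + window_s]) > threshold_pps:
            return True
    return False


def burst_detector(series: list[int], short_s: int = 5, long_s: int = 300,
                   ratio: float = 4.0) -> list[int]:
    """Flag second t when the *minimum* of the next short_s seconds exceeds
    ratio times the median of the surrounding long_s-second window. Using the
    median (not the mean) keeps the bursts themselves from lifting the baseline;
    using the minimum requires the burst to be sustained for short_s seconds,
    so short_s must not exceed the burst length you expect to catch."""
    flagged = []
    for t in range(len(series)):
        lo, hi = max(0, t - long_s // 2), min(len(series), t + long_s // 2)
        baseline = median(series[lo:hi])
        short = series[t:t + short_s]
        if len(short) == short_s and min(short) > ratio * baseline:
            flagged.append(t)
    return flagged


def summarize(series: list[int]) -> dict:
    """What an operator would see: average and peak utilization, seconds in
    which users experienced degradation (assumed at 80% of capacity), and
    whether each detector noticed anything."""
    degraded_at = 0.8 * LINK_CAPACITY_PPS
    return {
        "avg_utilization": mean(series) / LINK_CAPACITY_PPS,
        "peak_utilization": max(series) / LINK_CAPACITY_PPS,
        "seconds_degraded": sum(1 for pps in series if pps >= degraded_at),
        "long_window_alarm": long_window_alarm(series),
        "bursts_flagged": len(burst_detector(series)),
    }


if __name__ == "__main__":
    # 8,000 pps bursts lasting 5 s every 60 s: 90% utilization during bursts,
    # about 17% on average, so the 5-minute view looks nearly idle.
    print("pulsing:", summarize(pulsing_zombie(8_000, 60, 5)))
    # 12,000 pps constant: exceeds capacity, trips the naive alarm at once.
    print("steady: ", summarize(steady_flood(12_000)))
    print("quiet:  ", summarize([BASELINE_PPS] * DURATION_S))
```

The pulsing series shows the "below the radar" effect the text describes: fifty seconds of degraded service in ten minutes, yet the five-minute average never reaches the naive threshold, while the burst detector flags every one of the ten pulses. The steady flood is the reverse: the naive alarm fires immediately and the burst detector sees nothing, because a constant flood raises the median along with everything else.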

Examining the potential threat
The pulsing zombie threat is somewhat theoretical at the moment, but security specialists who want to stay at the cutting edge of network technology need to monitor what is happening on the university-based Internet2. Threats that develop there may eventually lead to attacks on commercial networks—especially if commercial developers aren’t aware of the known threats when they begin developing applications.

So why should a hard-headed businessperson care about these theoretical threats? Simple: The latest trend in DoS attacks is far more sophisticated than the crash-and-burn scenarios played out in the early, experimental days of DoS. When your server is brought down, you know it—and can take steps to fix the problem. But if an intermittent DoS attack such as a pulsing zombie slows your system instead of causing a complete crash, it is costing you real money and is far more difficult to detect.

Since so many things can slow network response, a limited DoS attack probably isn't the first thing that leaps to mind when you get complaints that the system is slow. Intermittent DoS attacks not only slow response times, they also consume bandwidth the company is paying for.

In this case, DoS stands for degradation of service, not denial of service.

Asta Networks, a company specializing in providing anti-DoS services and software, conducted extensive monitoring on the Abilene network and coined the term pulsing zombie to describe this form of attack. A spokesperson for the company said that in at least one instance, a school experienced a six-fold increase in traffic for several months, all due to a degradation of service attack.

Three new types of denial of service attacks have been identified by technicians from Asta Networks during the six-month period the company monitored the Internet2 Abilene backbone.

Monitoring the threat
You can get an overview of the Abilene network’s topology at http://www.ucaid.org/abilene/html/maps.html. If you’re interested in some details about the Abilene network, you can see current performance statistics at http://hydra.uits.iu.edu/~abilene/traffic/abilene.html. Even around noon on a workday, line utilization was averaging under 5 percent.

To find out more about this new threat, I went to the source—in this case, Melissa (Covelli) Derry, a director at Asta Networks. Here’s the gist of our discussion.

Locksmith: Can you estimate how serious this threat is to the Abilene network?
Derry: Over the last couple of months, Asta Networks has seen hundreds of attacks on Internet2, which is one of the reasons we have installed our technology across the Internet2 backbone. In addition to being a test bed for next-generation Internet technologies, Internet2 has connections to 180 educational institutions, which are notorious for generating and receiving attacks [making it the perfect place to look for new vulnerabilities]. Internet2 does transit real customer traffic, and in one recent attack, a university in Japan was knocked offline due to a DoS attack coming from Latin America and Eastern Europe. According to Steve Corbató, director of backbone infrastructure at Internet2, "Understanding more about DoS attacks will ultimately help us eliminate a significant threat to tomorrow's Internet.”

Locksmith: The point is, of course, that because of its exposure to the top computer students, I2 is the perfect place for security companies to learn about new kinds of attacks that will likely migrate to commercial networks. Can you describe why commercial users should be interested in this problem, which thus far is strictly found on the I2 university network?
Derry: This problem is certainly not restricted to the I2 network. On Monday [May 21, 2001], Asta Networks released what [we think is] the first ever quantitative research done on the scope and prevalence of DoS attacks on the Internet. One of our founders, Stefan Savage, conducted this research along with colleagues at UCSD. Here are some of the key findings:
  • During a three-week period, the study shows 12,805 attacks against more than 5,000 distinct targets ranging from Internet bellwethers such as Amazon and AOL to small foreign ISPs and dial-up connections.
  • No country is immune. Web sites in Romania were hit nearly as frequently as domains ending in .net or .com, and Brazil was targeted almost more than .edu and .org combined. Canada, Germany, and the United Kingdom were all targeted frequently, and several attacks were directed at Belgium, Switzerland, and New Zealand.
  • Attacks can be relentless. Overall, most targets were attacked five or fewer times. However, five targets were inundated with traffic between 60 and 70 times, and one unfortunate victim was besieged 102 times in one week.
  • Home machines are also at risk. A significant fraction of attacks were directed at home machines—both dial-up and broadband. Some of these attacks constituted large, severe attacks, suggesting that DoS attacks are frequently used to settle personal vendettas.
  • The majority of the attacks monitored were fast enough to overwhelm existing attempts to solve DoS, and a fraction were fast enough to overwhelm even optimized countermeasures.

Related links
Check out the initial report here:

Locksmith: How can your company help users protect their networks from pulsing zombies or other DoS attacks?
Derry: Asta Networks will soon be broadly releasing its distributed system for protecting companies from DoS attacks. Some of the details about how our technology works are available at:

Conclusion
Never heard of pulsing zombies? That’s not surprising, since Asta Networks coined the term. But I find it very descriptive, so I’ve decided to use it to describe this type of attack. Obviously, Asta is a relatively new company and is promoting itself with this pulsing zombie idea. However, it looks like a legitimate threat to me. Only time will tell whether the threat becomes widespread and how well Asta Networks’ countermeasures will work.
