By Jonathan Yarden
Several years ago, I worked at a small Web site hosting company, where I first encountered the confusion and havoc caused by a denial-of-service (DoS) attack. On one occasion, after several hours of being unable to access the Internet, customers no longer cared what the problem was—they just wanted it fixed.
I determined that the traffic was HTTP requests, so I focused on checking Web servers. We hosted a number of popular Web sites, and I checked these first.
The size of one Web server log file was considerably larger than any of the others by several orders of magnitude. And one solitary IP address was requesting the same URL over and over again. While the Web server itself was operating fine, the traffic was saturating our 1.5-Mbps T1 Internet circuit and cutting off customers.
To identify where the flood was coming from, I used Nslookup and found the domain name for the IP address causing the problem, which WHOIS resolved to another local hosting company. After several phone calls to the competitor's technical support number and a lengthy discussion with several technical staff members, the flood of traffic finally stopped.
I never received a clear answer about what happened to knock us offline. But the company folded during the dot-com crash, and a former technical support staff member later told me the attack was intentional—a conclusion I had already come to myself.
Unfortunately, DoS attacks have evolved into much more than one company trying to cause problems for another. With broadband access almost ubiquitous, there are no longer "simple" DoS attacks.
As we've seen, compromised broadband hosts under remote control can knock out even the biggest Internet companies, including Google and Microsoft. Writers of malicious code, such as the latest version of MyDoom with its Zindos payload, know that the majority of broadband computers are poorly maintained, making them ripe targets to install Trojan programs to later use for remote control as a group.
Related news and security articles
These days, the number-one threat to the Internet as a whole is the targeted distributed DoS (DDoS) attack, which uses vast armies of compromised broadband computers. Fighting a DDoS attack is like trying to swim up Niagara Falls.
Most Internet companies, even those staffed with the best IT pros, can do little to abate a DDoS flood without a lot of work and assistance from upstream ISPs. And non-Internet companies generally have no idea when they're under attack—they often don't even know what's going on.
The writers of DDoS attacks know this all too well. There are already documented cases of extortion using the threat of DDoS attacks. Stopping and recovering from a DDoS attack takes time, money, and a skilled staff.
DoS and DDoS attacks are not a new threat; they've been terrorizing the Internet for years. And yet, only a few vendors offer products that can help defend networks from DoS attacks, and even those tools can't withstand a sustained DDoS attack.
Denial of service is the new plague of the Internet—just ask Google and Microsoft. But after all these years, we're still no closer to learning how to deal with this problem.
DDoS attacks are on the rise. And unfortunately, while most organizations won't necessarily be a target for attacks, they'll still be a victim of their effects.
Jonathan Yarden is the senior UNIX system administrator, network security manager, and senior software architect for a regional ISP.