The recent distributed denial of service (DDoS) attacks committed against Yahoo!, E-Trade, CNN Interactive, Amazon.com, eBay, Excite.com, and several other companies have stirred up some important debates that CIOs need to understand. Were the attacks serious, or just harmless pranks? What do denial of service attacks mean to e-commerce companies? How can company sites fight this criminal intent?
In this article, we’ll take a look at DDoS attacks, examining how they work and what they mean to your e-commerce company.
How denial of service attacks work
A denial of service attack disables a network server by flooding it with traffic. There are many types of DoS attacks, including:
- E-mail bombs: sending massive amounts of e-mail to a single system with intent to crash or spam the recipient's system
- Ping flood attacks or smurfing: when a site is bombarded by thousands of ping (Packet Internet Groper) messages each second. A ping is a small data packet that basically asks another network computer, "Are you there?" and then waits for a response. Pings are commonly used to check that two computers can reach each other over the Internet Protocol.
- Teardrop attacks: This attack creates a series of fragmented IP packets that cause a server to crash, hang, or reboot when the fragments are reassembled.
- Bogus return addresses: This type of attack works like a ping attack, except that it creates a flood of requests for Web pages but gives the Web server a forged return address, so the server cannot deliver its replies.
The most recent attacks were called distributed denial of service attacks because they employed a strategy using unprotected network computers in the attack. In a DDoS attack, a hacker first uses simple software packages, usually downloaded from the Internet, to identify network (or node) computers that are not secure. These computers are usually university or corporate computers where security is minimal. Once located, the hacker secretly installs software that will conduct the attack from these network computers.
Since these node computers are typically connected directly to the Internet with a T1 or T3 line, they are capable of transmitting thousands of messages per second. When the hacker has prepared 50 to 100 node computers, the hacker initiates the attack. Each individual node computer starts sending thousands of page requests to a Web site, quickly building up hundreds of thousands or even millions of requests. In addition, each request includes a false return address, which makes the targeted Web server use more time in trying to answer the request. Under these conditions, a server simply can’t handle the traffic. In addition, the node computers being used for the attack are often heavily affected. The figures below show how these transmissions are conducted under normal conditions and during a DoS attack.
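The flood pattern described above leaves a recognizable signature in a server's connection logs: a sudden burst of requests, nearly every one from a different source, and almost none completing because the forged return address never answers. The following detector is an added example (not code from the original article) that runs over constructed log lines in an assumed format and flags a second of traffic only when all three signs hold.

```python
"""Detect a spoofed-source connection flood in constructed log lines.

Added example, not from the original article. Assumed log format, one line
per connection attempt: <second> <src_ip> <dst_ip> <dst_port> <state>,
where state is SYN (handshake never completed) or EST (completed).
"""
from collections import defaultdict


def parse_lines(text):
    """Yield (second, src, dst, port, state), skipping malformed lines."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue
        sec, src, dst, port, state = fields
        yield int(sec), src, dst, int(port), state


def flood_alerts(text, min_attempts=100, min_unique=0.9, min_incomplete=0.8):
    """Return (second, dst_ip, dst_port) keys whose traffic looks like a flood.

    A flood with forged return addresses shows a burst of attempts, almost all
    from different sources, and almost none completing the handshake because
    the forged source never answers. All three must hold to raise an alert.
    """
    buckets = defaultdict(lambda: {"n": 0, "srcs": set(), "syn": 0})
    for sec, src, dst, port, state in parse_lines(text):
        b = buckets[(sec, dst, port)]
        b["n"] += 1
        b["srcs"].add(src)
        b["syn"] += int(state == "SYN")
    return [key for key, b in sorted(buckets.items())
            if b["n"] >= min_attempts
            and len(b["srcs"]) / b["n"] >= min_unique
            and b["syn"] / b["n"] >= min_incomplete]


def constructed_sample():
    """One quiet second, then one second under a 300-attempt flood."""
    lines = ["1000 203.0.113.5 198.51.100.10 80 EST",
             "1000 203.0.113.9 198.51.100.10 80 EST",
             "1000 203.0.113.5 198.51.100.10 443 EST"]
    # Each flood attempt carries a different forged source and never completes.
    lines += [f"1001 10.{i // 256}.{i % 256}.7 198.51.100.10 80 SYN"
              for i in range(300)]
    # A few genuine visitors still complete connections during the flood.
    lines += ["1001 203.0.113.5 198.51.100.10 80 EST"] * 3
    return "\n".join(lines)


if __name__ == "__main__":
    print(flood_alerts(constructed_sample()))  # [(1001, '198.51.100.10', 80)]
```

The thresholds are starting points; a busy site sets min_attempts from its own normal per-second rate so that a legitimate traffic spike (many sources, but handshakes completing) is not mistaken for a flood.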
[Figure: Ordinary Internet transmissions]
[Figure: Denial of service attack]
What’s the motive?
There are several possible motives for DoS attacks. The most common is simple vandalism. Young hackers often initiate DoS attacks to test their skills or to gain a reputation among other hackers. A hacker might also launch a DoS attack as purposeful sabotage against a specific company (this type of attack usually comes from a disgruntled employee). Other motives for a DoS attack include attempts by rival companies to indirectly steal Internet traffic, a cover attack so a hacker could do something else inside a server while administrators were troubleshooting the DoS, and the offhand chance that cyberterrorists could test the water of U.S. e-commerce security.
The recent DoS attacks are considered relatively unsophisticated and were probably conducted by young hackers. The denial of service software tools used in the attacks are relatively simple to work with and are easy to find and download on the Internet. In addition, the sites attacked were all popular Web sites with lots of exposure—prime targets for young hackers looking to build a reputation. Still, there are indications that the hackers were probably well schooled in UNIX and studied each Web site’s topology for weak spots.
One other important point to know about DoS attacks is that, even though they are considered somewhat crude in the realm of hackers, they are difficult to protect against completely. DoS attacks usually exploit holes in software, networking practices, and operating systems. When administrators and software vendors fix the problems that make DoS attacks possible, hackers invariably change strategies to find new methods for conducting attacks.
Ramifications for CIOs
First of all, CIOs should know that DoS attacks are nothing new. For example, in the first week of March 1998, the Internet was inundated with DoS attacks that exploited a problem with Microsoft Windows NT servers. This huge attack brought down thousands of NT stations, including ones at NASA, the Massachusetts Institute of Technology (M.I.T.), the U.S. Navy, and the University of California at Berkeley. At the time, U.S. Attorney General Janet Reno asked Congress for $64 million in funds for a new FBI investigation center devoted to computer security and hacker activities.
The March 1998 DoS attack helped establish the FBI’s Infrastructure Protection and Computer Intrusion Squad (IPCIS), which is responsible for investigating unauthorized intrusions into major computer networks, the illegal interception of signals, and infringement of copyright laws related to software. But it is questionable whether this agency can become a real deterrent to attacks such as the recent DoS attacks. The U.S. government is notoriously slow to act, while Internet hackers are anything but slow. Legislation doesn’t appear to be an answer to the problem, since young hackers don’t seem to know or care about the laws that Congress passes or the possible ramifications. In addition, most companies fail to report serious hacks, which typically aren’t as obvious as a DoS, for fear the publicity will damage the company’s reputation. Finally, even if authorities catch a hacker, and there are appropriate laws on the books, what good will this do an e-commerce company?
As Elizabeth Banker (former assistant general counsel to the President's Commission on Critical Infrastructure Protection) once said, "There are civil remedies, but if it's a 16-year-old, you don't want to sue him for his allowance."
The point here is simple: E-commerce companies must take the initiative, just as hackers have. The Internet was designed as a distributed networking system in which communications couldn’t ever be completely interrupted. It is bigger than government regulations, bigger than any single firewall, but also bigger than hackers. The forces that are currently forming the Internet into a twenty-first century communications powerhouse include e-commerce companies’ investment strategies. To date, e-commerce has demanded customer-centric interactive functions and secure transactions, but not server security and effectiveness. For example, it is surprising that so much is made of the recent DDoS attacks when spam eats up exponentially more bandwidth each day than the denial of service attacks ever could. Somehow, because spam isn’t so immediately sensational or obvious, it is tolerated with little or no complaint or government legislation.
To overcome hacker attacks, CIOs must let software developers know that they are serious about the problem, and they must aggressively address the problem internally. There are several reasons why internal security (for machines and employees) is so important, but the number one reason to increase internal security is because the majority of true hacks come from inside an organization—so security for system administrators, passwords, and sensitive information needs to be tight. Keeping your company’s computers safe from an attack is only the first step. As e-commerce expands on the Internet, unwitting companies that find their computers used by a hacker to perform an attack may even find themselves at the wrong end of a lawsuit for negligence. Here are some security steps that you can discuss with your company’s system administrators:
- Develop a distributed infrastructure. Building an infrastructure across various networks increases the odds that customers can access a site during an attack.
- Regularly back up all important data, including operating system and e-commerce software.
- Develop an organized corporate security plan.
- Work with system administrators to see that security software can recognize and track attacks and defend the system.
- Routinely test the network for vulnerabilities.
- Regularly change passwords, require that they use alphanumeric characters, and change them whenever employees leave the organization.
- Encourage your ISPs to develop source-address anti-spoof filters, which help foil denial of service attacks.
- Minimize the number of modems on the system.
- Promote alternative forms of communication: In the event you are attacked, your customers should know that they can still contact you in other ways, such as a fax or phone.
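The source-address anti-spoof filter suggested for ISPs works by refusing to forward any packet from a customer link whose source address does not belong to that customer. The block below is an added illustration of that rule (not the article's or any vendor's code); the interface table, bogon list and packet records are constructed, and the technique is the ingress filtering later standardized as BCP 38.

```python
"""Source-address anti-spoof (ingress) filtering at an ISP customer edge.

Added example, not from the original article; the interface table and
packet records are constructed. Rule: a packet arriving from a customer
link may carry only a source address from that link's assigned prefixes.
Any other source is a forged return address and is dropped before it can
reach the Internet (the ingress filtering later standardized as BCP 38).
"""
import ipaddress

# Constructed table: ingress interface -> prefixes assigned to that customer.
CUSTOMER_PREFIXES = {
    "cust-A": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-B": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("2001:db8:b::/48")],
}

# Addresses never valid as a public source (partial bogon list, constructed).
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "224.0.0.0/4", "::/128", "fc00::/7")]


def allowed_source(interface, src):
    """True if src may legitimately originate on the given ingress interface."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # malformed address: drop rather than guess
    if any(addr in net for net in BOGONS):
        return False
    # An unknown interface has no assigned prefixes, so nothing passes from it.
    return any(addr in net for net in CUSTOMER_PREFIXES.get(interface, []))


def filter_packets(packets):
    """Split (interface, src, dst) records into (forwarded, dropped) lists."""
    forwarded, dropped = [], []
    for pkt in packets:
        (forwarded if allowed_source(pkt[0], pkt[1]) else dropped).append(pkt)
    return forwarded, dropped


# Constructed traffic: two genuine packets and two with forged sources.
SAMPLE_PACKETS = [
    ("cust-A", "203.0.113.44", "198.51.100.10"),     # genuine
    ("cust-B", "2001:db8:b::1", "2001:db8:ff::10"),  # genuine, IPv6
    ("cust-A", "198.51.100.7", "198.51.100.10"),     # forged: not cust-A space
    ("cust-B", "10.1.2.3", "198.51.100.10"),         # forged: private address
]

if __name__ == "__main__":
    print(filter_packets(SAMPLE_PACKETS))  # 2 forwarded, 2 dropped
```

The filter's known limit is that it cannot catch a forged address chosen from inside the customer's own prefix; it stops the node computers described earlier from impersonating arbitrary Internet addresses, which is what makes their floods hard to trace.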
Bruce Spencer is a freelance technical writer who has been working in the information industry since 1983 and writing about the Internet since 1995.