Several years ago, I worked at a small Web site hosting
company, where I first encountered the confusion and havoc caused by a
denial-of-service (DoS) attack. On one occasion, after several hours of being
unable to access the Internet, customers no longer cared what the problem was—they
just wanted it fixed.
I determined that the traffic was HTTP requests, so I
focused on checking Web servers. We hosted a number of popular Web sites, and I
checked these first.
The size of one Web server log file was considerably larger
than any of the others by several orders of magnitude. And one solitary IP
address was requesting the same URL over and over again. While the Web server
itself was operating fine, the traffic was saturating our 1.5-Mbps T1 Internet
circuit and cutting off customers.
To identify where the flood was coming from, I used Nslookup
and found the domain name for the IP address causing the problem, which WHOIS
resolved to another local hosting company. After several phone calls to the
competitor’s technical support number and a lengthy discussion with several
technical staff members, the flood of traffic finally stopped.
I never received a clear answer about what happened to knock
us offline. But the company folded during the dot-com crash, and a former
technical support staff member later told me the attack was intentional—a
conclusion I had already come to myself.
Unfortunately, DoS attacks have evolved into much more than
one company trying to cause problems for another. With broadband access almost
ubiquitous, there are no longer “simple” DoS attacks.
As we’ve seen, compromised broadband hosts under remote
control can knock out even the biggest Internet companies, including Google and
Microsoft. Writers of malicious code know that the majority of broadband
computers are poorly maintained, making them ripe targets to install Trojan
programs to later use for remote control as a group.
These days, the number-one threat to the Internet as a whole
is the targeted distributed DoS (DDoS) attack, which uses vast armies of
compromised broadband computers. Fighting a DDoS attack is like trying to swim
up Niagara Falls.
Most Internet companies, even those staffed with the best IT
pros, can do little to abate a DDoS flood without a lot of work and assistance
from upstream ISPs. And non-Internet companies generally have no idea when
they’re under attack—they often don’t even know what’s going on.
The writers of DDoS attacks know this all too well. There
are already documented cases of extortion using the threat of DDoS attacks.
Stopping and recovering from a DDoS attack takes time, money, and a skilled
DoS and DDoS attacks are not a new threat; they’ve been
terrorizing the Internet for years. And yet, only a few vendors offer products
that can help defend networks from DoS attacks, and even those tools can’t
withstand a sustained DDoS attack.
Denial of service is the new plague of the Internet—just ask
Google and Microsoft. But after all these years, we’re still no closer to
learning how to deal with this problem.
DDoS attacks are on the rise. And unfortunately, while most
organizations won’t necessarily be a target for attacks, they’ll still be a
victim of their effects.
Miss an issue?
Check out the Internet Security Focus
Archive, and catch up on the most recent editions of Jonathan Yarden’s
Want more advice for
locking down your network? Stay on top of the latest security issues and industry
trends by automatically
signing up for our free Internet Security Focus newsletter, delivered each
Jonathan Yarden is the
senior UNIX system administrator, network security manager, and senior software
architect for a regional ISP.