
A year later, DDoS attacks still a major Web threat

Despite increased awareness, major e-commerce and information sites worldwide remain vulnerable to hack attacks.

Robert Lemos Staff Writer, CNET News.com
Even the Internet has a sense of fate.

[Video: Can the Internet combat DDoS attacks? Chris Rouland, research director, Internet Security Systems]

At 9:15 a.m. on Feb. 7, 2000, AT&T researcher Steve Bellovin walked up to the podium at the North American Network Operators' Group and started a talk. His topic: How a relatively unknown type of Internet attack couldn't be stopped by current technology.

Less than an hour later, Yahoo seemingly dropped off the Internet, as the company's servers were targeted with the very attack that Bellovin had warned about.

A year later, the network security researcher said major e-commerce and information sites worldwide remain vulnerable because "there are (still) no strong defenses deployed."

The DDoS (distributed denial of service) attack that knocked out Yahoo used a host of hacked servers--dubbed "slaves" or "zombies"--to inundate a Web site or Internet-connected server with data, effectively stopping the server's ability to respond to Web page requests or other access attempts. The attack could not be easily pinpointed, as data seemingly came from 50 or more points across the Internet. Simple DoS (denial of service) attacks only come from one source, though attackers can make data appear to come from multiple sources.

Two days later, eBay, Amazon.com, Buy.com, ZDNet, CNN.com, E*Trade and MSN.com joined Yahoo, dropping off the Web for hours at a time. The attacks affected other sites as well. Overall, Internet traffic slowed by as much as 26 percent, according to Net performance watcher Keynote Systems.

Internet still vulnerable
Though repeated attacks have increased awareness of the problem, and technologies for dealing with a DoS attack are seemingly on their way, last year's messes are only the tip of the iceberg, said Tom Anderson, chief technology officer of Asta Networks, one of three companies that have popped up in the last year to offer remedies for DoS attacks and other Internet threats.

"The attacks have become more sophisticated. We have seen a little bit more of the iceberg, but there is a lot more to come," he said.

Two weeks ago, Microsoft became the latest proof when it suffered a router glitch and two DoS attacks that left access to the company's Web properties spotty at best.

The outage followed attacks on worldwide Internet Relay Chat, or IRC, servers that collapsed parts of the service for hours at a time.

And the problem is not going away. At least one tester of anti-DoS technology--a major Internet provider--has estimated that anywhere from 5 to 10 percent of the traffic on its networks is, in reality, data sent by vandals intent on a DoS attack.

"The attacks have gone from just Web servers to enterprises and infrastructure," said Anderson. "We cannot become more complacent."

Solutions on the way?
Several groups are attempting to work together to fight denial-of-service attacks.

The Internet Engineering Task Force has started working on a technology to trace back the origin of a piece of data to its source. So-called ICMP Traceback Messages, or itrace, could turn DoS attackers from anonymous vandals into easily tracked criminals.

Other groups are forming to share information about attacks, to be better prepared to defend against them.

The Information Technology Association of America, with 19 other major technology companies, has formed the Information Technology Information Sharing and Analysis Center, or IT-ISAC. The center hopes that by sharing attack data, members will be better prepared for future DoS attacks--among other Internet threats--and able to track attacks to the source.

Such tracking is very difficult today, because the tools used by the vandals who start such attacks can be modified so that the data appears to come from a completely different source than the real one. Called "IP spoofing," such a technique requires every company whose server routes data to cooperate to pinpoint the attacker.

Without such cooperation, an attacker may be difficult to find, but stopping the attack is possible, said Phil London, CEO of Mazu Networks, another start-up that believes it can prevent DoS attacks.

"The Holy Grail is to have an ubiquitous deployment all throughout the Internet," he said. "But we don't believe that is completely necessary to provide (DoS prevention) services to our customers."

London and his competitors--Asta Networks and the newly announced Arbor Networks--believe their customers are more interested in keeping their connection to the Internet up and working rather than prosecuting an attacker.

Ted Julian, chief technology officer of Arbor Networks, agrees. "Customers' first priority is to make these things go away. They just want to keep on doing business."

Everyone must work together
While that's true, others believe the problem won't be solved without Internetwide cooperation.

"I think the only solution is to trace things back and turn them off, and that requires a lot of cooperation," said the manager of research and development for network security company @Stake, who would only use his old-school hacker handle "Weld Pond."

"Any technology like these has to be widely deployed," he added. "It has got to be a community effort."

DoS attacks seem to--and in some cases, actually do--come from dozens or hundreds of locations at the same time. Without Internet service providers cooperating, tracking the attacks is impossible.

Cooperation has become critical because the Internet is still rapidly growing, and more, rather than fewer, mistakes are being made, said Weld Pond.

"There are more and more machines out there," he said. "And to me, that means more and more vulnerable machines. The attacks on Microsoft have shown that these people are more than willing and more than able."

Until companies act together to make the Internet more reliable, business on the Net is a waiting game.