WHAT TO DO WHEN TERRORISTS KEEP ATTACKING


At 9:15 a.m. on Feb. 7, 2000, AT&T researcher Steve Bellovin walked up to the podium at the North American Network Operators' Group and started a talk. His topic: How a relatively unknown type of Internet attack couldn't be stopped by current technology. Less than an hour later, Yahoo seemingly dropped off the Internet, as the company's servers were targeted with the very attack that Bellovin had warned about.

Today, e-commerce and information sites worldwide remain vulnerable because there are (still) no strong defenses deployed; thus, terrorists keep attacking. The DDoS (distributed denial of service) attack that knocked out Yahoo used a host of hacked servers (dubbed 'slaves' or 'zombies') to inundate a Web site or Internet-connected server with data, effectively stopping the server's ability to respond to Web page requests or other access attempts. The attack could not be easily pinpointed, as data seemingly came from 100 or more points across the Internet. Simple DoS (denial of service) attacks come from only one source, although attackers can make data appear to come from multiple sources.
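The paragraph above distinguishes a simple DoS (one real source) from a DDoS (many zombies) and notes that spoofing can make one source look like many. As an added, defender-side illustration that is not from the book, the script below takes constructed request records and labels a traffic window by its source distribution; the thresholds and sample addresses are assumptions chosen for the example.

```python
from collections import Counter


def classify_flood(records, window_start, window=10, threshold=200):
    """Label one time window of request traffic by its source distribution.

    records: iterable of (timestamp_seconds, source_ip) tuples, one per request.
    Returns (label, requests, distinct_sources). Labels follow the text:
      'single-source DoS'    - one address dominates the flood
      'distributed DoS'      - many zombies, each sending repeatedly
      'spoofed-source flood' - many addresses that almost all appear once
      'normal'               - request volume under the flood threshold
    The 80% / 90% cut-offs are illustrative assumptions, not vendor settings.
    """
    in_window = [src for ts, src in records
                 if window_start <= ts < window_start + window]
    counts = Counter(in_window)
    total = len(in_window)
    distinct = len(counts)
    if total < threshold:
        return "normal", total, distinct
    top_share = counts.most_common(1)[0][1] / total
    if top_share >= 0.8:
        return "single-source DoS", total, distinct
    singletons = sum(1 for c in counts.values() if c == 1)
    if singletons / distinct >= 0.9:
        # A flood where nearly every packet carries a fresh address is the
        # signature of forged sources rather than of real zombies.
        return "spoofed-source flood", total, distinct
    return "distributed DoS", total, distinct


def sample_records(kind, n=300):
    """Constructed request records for each scenario (documentation ranges)."""
    if kind == "single":
        return [(i % 10, "203.0.113.5") for i in range(n)]
    if kind == "distributed":
        # 100 zombies, each sending n/100 requests
        return [(i % 10, f"198.51.100.{i % 100}") for i in range(n)]
    if kind == "spoofed":
        # every request carries a different forged source address
        return [(i % 10, f"10.0.{i // 256}.{i % 256}") for i in range(n)]
    return [(i % 10, f"192.0.2.{i % 5}") for i in range(20)]  # normal traffic


if __name__ == "__main__":
    for kind in ("normal", "single", "distributed", "spoofed"):
        print(kind, classify_flood(sample_records(kind), 0))
```

The source-count heuristic is only a first cut: as the text notes later, spoofed addresses mean that identifying the real origin still requires cooperation from the networks the traffic crosses.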

Two days later, eBay, Amazon.com, Buy.com, ZDNet, CNN.com, E*Trade, and MSN.com joined Yahoo, dropping off the Web for hours at a time. The attacks affected other sites as well. Overall, Internet traffic slowed by as much as 37%, according to Net performance watcher Keynote Systems.

Although repeated attacks have increased awareness of the problem, and technologies for dealing with a DoS attack are seemingly on their way, 2000's messes are only the tip of the iceberg; there is a lot more to come. The attacks have also become more sophisticated.

Recently, Microsoft became the latest proof when it suffered a router glitch and two DoS attacks that left access to the company's Web properties spotty at best. The outage followed attacks on Internet Relay Chat (IRC) servers worldwide that collapsed parts of the service for hours at a time.

And the problem is not going away. At least one tester of anti-DoS technology (a major Internet provider) has estimated that anywhere from 6 to 11% of the traffic on its networks is, in reality, data sent by vandals intent on a DoS attack.

The attacks have gone from just Web servers to enterprises and infrastructure. Private companies cannot become complacent. So, what do you do when terrorists keep attacking?

Solutions on the Way

Several groups are attempting to work together to fight denial-of-service attacks. The Internet Engineering Task Force has started working on a technology to trace back the origin of a piece of data to its source. So-called ICMP Traceback Messages, or itrace, could turn DoS attackers from anonymous vandals into easily tracked criminals. Other groups are forming to share information about attacks, to be better prepared to defend against them.

The Information Technology Association of America, with 20 other major technology companies, has formed the Information Technology Information Sharing and Analysis Center, or IT-ISAC. The center hopes that by sharing attack data, members will be better prepared for future DoS attacks (among other Internet threats) and better able to track attacks to the source.

Such tracking is difficult today because the tools used by the vandals who start such attacks can be modified to make traffic appear to come from a completely different source than the real one. Called 'IP spoofing,' this technique means that every company whose servers route the data must cooperate to pinpoint the attacker. Without such cooperation, an attacker may be difficult to find, but stopping the attack is still possible. The Holy Grail is a ubiquitous deployment throughout the Internet.

Today, customers are more interested in keeping their connection to the Internet up and working rather than prosecuting an attacker. The customers' first priority is not to make these things go away. They just want to keep on doing business.

Everyone Must Work Together

While some companies just want to keep on doing business and not solve the problem of prosecuting computer attackers, others believe the problem won't be solved without Internetwide cooperation. The only solution is to trace things back and turn them off, and that requires a lot of cooperation.

Any technology like this has to be widely deployed. It has got to be a community effort.

DoS attacks seem to (and in some cases, actually do) come from dozens or hundreds of locations at the same time. Without Internet service providers cooperating, tracking the attacks is impossible.

Cooperation has become critical because the Internet is still rapidly growing, and more, rather than fewer, mistakes are being made. There are more and more machines out there. And, consequently, that means more and more vulnerable machines.

The attacks on Microsoft have shown that hackers are more than willing and able to carry out successful attacks. Until companies act together to make the Internet more reliable, business on the Net is at risk.

Hack Back

'Hacking back' is another tactic that private companies can use when terrorists keep attacking. However, companies have tended to become either virtual vigilantes or packet pacifists. Network executives have mixed feelings about whether to retaliate against an attack.

Nevertheless, in December 1999, when protesters were rampaging through Seattle in an attempt to disrupt the World Trade Organization (WTO) summit meeting, other activists were launching a DoS attack on the WTO Web site. But the WTO's Web-hosting service spotted the attack and repelled it, bouncing the flood of page download requests back to the origin server, which was run by a group calling itself 'electrohippies.'

The e-hippies coalition, based in the U.K., never publicly acknowledged that the attack had been turned back on its own server. But the next day, a notice appeared on the e-hippies site apologizing that people had had problems getting through to it.

To retaliate or not to retaliate? In cyberspace, there is no simple answer.

Conxion, the San Jose hosting service that reversed the attack on the WTO server, recognized that the attack was coming from a single IP address belonging to the e-hippies server. Conxion then configured its filtering software to redirect any packets coming from that address back at the e-hippies Web server.

Conxion was so proud of having given the attackers a dose of their own medicine that it issued a press release about the incident. However, the reaction among IT professionals to the counterstrike was decidedly mixed.

According to industry analysts, most IT professionals will not strike back in cyberspace, for fear of hitting an innocent bystander. But they're not averse to taking some action when they're sure of the perpetrator's identity.

If vendor tools are any indication, fighting back may indeed be gathering acceptance in the IT community. Intrusion detection tools, for example, can be configured to reverse attacks. New reactive tools are also popping up in the marketplace, and freeware attack-reversing tools abound on the Web.

Nevertheless, brace your networks for more distributed attacks, nastier viruses, and more chaos until these issues sort themselves out. Cyber crime is going to get worse before it gets better.


Computer Forensics: Computer Crime Scene Investigation (With CD-ROM) (Networking Series)
ISBN: 1584500182
Year: 2002
Pages: 263
Authors: John R. Vacca
