DoS attacks: No remedy in sight

Summary:DoS attacks like the recent one on the CERT Web site are becoming more dangerous and all too common. Security experts agree: The Net is unprepared for handling what could become a DoS catastrophe.

Denial-of-service attacks are becoming more common and, in many cases, more serious, security experts said in the wake of an attack on the Internet's main warning system for security threats.

An unknown attacker last week hit the Computer Emergency Response Team (CERT) Coordination Center, an important agency for passing information on the latest vulnerabilities in computer systems among security experts.

The denial-of-service attack flooded the center's Web site with data requests and made the site--and its crucial security advisories--almost impossible to access for more than 24 hours.

"While there are other agencies out there providing similar services to CERT, what if it had been a more sensitive system or one we had more dependence on?" said Stefan Savage, a professor of computer science at the University of California, San Diego, and co-founder of security company Asta Networks.

For Stefan and other security experts, the CERT attack and a similar series of May attacks of the main White House Web site, Whitehouse.gov, underscore the Net's lack of preparedness for handling what could become a catastrophe.

Thousands of attacks happen each week. Savage co-authored a paper published last week that found that at least 4,000 denial-of-service attacks happen each week.

The potential damage from such attacks rises as increasingly critical services are being put online, Savage said.

"If you disrupt e-business enough, then you do some lasting damage to people's trust in that part of our economy," he said. "There are systems that would have more far-reaching impact. The trading networks for one. Anything that would allow you to disrupt other infrastructure: power grids or medical databases, for example."

The largest problem with denial-of-service attacks is that, for the most part, they can't be traced.

In a typical attack, an online vandal will use a computer to send millions of access requests to a Web server, overloading the target computer. Each request will have a randomly chosen return address, leaving the victim unsure where the actual attack is coming from.

The attacks--which can also take the form of specially formatted data that can crash servers--are almost impossible to stop, unless the victim has enough clout to convince their Internet provider to help track the source.

Just ask Steve Gibson, an independent security consultant known for his free Shields Up service for testing a PC's security across the Web. Since early May, Gibson has been the target of frequent denial-of-service attacks.

While previous ones have been easily stopped with the cooperation of his ISP, on Friday another, more complex, attack took down his Web site. The attack--detailed on his Web site--used the random-source technique to make it seem as if data was coming from all over the Internet.

"There is no defense," he said. "That is what is so important for people to understand."

In a long posting on GRC.com, Gibson described a month of attacks on his site by an allegedly 13-year-old "script kiddie," a term used by security experts for young online vandals.

"I hope it is becoming clear to everyone reading this," he wrote in the posting, "that we can not have a stable Internet economy while 13-year-old children are free to deny arbitrary Internet services with impunity."

The problem is only getting worse.

Earlier in the year, access to many of Microsoft's major Web sites was cut off for more than a day by two denial-of-service attacks. The same week, the FBI's Web site also was bombarded. Last year, the Internet Relay Chat system repeatedly came under attack over a period of more than three months.

Gibson blames a lack of initiative on the part of Internet service providers for many of the problems.

"For three years now, it has been known that we should filter packets on the way out of the network to make sure their addresses are valid," he said. "One of the things that could happen is that major backbone providers should make it a requirement that invalid packets are filtered out."

Companies such as Savage's Asta Networks, and competitors Arbor Networks and Mazu Networks, are attempting to automate the response to such attacks. But such a technique would still require the cooperation of the major Internet service providers to be truly effective.

Until Internet service providers start to police people who send data with improper sourcing, denial-of-service attacks will continue, Gibson said.

Until then? "I'm going to have a long lunch," he said. "There's nothing I can do. Check GRC.com every day or two and maybe we will come back."

Topics: Security, Servers

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.