Security pros dig in for new DoS attacks
Distributed denial-of-service attack -- which by some estimates total more than 4,000 a week -- are likely to get much worse as the perpetrators hone their skills and new weaknesses in popular platforms are discovered and exploited.
As vendors such as Asta Networks and Mazu Networks prepare to launch their anti-DDoS solutions in the coming weeks, attackers across the Internet are fine-tuning their tools and creating sophisticated assaults designed to elude even the best defences.
In addition, those malicious programmers could get a big assist this fall when Microsoft releases Windows XP, which some security experts say provides attackers with a made-to-order launching pad for their DDoS assaults.
The operating system will include support for "raw sockets", a Unix-style function that lets users write raw IP packets and send them to any host they choose.
The functionality also gives users the ability to spoof the IP address of the originating machine, something not possible with out-of-the-box Windows 9x installations. This, combined with the fact that XP will largely be deployed by security-challenged home users, has experts fearing the worst.
"This is a vastly powerful tool for mass destruction," said security expert Steve Gibson, of Gibson Research in California, whose Web site was hit by several DDoS attacks last month. "No home software has any need for [raw sockets]."
However, officials of the software company and some security specialists say that the feature has been in Unix and its open-source descendants for years and that it has always been possible to spoof IP addresses on Windows 9x with plug-ins.
Meanwhile, Asta, of Seattle, this week will release its Vantage System, a distributed network of hardware sensors capable of detecting and responding to all known flood-based DDoS attacks, as well as previously unknown ones. The sensors are hardened appliances that communicate through a central "coordinator" via encrypted channels.
When one of the sensors detects an attack, it automatically forwards the data to the coordinator, which analyses it and presents a detailed picture of the attack to network engineers. The coordinator also notifies the other sensors.
Mazu plans to release its anti-DDoS solution next week. Details were not available. But software can't prevent DDoS attacks, a fact not lost on administrators.
"The best we can hope for is to detect the attack and automate some of the notification and other processes," said Jeff Ogden, associate director for high-performance networking at Merit Network, an American ISP (Internet service provider). "Even if we stop the flood, the hacker is still out there banging on the door. These sophisticated attacks take a fair bit of analysis."
Malicious hackers have also beefed up their repertoire of DDoS attacks to include assaults involving "pulsing zombies" that send waves of traffic instead of steady streams; low-bandwidth attacks that consume less than 100 percent of the victim's bandwidth, thereby eluding alarms; and reflector attacks that bounce traffic off random hosts to mask their point of origin.
The attack that took down Gibson's site last month began as a flood of fragmented User Datagram Protocol and Internet Control Message Protocol packets aimed at his ISP's router. But once the ISP implemented filters to stop the flood, the attack morphed into assaults on the T-1 interfaces of the router and on his firewall.
"These guys are coming up with lots of different kinds of attacks, so there's no one software package that can prevent them all," Gibson said.
And the attacks are only going to get worse, thanks to the growing menu of DDoS tools and attack scripts available on the Internet.
Is your PC safe? Find out in ZDNet UK's Viruses and Hacking News Section.
Have your say instantly, and see what others have said. Click on the TalkBack button and go to the Security forum.
Let the editors know what you think in the Mailroom. And read other letters.