DDoS attacks - one year later

Still no strong defences deployed against DDoS attacks

Even the Internet has a sense of fate.

At 9.15am on 7 February, 2000, AT&T researcher Steve Bellovin walked up to the podium at the North American Network Operators' Group and started a talk. His topic: how a relatively unknown type of Internet attack couldn't be stopped by current technology.

Less than an hour later, Yahoo! -- the number two Web property on the Internet -- seemingly dropped off the Internet, as the company's servers were targeted with the very attack that Bellovin had warned about.

A year later, the network security researcher said major e-commerce and information sites worldwide remain vulnerable because "there are [still] no strong defences deployed".

The so-called distributed denial-of-service (DDoS) attack that knocked out Yahoo! used a host of hacked servers -- dubbed "slaves" or "zombies" -- to inundate a Web site or Internet-connected server with data, overwhelming it so that it could no longer respond to Web page requests or other access attempts. The attack could not be easily pinpointed, as data seemingly came from 50 or more points across the Internet. A simple denial-of-service (DoS) attack comes from a single source, though attackers can forge addresses so that the data appears to come from many.

Two days later, eBay, Amazon.com, Buy.com, ZDNet, CNN.com, ETrade and MSN joined Yahoo!, dropping off the Web for hours at a time. The attacks affected other sites as well. Overall, Internet traffic slowed by as much as 26 percent, according to Net performance watcher Keynote Systems.

While repeated attacks have increased awareness of the problem, and technologies for dealing with a DoS attack are seemingly on their way, last year's messes are only the tip of the iceberg, said Tom Anderson, cofounder and chief technology officer of Asta Networks, one of three companies that have popped up in the last year to offer remedies for DoS attacks and other Internet threats.

"The attacks have become more sophisticated. We have seen a little bit more of the iceberg, but there is a lot more to come," he said.

Two weeks ago, Microsoft became the latest proof when it suffered a router glitch and two DoS attacks that left access to the company's Web properties spotty at best.

The outage followed attacks on worldwide Internet Relay Chat, or IRC, servers that collapsed parts of the service for hours at a time.

And the problem is not going away. At least one tester of anti-DoS technology -- a major Internet provider -- has estimated that anywhere from 5 to 10 percent of the traffic on its networks is, in reality, data sent by vandals intent on a DoS attack.

"The attacks have gone from just Web servers to enterprises and infrastructure," said Anderson. "We cannot become more complacent."

Several groups are attempting to work together to fight denial-of-service attacks.

The Internet Engineering Task Force has started working on a technology to trace back the origin of a piece of data to its source. So-called ICMP Traceback Messages, or itrace, could turn DoS attackers from anonymous vandals into easily tracked criminals.

Other groups are forming to share information about attacks, to be better prepared to defend against them.

The Information Technology Association of America, with 19 other major technology companies, has formed the Information Technology Information Sharing and Analysis Centre, or IT-ISAC. The centre hopes that by sharing attack data, members will be better prepared for future DoS attacks -- among other Internet threats -- and able to track attacks to the source.

Such tracking is very difficult today because the tools used by the vandals who launch such attacks can forge the source address of the data they send, making it appear to come from somewhere other than its real origin. Called "IP spoofing", the technique means that pinpointing the attacker requires the cooperation of every network operator whose routers carried the data.
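To make the two points above concrete (why ICMP traceback is not fooled by a forged source address, and why it needs every operator on the path to take part), here is an added Python simulation. It is not the IETF draft's code or any vendor's product: the three-hop path, the router names, the sampling probability, the message fields and the fixed random seed are all assumptions constructed for this example, and the real protocol samples far more sparsely than this. Each router reports the link a packet actually arrived on, never looking at the claimed source; the victim chains those reports hop by hop until it reaches a router whose operator sends nothing.

```python
"""
Simplified model of IETF ICMP Traceback (itrace) against a spoofed flood.

Added example, not the draft's or any product's code. Assumptions not in
the article: the three-hop path, router names, sampling rate, message
fields and RNG seed are all constructed here. Real itrace messages are
ICMP packets carrying link identifiers and a copy of the sampled packet;
here a router is an object and a message is a dict.
"""
import random
from dataclasses import dataclass

VICTIM = "203.0.113.10"          # constructed (TEST-NET-3)
ATTACKER_EDGE = "attacker-net"   # constructed name for the origin network
SAMPLE_P = 1 / 2000              # assumed; the real protocol samples far less


@dataclass(frozen=True)
class Packet:
    src: str   # claimed source address; a spoofed flood forges this field
    dst: str
    seq: int


class Collector:
    """The victim host: absorbs the flood and keeps every traceback message."""

    def __init__(self, name):
        self.name = name
        self.flood = 0
        self.traces = []

    def receive(self, pkt, prev_hop):
        self.flood += 1

    def deliver_trace(self, msg):
        self.traces.append(msg)


class Router:
    def __init__(self, name, next_hop, collector, rng, cooperates=True):
        self.name = name
        self.next_hop = next_hop        # Router or Collector
        self.collector = collector
        self.rng = rng
        self.cooperates = cooperates    # False: this operator runs no itrace

    def receive(self, pkt, prev_hop):
        # Sample a tiny fraction of forwarded packets and tell the
        # destination which link the packet really arrived on. The
        # decision never reads pkt.src, so a forged source does not help.
        if self.cooperates and self.rng.random() < SAMPLE_P:
            self.collector.deliver_trace({
                "router": self.name,
                "prev": prev_hop,
                "next": self.next_hop.name,
                "sample": pkt,
            })
        self.next_hop.receive(pkt, self.name)


def reconstruct(collector):
    """Walk the traceback messages from the victim towards the origin.

    Returns (path, endpoint): path lists cooperating routers, nearest the
    victim first; endpoint is the last hop any of them named. The victim
    cannot tell whether endpoint is the true origin or just a router whose
    operator sent no messages, which is exactly the cooperation problem.
    """
    prev_of = {}
    first = None
    for m in collector.traces:
        prev_of[m["router"]] = m["prev"]
        if m["next"] == collector.name:
            first = m["router"]
    path = []
    cur = first
    while cur in prev_of:
        path.append(cur)
        cur = prev_of[cur]
    return path, cur


def spoofed_flood(rng, count):
    """Constructed attack traffic: every packet carries a random source."""
    for seq in range(count):
        yield Packet(src=f"198.51.100.{rng.randrange(256)}", dst=VICTIM, seq=seq)


def simulate(silent=(), packets=40_000, seed=7):
    """Send a spoofed flood along isp-a -> ix -> isp-c to the victim.

    silent names routers whose operators emit no traceback messages.
    """
    rng = random.Random(seed)
    victim = Collector(VICTIM)
    r3 = Router("isp-c-r3", victim, victim, rng, "isp-c-r3" not in silent)
    r2 = Router("ix-r2", r3, victim, rng, "ix-r2" not in silent)
    r1 = Router("isp-a-r1", r2, victim, rng, "isp-a-r1" not in silent)
    for pkt in spoofed_flood(rng, packets):
        r1.receive(pkt, ATTACKER_EDGE)
    return victim, reconstruct(victim)


if __name__ == "__main__":
    victim, (path, endpoint) = simulate()
    print("all operators cooperate:", path, "->", endpoint)
    victim, (path, endpoint) = simulate(silent={"isp-a-r1"})
    print("isp-a silent:          ", path, "->", endpoint)
```

With every operator participating the trace runs all the way back to the attacker's network even though no two sampled packets carry the same source address. Silence one router and the chain stops at that router's name: the victim has learned which operator to call, but nothing about where the traffic entered that operator's network.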

Without such cooperation, an attacker may be difficult to find, but stopping the attack is possible, said Phil London, chief executive of Mazu Networks, another start-up that believes it can prevent DoS attacks.

"The Holy Grail is to have an ubiquitous deployment all throughout the Internet," he said. "But we don't believe that is completely necessary to provide [DoS prevention] services to our customers."

London and his competitors -- Asta Networks and the newly announced Arbor Networks -- believe their customers are more interested in keeping their connection to the Internet up and working than in prosecuting an attacker.

Ted Julian, chief technology officer of Arbor Networks, agrees. "Customers' first priority is to make these things go away. They just want to keep on doing business."

While that's true, others believe the problem won't be solved without Internet-wide cooperation.

"I think the only solution is to trace things back and turn them off, and that requires a lot of cooperation," said the manager of research and development for network security firm @Stake, who would only use his old-school hacker handle "Weld Pond".

"Any technology like these has to be widely deployed," he added. "It has got to be a community effort."

DoS attacks seem to -- and in some cases actually do -- come from dozens or hundreds of locations at the same time. Without the cooperation of the Internet service providers along the path, tracing the attacks back is impossible.

Cooperation becomes critical because the Internet is still growing rapidly, and more, rather than fewer, mistakes are being made, said Weld Pond.

"There are more and more machines out there," he said. "And to me, that means more and more vulnerable machines. The attacks on Microsoft have shown that these people are more than willing and more than able."

Until companies act together to make the Internet more reliable, business on the Net remains a waiting game.
