Outage shows network insecurity

The DDoS attack on Microsoft signals the things to come--it was first such attacks to aim directly at router instead of server. The attacks will get more sophisticated and while risks can be minimize, there is no real antidote.

P>The recent denial-of-service attack on Microsoft represents a new level of threat on the Internet and illustrates how security is now an issue that extends beyond a corporation's boundaries into territory it doesn't directly control.

Security experts say site managers and enterprise e-commerce managers can take many steps to ward off or minimize the effects of these attacks. But to choke them off at the source and then identify the perpetrators "would take a level of cooperation among Internet service providers [ISPs] that doesn't exist today," says Gorka Sadowski, director of emerging technology at firewall maker NetScreen Technologies.

Indeed, the loosely administered and open nature of the Internet practically guarantees attacks will continue and perhaps move beyond the disruptive denial-of-service attack of the sort launched upon Microsoft. Denial-of-service attacks, which bombard a target with hundreds of thousands or millions of false messages, disrupt Web site operations or cause delays in customer access. Worse may be yet to come.

"What causes me to lose sleep," Sadowski says, "is the thought that someone has penetrated my systems without leaving a trace. He knows my system and, after six months of observation, he's started relieving six-figure accounts of small amounts of money."

The attack on Microsoft was more blatant than that, but the way it was executed may hint at things to come. The stage was set on Jan. 24, when a Microsoft technician made a mistake while updating the company's Domain Name System (DNS) servers. Because of the mistake, traffic could not be sent to the proper sites at Microsoft.com and the MSN properties. MSNBC.com, MSN.com, Expedia.com, HotPoint.com and Hotmail.com went down as far as users were concerned. After 22.5 hours of outages, Microsoft technicians were able to bring the sites back online, only to see them go down again for four hours, as the result of a denial-of-service attack.

Instead of attacking a Web server or group of servers, this denial-of-service attack identified and then brought down a set of routers controlling traffic to the DNS servers for all the Microsoft sites. Usually servers are the targets of such attacks. "This was the first dramatic example of a router being the target," says Ted Julian, chief strategist at Arbor Networks, a security firm launched Feb. 5.

Indeed, as attacks move back from Web servers and mail servers toward the base of the network - toward such devices as bridges, switches and routers - they become more serious because more of the network is disrupted, Julian says.

Microsoft representatives concede their network design for the DNS servers was faulty, because the routers running traffic to the domain name servers were on one network segment and were inadequately protected by "third-party software products," says Rick Devenuti, vice president and chief information officer at Microsoft. Except for being directed at routers, the attack was a typical denial-of-service maneuver. "Someone attempted to block legitimate access to our Web properties by flooding our network routers with large volumes of bogus requests," Devenuti says.

But outside security analysts say that, for the attack to succeed, the attacker "must have done some reconnaissance" to identify the correct network segment and routers. Then the attacker likely had to activate dozens or hundreds of infiltrated computers on the Internet with a command to start sending repetitive, bogus messages to the routers in an attempt to flood their capacity. The computers infiltrated with a sleeping agent by hackers are known as zombies, because they play no role in hacking until woken up by a remote command.

Such an attack is termed a distributed denial-of-service attack because the messages are sent simultaneously from many machines and from multiple ISP domains. The messages sent by the zombies have borrowed, or "spoofed," addresses so the target can't trace the attack back to the machines launching it, says Michael Warfield, senior researcher for the malicious code team, X-Force, at Internet Security Systems, a security firm.

All of this would have been unlikely to happen if Microsoft hadn't inadvertently signaled to the world that it was vulnerable to attack. When the Microsoft technician fouled up the DNS routing tables, all the Microsoft sites disappeared together. "A lot of people became aware that all of Microsoft's domain name servers were sitting on the same network segment," he says. To the hacking mentality, the routers handling that traffic became "a big, juicy target," Warfield says.

As a result of the attacks, Microsoft signed a deal with Akamai Technologies for backup services to fortify the company against future attacks.

By distributing its DNS servers over different network segments, Microsoft could prevent another such attack from succeeding at the same magnitude, Warfield says. But preventing another attack altogether is a different matter.

Firewalls can be configured to recognize the signature of a denial-of-service attack and can identify the range of addresses that need to be blocked or slowed down to make such an attack ineffective, says NetScreen's Sadowski.

But "there's no antidote," Warfield adds. To prevent future attacks, the perpetrator must understand he will be pursued and probably apprehended. Because of address spoofing and the use of distributed zombies, it is extremely difficult for a company like Microsoft to unravel the attacker's trail across multiple ISPs and Web servers to corner him.

"The only place to counter a denial-of-service attack is close to point of origin," Warfield says. To do that, ISPs would have to be watching their servers and routers, lest they forward an attack. But security experts agree few ISPs are doing that.

"Most ISPs worry about attacks coming in, not those launched from their environment," Sadowski says, noting that to also worry about the launch site would require unprecedented levels of cooperation among ISPs.

One ISP would have to call another and demand that routers forwarding the attack be reconfigured to screen it out. "Imagine one ISP calling another and saying, 'Kill that segment of your network with 20 routers because one of our customers is experiencing a denial-of-service attack.' The voice on the other end of the line would say, 'Who are you again?' " Sadowski says.

In addition, ISPs are in a cost-conscious, competitive business, trying to squeeze as many customers as possible onto their existing systems. Watching for denial-of-service attacks would take additional memory and computing power, while ISPs are typically "running the cheapest possible equipment as close to the wire as they can get," Warfield says.

If ISPs became liable for forwarded attacks, that would change how they viewed making the investment in preventing them. But courts in the U.S. have made clear they will not hold them liable, Sadowski says.

Meanwhile, security experts foresee more sophisticated attacks. Today, ISPs use trusted relationships in peering arrangements in which they update one another's routing tables in order to handle mutual traffic. A clever hacker could play havoc with an operation by infiltrating those relationships somewhere on the Net, Arbor's Julian says.