What could be the largest denial of service (DoS) attack in the history of the Internet struck in the early hours of Saturday, January 25, 2003. A recurrence took place on the evening of Sunday, January 26. The attack was another Microsoft-focused worm that preyed on a known security vulnerability in Microsoft SQL Server 2000 (addressed by the patches in Service Pack 3). The worm spread quickly across the globe, flooding the Internet with traffic, and rendering many sites unreachable. The hardest hit country was South Korea, where the majority of the nation’s fixed-line and mobile Internet users were unable to access Web sites for up to 20 hours. Monitoring firm Matrix NetSystems reported global aggregated Internet packet loss exceeded 20 percent, a marked increase from the normal operating packet loss of less than 1 percent.
The perpetrators of the worm, known as SQL Slammer, Sapphire, and MS SQL worm, launched the attack on a weekend, thus sparing a major business outage. This most recent attack was far less deadly than the mid-2001 Code Red attack that caused more than $2 billion in damages. However, this worm did cause a distributed denial-of-service (DDoS) attack as the infected hosts flooded networks with millions of UDP port 1434 requests. This latest attack is a warning of what will happen if designers do not build security into their networks at a time when ever-growing numbers of corporations are looking to IP and the Internet to solve many business problems.
Deployments of IP-based solutions will still occur, but many organizations will delay implementations until they are sure that security risks are minimized. Security consultants who offer security audits as part of their portfolio will see an increase in sales, while infrastructure vendors with a weak security message will struggle.
- Niche security vendors: In most cases, end-users prefer end-to-end solutions from a single vendor to best-of-breed technology. However, security is one of the exceptions where best-of-breed technology does prevail, because even a small technical advance could make the difference between protection and a security breach. Products from network security vendors such as Arbor Networks, Captus Networks, Mazu Networks, and NetContinuum, which act on recognized anomalies in traffic behavior, become viable components in network security architecture.
- Configuration management vendors: Recovering from a network-wide attack may require network managers to reconfigure every network device. This can be time-consuming and error-prone if done device by device, which is compounded in a multi-vendor network environment. Software from vendors such as Intelliden can reduce the amount of time it takes to reconfigure a network from an all-day process to just a few foolproof mouse clicks.
- Service providers with denial-of-service solutions: Service providers that assume responsibility for actively protecting networks against deviant traffic spikes are well positioned to use DDoS protection as a competitive advantage in negotiating service-level agreements with enterprise accounts.
Poorly positioned vendors
- Market share leaders: Software and hardware from market-leading vendors such as Microsoft, Cisco, and Oracle will continue to be the attack points of choice for hackers because of their ubiquity across company networks and the Internet. Unfortunately for these vendors, this penalty comes with being the market leader.
- Signature-based security vendors: This attack, based on a vulnerability that the industry has known about for months, still proliferated instantly through the Internet. Enterprises are asking why the money they are spending on network and application security does not bring them greater protection. Security vendors need to make their signature-based products easier to configure so enterprises can more effectively block outbreaks of attacks such as the SQL Slammer.
- Stop blaming end users. Vendors typically tell enterprises to apply patches, monitor network traffic 24x7, and respond rapidly to intrusion alerts. In many cases, it took enterprises more than 20 hours to mitigate the attack. Vendors should automate the process of identifying and applying patch updates according to the enterprise’s policy for configuration testing and deployment.
- Security vendors need to deliver solutions that work harder to prevent exploits. Vendors of signature-based technologies and vulnerability assessment tools need to invest in signature updates for published vulnerabilities before hackers exploit them. Network intrusion detection agents need to act on anomalies to maintain a minimal quality of service.
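The UDP port 1434 flood described above is exactly the kind of traffic anomaly that intrusion detection agents need to act on. As an added example (not code from the original article or from any vendor it names), the following Python script reads constructed firewall log lines in an assumed format and flags any host that sends UDP/1434 packets to many distinct destinations within a short window, the behaviour of a Slammer-infected machine spraying random targets.

```python
"""Rate-based anomaly check for Slammer-style UDP/1434 floods.
Added example; the log format and thresholds are assumptions, not a vendor's."""
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (format is assumed, not a real product's).
# Fields: timestamp, protocol, src_ip, dst_ip, dst_port
SAMPLE_LOG = """\
2003-01-25T05:30:00 UDP 10.1.1.5 192.0.2.10 1434
2003-01-25T05:30:00 UDP 10.1.1.5 198.51.100.7 1434
2003-01-25T05:30:01 UDP 10.1.1.5 203.0.113.9 1434
2003-01-25T05:30:01 UDP 10.1.1.5 192.0.2.44 1434
2003-01-25T05:30:01 UDP 10.1.1.5 198.51.100.200 1434
2003-01-25T05:30:02 UDP 10.1.1.5 203.0.113.120 1434
2003-01-25T05:30:00 TCP 10.1.1.8 192.0.2.10 1433
2003-01-25T05:30:02 UDP 10.1.1.8 192.0.2.53 53
"""


def parse_line(line):
    """Split one log line into (timestamp, protocol, src, dst, dst_port)."""
    ts, proto, src, dst, port = line.split()
    return datetime.fromisoformat(ts), proto, src, dst, int(port)


def find_scanners(log_text, window_seconds=10, threshold=5):
    """Return {src_ip: distinct_dst_count} for every source that hit at least
    `threshold` distinct destinations on UDP/1434 within any `window_seconds`
    span.  Slammer picked random target addresses, so one host reaching many
    destinations on that port in a short window is the anomaly worth alerting on."""
    by_src = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, proto, src, dst, port = parse_line(line)
        if proto == "UDP" and port == 1434:
            by_src[src].append((ts, dst))
    flagged = {}
    for src, events in by_src.items():
        events.sort()
        start = 0  # left edge of the sliding time window
        for end in range(len(events)):
            while (events[end][0] - events[start][0]).total_seconds() > window_seconds:
                start += 1
            dsts = {d for _, d in events[start:end + 1]}
            if len(dsts) >= threshold:
                flagged[src] = max(flagged.get(src, 0), len(dsts))
    return flagged


if __name__ == "__main__":
    for host, count in find_scanners(SAMPLE_LOG).items():
        print(f"ALERT {host}: {count} distinct UDP/1434 destinations in window")
```

Normal SQL Server client traffic (TCP/1433 to a handful of servers) never trips the check, while a single spraying host is flagged within seconds of its first packets.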
- The network matters. Of all the components that enable business services (applications, systems, and networks), CIOs often view the network as being the least critical; some describe it as a commodity. The network is every bit as critical as applications and systems, and IT leaders need to treat it as such.
- Make security part of the corporate DNA. Technologies such as IP VPNs and Web services will continue to erode the walls of the enterprise private network. As this migration continues, developers must build security into the design of the network infrastructure. In addition to strong security products, companies also must deploy strong security policies and bridge trade-offs between security recommendations and IT operational responsibilities.
- Deploy configuration management and network control software. Enterprises often do not enforce robust change management and network control policies within the network silo. Advanced configuration management software can reduce the time to reconfigure network equipment across the enterprise by as much as 90 percent.
- Consider multiple vendors as a way to increase uptime. Multi-vendor environments can help protect against vendor-specific attacks. However, multiple vendors also add to the complexity of the environment and create manageability problems. We recommend considering multi-vendor solutions for any mission-critical service directly exposed to the public Internet.
The Yankee Group originally published this article on 29 January 2003.