Web attacks? The ISPs strike back!

The battle for an attack-proof Web rages on
Written by ZDNet Staff, Contributor

Eight Internet service providers (ISPs) have teamed up with Internet security firm ICSA.net to prevent more Denial of Service attacks like the ones that downed several major Web sites earlier this month.

The nine founding members of the Alliance for Internet Security (AIS) promise to adopt security measures that will not only make it difficult to attack their computers but, more importantly, prevent their systems from being used in an attack against others.

"The members of the alliance are coming forward to be part of the solution and demonstrate their commitment to the right thing on behalf of all of the Internet," said Peter Tippett, AIS chairman, in a statement. "The first step for each of us is to clean up our own backyards, ensuring that our systems cannot be used as attack agents."

Starting on 7 February with Yahoo!, a series of attacks slowed or, in many cases, downed major Web sites when unknown attackers targeted their servers with a deluge of meaningless data and spurious access requests.

By week's end, eBay, E*Trade, Buy.com, ZDNet, CNN, Amazon.com, Microsoft Network and Excite joined Yahoo! as victims of what are known as distributed Denial of Service attacks.

The lesson for ISPs? Individuals and businesses on the Internet must not only protect their own computers from attack, but also make sure that their systems aren't being used to attack others. Each member company must pledge to secure its own internal systems, add filtering technology to prevent "spoofing" (forging the source address of a piece of data), and provide support for others to do the same.

Founding members include Cable One, Cable & Wireless, Digex, Global Crossing and its US subsidiary Global Center, GTE Internetworking, Level(3), Road Runner and Sprint. "All Internet users should assure that their own network is in order, and that their ISP is doing the appropriate filtering on behalf of everyone," said Harris Schwartz, director of security for Time Warner's high-speed ISP, Road Runner.

Broadband providers offering individuals and small businesses fast connections are quickly becoming a stomping ground for Web vandals looking for easy targets. Most users of such services know little of how to secure their computers -- and as many as 10 percent of these systems are completely open to anyone on the network.

Educating such users about their role in making the Internet secure should be a top priority, said Stephen E Cross, director of Carnegie Mellon University's Software Engineering Institute, when he spoke on Wednesday before the Congressional Joint Economic Committee. "Support programs that provide early training in security practices and appropriate use... should be integrated into general education about computing," Cross said.

Yet, for the most part, the AIS will continue to overlook users and instead focus on businesses. "This is about companies that are Internet-connected companies," said Laurie Wagner, senior vice president of business development for ICSA.net.

Wagner pointed out that the alliance first needs to concentrate on the 5,000 or so small ISPs that may not know much about security. For now, users are on their own, she said. "ISPs are not being paid to be security consultants for their users."
