Denial Of Service Attacks: Still Network Security's Biggest Threat

Five years ago, network security experts gathered at a NetWorld+Interop conference and issued a dire warning: devastating Denial of Service attacks loom, they said, and they could not have been more prescient. Their call to action wasn't all hype, hyperbole, or overreaction. Today, DoS and Distributed Denial of Service (DDoS) attacks against Web sites of all sizes are common. Some pack alarming consequences, not to mention generally nasty surprises resulting in jaw-grinding headaches for site administrators.

Formed in response to the initial outbreak of high-profile companies whose networks were knocked offline by extremely high volumes of traffic, the industry consortium, known as RFC2267 DDoS Working Group, was charged with finding methods to halt the attacks. Way back then, attackers temporarily had crippled such e-commerce giants as Yahoo, eBay, Amazon, CNN, eTrade and Microsoft. Policy groups, such as the one at N+I Atlanta 2000, urged cooperation and information sharing among user groups and law enforcement. Then attention to DDoS faded about the same time real-world terrorism made cyberterrorists seem docile and flaccid by comparison.

But rather than subside over time, DDoS attacks and the attackers who orchestrate them have stayed one step ahead of security professionals who have been forced to deploy increasingly sophisticated and costly defensive measures. Network operators are struggling now more than ever to contain globally distributed DoS attacks, according network security provider Arbor Networks' September 2005 Global ISP Security Report.

"More than five years after the initial flurry of network attacks, and the news articles and research papers that followed, DDoS remains the number one concern for large IP network operators," the Arbor Networks report said. "Sixty-four percent of the survey participants said, 'DDoS is the most significant operational security issue we face today.'"

There are different types of denial of service attacks, but a simple way to understand them is by using a telephone analogy. If hundreds of people dialed the same telephone number repeatedly, the result would a continuous busy signal, which would 'deny service' to legitimate callers by keeping the line unavailable. It could also result in the loss of revenue for an e-commerce site or damage to reputation or credibility, for example, for a news and information site.DoS attacks work by flooding a network with large volumes of traffic. Some attacks send packets crafted to crash servers or services. That can be done by sending a large number of SYN or PING packets. Distributed DoS attacks launch from multiple sources, often from unsuspecting host or "zombie" machines on which the attacker has downloaded tools. Zombies are usually dormant until the attacker, often known as zombie's master, orders them to run an attack against a specific target.

"Compromised hosts--commonly referred to as zombies or bots--are everywhere," Arbor Networks said. "All respondents reported attacks involving thousands of compromised hosts, and that zombie networks or botnets, are employed in well over half of all DDoS events."

Motivations for DDoS attacks run the gamut, but highest on the network security providers' list of best hunches were "cyber terrorism/warfare, corporate espionage, disputes between adolescents on gaming sites, and cyber protests." Recent news events shed further light on the range of motivations, and some evidence suggests a purely capitalistic motive. Last week, for example, federal authorities arrested a California man and charged him with accumulating a botnet of more than 400,000 machines. He allegedly rented out some of his zombie network, including some purloined machines owned by the Department of Defense, or used them himself to win cash in fees from adware vendors.

In an infamous case, the SCO Group Inc., which had been the target of vitriolic criticism by open-source groups over the company's legal challenge of Linux, was struck by a large-scale DDoS attack in 2003. The attack knocked off SCO's e-mail system, corporate intranet, and customer support operations, according to reports.

Five years ago, the perpetrators of DDoS attacks went after big-name e-commerce or media brands such as Microsoft and CNN.com. There are indications now that much smaller voices on the Internet are also victims. Last month, mediachannel.org, a site that is highly critical of the big-name, mainstream media, had its servers repeatedly crashed by a DoS attack. "Someone is having fun at our expense, bringing our site and blogs down with powerful denial of service attacks" wrote Mediachannel director Danny Schechter in his Oct. 13 newsletter. "We are not laughing because it is diverting time and some of our meager resources to fight this. We are reaching out for help, and have spoken to a number of people with suggestions--but we have not found a solution. Someone, cloaked in anonymity is mounting these sneak attacks against our freedom of speech and desire to serve the growing community of Mediachannel readers and users. At first, we dismissed this as a prank. We don't any longer. But who can we turn to?"

Indeed, DDoS purveyors have also deployed to target political free speech on the Internet. Individual bloggers have had their sites targeted.

DDoS attacks have proliferated, in part, because the attackers know they can act with virtual impunity. Despite advances in network forensics, law enforcement and prosecution rarely play a role in responses to most DDoS instances. The Arbor Report said providers reported that they referred only 2 percent of actionable attacks to legal authorities during the last year. "There is a clear indication that an entire miscreant economy is evolving around DoS activity," the report said."After years of speculation about increasingly complex network attacks, the greatest threat still comes from relatively unsophisticated, brute-force DDoS attacks--the type of attack an unsophisticated "script kiddie" can launch with tools commonly found on the Internet."

There are no short-term solutions to eliminate DDoS attacks, says a DDoS white paper on the CERT Coordination Center of Carnegie Mellon's Software Engineering Institute. "Today's best practices involve making computers and networks more resilient in the face of an attack. We call this survivability," the paper says, emphasis not added.

That's just dandy. Five years or more into this fight against unseen predator hackers and the best we can come up with is some Cold War lingo about who will be left standing after bombs drop.

Stuart Glascock is news editor of TechWeb.

TechWeb's editors are busy assigning and editing and linking and otherwise creating the content you see on TechWeb.com and the Pipeline sites, but we wanted the chance to tell you what we see and what we think about it directly. So, each week, The TechWeb Spin will bring you the informed insight and unique perspective of a different TechWeb editor: Fredric Paul, Scot Finnie, Tim Moran, Stuart Glascock, Alexander Wolfe, Val Potter and Cora Nucci. We hope you like it, and even if you don't we hope you take the time to tell us what you think about it.Check out The TechWeb Spin Archive.