Information Security News mailing list archives

'DDoS' Attacks Still Pose Threat to Internet


From: InfoSec News <isn () c4i org>
Date: Wed, 5 Nov 2003 03:17:29 -0600 (CST)

http://www.washingtonpost.com/wp-dyn/articles/A61714-2003Nov4.html

By David McGuire
washingtonpost.com Staff Writer
Tuesday, November 4, 2003; 8:49 AM 

On October 21, 2002, people around the world cruised through 
cyberspace the way they do every day -- bidding on auctions, booking 
airline reservations, sending e-mail -- all the while unaware that 
someone was working overtime to try to bring the Internet to its 
knees.

Around 5 p.m. Eastern time, operators of the Internet's root servers, 
the computers that provide the roadmap for all online traffic, saw an 
unnaturally large spike in the amount of incoming data. It was a 
"distributed denial-of-service attack," a concentrated attempt to 
throw so much information at the servers that they would shut down.

Seven of the 13 servers went down completely, and two were badly 
crippled. In the course of the next frenzied hours, their operators 
tried to repel the attack as Internet users typed and clicked away 
with little idea that anything was wrong. In the end, the Internet 
held firm but nearly everyone who fought off the attack agreed that it 
came closer than ever before to sustaining major damage.

A little more than a year later, experts have been working to improve 
the Internet's defenses but they say a better coordinated attack could 
do even worse damage. The weapons are cheap and simple and plenty of 
people know how to use them, leaving the Internet's caretakers looking 
for new ways to win a lopsided electronic arms race with online 
criminals.

"The people who did it last time were chicken-boners," said Paul 
Vixie, president of the non-profit Internet Software Consortium, which 
operates one of the root servers. "I'm sure that there are still 
serious, well funded cyberwarfare people who would look at what we've 
done and say 'yeah, there's a way that we could nail that'."

DDoS (pronounced "DEE-Doss") attacks are one of the simplest ways to 
cause online havoc but one of the most difficult to defend against. 
Hackers snare "zombie" computers -- usually unprotected home or 
business PCs -- and force them to send bundles of data to their 
targets to try to make them crash.

If a DDoS attack took down all of the root servers -- something 
experts said is unlikely -- Internet communications would slowly 
cease. Because most computers store the information they get from the 
root servers, it would take about three days to feel the full effect 
of the attack.

The code that lets hackers into zombie computers spreads through worms 
and viruses that roam the Internet looking for vulnerable PCs. Getting 
that process started requires almost no investment on the part of the 
attacker.

"Those things are in the hands of any angry teenager with a $300 Linux 
machine," Vixie said.

Computer experts have found that the best way to fend off an attack is 
considerably more expensive -- buy lots of extra bandwidth to handle 
all the data coming their way.

Mountain View, Calif.-based Internet security company VeriSign Inc., 
has spent tens of millions of dollars to secure the two root servers 
it supervises, but Ken Silva, VeriSign's vice president of networks 
and information security, said the company worries that other 
operators don't have the money or resources to follow VeriSign's lead.

Silva said that the servers should be in the hands of entities that 
can afford to operate them securely. In October 2002, "when it was all 
said and done and you looked at who survived ... it was the people who 
made the investment," he said. "It is scary that at the root of the 
Internet a significant number of these root servers are quite frankly 
just run as a hobby. You don't get paid for running a root server."

Other root server operators include the University of Maryland, the 
U.S. Army Research Lab and NASA's Ames Research Center.

The idea that other server operators aren't up to the task has earned 
a chilly reception from other members of the Internet community.

Vint Cerf, chairman of the Internet Corporation for Assigned Names and 
Numbers (ICANN), said that the current model is faring well.

"It is an arms race, but so far we've kept up," Cerf said. "Here it is 
in 2003 -- 20 years into the release of the 'Net -- and you look at 
how far we've come since 1983, you have to have some appreciation for 
the robustness of the system."

ICANN supervises the Internet's addressing system.

Karl Auerbach, an Internet software engineer and former ICANN 
director, said that the server operators have performed admirably.

"All the work that's really been done has been done by the root server 
operators themselves. [VeriSign Chief Executive] Stratton Sclavos has 
been belittling the fact that the operators aren't professional. Well, 
they've been doing a very professional job."

That work -- along with greater coordination among operators -- has 
made the Internet safer, said Steve Crocker, who runs ICANN's Security 
and Stability Advisory Committee. "I think it's unlikely that you'd 
have a long sustained attack that wasn't dealt with," he said.

One of the ways server operators have made the Internet less vulnerable 
to attack is by decentralizing their operations.

The Internet Software Consortium runs the "F" root server in 12 cities 
instead of one. Splitting up the server's location, an idea known as 
"anycasting," helps foil DDoS attacks that try to slam a single target 
with a flood of data, Vixie said.

With anycasting, a DDoS attack targeted at "F" will get shunted off to 
several different computers around the world, lessening its impact.
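The load-spreading effect described above can be made concrete with a small model. The following is an added example written for this archive entry; it is not code from the article, from the Internet Software Consortium, or from any root operator. It assumes a hypothetical ring of 24 network regions, places zombie traffic (constructed figures) in those regions, and routes each region's flood to the nearest instance announcing the server's address, which is what anycast lets BGP do. It also shows the caveat that anycast only helps when the attack sources are spread out: a flood concentrated in one region still lands on a single instance.

```python
"""Toy model of why anycast spreads a DDoS flood across server instances.

Added example, not code from the article or any root server operator.
All regions, packet rates and capacities below are constructed values.
"""
from collections import Counter

REGIONS = 24  # hypothetical network regions laid out on a ring


def ring_distance(a, b, n=REGIONS):
    """Topological distance between two regions on the ring."""
    d = abs(a - b) % n
    return min(d, n - d)


def nearest_instance(source_region, instance_regions):
    """Pick the instance nearest to a source; ties go to the lowest region id,
    a deterministic stand-in for BGP tie-breaking."""
    return min(instance_regions,
               key=lambda r: (ring_distance(source_region, r), r))


def route_flood(sources, instance_regions):
    """Route a flood to the anycast instances.

    sources: {region: packets per second sent by zombies in that region}
    instance_regions: regions where an instance of the server is announced
    Returns {instance region: total pps arriving there}.
    """
    load = Counter()
    for region, pps in sources.items():
        load[nearest_instance(region, instance_regions)] += pps
    return dict(load)


def instances_overwhelmed(load, capacity):
    """Instances receiving more than they can absorb, in region order."""
    return sorted(r for r, pps in load.items() if pps > capacity)


# Constructed sample flood: zombies in every region, with two hot spots.
SAMPLE_FLOOD = {r: 100 for r in range(REGIONS)}
SAMPLE_FLOOD[3] += 500
SAMPLE_FLOOD[15] += 500

# Constructed flood from a single region only (the anycast worst case).
CONCENTRATED_FLOOD = {5: 3400}

CAPACITY = 1500            # hypothetical pps one instance can absorb
UNICAST = [0]              # one location for the server
ANYCAST = list(range(0, REGIONS, 2))  # 12 locations announcing one address


def summarize(sources, instance_regions, capacity=CAPACITY):
    """Return (peak pps on any one instance, list of overwhelmed instances)."""
    load = route_flood(sources, instance_regions)
    return max(load.values()), instances_overwhelmed(load, capacity)


if __name__ == "__main__":
    for label, instances in (("unicast", UNICAST), ("anycast", ANYCAST)):
        peak, down = summarize(SAMPLE_FLOOD, instances)
        print(f"{label:8s} distributed flood: peak {peak} pps, overwhelmed {down}")
    peak, down = summarize(CONCENTRATED_FLOOD, ANYCAST)
    print(f"anycast  concentrated flood: peak {peak} pps, overwhelmed {down}")
```

With the distributed flood the single location absorbs the whole 3400 pps and fails, while the twelve anycast instances see at most 700 pps each. With the concentrated flood the nearest instance still takes all 3400 pps, which is why anycast works against botnets that are scattered across the Internet but is not a substitute for bandwidth at each site.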

It's a simple way to deflect a destructive problem, Vixie said, but 
most root server operators were reluctant to try it until the October 
2002 attack made them realize the stakes of maintaining the status 
quo.

"An attack of a certain volume can be launched this year by someone 
with only half as much intelligence and skill as was necessary last 
year," he said.

Silva said that VeriSign also runs the "J" server this way -- 
splitting its functions between several locations in the United States 
and the Netherlands. Nevertheless, he said, not enough root server 
operators are using the technique.

And the server operators are almost sure to get tested again as worms 
continue seeding computers with instructions to launch DDoS attacks.

"There's a trend in attack tools. First, attacks are invented, then 
they're automated, and when they're automated, any moron with a 
computer can do them," said Bruce Schneier, co-founder of Counterpane 
Internet Security Inc., and author of Beyond Fear: Thinking Sensibly 
About Security in an Uncertain World.

Auerbach, the former ICANN director, said that's not good news for the 
people charged with keeping the Internet running.

"There's a lot of people out there who seem to have nothing better to 
do than take down the infrastructure we have ... Sooner or later it's 
going to happen [again] and it's going to happen with a degree of 
virulence and professionalism that makes prior attacks look wimpy," 
Auerbach said.



-
ISN is currently hosted by Attrition.org
