[ISN] Scared of 'Zombies'? You Should Be

From: InfoSec News (isnat_private)
Date: Thu May 31 2001 - 00:09:51 PDT


    By Alex Salkever 
    Business Week
    May 30, 2001

    It was akin to the fire station burning down. On May 21, Web surfers
    trying to access the site of the Computer Emergency Response Team
    (CERT) Coordination Center at Carnegie Mellon University encountered
    an error message. The reason? CERT had been effectively wiped from the
    Internet by malicious hackers who barraged it with bogus queries for
    information, a technique known as a denial-of-service (DOS) attack.
    Like callers trying to reach a popular radio-station request line and
    getting the busy signal instead, those who attempted to view CERT's
    Web site were rewarded with nothing but error messages. For two days,
    CERT's staff struggled to find the source of the attack and contain
    the problem.

    Unwitting Accomplices

    The attack on CERT is far from an anomaly. The Defense Dept., the
    White House, Yahoo!, Microsoft, and other big-name entities have
    watched helplessly as their sites went down under DOS attacks.
    According to a study released last week by scientists at the
    University of California-San Diego's supercomputing facility, more
    than 4,000 DOS attacks happen each week. The most sophisticated and
    serious last for days as dozens, hundreds, even thousands, of hijacked
    "zombie" computers pour forth an unceasing barrage of Web-page
    requests, all unbeknownst to the machines' owners.

    But the situation with CERT underscores how vulnerable to DOS attacks
    computer networks really are. The federally funded center is one of
    the key organizations sending out warnings to tech companies about
    computer-related security hazards. Each day, thousands of systems
    administrators check CERT's site to see what new security flaws have
    cropped up. And CERT staffers perform and coordinate analysis of a
    wide array of pending and public Internet system vulnerabilities.
    What's more, CERT's staff comprises some of the most security-savvy
    people in the country. Yet they were virtually helpless in the face of
    an attack that could have been launched from virtually anywhere on the

    As more and more critical functions, from international phone traffic
    to early-warning systems, go onto the Internet or networked systems,
    the potential damage from a DOS attack rises -- from lost business at
    Yahoo! to communications blackouts between government entities, even
    between countries.

    How could this happen? Although the attack on CERT keyed on the unique
    Internet address -- also called the Internet protocol address -- of
    that organization's Web server, all devices that are nodes on the
    Internet have such a number.

    Unrecognized Hazards

    That means the backbone routers used to direct massive amounts of data
    traffic through phone companies and Internet service providers (ISPs)
    each have an individual IP address, which makes them potential
    casualties for DOS attacks. Something similar happened on May 24, when
    routers for the Weather Channel's Weather.com were hit with a DOS
    attack that slowed traffic and impeded access for almost eight hours.
    Those routers were hosted by Exodus Communications, one of the largest
    hosting companies in the business.

    Microsoft, too, was hit by a router DOS attack earlier this year, an
    assault launched after hackers figured out the IP address of one of
    the main Microsoft routers and then bombed it with data packets.
    Because a number of Microsoft sites, including MSN.com, Hotmail, and
    Expedia, relied on that router for access, the entire Microsoft
    Network of sites was affected for days.

    These scenarios are relatively mild compared to what could happen if
    sophisticated hackers ever figure out the IP address of a backbone
    router for AT&T's transoceanic traffic. That would affect not only
    data but voice traffic as well. "A lot of people don't realize it, but
    they are routing a lot of their voice traffic over those lines,"
    explains Ted Julian, the chief strategist for Arbor Networks, which
    makes equipment to fend off DOS attacks. According to Julian, special
    equipment and software can filter and foil most nuisance hacks.

    Identifying the Threat

    For more sophisticated attacks -- the ones where hackers take control
    of larger clusters of machines and generate random IP addresses with
    no discernible pattern -- Arbor can only try to isolate which of the
    main Internet connection points feeding into a network is carrying
    most of the DOS traffic, then cut off the data. The downside? "We
    would end up screening out some legitimate traffic," admits Julian.

    Over time, as systems such as Arbor's become more widely deployed,
    controlling DOS attacks should become easier. Ideally, the key
    operators of Internet infrastructure and the backbone data pipes will
    share information about what's happening on their networks through a
    woven mesh of DOS-prevention systems. That information could allow
    them to spot attacks more quickly.

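    The ingress-link triage Julian describes, as an added example that is not code from the article or from Arbor Networks: it aggregates constructed flow records per upstream link, flags the link whose rate toward the victim bursts far above its baseline even though the sources never repeat, and quantifies the legitimate traffic that filtering that link would discard. The link labels, addresses, baselines and the five-times burst threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample: (ingress link, source IP, destination IP, packets/sec).
# Link "isp-a" carries a flood from hundreds of never-repeating sources aimed
# at the victim; "isp-b" and "isp-c" carry ordinary traffic. All values are made up.
FLOWS = (
    [("isp-a", f"10.{i // 256}.{i % 256}.7", "192.0.2.10", 40) for i in range(300)]
    + [("isp-a", "198.51.100.5", "192.0.2.10", 30)]   # a real customer sharing the flooded link
    + [("isp-b", "198.51.100.9", "192.0.2.10", 25), ("isp-b", "198.51.100.12", "192.0.2.10", 20)]
    + [("isp-c", "203.0.113.4", "192.0.2.10", 15)]
)
BASELINE_PPS = {"isp-a": 100, "isp-b": 60, "isp-c": 40}  # assumed normal per-link rates to the victim

def per_link_stats(flows, victim):
    """Packet rate and distinct-source count per ingress link for traffic to the victim."""
    rate = defaultdict(int)
    sources = defaultdict(set)
    for link, src, dst, pps in flows:
        if dst == victim:
            rate[link] += pps
            sources[link].add(src)
    return {link: (rate[link], len(sources[link])) for link in rate}

def pick_link_to_filter(stats, baseline, burst_factor=5):
    """Return the link whose rate most exceeds burst_factor times its baseline, or None.

    A burst spread over hundreds of distinct sources is the 'random IP' pattern the
    article describes: no per-source block list can keep up, so the ingress link
    itself is the only filtering point left, at the cost of the flows sharing it.
    """
    worst, worst_ratio = None, burst_factor
    for link, (rate, _distinct_sources) in stats.items():
        ratio = rate / baseline[link]
        if ratio > worst_ratio:
            worst, worst_ratio = link, ratio
    return worst

def collateral_pps(flows, link, victim, legit_sources):
    """Legitimate packet rate discarded by filtering `link`; legit_sources is ground
    truth known only in this constructed sample and is used just to size the trade-off."""
    return sum(pps for l, src, dst, pps in flows
               if l == link and dst == victim and src in legit_sources)

if __name__ == "__main__":
    stats = per_link_stats(FLOWS, "192.0.2.10")
    link = pick_link_to_filter(stats, BASELINE_PPS)
    print(stats, link, collateral_pps(FLOWS, link, "192.0.2.10", {"198.51.100.5"}))
```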
    Increased cooperation is far more promising than the current approach,
    where network engineers for a single company, or a host, pore over
    reams of logged events to determine how the DOS happened and where it
    originated. A widespread approach would also allow network operators
    to more easily spot the origin of big bursts of traffic that mark a
    DOS attack. This capability would help alleviate the problem of
    sophisticated hackers generating random IP addresses that elude

    Behaviour Modification

    Equally important is getting computer users -- especially those
    individuals and institutions with broadband connections -- to lock
    down their computers. Left insecure, the machines can be turned into
    zombies. "A large number of vulnerable systems can easily be marshaled
    by an attacker to create large networks. Anyone who owns a computer
    needs to understand that," stresses Dave Dittrich, a network engineer
    and security expert at the University of Washington who maintains a
    Web site on DOS techniques. For now, Dittrich warns companies to
    maintain redundant connection points and prepare their contingency
    plans. (He recommends the CERT Distributed Intruder Tools Workshop
    final report.)

    The upshot of all this? Just as Visa is making it mandatory for any
    merchant processing credit cards online to encrypt their databases and
    use firewalls, ISPs and telcos should insist that those who buy data
    connectivity become part of the DOS detection-and-prevention network.
    This could create some thorny privacy issues: Any device watching
    packets of data traveling over a network comes perilously close to an
    electronic wiretap.

    Considering that the Internet is rapidly becoming the most essential
    communications tool in the world, securing it against DOS attacks
    through cooperation will benefit anyone who's connected -- and quite
    possibly save billions of dollars in economic damages. It may even
    save lives one day.