[ISN] Hack Attacks Become Deadlier: Is There a Defense?

From: InfoSec News (isnat_private)
Date: Fri Nov 30 2001 - 03:28:26 PST


    By Tim McDonald
    NewsFactor Network 
    November 28, 2001 
    The bad news is that denial-of-service (DoS) attacks are becoming more
    numerous on the Internet. Not only are DoS attacks more frequent, they
    are more potent, with the potential to do much greater harm than
    they've done to date. The good news? Right now, according to experts,
    there isn't any.
    DoS attacks overwhelm computers, Web sites and servers with floods of
    bogus data, and hackers are increasingly aiming them at routers,
    according to a recent report by the federally funded Computer
    Emergency Response Team (CERT). Routers are the vital Internet
    components, either special-purpose computers or software packages,
    that connect two or more networks or parts of networks.
    "Essentially routers have trust relationships with each other, and are
    the means by which networks interconnect with each other," Kevin
    Houle, one of the authors of a CERT white paper on the subject, told
    NewsFactor Network.
    "If I can take advantage of that trust relationship to inject bogus
    routes in the routing tables, there's a potential for
    denial-of-service between two or more networks. They can be separated
    from each other."

    Massive Traffic Jam

    Routers do not have monitoring technology -- they spend their time
    looking at the destination addresses of the data packets passing
    through them and determining which route to send them on. Routers are
    the keys to larger networks, and if they are isolated, considerable
    disruption could occur on the Internet.
    "Traditionally, you think of DoS as 'packet flooding,' sending enough
    traffic down a pipe to fill up that pipe," Houle said. "In the case of
    a router-based DoS attack, what we're talking about is the route
    tables for a router being altered."
    A targeted attack that shut down a network router would not bring the
    entire Internet to a halt -- it would be more like a massive rush-hour
    traffic jam on an interstate highway that once flowed smoothly.

    'Autonomous Network Worms'

    The CERT research also found that multiple-source attacks are
    occurring more often and are increasingly aimed at multiple targets.
    "Autonomous network worms" are becoming more popular among the more
    sophisticated, malicious users, whereas once they simply inserted code
    manually via a Trojan Horse into the targeted computer.
    "In the case of the automatic model, the attack code is
    self-contained," Houle said. "In previous worms like ramen, the attack
    code was in an external site. The compromised computer had to go back
    to the attacking host to retrieve a copy of the attack code, install
    it and then execute it. The autonomous model is much more efficient.
    It doesn't have to take as many steps to initiate another attack."
    Also, users cannot employ the traditional packet filters to disable a
    particular site to stop propagation.

    DoS Will Always Be With Us

    Another disturbing aspect of DoS attacks is that security technology
    can only do so much to detect them and protect networks from them. And
    the problem will never be completely eradicated.
    "The problem of denial-of-service is fundamentally ingrained in the
    way that the Internet is built," Houle said. "The Internet is
    comprised of limited, consumable resources. Thus, it's possible to
    consume those resources. That's not likely to change any time in the
    near future."
    The very nature of the Internet that makes it global in reach and so
    wildly popular -- its very openness and interconnectedness -- is what
    makes DoS attacks so dangerous.
    "Security on the Internet is interdependent," Houle said. "In other
    words, I can spend an enormous amount of resources defending my
    systems on the Internet from intrusion, but my exposure to DoS is
    based on the security posture of the rest of the global Internet. Any
    number of systems on the rest of the Internet can be used to launch a
    DoS attack against me and consume the limited resources that I have."

    Quick To Exploit

    The CERT team also found a significant decrease in the time window
    from when a vulnerability is uncovered to the time when it is widely
    "What we're saying is DoS technology is advancing more in terms of
    management and control deployment technologies," Houle said. "The full
    DoS attack itself hasn't changed much -- it's just become more
    There are more than 57,000 computer viruses today, according to
    antivirus software developer McAfee, and more than a hundred new
    viruses are created every day. CERT, a part of Carnegie Mellon
    University, said the number of incidents reported to the center has
    more than tripled since 1999.