http://www.eweek.com/article2/0,3959,985389,00.asp

By Dennis Fisher
March 31, 2003

Eighteen thousand computers tied together in less than 24 hours; a virtual army of machines, standing ready to do the will of their new master. Think of the possibilities that kind of processing power holds: cracking immense encryption keys or helping to sequence the human genome or even aiding the search for transmissions from extraterrestrials.

But the controller of these zombie machines has a different purpose in mind: a massive DDoS (distributed-denial-of-service) attack, or perhaps several smaller attacks launched against key peering points or backbone routers on the Internet. Downstream ISPs and their end users will be suddenly shut off as technicians and engineers struggle to filter the tidal wave of traffic choking the target machines. Traffic in several segments of the global network will slow to a crawl as the malicious packets keep on coming. It will be several hours before normal service is restored and experts can go about the business of assessing the damage and trying to find out what happened.

What sounds like a doomsday scenario concocted by a marketing executive desperate for sales is, unfortunately, real life. And the harsh reality, experts say, is that it could be far worse than the situation described above.

Vendors are trying to do their part. Security companies such as Arbor Networks Inc. are rolling out applications with sophisticated defensive features designed to detect and throttle DDoS attacks at the service provider so that downstream networks and users never feel the attack's effects. But even with these new defenses, some experts say it will take a sea change in the way end users and administrators think about security to truly solve the DDoS problem.
"There needs to be a fundamental change in the way we educate users on security and the way they use a PC," said George Bakos, a senior security expert at the Institute for Security Technology Studies at Dartmouth College, in Hanover, N.H. "We're going to get spanked over and over again with this. Hopefully, it won't take too many more lessons, but I fear it will."

For several weeks now, experts at government agencies, private security companies and universities have been monitoring several very large networks of machines that have been compromised and loaded with "bots," which are tiny applications that allow remote attackers to control the machines via Internet Relay Chat. Hundreds or thousands of these machines can then be used in concert to launch DDoS attacks.

Bill McCarty, an associate professor of Web and information technology at Azusa Pacific University, in Azusa, Calif., said a Windows 2000 "honey pot" machine that he runs has been added to several bot networks, or botnets, in recent weeks. (A honey pot is a machine connected to the Internet and left defenseless so that security experts can observe hackers' activities or methods.) One of these networks amassed more than 18,000 PCs in about 24 hours.

Meanwhile, officials at the CERT Coordination Center, in Pittsburgh, said they are aware of several large botnets, one of which stood at more than 140,000 machines earlier this month. Unleashing an attack on a single target—especially one such as a small government agency or enterprise—from a network of that size would be devastating. Even the most well-prepared and vigilant security staff would be overwhelmed by that level of malicious traffic.

To help ISPs and telephone companies defend against these attacks, Arbor Networks last week introduced a new version of its Peakflow anti-DDoS software. Peakflow SP integrates many of the techniques that security staffs have developed over the years in fighting DDoS attacks.
Among the new features is support for both black-hole routing and sinkhole routing, two common defensive techniques. Black-hole routing allows the administrator to take all malicious traffic and route it to a null IP address or drop it. Sinkhole routing is similar, except that the traffic is sent to an IP address where it can be examined. Both techniques are often used by administrators at the enterprise level. But they're far more effective when the ISPs employ them, as this prevents the malicious traffic from reaching the customer's network.

Most, if not all, ISPs have some level of DDoS traffic crossing their networks virtually all the time. And while this costs them money in terms of bandwidth and annoys customers, many filtering and routing defenses catch legitimate traffic as well. This puts the service providers in a tight spot.

"It's not that the service providers are a bunch of idiots. It's that they're saddled with this network and a bunch of issues that are directly in conflict with their customers' interests," said Ted Julian, chief strategist at Arbor Networks, based in Waltham, Mass.

But in the end, curtailing or halting DDoS attacks will take a coordinated effort from end users up through the service providers, the security institute's Bakos said.

- ISN is currently hosted by Attrition.org
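The difference between the two routing defenses described above, and the collateral-damage problem the article raises (filters "catch legitimate traffic as well"), can be seen in a small model. The following is an added example, not code from the article or from Arbor Networks' Peakflow: it builds a toy longest-prefix-match routing table, installs either a black-hole route (discard) or a sinkhole route (redirect to an analysis host) for one victim address, and runs a constructed stream of flood and legitimate packets through it. The `Router` and `Packet` classes, the analysis address `SINKHOLE_ADDR`, and all addresses and packet counts are hypothetical and constructed for the example.

```python
"""Toy model of black-hole versus sinkhole routing at an ISP edge.

Added example; not code from the article or from Arbor Networks' Peakflow.
All addresses, hosts and packet counts below are constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass, field
import ipaddress

# Hypothetical analysis host that a sinkhole route points at.
SINKHOLE_ADDR = ipaddress.ip_address("10.255.255.1")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    legit: bool  # ground-truth label; known only because we constructed the stream


@dataclass
class Router:
    # network -> next-hop name (normal forwarding), "blackhole" or "sinkhole"
    routes: dict = field(default_factory=dict)
    sink_log: list = field(default_factory=list)  # packets delivered to the sinkhole

    def add_route(self, prefix, action):
        self.routes[ipaddress.ip_network(prefix)] = action

    def lookup(self, dst):
        """Longest-prefix match, as a real forwarding table does."""
        addr = ipaddress.ip_address(dst)
        matches = [net for net in self.routes if addr in net]
        if not matches:
            return None
        return self.routes[max(matches, key=lambda net: net.prefixlen)]

    def forward(self, pkt):
        action = self.lookup(pkt.dst)
        if action is None or action == "blackhole":
            return "dropped"                      # black hole: discard silently
        if action == "sinkhole":
            self.sink_log.append(pkt)             # sinkhole: keep it for examination
            return f"sinkhole:{SINKHOLE_ADDR}"
        return f"forwarded:{action}"


def constructed_traffic():
    """Six flood packets at one victim host plus four legitimate packets (constructed)."""
    flood = [Packet(f"198.51.100.{i}", "203.0.113.10", legit=False) for i in range(1, 7)]
    legit = [
        Packet("192.0.2.7", "203.0.113.10", legit=True),   # real user of the victim host
        Packet("192.0.2.8", "203.0.113.10", legit=True),
        Packet("192.0.2.9", "203.0.113.20", legit=True),   # other host in the same /24
        Packet("192.0.2.10", "203.0.113.20", legit=True),
    ]
    return flood + legit


def simulate(mode):
    """Run the constructed stream through a router configured in MODE.

    MODE is "none", "blackhole" or "sinkhole". Returns the count of legitimate
    and flood packets per outcome, plus the per-source tally seen at the
    sinkhole (empty unless MODE is "sinkhole").
    """
    router = Router()
    router.add_route("203.0.113.0/24", "customer-edge")  # the customer's normal route
    if mode in ("blackhole", "sinkhole"):
        # A more specific /32 for the victim wins longest-prefix match, so only
        # traffic to that host is diverted; the rest of the /24 is untouched.
        router.add_route("203.0.113.10/32", mode)
    outcomes = Counter()
    for pkt in constructed_traffic():
        result = router.forward(pkt).split(":")[0]
        outcomes[("legit" if pkt.legit else "flood", result)] += 1
    top_sources = Counter(pkt.src for pkt in router.sink_log)
    return {"outcomes": dict(outcomes), "top_sources": top_sources}


if __name__ == "__main__":
    for mode in ("none", "blackhole", "sinkhole"):
        report = simulate(mode)
        print(mode, report["outcomes"])
        if report["top_sources"]:
            print("  top sources seen at sinkhole:", report["top_sources"].most_common(3))
```

Both modes stop the flood, but both also discard or divert the two legitimate packets addressed to the victim host, which is the trade-off the article describes; the sinkhole at least preserves the diverted packets so the per-source tally can guide a narrower filter. On a real Linux router the black-hole route is `ip route add blackhole 203.0.113.10/32`, and on Cisco IOS it is `ip route 203.0.113.10 255.255.255.255 Null0`; a sinkhole is an ordinary route whose next hop is the analysis host.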
This archive was generated by hypermail 2b30 : Thu Apr 03 2003 - 05:34:11 PST