[ISN] Mydoom lesson: Take proactive steps to prevent DDoS attacks

From: InfoSec News (isn@private)
Date: Mon Feb 09 2004 - 01:37:30 PST

  • Next message: InfoSec News: "[ISN] Nature of the internet makes cybercriminals hard to catch"

    http://www.computerworld.com/securitytopics/security/story/0,10801,89932,00.html
    
    By Jaikumar Vijayan 
    FEBRUARY 06, 2004 
    COMPUTERWORLD
    
    Dealing with a distributed denial-of-service attack such as the one
    that took down The SCO Group Inc.'s Web site this week continues to be
    a major challenge for companies, security experts said.
    
    But several options are available to at least help alleviate the pain
    for those that become targets.
    
    A DDoS attack typically involves thousands of compromised "zombie"  
    systems sending torrents of useless data or requests for data to
    targeted servers or networks.
    
    The SCO attack, for instance, was launched using systems that had
    previously been infected by the Mydoom virus (see story). The virus
    contained code that instructed thousands of infected computers to
    access SCO's Web site at the same time, rendering it inaccessible to
    legitimate users.
    
    Stopping the flood of traffic can be very difficult because it's
    coming from so many sources, said Bruce Schneier, president of
    Counterpane Internet Security Inc. in Mountain View, Calif.
    
    "From a philosophical perspective, if the attacker's pipe is bigger
    than the defender's pipe, the attacker can always knock out the
    defender," said Schneier.
    
    There are several approaches companies can take to prepare for attacks
    such as this, said Paul Mockapetris, inventor of the Internet's core
    Domain Name System and chairman of IP address management vendor
    Nominum Inc. in Redwood City, Calif. One is to set aside extra network
    bandwidth and server processing capacity to withstand sudden surges in
    traffic, he said. Another is to "retreat from your domain name" and
    essentially park your Web site at another address while the attack
    plays out.
    
    Geographically distributing Web servers is another approach worth
    considering, Schneier said. That way, even if one server or network
    segment is taken down by an attack, normal traffic can be redirected
    to other servers.
    
    But putting in place extra server processing capacity to handle DDoS
    attacks can be expensive and is likely to make sense only for larger
    companies, Mockapetris said. "There's a bit of a digital divide when
    it comes to the ability of companies to defend themselves against
    these attacks," he said.
    
    "The long-term answer to DDoS protection has to be in the [service
    provider] networks and backbones," said John Pescatore, an analyst at
    Stamford, Conn.-based Gartner Inc. That's because upstream service
    providers are in a better position to detect and choke off traffic
    directed at a specific IP address, said Schneier.
    
    As a result, it's a good idea to require service providers to offer
    some sort of guarantee against DDoS attacks, said Schneier. Gartner
    has in fact been advocating this for more than two years, urging users
    to include DDoS protection language in their service-level agreements
    with Internet service providers and data center hosting companies.
    
    But less than 1% of companies overall are buying such services,
    Pescatore said. "Most enterprises say, 'It isn't raining, so the roof
    isn't leaking. Why fix it?' " he said.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomo@private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Mon Feb 09 2004 - 04:12:55 PST