News

Nothing But Net/Mark McFadden: DoS Attacks: What Have We Learned?

• By Scott Bekker
• March 03, 2000

First, the attacks came as a big surprise to many, including those in government, the media, and perhaps in your own organization. But it should have been no surprise. Next, the attack itself reached almost mythic proportions: "The End Of The Internet As We Know It," and similar bunk. But in fact, the tools used in the attack are simple and well understood.

The attackers use intermediate nodes, or "slaves," to do their bidding. By hiding behind spoofed IP addresses -- somewhat like putting a fake return address on a post card -- the attackers disguise themselves and their intermediate, slave nodes. A single attacker can use thousands of slave nodes as a network-based parallel processing system to amplify the attack.

This time the exposure that made the systems vulnerable to becoming "slave" nodes in the first place are well known weaknesses in Unix applications. Mom and dad’s computer attached to the cable TV, or sister Susie’s Windows 98 machine attached to the DSL circuit at school are unlikely to be part of the problem -- at least this time.

Still, getting smug about Windows machines not being the source of the attacks is foolish. Next time there might be a trinoo or TFN2K for Windows 2000.

How should we respond? Any response must be tempered with the realization that security is the least liked task, second only to backups. Until there is a crisis, will your organization act on even the simplest suggestions?

An easy suggestion is to have organizations configure their routers so packets with inappropriate or spoofed addresses never leave their networks -- called egress filtering. It’s also easy to demand of ISPs that they filter all packets that have spoofed packets from being passed along -- called ingress filtering.

One proposal in front of the Internet Engineering Task Force is to outfit routers with a mechanism that occasionally sends as much information as it knows about the immediate previous hop of that packet along with the packet itself. In the event of a packet flood associated with a DoS attack, there would be enough of the packets to get a reasonably complete set of traceback packets, thereby simplifying the process of finding the attacking node.

It’s an idea worth considering.

In the meantime you and your company can take immediate action. ISPs and network providers have been victims of DoS attacks long before the assaults that battered Yahoo!, Etrade, and CNN. ISPs can help you set up egress filtering on your own network so you can’t inadvertently be the source of an attack. In addition, demand that your ISP do ingress filtering to ensure that inappropriate packets that manage to get inserted in the network can go no farther.

Filtering may not be the mechanism for ending DoS attacks but, until better traceback technology is in place, it’s one way to make sure we don’t become unwitting accomplices in these abuses.