A Funny Thing Happened on my Way to the (Risks) Forum this month. I had planned to write a column on the ever-burgeoning risks of denial-of-service (DoS) attacks relating to the Internet, private networks, computer systems, cable modems, and DSL (for which spoofing is a serious risk), and the critical infrastructures that we considered here in January 1998.
DoS threats are rampant, although there are only a few previous cases in the RISKS archivesfor example, involving attacks on PANIX, WebCom, and Australian communications. There are many DoS types that do not even require direct access to the computer systems being attacked. Instead, those attacks are able to exploit fundamental architectural deficiencies external to the systems themselves rather than just widespread weak links that permit internal exploitations.
Well, just as I started to write this column in February, an amazing thing happened. Within a three-day period, Yahoo, Amazon.com, eBay, CNN.com, Buy.com, ZDNet, E*Trade, and Excite.com were all subjected to total or regional outages of several hours caused by distributed denial-of-service (DDoS) attacksthat is, multiple DoS attacks from multiple sources. Media moguls seem to have been surprised, but the DDoS concepts have been around for many years.
Simple DoS flooding attacks (smurf, syn, ping-of-death) can be carried out remotely over the Net, without any system penetrations. Other DoS attacks may exploit security vulnerabilities that permit penetrations, followed by crashes or resource exhaustion. Some DDoS attack scripts (Trinoo, Tribal Flood Network and TFN2K, Stacheldraht) combine two modes, using the Internet to install attack software on multiple unwitting intermediary systems ("zombies"), from which simultaneous DoS attacks can be launched on target systems without requiring penetrations. In general, DDoS attacks can cause massive outages, as well as serious congestion even on unattacked sites.
DoS attacks are like virusessome specific instances can be detected and blocked, but no general preventive solutions exist today or are likely in the future. DDoS attacks are even more insidious. They are difficult to detect because they can come from many sources; trace-back is greatly complicated when they use spoofed IP addresses.
Common security advice can help in combatting DDoS: install and properly configure firewalls (blocking nasty traffic); isolate machines from the Net when connections are not needed; demand cryptographic authenticators rather than reusable fixed passwords, to reduce masqueraders. But these ideas are clearly not enough. We also need network protocols that are less vulnerable to attack and that more effectively accommodate emerging applications (interactive and noninteractive, symmetric and asymmetric, broadcast and point-to-point, and so on)for example, blocking bogus IP addresses. For starters, we need firewalls and routers that are more defensive, cryptographic authentication among trustworthy sites, systems with fewer flaws and fewer risky features, monitoring that enables early warnings and automated reconfiguration, constraints on Internet service providers to isolate bad traffic, systems and networks that can be more easily administered, and much greater collaboration among different system administrations.
As attack scripts become increasingly available, DoS and DDoS attacks become even more trivial to launch. It is probably naive to hope that the novelty of these attacks might wear off (which is what many people hoped in the early days of viruses, although today there are reportedly over 50,000 virus types). But if the attacks were to disappear for a while, the incentives to address the problem might also diminish.
The FBI and its National Infrastructure Protection Center (NIPC) are taking a role in trying to track down attackers, but the flakiness of the technology itself makes tracing difficult. Above all, it is clear this is a problem in desperate need of some technological and operational approaches; relying on law enforcement as a deterrent is not adequateespecially against attacks mounted from outside of the U.S. This is not just a national problem: every computerized nation has similar risks, and attacks on any site can be launched from anywhere in the world.
The Internet has grown without overall architectural design (as have many of its applications). Although this may have accelerated expansion, some current uses vastly exceed what is prudent. We urgently need to launch a concerted effort to improve the security and robustness of our computer-communication infrastructures. The recent DoS problems are only a foretaste of what could happen otherwise.
©2000 ACM 0002-0782/00/0400 $5.00
Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee.
The Digital Library is published by the Association for Computing Machinery. Copyright © 2000 ACM, Inc.
No entries found