Crushed By Too Much Information

Apr 1, 2004 12:00 PM, By Jacqueline Emigh
Certain cyberattacks are severe enough to bring even giants to their knees. Known as denial of service (DoS) attacks, these hacking crimes can shut down a corporate computer network for hours, days or even weeks at a time, costing anywhere from $1,000 to $1 million in lost revenues. Victims include household names like Microsoft and CNN.

The perpetrators of DoS attacks — which range from pranksters to criminal extortionists — rarely get caught or punished. Fortunately, though, some companies have developed new technologies aimed at stopping DoS attacks.

In a DoS attack, hackers can use a variety of methods to cripple either an entire network or specific resources. Most attacks simply “flood” a network with more data traffic than it can physically handle.

DoS and DDoS: What's the difference?

In one common type of DoS attack, called “distributed denial of service” (DDoS), perpetrators use viruses and/or remote control software to generate throngs of “zombie” PCs, and then direct the zombies to converge simultaneously on a targeted Web site, where they consume the site's available capacity. Unknown to the PC's owner, the zombie is actually under the total control of a hacker — who might be located anywhere on the globe.

News of major DDoS attacks has peppered the headlines for years now.

  • In February 2000, a series of DoS attacks took down popular Web sites that included CNN, Yahoo!, eBay, Amazon.com, E*Trade, and Buy.com. Investigations were launched by both U.S. and Canadian authorities.

  • In the largest attack of this sort to date, a DDoS attack against SCO Inc. involved an estimated one million PCs worldwide. All the zombies were infected with the MyDoom virus. The attack started on February 1, 2004, and SCO's main Web site was still under the weather several weeks later. SCO has called the FBI for help.

  • On Feb. 3, 2004, PCs infected with MyDoom.b, a variant of the same virus, began to attack Microsoft, along with the Web sites of about 60 information security consulting firms.

Other types of DoS attacks, on the other hand, are aimed at particular resources, such as a specific network server or the “routing tables” that determine where to send data traveling over the network.

Rewards and punishments

Beyond the comparisons to inciting a riot, DoS attacks have some other parallels to physical crimes, too. Microsoft and SCO, for example, have each offered rewards of up to $250,000 for information leading to the arrest and conviction of the MyDoom virus authors.

In the unusual case when an attacker is apprehended, he can be hit with criminal charges. In April of 2002, for instance, authorities caught up with a 15-year-old Canadian nicknamed Mafiaboy. The Royal Canadian Mounted Police charged the boy with two counts of “computer mischief” for an alleged attack on CNN two months earlier.

The youth was released on bail with a series of 11 conditions, including attending school, staying with his parents and living up to a curfew. The court also prohibited him from “connecting to the Internet, either directly or indirectly.”

As a juvenile, the alleged attacker could only be sentenced to two years' confinement under Canadian law. Yet if Mafiaboy had been an adult, he might have faced up to 14 years in prison if convicted, according to Canadian officials.

Moreover, just as in more traditional crimes, DoS attacks can cause major damage to victims. “There are lots of different levels of cost. Some companies pay (network service providers) for network bandwidth, so that's a direct cost,” says Neel Mehga, research engineer at Integrated System Solutions Corp. (ISSC).

“Attackers steal not just access, but business opportunities,” says Carty Castaldi, vice president of engineering for Mazu Networks. Online advertising is one of these opportunities. “Advertisers can lose confidence in a site if it's been attacked.”

When Yahoo! got knocked offline in 2000, analysts estimated losses of about $500,000 in e-commerce and ad revenues, even though the outage lasted for just three hours.

Motives for the crime

Who's behind DoS attacks, and why? Experts emphasize different sorts of motives. “Most DoS attacks target a particular company. Usually, the attacker is someone with some sort of grudge,” says Bob Blakley, senior product manager, security services, at MCI.

“We've been hearing about attacks on political sites and technology companies. Some people get very upset when a computer company makes a pricing change, for instance,” says Castaldi.

ISSC's Mehga cites recent industry reports of blackmail and extortion. Most published accounts of incidents in this category have concerned offshore gambling sites. “The attacker says, ‘Wire me X amount of money by X date, or I'll take your Web site down,’” Mehga says.

“With the exception of vandalism, most crimes in the physical world aren't done just to raise havoc,” says Dayne Sampson, vice president of information technology (IT) for Internet search engine company Ask Jeeves.

“A lot of DoS attacks, on the other hand, are mischievous. People simply want to prove that they can do it. Notoriety can be elusive, though. An attacker cannot go out and identify himself, or the authorities will be all over him,” Sampson adds.

Most DoS attacks revolve around intrusions from the outside. However, it's also theoretically possible for an employee to mount an attack from inside an organization.

Hard to solve

What makes apprehension and conviction so tough? “The Internet was originally created under the assumption that most of the users would be well behaved. So, it has some technical flaws,” Mehga says.

One of these flaws gives attackers the chance to cover their tracks by using forged or “spoofed” Internet addresses — a.k.a. “IP addresses” — in place of their own. “The actual source address is not verified, so you can put in any source address you want. Somebody can make it look as though the attack came from just about anywhere,” Mehga points out.
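The flaw Mehga describes (a router forwarding packets without checking that the source address is one it should ever see on that link) has a standard network-edge countermeasure: ingress filtering, where each customer-facing interface only accepts packets whose source address falls inside the prefixes assigned to that customer, and obviously impossible sources (private and loopback ranges) are dropped outright. The following Python is an added illustration of that check, not code from the article or from any vendor named in it; the interface names, the prefix assignments and the sample packets are all constructed for the example, using the documentation address ranges set aside for exactly this purpose.

```python
import ipaddress
from collections import Counter

# Constructed assumption: the prefix(es) each customer-facing interface is allowed
# to originate traffic from (RFC 5737 documentation ranges, not real customers).
EXPECTED_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
}

# Sources that should never arrive from a customer link: private, loopback,
# "this network" and multicast space. Anything here is dropped regardless of interface.
BOGON_PREFIXES = [
    ipaddress.ip_network("0.0.0.0/8"),
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("224.0.0.0/4"),
]


def classify_source(interface, src):
    """Return the filtering verdict for a packet with source `src` seen on `interface`."""
    addr = ipaddress.ip_address(src)
    if any(addr in net for net in BOGON_PREFIXES):
        return "drop-bogon"
    expected = EXPECTED_PREFIXES.get(interface)
    if expected is None:
        # No policy for this interface: surface it rather than silently accepting.
        return "unknown-interface"
    if any(addr in net for net in expected):
        return "accept"
    # Source lies outside the prefixes this customer owns: forged or misrouted.
    return "drop-spoofed"


def filter_packets(packets):
    """Apply the check to (interface, src, dst) tuples.

    Returns the packets that pass and a Counter of verdicts, which is what an
    operator would graph to spot a customer link suddenly emitting forged sources.
    """
    accepted = []
    verdicts = Counter()
    for iface, src, dst in packets:
        verdict = classify_source(iface, src)
        verdicts[verdict] += 1
        if verdict == "accept":
            accepted.append((iface, src, dst))
    return accepted, verdicts


# Constructed sample traffic: two legitimate packets, two with a source that
# belongs to the *other* customer, and two with private/loopback sources.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.10", "192.0.2.1"),
    ("cust-a", "198.51.100.7", "192.0.2.1"),
    ("cust-a", "10.1.2.3", "192.0.2.1"),
    ("cust-b", "198.51.100.9", "192.0.2.1"),
    ("cust-b", "192.0.2.77", "192.0.2.1"),
    ("cust-b", "127.0.0.1", "192.0.2.1"),
]

if __name__ == "__main__":
    passed, counts = filter_packets(SAMPLE_PACKETS)
    for pkt in passed:
        print("forwarded", pkt)
    print(dict(counts))
```

The check only says whether a source address is plausible for the link it arrived on; it cannot tell which of the customer's own machines sent a packet, and it is only useful when applied at the edge nearest the sender, since once traffic has been aggregated onto a backbone link almost any source address becomes plausible.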

Prevention is hard, too, due to the wide range of techniques used in creating attacks. “The attacks are growing increasingly sophisticated,” Mehga says. Outside of DDoS, types of attacks include Ping of Death, Teardrop and SYN Flooding, to name a few.

Even DDoS attacks can be difficult to curb. Creators of viruses such as MyDoom usually manage to stay one step ahead of antivirus software makers. Generally, software vaccines do not become available until a virus has already hit the Web, experts say.

Fighting back

Organizations, however, are fighting back using a variety of approaches to help protect their computer networks. Large corporations, for example, are building networks with so much capacity that a DoS attack is less likely to halt operations entirely.

Typically, these high-capacity, attack-resistant networks include excess server capacity as well as “redundant,” or duplicate, resources such as back-up data centers. If the main network goes down for any reason, the back-up resources kick into gear.

Meanwhile, vendors and service providers have come up with new technologies for helping to deal with DoS attacks. Vendors such as Mazu Networks, Arbor Networks and Asta Networks have released network hardware appliances meant to automatically tell the difference between normal network traffic and DDoS data.

In March, MCI became the first network service provider to offer an SLA (service level agreement) for DoS. Under the SLA, MCI will respond to a DoS attack within 15 minutes of a customer-generated complaint or “trouble ticket.” MCI is extending this agreement to all its customers, ranging from Internet connectivity and Web hosting customers to those using MCI network management services inside their networks under “colocation” deals.

“We've been protecting against DoS all along. This just adds a guarantee for customers,” according to Blakley. Meanwhile, MCI has also been developing some special technology. Some of this is designed for quick identification of where network traffic is really coming from. Other new technology from MCI routes illegitimate network traffic to “black holes,” to keep it out of circulation.

CLOSE-UP

Types of DoS Attacks

Beyond the DDoS attacks described here, DoS comes in a number of other flavors. Here are a few more types of attacks.

Ping of Death Attack — Sends out a software barrage of “IP Ping” data packets, which then overwhelm a network, a server, or a router.

TearDrop (a.k.a. Bonk or Boink) Attack — A variant of Ping of Death. The Ping packets are fragmented into smaller pieces, which are harder to detect.

SYN Flooding Attack — Ties up server availability by causing the server to keep “responding” to a nonexistent system.
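The appliances mentioned earlier, which try to tell normal traffic from DDoS traffic automatically, and the SYN flooding entry above both come down to the same observation: a legitimate client finishes the TCP handshake, while a flood leaves the server holding many connection attempts that are never completed, usually from many different (often forged) source addresses. The Python below is an added illustration of that detection idea, not code from the article or from any of the vendors it names. It reads a constructed connection log in a made-up format (timestamp, handshake step, client endpoint, server endpoint), tracks which handshakes were completed by the client's final ACK, and flags any server port whose count of half-open attempts exceeds a threshold; the threshold and the log lines are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <SYN|ACK> <client_ip>:<port> -> <server_ip>:<port>".
# SYN is the client's first handshake step, ACK its third (completing) step.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<step>SYN|ACK)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse(lines):
    """Parse log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def half_open_connections(events):
    """Replay the handshake steps and return the attempts never completed.

    A SYN opens a pending entry keyed by the 4-tuple; the client's ACK for the
    same 4-tuple removes it. What remains is the server's half-open backlog.
    """
    pending = {}
    for e in events:
        key = (e["src"], e["sport"], e["dst"], e["dport"])
        if e["step"] == "SYN":
            pending[key] = e["ts"]
        elif e["step"] == "ACK":
            pending.pop(key, None)
    return pending


def detect_syn_flood(lines, max_half_open=4):
    """Flag server endpoints with more than `max_half_open` incomplete handshakes.

    Counting per *destination* rather than per source is deliberate: a flood
    spread across many forged sources never trips a per-source threshold, but
    the victim port still accumulates the backlog.
    """
    backlog = half_open_connections(parse(lines))
    per_dst = defaultdict(lambda: {"half_open": 0, "sources": set()})
    for src, _sport, dst, dport in backlog:
        entry = per_dst[f"{dst}:{dport}"]
        entry["half_open"] += 1
        entry["sources"].add(src)
    return {
        target: {"half_open": v["half_open"], "distinct_sources": len(v["sources"])}
        for target, v in per_dst.items()
        if v["half_open"] > max_half_open
    }


# Constructed sample: two completed handshakes and one still in progress from
# real-looking clients, six SYNs from six sources to port 80 that are never
# completed, one clean handshake to port 443, and one unparseable line.
SAMPLE_LOG = """\
2004-02-01T10:00:00 SYN 198.51.100.20:40001 -> 192.0.2.10:80
2004-02-01T10:00:00 ACK 198.51.100.20:40001 -> 192.0.2.10:80
2004-02-01T10:00:01 SYN 198.51.100.20:40002 -> 192.0.2.10:80
2004-02-01T10:00:01 ACK 198.51.100.20:40002 -> 192.0.2.10:80
2004-02-01T10:00:02 SYN 198.51.100.21:51000 -> 192.0.2.10:80
2004-02-01T10:00:02 SYN 203.0.113.1:1025 -> 192.0.2.10:80
2004-02-01T10:00:02 SYN 203.0.113.2:1025 -> 192.0.2.10:80
2004-02-01T10:00:02 SYN 203.0.113.3:1025 -> 192.0.2.10:80
2004-02-01T10:00:03 SYN 203.0.113.4:1025 -> 192.0.2.10:80
2004-02-01T10:00:03 SYN 203.0.113.5:1025 -> 192.0.2.10:80
2004-02-01T10:00:03 SYN 203.0.113.6:1025 -> 192.0.2.10:80
2004-02-01T10:00:04 SYN 198.51.100.22:40100 -> 192.0.2.11:443
2004-02-01T10:00:04 ACK 198.51.100.22:40100 -> 192.0.2.11:443
this line is not a handshake record and is ignored
"""

if __name__ == "__main__":
    for target, stats in detect_syn_flood(SAMPLE_LOG.splitlines()).items():
        print(f"possible SYN flood against {target}: "
              f"{stats['half_open']} half-open from {stats['distinct_sources']} sources")
```

In a real deployment the replay would run over a sliding time window and the threshold would be set from the server's observed baseline, since a busy site legitimately has a few handshakes in flight at any moment; the one in-progress connection from 198.51.100.21 in the sample shows why a threshold of zero would be wrong.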

© 2008 Penton Media Inc.