At least once each month, Terra Lycos SA's high-profile Internet media products, such as Lycos Mail, Tripod and Angelfire, come under a denial-of-service (DOS) attack. As host to more than 300 distinct Web sites and 40.3 million users, the international hosting and Internet media company makes an obvious target, explains Tim Wright, chief technology officer and CIO at Terra Lycos' U.S. headquarters in Waltham, Mass.
The attacks aren't the traffic-clogging distributed denial-of-service (DDOS) attacks that used remote-controlled servers to flood Amazon.com Inc., Yahoo Inc., eBay Inc. and others with debilitating levels of traffic in early 2000.
Oldie but Baddie
The DOS attacks Wright sees are much older than that. They're called syn flood, a type of attack that has been around as long as TCP. Syn floods fake the initial connection synchronization (syn) requests. The target responds with an acknowledgement (ack), for which it will receive no response. The target server holds the session open for a given length of time and then times out. A high-volume succession of these fake sessions prevents the machine from opening legitimate connections.
There's really no protection against syn floods, because they take advantage of the inherent purpose of routing protocols -- to route TCP session connection requests. "The worst kind of attacks are where the protocol says it's normal," Wright explains.
Now, syn floods are getting a whole lot nastier. A new form of syn, called a distributed reflection denial-of-service (DRDOS) attack, knocked Laguna Hills, Calif.-based Gibson Research Corp. (GRC) off the Web for four hours in January.
A DRDOS attack is the inverse of a syn flood, says Steve Gibson, president of GRC. Gibson coined the term for the new attack method after his experience in January.
That's when attackers sprayed GRC.com's IP across core Internet routers and connected TCP devices, making them believe that GRC.com was trying to initiate a connection. Being the obedient devices that they are, they responded en masse to GRC.-com with their ack replies. GRC.comís server, knowing that it didn't initiate the TCP session requests, simply dropped the acks. Thinking their ack requests were lost in cyberspace, the devices tried again -- up to four times -- magnifying the attack.
Gibson says he's aware of many companies that have come under such DRDOS attacks. "Web hosting sites and other major sites are the biggest targets," he says. "You upset some script kiddie -- they especially don't like spammers -- and they'll punish somebody."
Filtering doesn't help because it slows all traffic, say Wright and Gibson. In a DRDOS attack, the ack packets come from everywhere, so there's no way to filter.
The only way to deal with such an attack is to take the target machine off the Web and wait it out, or ask your Internet service provider to "null route" (drop incoming syn or ack packets to the affected machine), Gibson explains. That way, the attackers can't block traffic to other machines on that network segment. But then, he adds, "the attacker's still won. They've shut your site down."