FRAMINGHAM (05/08/2000) - A respected computer security authority sounded the alarm last week about a new tool that crackers could use to launch Web site attacks similar to the lethal ones that brought down several sites in February.
Experts said there is little that administrators can do to prevent such distributed denial-of-service attacks, so the key is to be prepared to deal with the problem quickly to mitigate damage.
"Prevention isn't the issue so much as the ability to rapidly defeat" an attack, said Fred Cohen, president of Fred Cohen & Associates, a security consultancy in Livermore, California.
The Computer Emergency Response Team (CERT), a group at Pittsburgh-based Carnegie Mellon University that monitors security issues, last week issued a warning about a tool called mstream, which a few sites found late last month.
An analysis of the tool shows it to be buggy and still in the development phase, according to a report published by David Dittrich, a computer administrator at the University of Washington in Seattle.
But it's still capable of producing "a severe denial-of-service condition against one or more victim sites," warned the CERT bulletin.
Distributed denial-of-service attacks seek to cripple a Web server by flooding it with thousands of simultaneous messages from computers that have been tricked into launching them. Such attacks were launched against several heavily trafficked Web sites such as Yahoo Inc., eBay Inc., CNN.com, Buy.com Inc. and Amazon.com Inc. in February.
In each case, the sites were targeted with a massive volume of forged messages that overwhelmed servers and blocked out legitimate traffic for several hours.
Apart from the business disruption caused by such outages, another danger is that hackers could use a distributed denial-of-service attack as a diversion to infiltrate enterprise networks with even more malicious code, warned Harry DeMaio, president of Deloitte & Touche Security Services LLC in Deerfield, Illinois.
Currently, there is no easy defense against the attacks, because the barrage of traffic comes from thousands of computers, analysts said.
"The objective, therefore, is to make it as difficult as possible" for someone to carry out and sustain a distributed denial-of-service attack, said Bob McKee, vice president of system security at The Hartford Life Insurance Co. in Hartford, Connecticut.
Hartford has installed new software for boosting its network's intrusion-detection capabilities. The company also installed technologies for quickly identifying and filtering out suspicious Internet traffic from its networks. Hartford is in constant communication with its Internet service provider to make sure it remains on top of things, McKee said.
"It is the same rationale you use when putting in a good auto or home security system," said Josh Turiel, network service manager at Holyoke Mutual Insurance Co. in Salem, Massachusetts.
Such technologies won't "stop a really determined person from getting into your systems, but it will keep a majority of amateurs away," Turiel said.
Also crucial is the need to have multiple incoming paths for Web traffic and mirror sites to which traffic can be quickly diverted if a primary server comes under attack, DeMaio said.
This means, for example, that companies should have domain name servers planted across the Internet so that when one server gets hit, they can quickly switch to another, said Cohen. Similarly, having multiple Internet service providers hooked up to a site, in addition to having standby servers, will allow a user to rapidly shift loads when under attack, he said.
Corporations should also make sure their servers don't become part of a distributed denial-of-service attack, said Ira Winkler, president of the Internet Security Advisors Group in Severna Park, Maryland.
That means keeping in constant touch with your service provider and ensuring that filters are put in place to prevent IP address forgery and to block traffic from places that allow forgeries, Winkler said.
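The anti-forgery filtering Winkler describes is what router operators call ingress/egress filtering (RFC 2827, BCP 38): a border device permits outbound packets only when their source address belongs to the site's own address blocks, and drops inbound packets that claim an internal source. The Python below is an added illustration of that decision logic, not code from the article or from any product named in it; the prefixes and packets are constructed sample values (RFC 5737 documentation ranges).

```python
import ipaddress

# Address blocks this site is legitimately allocated (constructed, RFC 5737 ranges).
SITE_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]


def _parse(addr):
    """Return an ip_address object, or None if the string is not a valid address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def _is_internal(ip, prefixes):
    return any(ip in net for net in prefixes)


def egress_verdict(src, prefixes=SITE_PREFIXES):
    """Outbound rule: a packet leaving the site must carry one of our own source
    addresses; anything else is a forged source and is dropped."""
    ip = _parse(src)
    if ip is None:
        return "drop"
    return "permit" if _is_internal(ip, prefixes) else "drop"


def ingress_verdict(src, prefixes=SITE_PREFIXES):
    """Inbound rule: a packet arriving from the Internet cannot legitimately claim
    an internal source address, so such packets are dropped."""
    ip = _parse(src)
    if ip is None:
        return "drop"
    return "drop" if _is_internal(ip, prefixes) else "permit"


def filter_packets(packets, prefixes=SITE_PREFIXES):
    """Apply the direction-appropriate rule to (direction, src, dst) tuples."""
    out = []
    for direction, src, dst in packets:
        rule = egress_verdict if direction == "out" else ingress_verdict
        out.append((direction, src, dst, rule(src, prefixes)))
    return out


# Constructed sample traffic: two honest packets, two with forged sources, one malformed.
SAMPLE_PACKETS = [
    ("out", "198.51.100.7", "192.0.2.80"),   # legitimate outbound
    ("out", "192.0.2.9", "192.0.2.80"),      # forged source leaving our network
    ("in", "192.0.2.9", "198.51.100.80"),    # legitimate inbound
    ("in", "203.0.113.4", "198.51.100.80"),  # inbound packet claiming our own address
    ("in", "not-an-ip", "198.51.100.80"),    # malformed, fails closed
]
```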