FRAMINGHAM (07/26/2000) - Remember the denial-of-service attacks that brought Amazon.com Inc., CNN.com, EBay Inc. and other popular Web sites to their knees in February? The Internet engineering community is developing technology that promises to minimize the damage these hacker attacks cause by quickly identifying the computer systems where they originate.
The Internet Engineering Task Force (IETF) last week launched a working group to develop ICMP Traceback Messages, which would let network managers discover the path that packets take through the Internet. Nicknamed itrace, the new working group plans to submit a proposed standard for traceback messages to the IETF leadership next January.
Itrace can't prevent denial-of-service attacks. But it will be an important tool for network managers trying to isolate and stop these attacks. The itrace approach also can address denial-of-service attacks inside a far-flung corporate network built on Internet standards.
"Itrace is a pretty important initiative," says John Pescatore, research director for network security at Gartner Group Inc., a Stamford, Conn., market research firm. "What we need are standard mechanisms that can be built into the Internet switching infrastructure. That's the only place it will work to stop distributed denial-of-service attacks."
One drawback of itrace is that it identifies the machines that are sending a denial-of-service attack - not the hacker who programmed them. Therefore, itrace will not help law enforcement officials trying to catch and prosecute hackers.
Itrace also faces a deployment challenge because it becomes effective only after the technology is installed across the Internet's backbone and edge routers. In the best-case scenario, the itrace rollout will take 18 months.
Nonetheless, itrace is the most promising technology that the Internet engineering community has conceived for battling denial-of-service attacks.
"The ISPs don't have good tools to trace these kinds of attacks back today. That's what we're trying to do," says Steve Bellovin, a network security researcher at AT&T Labs who is heading the IETF effort. "Itrace will be quite helpful, but I don't think it's a panacea. What you really want to do is deal with the attacks and stop them from hurting you."
In a distributed denial-of-service attack, a hacker breaks into other people's servers and programs them to flood a Web site with massive amounts of bogus traffic until the Web site crashes. In the much-publicized February attacks, it took Web site operators and their ISPs several hours to thwart the attacks and get sites back up and running.
One of the reasons it takes so long to stop a denial-of-service attack is that the hacker sends the bogus traffic using fake (spoofed) source IP addresses, so the addresses on the packets say nothing about where they actually came from. Itrace would let Web site operators and ISPs track denial-of-service attacks back to their true sources within minutes.
With itrace, routers randomly generate a traceback message about a packet and send it to the packet's destination. Each traceback message provides information about the packet being traced, what time it was sent, where it came from, where it went and authentication of the packet transfer.
Network managers can piece the traceback messages together into a chain that represents a packet's path through the Internet. This capability is important because a packet takes as many as 20 hops through routers at various ISP locations as it moves through the Internet from sender to recipient.
Because the traceback messages are sent at a rate of one out of every 20,000 packets, they won't have a significant impact on the performance of the router or the Internet overall. However, with enough traceback messages from enough routers along the path, a network manager can find the source of a large amount of illegitimate traffic.
One disadvantage of itrace is that it stores information in the traceback messages in compressed form, so the information is ambiguous and requires some analysis and guesswork, says Fred Baker, chair of the IETF. "Due to this ambiguity, itrace is not a silver bullet. But it gives us a clue, where right now we are often completely in the dark."
The main challenge for itrace is getting router vendors to support it and ISPs to deploy it. One question is whether ISPs will deploy it just on their border routers or on all the routers in their networks. The latter approach is better because itrace is more helpful if it is deployed on more routers.
"Nobody can compel the ISPs to deploy this," AT&T Labs' Bellovin says. "The goal is to produce a specification that has support from router vendors such as Cisco and Juniper and from the ISPs."
ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks.
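The mechanism described above (routers sampling one packet in 20,000 and sending a traceback message toward the destination, the destination chaining those messages into the packet's path, and authentication so that bogus traceback messages are discarded) as an added simulation. This is illustrative code written for this page, not code from the IETF itrace working group or from any router vendor. The router names, the seven-hop path, the message fields and the per-router HMAC keys standing in for the traceback PKI are all constructed for the example.

```python
"""Simulation of itrace-style sampled traceback messages and path reconstruction.

Added illustration, not the IETF itrace specification. Path, router names,
message fields and the HMAC-based authentication are constructed assumptions.
"""
import hashlib
import hmac
import math
import random
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_RATE = 1 / 20000  # article: one traceback message per 20,000 packets

# Constructed route: a compromised source host, six routers, the victim site.
PATH = ["zombie-src", "r1-edge", "r2-isp-a", "r3-core", "r4-core",
        "r5-isp-b", "r6-edge", "victim"]
ROUTERS = PATH[1:-1]

# Stand-in for the per-router credentials a traceback PKI would provide
# (constructed symmetric keys; a real deployment would use signed messages).
ROUTER_KEYS = {r: hashlib.sha256(f"demo-key-{r}".encode()).digest() for r in ROUTERS}


@dataclass(frozen=True)
class TracebackMessage:
    router: str          # router that sampled the packet
    prev_hop: str        # where the packet came from
    next_hop: str        # where the router forwarded it
    packet_digest: str   # identifies the sampled packet
    timestamp: int       # when it was forwarded (packet index here)
    tag: str             # authentication tag over the other fields

    def payload(self) -> bytes:
        return (f"{self.router}|{self.prev_hop}|{self.next_hop}|"
                f"{self.packet_digest}|{self.timestamp}").encode()


def sign(router, prev_hop, next_hop, digest, ts) -> TracebackMessage:
    """Router emits a message authenticated with its own key."""
    unsigned = TracebackMessage(router, prev_hop, next_hop, digest, ts, "")
    tag = hmac.new(ROUTER_KEYS[router], unsigned.payload(), hashlib.sha256).hexdigest()
    return TracebackMessage(router, prev_hop, next_hop, digest, ts, tag)


def verify(msg: TracebackMessage) -> bool:
    """Destination checks the tag; unknown routers or bad tags are rejected."""
    key = ROUTER_KEYS.get(msg.router)
    if key is None:
        return False
    expected = hmac.new(key, msg.payload(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.tag)


def sampled_indices(n_packets, rate, rng):
    """Packet indices a router picks when each packet is sampled independently
    with probability `rate`; drawn as geometric gaps so we never loop per packet."""
    idx, out = -1, []
    while True:
        gap = int(math.log(1.0 - rng.random()) / math.log(1.0 - rate)) + 1
        idx += gap
        if idx >= n_packets:
            return out
        out.append(idx)


def flood(n_packets, rng, rate=SAMPLE_RATE):
    """Every router on PATH forwards n_packets spoofed packets and, at `rate`,
    sends an authenticated traceback message toward the destination."""
    messages = []
    for pos, router in enumerate(ROUTERS, start=1):
        prev_hop, next_hop = PATH[pos - 1], PATH[pos + 1]
        for i in sampled_indices(n_packets, rate, rng):
            digest = hashlib.sha256(f"pkt{i}".encode()).hexdigest()[:16]
            messages.append(sign(router, prev_hop, next_hop, digest, i))
    return messages


def reconstruct_path(messages, destination):
    """Chain verified messages into the route the flood took, walking upstream
    from the destination; stops where the evidence ends or becomes ambiguous."""
    upstream = defaultdict(set)  # next_hop -> routers that forwarded to it
    prev_of = defaultdict(set)   # router -> hops it received the packets from
    for m in messages:
        if not verify(m):
            continue                     # forged or unauthenticated: discard
        upstream[m.next_hop].add(m.router)
        prev_of[m.router].add(m.prev_hop)
    node, path, seen = destination, [destination], {destination}
    while node in upstream:
        candidates = upstream[node] - seen
        if len(candidates) != 1:
            break                        # no evidence, or more than one candidate
        node = candidates.pop()
        seen.add(node)
        path.append(node)
    if node in prev_of and len(prev_of[node]) == 1:
        path.append(next(iter(prev_of[node])))  # the sending host itself
    return list(reversed(path))


if __name__ == "__main__":
    rng = random.Random(7)
    msgs = flood(1_000_000, rng)            # ~50 messages per router for 1M packets
    print(len(msgs), "traceback messages;", reconstruct_path(msgs, "victim"))
    forged = TracebackMessage("r1-edge", "innocent-host", "r2-isp-a", "deadbeef", 42, "00" * 32)
    print("forged accepted?", verify(forged))
```

The `reconstruct_path` step is where the ambiguity Baker mentions shows up: if two different upstream routers claim the same next hop, the walk stops rather than guessing, and the network manager has to resolve it by hand.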
Still, ISPs seem positive about the itrace approach. "The ISP industry is going to welcome any attempt to standardize tools that help customers fight against distributed denial-of-service attacks," says Mark McFadden, chief technology officer for the Commercial Internet Exchange Association.
McFadden says the ISP industry also needs tools that detect and identify denial-of-service attacks, vs. sudden, large flows of legitimate traffic.
"Itrace is one part of a solution toward distributed denial-of-service attacks," says Stefan Savage, an assistant computer science professor at the University of California at San Diego who has developed an alternative packet traceback technique. "There's a whole host of tools that you need to detect attacks, trace them back and perform countermeasures. Tracing back alone doesn't solve the problem."
The itrace working group is the IETF's first attempt at addressing denial-of-service attacks. The idea for itrace dates back to January, when a group of network security researchers from Cisco Systems Inc., Nortel Networks Corp., Lucent Technologies Inc., UUNET Technologies Inc. and AT&T Corp. began developing a traceback methodology that would scale across the Internet.