Although it's impossible to safeguard your network completely against denial of service attacks, deflecting them is possible if you have a strong defensive strategy and a solid understanding of the different attack types.

I remember a favourite prank from my university days that involved wedging a locked door's bolt against the frame by cramming pennies in the gap between door and frame. This ensured that the rightful occupant couldn't turn the key in the lock, which seemed incredibly funny, until it happened to me. That was a primitive form of a denial of service.
Of course, in the enterprise business environment, DoS (denial of service) carries much higher stakes. Today, DoS attacks are a constant concern for IT executives and managers, particularly those who hold responsibility for high-profile sites that are critical to the success of corporate strategies.
A number of apologists have tried to excuse the actions of DoS perpetrators by equating their attacks with innocuous childhood pranks, such as doorbell ditch or crank telephone calls. The distinction is that I have the choice to ignore the doorbell or telephone (and I often do). An Internet server has no choice but to respond to network queries and its unavailability can literally spell death for a company.
DoS attacks are scary because you usually don't know who the enemy is and you often don't know how badly compromised your systems are. But perhaps worse is that you're now torn between the need to protect your company's business and stop the attack and the equally compelling need to collect enough evidence to nail the perpetrator, particularly if you want a case that will stand up in court. The best way to avoid that dilemma is to prevent DoS attackers from getting that far in the first place. Preventing their success requires a solid defensive strategy that considers internal as well as external threats.
Knowing your attacker
Of course, not all DoS problems are attacks. Some accidents are inevitable in a decentralised environment such as the Internet, where a corrupt routing table can wreak havoc in minutes.
Internal networks face similar problems, although a well-designed enterprise network will partition traffic in such a way that problems can be easily isolated.
Actual attacks, of course, can come from either inside or outside the organisation. Although this discussion focuses on the external adversary, any plan to mitigate the effects of a DoS incident must allow for the possibility of an internal threat as well.
But despite the risk of attack from within, the greatest threat to the security of companies using the Internet remains the roguery of the teenage male. (Although interest in and understanding of computer network operations has grown among young women, statistics still indicate that computer hacking is a predominantly male pastime.) The truly unfortunate thing is that today, tools exist that allow relatively unsophisticated computer users to launch attacks from the family computer. The 'script kiddies' grow in number with every day, so DoS is likely to get a lot worse before it gets better.
The ABCs of DoS
DoS attacks encompass an extremely broad range of methods. Among these, three of the most popular involve disabling services, monopolising or usurping resources, and sabotaging data.
Drastic DoS attacks involve configuration changes or physical assault of the attached network devices. The physical threat is usually the easiest to defend; traditional 'gates, guards and guns' security principles usually work well in this instance.
Network-borne DoS attacks have gained ground in the last year or so, aided by a new method of distributing the attack among many hosts. Because the flood is generated with the cumulative bandwidth and processing power of the hijacked hosts, it is far harder to absorb or filter at the target than traffic from a single source. The tools behind these DDoS (distributed denial of service) attacks, Tribe Flood Network and Stacheldraht (German for 'barbed wire') among them, appeared in 1999; in February 2000 attackers used them to bring down some of the most popular Internet destinations, including Yahoo and eBay. In each case the tools work the same way: the attacker's handler directs a large number of compromised agents to flood the target at once.
Of course, in one form or another, DoS attacks have been with us for a while: radar and radio 'jamming' are classic examples. But as the Internet becomes a mainstay of economic prosperity, any disruption in its traffic acts as a hand clutching the windpipe. Here are some of the most common ways that DoS vandals like to grab your throat.
'Hogging' is a classic attack method that usually involves bypassing normal operating system controls to run a program on a host that consumes system resources (CPU time, memory, process slots or disk) until the OS fails and the host crashes.
The Robert Morris Internet worm of 1988 is a good example of hogging. It is classified as a worm rather than a Trojan horse because it copied itself from host to host without any user's help, exploiting a debug feature in sendmail and a buffer overflow in the finger daemon among other weaknesses. Morris reportedly intended his program to spread slowly and run undetected, but a design flaw in its check for already-infected hosts caused it to reinfect the same machines again and again, so that infected hosts were overwhelmed within hours.
Because this sort of attack has been around for a long time, many operating systems have elementary safeguards in place. Unfortunately, as any Windows NT manager will confirm, adding features to an operating system increases the number of security holes, so you can't consider 'hardening' a system to be a closed-end project.
'Hostile applets' are a form of DoS attack that targets users rather than servers. An applet-based attack will essentially hijack a computer through a Web browser that lets applets run by default. Organisations that can enforce a no-applet policy and make it stick have an edge against this type of attack, but that may not be worth forgoing the benefits of applet technology.
'Mail bombs' are simple and brutal: they overload a mail server with vast amounts of bogus traffic. Needless to say, even the biggest mail server has its limits, so no mail system is immune to this type of attack. (Note to vandals: our mail server isn't worth your time, really. Now go and do your algebra homework. Please.) In these cases, you may want to use filters to identify and reject suspicious traffic, but you take the risk of bouncing legitimate communications.
The 'Ping of Death' abuses the ping utility (PING, 'Packet InterNet Groper', which sends an ICMP echo request and waits for the reply) by sending an echo request that, once its fragments are reassembled, exceeds the 65,535-byte maximum size of an IP datagram. Although this is most commonly seen in IP environments, any protocol stack that reassembles fragments into a fixed-size buffer without checking the final length has the same weakness. In unprotected systems the oversized packet overflows the reassembly buffer and can crash the host or disrupt its networking.
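To show why the oversized echo request mattered and what the fix looks like, here is a small model of IP fragment reassembly. This is an added example, not code from the original article or from any vendor's IP stack; the Fragment type, the make_fragments/reassemble/echo_request helpers and the sizes used are constructed for illustration (the ICMP checksum is left at zero). With check_bounds=False the reassembler trusts offset plus length the way the vulnerable stacks did; with the check on, the fragment that would push the datagram past the limit is rejected.

```python
# Added example (not from the original article): a minimal model of IP fragment
# reassembly showing why an oversized echo request was dangerous and the bounds
# check that rejects it. Fragment layout and sizes here are constructed.
from dataclasses import dataclass

MAX_DATAGRAM = 65535                 # the IP total-length field is 16 bits
MAX_PAYLOAD = MAX_DATAGRAM - 20      # minus a 20-byte IP header (no options)
FRAG_UNIT = 8                        # fragment offsets are counted in 8-byte units
ICMP_ECHO_HEADER = bytes([8, 0, 0, 0, 0, 1, 0, 1])  # type 8, code 0, checksum left 0, id 1, seq 1


@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification field, shared by all fragments of one datagram
    offset: int     # fragment offset in 8-byte units (13-bit field, so at most 8191)
    more: bool      # the More Fragments flag
    payload: bytes


class OversizedDatagram(ValueError):
    """Raised when a fragment would push the datagram past the IP maximum."""


def make_fragments(ident, data, mtu_payload=1480):
    """Split an IP payload into fragments as a sender on a 1500-byte link would."""
    assert mtu_payload % FRAG_UNIT == 0
    frags = []
    for start in range(0, len(data), mtu_payload):
        chunk = data[start:start + mtu_payload]
        more = start + len(chunk) < len(data)
        frags.append(Fragment(ident, start // FRAG_UNIT, more, chunk))
    return frags


def reassemble(frags, check_bounds=True):
    """Reassemble the fragments of one datagram into its payload.

    With check_bounds=False the function behaves like an unpatched IP stack of the
    period: it trusts offset + length and produces a payload longer than the
    protocol allows. Here that only yields a big bytes object; in a kernel that
    copied each fragment into a fixed-size reassembly buffer it was a memory
    overwrite, hence the crashes."""
    spans = []
    total = None
    for f in frags:
        start = f.offset * FRAG_UNIT
        end = start + len(f.payload)
        if check_bounds and end > MAX_PAYLOAD:
            raise OversizedDatagram(f"fragment ends at byte {end}, limit {MAX_PAYLOAD}")
        if f.more and len(f.payload) % FRAG_UNIT:
            raise ValueError("non-final fragment must be a multiple of 8 bytes")
        if not f.more:
            total = end
        spans.append((start, end, f.payload))
    if total is None:
        raise ValueError("no final fragment seen")
    spans.sort()
    buf = bytearray(total)        # the fixed-size buffer the overflow landed in
    pos = 0
    for start, end, payload in spans:
        if start != pos or end > total:
            raise ValueError(f"gap, overlap or trailing data at byte {pos}")
        buf[start:end] = payload
        pos = end
    if pos != total:
        raise ValueError("datagram incomplete")
    return bytes(buf)


def echo_request(data_len, fill=b"A"):
    """ICMP echo request payload carrying data_len bytes (checksum not computed)."""
    return ICMP_ECHO_HEADER + fill * data_len


if __name__ == "__main__":
    normal = make_fragments(1, echo_request(56))       # a default 64-byte ping
    print("normal ping:", len(reassemble(normal)), "bytes from", len(normal), "fragment(s)")
    largest = make_fragments(2, echo_request(65507))   # the largest legal echo request
    print("largest legal:", len(reassemble(largest)), "bytes")
    pod = make_fragments(3, echo_request(65510))       # 65,538 bytes once headers are counted
    try:
        reassemble(pod)
    except OversizedDatagram as e:
        print("rejected:", e)
    print("unchecked stack would build", len(reassemble(pod, check_bounds=False)), "bytes")
```

The point of the check is its placement: it runs on every fragment as it arrives, before any copy, because the last fragment is the one that carries the datagram over the limit and by then an unchecked stack has already committed to a buffer of the wrong size.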
'SYN flooding' is specific to TCP (Transmission Control Protocol) and attempts to exhaust a server's capacity for new connections, denying legitimate traffic access to network services. It exploits the three-way handshake that opens every TCP conversation: the client sends a SYN (synchronise sequence number) packet, the server replies with a SYN-ACK and sets aside state for the half-open connection, and the client completes the handshake with an ACK.
By forging the source address of each packet and sending a barrage of SYNs, the attacker makes the server reply to hosts that never answer, so the half-open entries sit in the server's queue until they time out. Once that queue is full, new SYNs are dropped and the server is unavailable to regular users except those lucky few whose requests slip through as old entries expire.
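To make the mechanism concrete, here is a small simulation of a listener's half-open queue under a spoofed flood. It is an added example, not code from the original article: the Listener class, the forged 203.0.113.x sources, the 192.0.2.10 client, the backlog of 128 and the packet rates are all constructed assumptions chosen so the arithmetic is easy to follow.

```python
# Added example: a small model of a TCP listener's half-open (SYN_RECV) queue
# under a spoofed SYN flood. The Listener class, the addresses and the rates are
# constructed for illustration and are not from the original article.
from dataclasses import dataclass, field


@dataclass
class Listener:
    backlog: int                 # maximum half-open entries the server keeps
    syn_timeout: float           # seconds before an unanswered SYN-ACK is given up on
    half_open: dict = field(default_factory=dict)  # (ip, port) -> time SYN-ACK was sent
    accepted: int = 0
    dropped: int = 0
    peak_half_open: int = 0

    def _expire(self, now: float) -> None:
        # Entries whose client never sent the final ACK are discarded after syn_timeout.
        stale = [k for k, t in self.half_open.items() if now - t >= self.syn_timeout]
        for k in stale:
            del self.half_open[k]

    def on_syn(self, now: float, src: tuple) -> bool:
        """A SYN arrives. Returns True if the server queued it and sent a SYN-ACK."""
        self._expire(now)
        if len(self.half_open) >= self.backlog:
            self.dropped += 1        # queue full: the SYN is silently dropped
            return False
        self.half_open[src] = now    # server allocates state and replies SYN-ACK
        self.peak_half_open = max(self.peak_half_open, len(self.half_open))
        return True

    def on_ack(self, now: float, src: tuple) -> bool:
        """Final ACK of the three-way handshake; only a real client ever sends one."""
        if src not in self.half_open:
            return False
        del self.half_open[src]
        self.accepted += 1
        return True


def run_flood(backlog=128, syn_timeout=60.0, spoofed_per_sec=10, duration=30) -> dict:
    """Each second: spoofed_per_sec SYNs from forged sources that will never ACK,
    then one legitimate client that completes its handshake 0.1 s after its SYN."""
    srv = Listener(backlog=backlog, syn_timeout=syn_timeout)
    legit_ok = legit_dropped = spoofed_dropped = 0
    n = 0
    for t in range(duration):
        for _ in range(spoofed_per_sec):
            # Forged source in TEST-NET-3 (203.0.113.0/24): the SYN-ACK goes nowhere.
            src = ("203.0.113.%d" % (n % 254 + 1), 1024 + n)
            n += 1
            if not srv.on_syn(float(t), src):
                spoofed_dropped += 1
        client = ("192.0.2.10", 40000 + t)
        if srv.on_syn(t + 0.5, client):
            srv.on_ack(t + 0.6, client)
            legit_ok += 1
        else:
            legit_dropped += 1
    return {
        "legit_accepted": legit_ok,
        "legit_dropped": legit_dropped,
        "spoofed_dropped": spoofed_dropped,
        "peak_half_open": srv.peak_half_open,
    }


if __name__ == "__main__":
    print("60 s half-open lifetime:", run_flood(syn_timeout=60.0))
    print(" 5 s half-open lifetime:", run_flood(syn_timeout=5.0))
```

With a 60-second half-open lifetime, ten forged SYNs a second fill the 128-entry queue during the thirteenth second and every legitimate client after that is dropped; with a 5-second lifetime the same flood never holds more than 50 entries and no real client is turned away. The quantity that matters is forged SYN rate multiplied by half-open lifetime, measured against the backlog size, which is why defences such as shorter SYN-ACK retransmission timers and SYN cookies (which keep no per-connection state until the final ACK arrives) are effective.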
'Zombies' are computers that have been compromised by an attacker and are being used (or held in reserve) for an attack. The DoS attacks that were so prominent last year used zombies to generate enough traffic to disrupt operations at the Internet's most-visited sites.
What can be done?
Unfortunately, many organisations don't realise they have a DoS vulnerability until the hoodlums are running amok. Even if the assault is aimed strictly at your network connections and isn't attempting to penetrate sensitive company data, this is still too late to begin implementing a defence.
But a good offence is a bad idea. Retaliation is strongly discouraged, because you can't be certain in the heat of the moment that your attacker isn't using someone else's identity as a front and because any network-based counterattack is going to violate the same laws you want to use for a conviction, if it goes that far. This isn't a home invasion and you don't have the right to shoot back.
Obviously, there are some things you can do in advance to minimise your vulnerability. If you don't have a good, well-understood firewall in place, get one. The well-understood part is the key; too many shops install a firewall but fail to train key employees in its configuration and use.
Thankfully, any decent firewall available today will come configured to deny all traffic, reducing the problem to the traffic that you've explicitly enabled. Other devices on your network, such as switches, routers, and desktop computers, should also be checked to verify that they're only passing permitted types of traffic.
Other perimeter security measures you can take include e-mail filters and virus-detection software. These need to be maintained religiously to be effective but are useful in providing a defence behind the firewall.
Having baseline network traffic data can help distinguish traffic surges caused by legitimate transmission of rich media files from those caused by a swarm of hackers.
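As an added illustration (not part of the original article) of what a baseline buys you, the following builds one from constructed per-minute counters and applies a simple profile test to two constructed surges. The Sample and Baseline types, the numbers, and the threshold ratios (three standard deviations on packet rate; five times the usual source count together with half the usual packet size) are assumptions chosen for the example, not measured values; a real deployment would derive them from its own NetFlow or interface counters.

```python
# Added example (not from the original article): baselining per-minute traffic
# counters and using the baseline to separate a surge of large legitimate transfers
# from a flood. The Sample records and all numbers below are constructed; the
# ratios used as thresholds are illustrative choices, not measured values.
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Sample:
    packets: int     # packets seen in the minute
    byte_count: int  # bytes seen in the minute
    sources: int     # distinct source IP addresses seen in the minute

    @property
    def avg_size(self) -> float:
        return self.byte_count / self.packets if self.packets else 0.0


@dataclass(frozen=True)
class Baseline:
    pkt_mean: float
    pkt_threshold: float   # mean + k standard deviations of the packet rate
    avg_size: float        # typical bytes per packet
    sources: float         # typical distinct sources per minute


def build_baseline(samples, k=3.0) -> Baseline:
    """Summarise a quiet period; k sigma above the mean packet rate counts as a surge."""
    pk = [s.packets for s in samples]
    return Baseline(
        pkt_mean=mean(pk),
        pkt_threshold=mean(pk) + k * pstdev(pk),
        avg_size=mean(s.avg_size for s in samples),
        sources=mean(s.sources for s in samples),
    )


def classify(sample, base, size_ratio_max=0.5, source_ratio_min=5.0) -> str:
    """Flag only minutes above the packet threshold, then look at how the surge is
    made up: a flood typically brings many new sources and small packets, while a
    burst of large downloads keeps the usual sources and grows the packet size."""
    if sample.packets <= base.pkt_threshold:
        return "normal"
    size_ratio = sample.avg_size / base.avg_size
    source_ratio = sample.sources / base.sources
    if source_ratio >= source_ratio_min and size_ratio <= size_ratio_max:
        return "surge/flood-like"
    return "surge/transfer-like"


# Constructed quiet period: about 1,000 packets and 600 KB a minute from ~40 hosts.
QUIET = [
    Sample(p, p * 600, s)
    for p, s in zip([980, 1010, 1005, 995, 1020, 990, 1000, 1015, 985, 1000],
                    [38, 42, 40, 41, 39, 40, 43, 37, 40, 40])
]

MEDIA_BURST = Sample(packets=3000, byte_count=3_900_000, sources=45)   # big files, usual hosts
FLOOD = Sample(packets=40000, byte_count=2_400_000, sources=3000)      # tiny packets, new hosts

if __name__ == "__main__":
    base = build_baseline(QUIET)
    print(f"surge threshold: {base.pkt_threshold:.1f} packets/min")
    for name, s in [("quiet", QUIET[0]), ("media burst", MEDIA_BURST), ("flood", FLOOD)]:
        print(f"{name:12s} {s.packets:6d} pkt/min {s.avg_size:7.1f} B/pkt "
              f"{s.sources:5d} src -> {classify(s, base)}")
```

The packet-rate threshold alone would flag both surges; it is the second look at packet size and source count, against figures recorded when nothing was wrong, that tells the marketing department's new video from a flood. Without the quiet-period samples there is nothing to compare against, which is the article's point about collecting baseline data in advance.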
A new and interesting type of active defence is Recourse Technologies' ManTrap, a honeypot that presents a decoy environment to divert attackers away from your crown jewels and into a 'secure cage' where you can log their activities and gather an evidence trail for law enforcement.
One eye on the headlines
Staying informed is key to any good defensive strategy. Because of the global nature of the Internet, a problem that starts in the Philippines can be affecting servers in Australia in a matter of minutes.
Although the Web sites of the FBI and other government and industry watchdog organisations are a wealth of information, the mainstream news media is becoming cognisant of the importance of computers in today's economy and society and is usually a good source of real-time information regarding system assaults and computer virus outbreaks.
One step I cannot overemphasise is to keep current with application and OS patches. A difficulty here is walking the line between ensuring that patches won't destabilise a production system and having a secure configuration.
Test your patches, but have a procedure in place that allows you to upgrade machines as soon as possible once your testing is complete.
Ensuring that every networked device, and not just general-purpose computers, is configured to run only the services it needs is paramount. Although Web-based interfaces are certainly prettier than a Telnet console, Cisco users are finding out the hard way that adding management features to a router can raise more problems than it solves. Shops using the software-based HTTP server in recent versions of Cisco IOS, which lets the router or switch present data via a Web browser, were advised in mid-May that under certain circumstances the HTTP server could be used to compromise the device.
Preparing for the worst is a grim task, but it saves a lot of shouting when the fertiliser hits the fan. One of the biggest mistakes companies make during a crisis is forcing people in the front lines to wait while upper management struggles to cope with the emergency.
An organisation's emergency response team is designed to address this problem. Determining in advance who has the authority to cut network connections, shut down or restart servers, or perform other drastic steps may cause some ruffled feathers but is worth it when time is a crucial element.
Another aspect of preparing for the worst is training. Simulating a DoS attack is the best way to determine where your organisational vulnerabilities exist and to familiarise staff with emergency procedures. Addressing these issues won't prevent your next attack, but drilling staff on critical tasks will make the correct reaction a matter of routine. An external audit is also a good idea. Although 'tiger teams' are available for hire to probe networks, I'd recommend against using any but the most reputable of companies for this kind of work. When it comes to probing your network for weaknesses you're probably better off looking for a professional auditing firm with network security experience as opposed to a consultant, because this is one of the instances where the auditor's training outweighs any technical issues.
Unfortunately, there's not a lot you can do to prevent a DoS attack, but you can make one difficult and unrewarding for the perpetrator.
Much of what I've outlined here is common sense, but it bears repeating: Don't enable services you aren't using, keep your systems patched, use the same game plan in practice that you will on game day, and you might survive the next one with your job and your data intact.
See Buyers guide.
Security information sites
www.auscert.org.au - Australian Computer Emergency Response Team
www.cert.org - CERT Coordination Centre (US)
http://ciac.llnl.gov - Computer Incident Advisory Capability (CIAC)
www.first.org - Forum of Incident Response and Security Teams (FIRST)
www.telstra.com.au/info/security.html - Telstra Security Pages
www.cs.purdue.edu/coast - COAST (Computer Operations, Audit, and Security Technology), Purdue University
www.iss.net - Internet Security Systems (ISS)