SAN MATEO (03/06/2000) - The smattering of DDoS (distributed denial of service) attacks during the week of Feb. 7 was a wake-up call for much of the media, but from our vantage point they were simply par for the course. We've long been writing about the importance of security, explaining that in an instant your business can be brought to a screeching halt by a bored teenager looking for a little fun. The recent security events have only supported our claims.
In case you missed the newscasts and headlines, what started out as connectivity problems for Yahoo Inc. and Buy.com Inc. quickly escalated into full-fledged panic. Yahoo and Buy.com, as well as eBay Inc., CNN.com, Zdnet.com, Etrade.com, and Amazon.com Inc., experienced the wrath of one or more individuals apparently enjoying pointing out one of the many weaknesses in businesses' e-commerce armor: denial of service.
But is the sky falling? Many security experts would like you to believe it is because that kind of fear sells more products and services. But the answer is never so simple. DDoS attacks can be enormously effective at clogging up the pipes to a Web site, but that's all they can do. As a result, customers can't reach your Web site. Besides soft-dollar losses, DDoS attacks don't exactly signal Internet Armageddon.
But in the bigger security picture, business leaders have much to fear. We think that for every denial of service attack trumpeted in the media, another 50 attacks pass unnoticed. We hear about dozens of attacks every week. Although some of them are founded more in paranoia than fact, the vast majority of attacks are legitimate.
Just take the DDoS attacks as an example. This attack requires the breaching of various systems by gaining root (on Unix systems) or Administrator (for Windows NT systems) access and then installing a daemon or server application to perform their denial of service (or other) bidding. For this attack alone, more than a hundred computers were intimately compromised, and no one at those sites knew about it. If this doesn't scare you, you may want to get a warm-blood transfusion.
If a computer has been compromised, attackers using it as a denial of service slave should be the least of your worries. At this point, the attackers can perform any whimsical desire. They can capture network traffic to and from the compromised system (even on a switched network) by setting up sniffers on the network interface cards. They can collect database information, including credit cards and social security numbers. They can spoof someone's identity to gain access to additional systems. They can deface your Web page. And they can even affect the stock market by posting erroneous information on your Web site or intranet announcing a merger, for example.
But worse than the initial system compromise is the subsequent ones. Once attackers gain access to a system, they rarely stop there, often using it as a jumping off point for further attacks into your internal network, including exploiting trust relationships such as .rhosts and /etc/hosts.equiv settings.
Worse, they can use the system as a port forwarder for attacking alternate operating systems behind it. If a Unix system is hacked and internal NT systems are accessible from this system that weren't available from the outside, an attacker can install port redirectors, such as datapipe and rinetd, to attack NT systems as if they were on the outside network.
The last thing we want to do is to shine the spotlight of blame. Everyone -- ISPs, e-commerce companies, the government, universities, and consumers -- has to take responsibility for security attacks. Without easy pickings on the Internet, attacks would hold little ferocity. The consciousness of every Internet participant must be raised before we as an industry can expect to truly defend ourselves against attack.
So was the media attention to the DDoS attack all there is for the security industry? Will the mainstream media pick up on the other, more viscious attacks that go on every day? Let us know at email@example.com.
Stuart McClure is president/CTO and Joel Scambray is a managing principal at Rampart Security Group (www.ramsec.com).