SAN FRANCISCO (04/28/2000) - Much of the online world was caught off guard last month by the massive denial-of-service (DoS) attacks against such major Websites as eBay Inc., E*Trade, Yahoo Inc., and CNN, but Dave Dittrich wasn't.
Dittrich had made the acquaintance of distributed denial-of-service (DDoS) tools trinoo (aka trin00), Tribe Flood Network, and stacheldraht when some of the machines under his charge at the University of Washington were used in a DDoS attack against the University of Michigan.
That attack inspired Dittrich to write analyses of several of the DDoS tools so that security experts could better understand the threat. With Marcus Ranum, the head of Network Flight Recorder, Dittrich also coauthored a network-scanning utility named gag, which can help administrators detect the installation of DDoS tools on their systems.
SunWorld writer J.S. Kelly spoke with Dittrich about the recent attacks. During the course of their conversation, Dittrich discussed what could be done to prevent future episodes, whether the computer security community should join forces with the government to combat the possibility of large-scale attacks, and what the future holds for computer security stocks and computer damage insurance.
SunWorld: When we talked about DDoS tools in January, you said there was no way to protect yourself from a DoS attack. But now I hear that some security specialists are beginning to talk about how we might do so in the future.
Dave Dittrich: Right. A lot of good proposals are being presented now -- some of which are things we can do immediately, while others will take years to develop. The main ones I can think of right now are those that Elias Levy posted on Bugtraq, including RFC 2267 on ingress filtering suggestions and rate-limiting features on routers. There are also some suggestions on how to use dynamic adaptive routines -- features in Cisco Systems' IOS that allow you to define limits on the percentage of traffic and the kind of packets you have -- to limit the rate at which Internet Control Message Protocol packets come into the network. After being flooded with smurf-style attacks, which are more devastating than other kinds of DoS attacks, you can use ICMP to reduce traffic flow and safeguard your network.
Work is also being done to beef up TCP/IP protocols and add facilities that identify hosts. This way you can prevent resource consumption attacks by changing the way sessions are established. And efforts are under way to add router capabilities that make it easier to trace packets, so sysadmins who aren't filtering their networks can still determine the source of the packets.
That is a big problem right now, because a large number of networks aren't configured to prevent certain things that make the smurf attack, for example, a very successful one.
Still other proposals now being introduced focus on how to make proper configuration mandatory or on incentives that coax network providers to do this comprehensively and correctly.
SunWorld: The president recently held a Web summit. Do you think that was appropriate?
Dave Dittrich: Certainly. I believe some of the fundamental issues, especially of DDoS attacks, are an educational problem in that people don't understand the underlying weaknesses of the Internet. On one hand, businesses are trusting the economy to the basic infrastructure of the Internet, which is pretty fragile and can be overwhelmed with attacks like this. Also, the Dow is going through the roof, and there's dot-com mania, so everyone is in awe of this whole thing and tends to forget about the underlying problem.
Then you've got the situation where the people who own this stuff aren't very aware of what the problems are and aren't patching the holes. So you have this large number of systems being compromised. The president can bring attention and provide organization to these matters.
For example, a presidential commission on infrastructure protection was established to explain the roles and responsibilities of those charged with protecting the infrastructure. I believe it was a directive [PDD 63] that created the National Infrastructure Protection Center, which is charged with exchanging information between the public and private sectors.
So there's a lot that can be done at that level to raise awareness and encourage cooperation from industry, academia, the government, and law enforcement.
SunWorld: What kind of cooperation?
Dave Dittrich: A lot of people criticize the FBI and government in general for not being very technically savvy. But if you can get government organizations such as law enforcement and the General Accounting Office to set up working relationships with industry -- with the people who actually know all the technical details -- you get a much better response. In the long run you get better proposals, better initiatives -- and the money is spent more efficiently.
SunWorld: Because they are communicating?
Dave Dittrich: Yes, because it brings agencies such as the FBI up to speed on how to do computer forensics. They are learning from industry. And vendors that provide hardware, such as the router manufacturers, learn what must be done to protect the infrastructure and design better products. It's all a matter of trying to bring attention to the right areas to solve the problem.
SunWorld: These attacks have made a lot of people worry about privacy rights. Do you think their fears are justified?
Dave Dittrich: Absolutely. There is a high dollar value placed on the ability to monitor communications, and a lot of money is being spent in the proposed [national] budget for eavesdropping capabilities. However, there's also money in there for training, forensics, and all the other areas that really do need to be beefed up. So it's good that people are saying, "Look, you're proposing to spend a whole lot of money for something we don't think is important. Rather than spending it on that, we think it would be more efficient if you were spending it here."
SunWorld: If a communications monitoring standard were accepted, even without government backing, would it mean we would still need to worry about a potential loss of privacy?
Dave Dittrich: To a degree, yes, because that would make it possible to trace a connection from one point to another. However, it's important to remember that anonymity on the Internet will still be possible. For example, companies like Zero-Knowledge [a vendor of privacy-protection tools] would provide a mechanism for having anonymous communications, which of course there are valid reasons for.
DoS attacks, however, are an example not of free speech, but of resources co-opted and used in a malicious way, and administrators need to be able to trace where they're coming from. To stop those kinds of things, one must be able to identify quickly where the packets are coming from. The current configuration of Internet protocols makes the problem a difficult one to deal with.
SunWorld: If they do end up finding the person who launched the attacks, it seems like they'd go after that person pretty vigorously. Do you think that's a good idea?
Dave Dittrich: That's a hard one. A lot of people are speculating that it's probably a teenager who did it for a prank, and historically the DoS attacks I've seen have involved young people and Internet Relay Chat-related things. If this is the case, I see no need to use overwhelming force to go in there and squash him.
Some people speculated this was done to cause stock prices to drop so somebody could make a killing. Still others speculated that it's some kind of a statement about corporate invasion of the Internet. So there's a bunch of motivations and a whole bunch of different groups that could have that motivation. The punishment, I think, depends on who the culprits are and what their reasons were for doing it.
The problem is real, though, and the dollar losses are real, so it's not unreasonable to conduct a thorough investigation. Prosecutors and investigators need to educate and prepare themselves for the time when this may become a real attack by terrorists or perhaps even by a foreign government.
SunWorld: So, aside from making their systems as secure as possible, what can companies do to prevent such attacks?
Dave Dittrich: The one thing I've been trying to make really clear is that denial of service is not the only issue. People are only concentrating on the network outages and are ignoring a really big part of the problem, which is having poorly trained system administrators who are underappreciated by companies and looked at as overhead expenses rather than critical resources.
[People say,] "We don't want to pay these techno-wonks, so we'll just hire one of them and make them work 50 or 60 hours a week and have them spread over 200 computers." No wonder systems are getting broken into! Administrators have too much work, they're not paid well enough, they are not appreciated.
SunWorld: So how can we turn the outages into an opportunity to educate the public about the real problem?
Dave Dittrich: I think we need to make it very clear that these costs are associated with having our economy based on the Internet, and the sooner people understand that costs exist because of that, the better. It is possible the Internet economy may be growing too quickly and will collapse under its own weight because we haven't built it with a strong-enough base.
We need to look at a fast computer on a fast connection as being like an expensive car that needs somebody trained to work on it. You can't work on it yourself anymore; it's too complicated and you're going to screw it up if you do. If you ... keep a spare set of keys visible on the dashboard when you lock it up, people will break into it and use it.
These systems need workers who know how to do backups, keep up with patches, and turn services off -- and who understand how the operating system works, how to take it apart, and how to put it back together again.
SunWorld: Do you think that in the end we can get to a place where networks really are secure?
Dave Dittrich: Eventually, yes. To use cars again as an analogy: When they first started delivering them they didn't have seat belts. Or doors, for that matter. A lot of people died because cars weren't well built, nor were the roads. Over time, through suffering, people demanded government regulation, including safety requirements. With the Internet and software in general, those ideas aren't there yet, but I do see the government, and also insurance companies, eventually regulating the industry and legislating standards and practices.
SunWorld: Speaking of the insurance industry, I noticed somewhere that companies are beginning to offer insurance against these kinds of attacks. How does that work?
Dave Dittrich: I haven't looked carefully at the coverage, but one of Elias' posts mentions three companies that sell insurance related to "computer damage." I think it may be used as protection against denial of service. For example, if your business is based on online service revenue like Yahoo!'s is, you'll be forced to refund advertisers' money if the site is down for a given amount of time.
SunWorld: Do you think that's a trend that will continue?
Dave Dittrich: Probably. I also foresee litigation on big-dollar losses, with the people who own the computers being held liable for not adequately protecting them.
SunWorld: In this case, they seem to have traced at least some of the offending computers to UC Santa Barbara and Stanford. If that's proven true, are you saying those universities would be held accountable?
Dave Dittrich: I don't know if this is an instance where that would happen, but I think in the future it probably will.
SunWorld: But if they steal my handgun and use it in a crime, can I be held liable? I mean, if I left it out on the front lawn?
Dave Dittrich: In some jurisdictions, yes. I can think of one case of an ISP that had a problem with DoS attacks and sued one of its customers because the customer was repeatedly involved in attacks and was told to do something about it but didn't. So [such liability] will probably start to happen at some point.
SunWorld: Stock prices of computer security companies have gone up a lot recently because of this -- or at least that's the reason the analysts give. Do you think computer security has the potential of being the Next Big Thing -- or, if not the next big thing, then a next big thing?
Dave Dittrich: The government has been trying to get organizations to secure their computer systems for some time now, but quite often it's a problem of budget allocation. I don't know whether places such as universities are going to spend a bundle on security systems. Businesses, on the other hand, tend to have more money and need to ensure the protection of their infrastructure.
Everybody is looking for a solution, and a lot of vendors are saying they have one. It is a buyer-beware thing, though, because a lot of those vendors are selling snake-oil solutions that are no better than the ones out there for free.
SunWorld: So what can people do to make sure they implement security wisely?
Dave Dittrich: One person -- I wish I knew who it was -- said, "Every board of directors should have a hacker on it."
SunWorld: And by hacker you mean in the good sense of the word.
Dave Dittrich: In the good sense, yeah. I've recently started calling myself a hacker in interviews to send the message that hacking isn't, by definition, a malicious act.
SunWorld: I've seen a few media reports indicating the DoS tools used in these attacks were open source software. Does that seem right to you?
Dave Dittrich: Yes and no. The way they are talking about the tools being open source, or the development being like the open source development model, has to do with the fact that yes, the source code was available to the people who used it. They actively added features to it, and they may or may not have been in communication with the authors. I don't know. At least Mixter was doing some development of his own tool, which he made public, so in that sense, they did follow the open source development model. But in a way, I don't like the use of open source in this case, because it's just like the use of the word hacker. It gives open source a bad reputation.
SunWorld: So how do you think calling the tools open source got into the media reports? I mean, it isn't as though these tools were up at SourceForge or Freshmeat.
Dave Dittrich: That probably came from either the workshop paper or by quoting participants in that workshop. At the workshop we used the term open source development model to mean that source code was available to those using and developing the tools. Therefore, individuals completely independent of the author could modify the tools for their own purposes by adding new features. Those features could be present in the tools' subsequent generations.
SunWorld: Earlier, you mentioned Mixter. I read in a different report that Mixter apparently released a tool that was not actually to be used, that it was sort of like SATAN. Do you believe that? Do you know Mixter?
Dave Dittrich: I have never met Mixter and have never had direct correspondence with him. We have responded to each other's mail on public mail lists, but that's as far as it goes.
To answer [your first] question, there was a time when I was experiencing intrusion problems at the university. So I'm sitting in a meeting with my boss and this student, and we're discussing how the break-ins happened and what could be done to close up the holes. After a couple of weeks it became apparent this student was the person who, along with another student at the time, was doing the hacking. So in those meetings we were effectively teaching this guy how to break down our defenses. When we questioned him, his response was that he didn't want to tell us [he was the hacker], because he wanted to see how we'd react, and that he only did it to "improve security."
So yes, security did get improved, but we spent a lot of time on it that could have been spent on something else. On the one hand, there was a waste of money, but on the other, there was a benefit.
But I don't think keeping these things private is necessarily a good thing either. To take a worst-case scenario, let's say the tools are developed in private by a team of people who are actively debugging them and making them more efficient. Somehow, an anonymous underground figure obtains them, and that person is a member of some group that really does want to wreak some havoc. So the tools exist, but nobody knows about them and nobody is prepared to deal with them. And then the underground group decides to use them to cause disruption to the stock market, the air traffic control system, or whatever. By keeping it private, isn't the outcome worse?
In this case, it's Mixter who's doing it, and it's very risky for him because he's publishing papers on how to deal with these things. He knows quite a bit, but if he wants to be a legitimate security person and have credibility in the computer security industry, it's a big risk for him. I don't know whether refraining from publishing this information would be a benefit, because then the problems won't get addressed. It's a really tricky argument.
SunWorld: Were you surprised when Slashdot asked you to do their weekly interview? How did you feel about that?
Dave Dittrich: Actually, yes, I was kind of surprised. The amount of attention I'm getting right now has been a little bit weird. There was supposed to be a profile in a column in the Wall Street Journal, and I felt a little uncomfortable when CBS News was considering interviewing me on-air. They eventually decided to take a quote instead.
But I'm glad the discussion is happening. I do think it's a positive thing coming out of this.
SunWorld: Before I interrupted you, you were talking about having a hacker on every board of directors.
Dave Dittrich: And that's not a bad suggestion. [This problem is] based on lack of information and lack of understanding. If you only have people [on the board] who are looking at ... their business plan and their projections for revenue -- and they go out and spend some money and meet those revenue projections -- the stock analysts [might] say, "They did a great job!"
But if they've completely forgotten that these things break and that they need to understand how to engineer them so they don't break, then they suffer one of these big losses because someone breaks in and steals all their customers' credit card numbers. And then what?
Historically, companies have tried to downplay those security problems because they didn't want others to know that they got a black eye. But by covering everything up nobody learns that there are serious flaws. If you had somebody on the board who said, "I think the way we're designing this is really, really fragile and we're running the risk of our stock prices dropping like crazy," developers would design things in a different way.
Going back to the growth in the computer security industry, I think consulting is the area that will have the most legitimate growth. People who break into systems are very knowledgeable about their task, and the consulting companies -- at least the good ones -- have that same knowledge base. If they can take that knowledge and use it in the design of ecommerce systems, infrastructure, or even software, that's a good thing.
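The router-side mitigations Dittrich lists early in the interview (RFC 2267 ingress filtering against spoofed sources and rate limiting of ICMP against smurf-style floods), shown as an added Python simulation that is not part of the interview or of any vendor's code; the customer prefix, addresses, packets, and token-bucket parameters are constructed assumptions.

```python
"""Added example: simulated RFC 2267 ingress filtering plus a token-bucket
ICMP rate limit at a network edge.  All prefixes and packets are constructed."""
from ipaddress import ip_address, ip_network

# Constructed: the only prefix a customer-facing interface should originate from.
CUSTOMER_PREFIX = ip_network("192.0.2.0/24")


def ingress_filter(packet, allowed_prefix=CUSTOMER_PREFIX):
    """Return (accept, reason) for a packet seen at the customer edge.
    RFC 2267: drop anything whose source lies outside the prefix delegated to
    the interface, which is what a spoofed flood packet looks like.  Also
    refuse packets addressed to the LAN broadcast address so the LAN cannot
    serve as a smurf amplifier."""
    src = ip_address(packet["src"])
    dst = ip_address(packet["dst"])
    if src not in allowed_prefix:
        return False, "spoofed-source"
    if dst == allowed_prefix.broadcast_address:
        return False, "directed-broadcast"
    return True, "ok"


class TokenBucket:
    """Simple rate limiter: refill `rate` tokens per second up to `burst`."""

    def __init__(self, rate, burst, now=0.0):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, now

    def allow(self, now):
        self.tokens = min(self.burst, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def filter_packets(packets, icmp_rate=2, icmp_burst=3):
    """Run packets through ingress filtering, then ICMP rate limiting.
    Returns one verdict string per packet, in order."""
    bucket = TokenBucket(icmp_rate, icmp_burst)
    verdicts = []
    for p in packets:
        ok, reason = ingress_filter(p)
        if ok and p["proto"] == "icmp" and not bucket.allow(p["t"]):
            ok, reason = False, "icmp-rate-limit"
        verdicts.append(reason)
    return verdicts


# Constructed sample: legitimate TCP, spoofed source, directed broadcast,
# then a burst of five ICMP packets 10 ms apart (only three fit the bucket).
SAMPLE = [
    {"src": "192.0.2.10", "dst": "198.51.100.5", "proto": "tcp", "t": 0.0},
    {"src": "203.0.113.7", "dst": "198.51.100.5", "proto": "tcp", "t": 0.1},
    {"src": "192.0.2.11", "dst": "192.0.2.255", "proto": "icmp", "t": 0.2},
] + [{"src": "192.0.2.12", "dst": "198.51.100.5", "proto": "icmp", "t": 0.3 + i * 0.01}
     for i in range(5)]

if __name__ == "__main__":
    for p, v in zip(SAMPLE, filter_packets(SAMPLE)):
        print(f'{p["src"]} -> {p["dst"]} {p["proto"]}: {v}')
```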
About the author
J.S. Kelly is a freelance writer who lives in the San Francisco Bay Area.