DoS threats are rampant, although there are only a few previous cases in the RISKS archives--for example, involving attacks on PANIX, WebCom, and Australian communications. There are many DoS types that do not even require direct access to the computer systems being attacked. Instead, those attacks are able to exploit fundamental architectural deficiencies external to the systems themselves rather than just widespread weak links that permit internal exploitations.
Well, just as I started to write this column in February, an amazing thing happened. Within a three-day period, Yahoo, Amazon.com, eBay, CNN.com, Buy.com, ZDNet, E*Trade, and Excite.com were all subjected to total or regional outages of several hours caused by distributed denial-of-service (DDoS) attacks--that is, multiple DoS attacks from multiple sources. Media moguls seem to have been surprised, but the DDoS concepts have been around for many years.
Simple DoS flooding attacks (smurf, syn, ping-of-death) can be carried out remotely over the Net, without any system penetrations. Other DoS attacks may exploit security vulnerabilities that permit penetrations, followed by crashes or resource exhaustion. Some DDoS attack scripts (Trinoo, Tribal Flood Network and TFN2K, Stacheldraht) combine two modes, using the Internet to install attack software on multiple unwitting intermediary systems ("zombies"), from which simultaneous DoS attacks can be launched on target systems without requiring penetrations. In general, DDoS attacks can cause massive outages, as well as serious congestion even on unattacked sites.
DoS attacks are like viruses--some specific instances can be detected and blocked, but no general preventive solutions exist today or are likely in the future. DDoS attacks are even more insidious. They are difficult to detect because they can come from many sources; trace-back is greatly complicated when they use spoofed IP addresses.
Common security advice can help in combatting DDoS: install and properly configure firewalls (blocking nasty traffic); isolate machines from the Net when connections are not needed; demand cryptographic authenticators rather than reusable fixed passwords, to reduce masqueraders. But these ideas are clearly not enough. We also need network protocols that are less vulnerable to attack and that more effectively accommodate emerging applications (interactive and noninteractive, symmetric and asymmetric, broadcast and point-to-point, and so on)--for example, blocking bogus IP addresses. For starters, we need firewalls and routers that are more defensive, cryptographic authentication among trustworthy sites, systems with fewer flaws and fewer risky features, monitoring that enables early warnings and automated reconfiguration, constraints on Internet service providers to isolate bad traffic, systems and networks that can be more easily administered, and much greater collaboration among different system administrations.
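The "blocking bogus IP addresses" item above can be made concrete as source-address validation at a provider's edge. The sketch below is an added illustration, not part of the original column; the interface names, the customer prefixes and the `classify`/`summarize` helpers are constructed assumptions.

```python
import ipaddress
from collections import Counter

# Source ranges that should never arrive from the public Internet.
BOGON_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8",       # "this network"
    "10.0.0.0/8",      # private
    "127.0.0.0/8",     # loopback
    "169.254.0.0/16",  # link-local
    "172.16.0.0/12",   # private
    "192.168.0.0/16",  # private
    "224.0.0.0/3",     # multicast and reserved
)]

# Constructed sample: prefixes assigned to each customer-facing interface.
CUSTOMER_PREFIXES = {
    "cust-a": [ipaddress.ip_network("198.51.100.0/25")],
    "cust-b": [ipaddress.ip_network("203.0.113.0/24")],
}

def classify(interface, src):
    """Return 'pass', 'drop-spoofed' or 'drop-bogon' for one packet."""
    addr = ipaddress.ip_address(src)
    if interface in CUSTOMER_PREFIXES:
        # Customer edge: only the customer's own prefixes are valid sources,
        # so a compromised host there cannot emit forged source addresses.
        if any(addr in net for net in CUSTOMER_PREFIXES[interface]):
            return "pass"
        return "drop-spoofed"
    # Any other (upstream or peering) edge: reject unroutable sources.
    if any(addr in net for net in BOGON_NETS):
        return "drop-bogon"
    return "pass"

def summarize(packets):
    """Count verdicts over (interface, source address) pairs."""
    return Counter(classify(iface, src) for iface, src in packets)

# Constructed sample traffic: (arrival interface, claimed source address).
SAMPLE_PACKETS = [
    ("cust-a", "198.51.100.10"),   # inside cust-a's /25
    ("cust-a", "198.51.100.200"),  # outside the /25: forged
    ("cust-b", "10.1.2.3"),        # private source from a customer: forged
    ("upstream", "10.1.2.3"),      # private source from the Internet
    ("upstream", "192.0.2.7"),     # plausible public source
]

if __name__ == "__main__":
    for verdict, count in sorted(summarize(SAMPLE_PACKETS).items()):
        print(f"{verdict}: {count}")
```

Filtering at the customer edge is the stricter of the two checks: it stops forged sources where they originate, which is also what makes trace-back of the remaining traffic tractable.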
As attack scripts become increasingly available, DoS and DDoS attacks become even more trivial to launch. It is probably naive to hope that the novelty of these attacks might wear off (which is what many people hoped in the early days of viruses, although today there are reportedly over 50,000 virus types). But if the attacks were to disappear for a while, the incentives to address the problem might also diminish.
The FBI and its National Infrastructure Protection Center (NIPC) are taking a role in trying to track down attackers, but the flakiness of the technology itself makes tracing difficult. Above all, it is clear this is a problem in desperate need of some technological and operational approaches; relying on law enforcement as a deterrent is not adequate--especially against attacks mounted from outside of the U.S. This is not just a national problem: every computerized nation has similar risks, and attacks on any site can be launched from anywhere in the world.
The Internet has grown without overall architectural design (as have many of its applications). Although this may have accelerated expansion, some current uses vastly exceed what is prudent. We urgently need to launch a concerted effort to improve the security and robustness of our computer-communication infrastructures. The recent DoS problems are only a foretaste of what could happen otherwise.
See "Results of the Distributed-Systems Intruder Tools Workshop" (www.cert.org/reports/dsit_workshop.pdf) and some partial antidotes (such as www.fbi.gov/nipc/trinoo.htm). PETER NEUMANN (www.csl.sri.com/neumann/) is the moderator of the online Risks Forum (comp.risks).
|Title Annotation:||Internet/Web/Online Service Information|
|Author:||Neumann, Peter G.|
|Publication:||Communications of the ACM|
|Date:||Apr 1, 2000|