Denial of Service – Exposed

Analysts credit advance warning about the Blaster worm, in addition to Microsoft’s clever rewriting of standard Internet-connection protocols, as the weapons used in defeating a denial-of-service (DoS) attack against the software company’s Windows help Web site on August 16th.

The Blaster worm, which infected more than one million computers worldwide in August, created a legion of willing computers with orders to launch an attack aimed at shutting down the Microsoft Web site. Some analysts point to new intrusion-prevention products that can slow down and stop future attacks of this kind. Others warn that such products will not provide computer users with a universal panacea.

“These anti-intrusion systems are quite effective in analyzing and responding to traffic flow to and from a computer network,” Matthew Silveira, vice president of Captus Networks, told TechNewsWorld. Captus develops technology designed to fight DoS attacks.

Hackers are continually advancing their worms and creating other viruses, so new anti-intrusion products are simply the latest generation of conventional security strategies, countered Ian Hameroff, a security strategist at Computer Associates. They are not, he said, a cure-all solution.

“Like the snake-oil salesmen of old, no one software solution will rid computer users of Internet-based attacks,” he told TechNewsWorld. “DoS threats are always going to exist.”

Users Amplify Problem

Hackers continue to wage attacks against corporate and government Web sites because typical home-consumer and small-business users don’t apply adequate security measures. Today’s most popular computing platform, Windows XP, makes it simple — in its default state — for hackers to gain access, according to industry analysts.

“A brand-new Windows XP computer can be infected with a worm within the first five minutes of connecting to the Internet,” Jerry Brady, CTO of Guardent, told TechNewsWorld. “The Windows XP platform is one of the most fertile sources for hackers.”

Speed is the key element in blocking an attack, said Computer Associates’ Hameroff. Hackers can launch attacks in very short time periods, thanks to the popularity of the Internet. Eventually, he said, hackers will succeed with what he called a “zero day attack” in which there is less than 24 hours between a vulnerability’s announcement and its exploit.

He said all users should become proactive in responding to media alerts about virus warnings so that their computers are not vulnerable.

Anatomy of an Attack

A denial-of-service attack resembles a telemarketer calling your home phone repeatedly. You would not be able to receive regular calls on that line because the telemarketer would be blasting your line with repeated attempts to connect to you.

A DoS attack, at its simplest level, takes the form of one computer user swamping a target computer with an overabundance of connection attempts. This bombardment of data packets overwhelms the attacked computer, which innocently attempts to respond to each individual packet it receives — much like an innocent home user attempting to pick up a telemarketer’s call several times per second. This activity keeps the attacked computer system so busy that it cannot respond to other access requests.

A distributed denial-of-service (DDoS) attack — the worst kind of DoS attack — uses more sophisticated techniques to enlist legions of hijacked computers in a massive assault against a single server. Often, the computers used in these DDoS attacks belong to unsuspecting DSL or broadband cable subscribers, who have been secretly hijacked by malicious hackers.

“When we start to talk about this type of denial-of-service, things get much more difficult,” Mikko Hermanni Hyppnen, director of antivirus research at F-Secure, told TechNewsWorld. In this case — extending the telemarketer example — the telemarketer is not making the phone calls alone. Instead, the telemarketer has enlisted hundreds or even thousands of telemarketers to dial your number simultaneously, over and over again.

“Your phone would ring off the hook, and there would be nothing you could do to stop it,” said Hyppnen. “That’s why DDoS attacks are so hard [to control].”

Attack Scenarios

Analysts see a growing trend toward hijacking personal computers instead of university networks to stage DDoS attacks. The hacker has a limitless supply of home computers that lack up-to-date virus software and have little or no intrusion protection in place.

Hackers can gain easy access to many machines by exploiting operating-system weaknesses. They gain access to well-known ports and services with viruses and worms. Typical DoS and DDoS attacks use a standard infection method or a variation on them. These attacks follow one of three primary methods.

The Smurf/Reflector attack — perhaps the most common DoS attack — spoofs the Internet Control Message Protocol (ICMP) to ping data packets with the IP address of the target host. The hacker randomizes the destination field or uses a list of known reflectors, which are known locations that will respond to a ping request. The reflectors send a response to the intended target with an ICMP Echo Reply packet. The target network is then overrun with useless traffic.

A TCP/UDP attack disrupts network communications or interferes with connection performance. The hacker uses standard Transmission Control Protocol (TCP) and the User Datagram Protocol (UDP) to target specific ports on a host, flooding a target network with useless traffic.

A spoofed-source attack — often called a SYN attack — conceals the originating address or source. The hacker sets the destination address field of the IP packet for the target host and randomizes the source address field. The target host processes each packet, opens a virtual port and responds to the address in the source field.

No Easy Prevention

DoS and DDoS attacks work, quite simply, because the Internet Protocol is based on trust. The protocol trusts that the contacting computers have legitimate business to conduct. The IP isn’t designed to test the trustworthiness of the connection itself — and it therefore can be exploited. The next version of IP — IPv6 — could solve some of these problems, but it has not achieved critical mass and is only reluctantly being rolled out because of associated costs.

Meanwhile, hackers continue to exploit the built-in trust problems of the current IP, said Guardent’s Brady. “They tend not to lock down systems they infiltrate and then trade them off to other hackers in exchange,” he said. “So once a computer is vulnerable, it tends to get reacquired.”

Analysts, who don’t see an easy end to DoS and DDoS attacks, say a solution can only come from a combination of several factors: Corporations must prepare in advance for possible attacks with instant-response plans; ISPs must strengthen their filtering mechanisms; and computer users must educate themselves about safe-computing practices.

Still, Captus Networks’ Silveira holds out hope. “I’m optimistic that new technology can address this problem now.”