
Web attackers run roughshod



Last week's unprecedented series of attacks on top e-commerce and news Web sites appeared to have waned by the weekend, but industry experts warned that there's no easy way to prevent such attacks from happening again.

The unknown aggressor or aggressors attacking Amazon.com, CNN.com, eBay and other sites used a new breed of network weapons called distributed denial-of-service attack tools. The tools can unite hundreds or even thousands of computers to flood the routers or servers of target Web sites with bogus requests, blocking legitimate users and shutting down e-businesses.

Last week's targeted sites, working closely with their ISPs and Web-hosting providers, needed an average of three hours to get their Web sites up and running after being struck. Equipment vendors and service providers were tripping over one another last week to claim that their latest offerings could prevent or minimize damage from denial-of-service attacks.

But security experts say companies are largely defenseless against attacks as powerful as the ones launched last week, though they say properly configuring certain switches and routers can help ease the pain.

"It's just not possible to shut down denial-of-service attacks today," says Roberto Medrano, general manager for Hewlett-Packard's security division. "But it is important how you react to them, by filtering out addresses and giving priority to the ones you want."

The FBI, which is working with the victims of last week's attacks to find the culprit or culprits, is encouraging companies to visit the National Infrastructure Protection Center (www.nipc.org) to download free software that can help determine whether their computers are being used as staging areas for denial-of-service attacks. Companies can also consult the new IETF draft RFC 2267 to find procedures, such as router rate-limit filtering, designed to thwart denial-of-service attacks.

UUNET's Mark Krause, senior manager of infrastructure security, says he'd like to see tools that let ISPs detect and track denial-of-service attacks in real time. Most of last week's victims are UUNET Internet access customers, he says. Two security software vendors, CyberSafe and Internet Security Systems, are working separately on versions of their intrusion-detection products for ISPs. But this future vision was little help to the half-dozen sites temporarily forced out of business by a bombardment of unwanted IP packets.

Despite the FBI's involvement and strong words from U.S. Attorney General Janet Reno, observers don't expect a fast resolution. But they are hopeful that the investigation will be successful over time.

"It's hard, but we caught people at NASA just a few months ago," says Tom Talleur, a KPMG director who specialized in commercial crimes at NASA and U.S. intelligence agencies. "They took out our servers at NASA all the time."

Reports late last week said the FBI was zeroing in on undisclosed locations in California and Oregon as possible sources of the attacks.

Based on the information it collected last week, the FBI believes all the attacks involved the use of one of the four known distributed denial-of-service attack tools. Two of them, the Unix-based Trin00 and Tribal Flood Network (TFN), were discovered last November. Two more, Stacheldraht (German for "barbed wire") and TFN2K (a version of TFN ported to Windows NT that encrypts its IP packet bombardments to make them harder to detect), were found on the Web just last week.

The older denial-of-service attack tools, which have been around for years, are limited to one attacker firing bogus packets at a victim's server or router. But the newer distributed type operates on the idea that the attacker, with client software, can remotely control several servers to launch the attacks through a "master" server. "To my knowledge, the attack came from all directions," says Monty Mullig, vice president of Internet technology at CNN, whose news site gets 2.5 million page views each day. CNN, which uses six ISPs, noticed problems with its routers at around 7 p.m. last Tuesday. "The attack was broadly distributed across all our providers," he says.

GTE Internetworking, an ISP for CNN.com and three other assault victims - E*Trade, Amazon.com and ZDNet - worked to set up filters at upstream routers away from the Web servers to block the IP-based attacks. Kelly Cooper, Internet security officer at GTE Internetworking, says the ZDNet news site was swamped by a massive attack of bogus requests called a "SYN Flood." Once ZDNet and GTE Internetworking realized the attack was on, at about 7 a.m. last Tuesday, they started looking for suspicious traffic patterns in the server logs and upstream routers.

After SYN flooding was determined to be the cause, GTE Internetworking began filtering out illegitimate traffic at the router. Cooper says it wasn't possible to determine the source of the attack because the IP addresses had apparently been spoofed. This type of traffic was using IP addresses set aside by the Internet Assigned Numbers Authority to be used only in private IP networks, Cooper says. The fact that the addresses looked out of place on the Internet helped identify them in order to filter them out.

An e-commerce site, Buy.com, was jammed from 11 a.m. to 2 p.m. Tuesday. During that time, Exodus Communications, the Buy.com Web-hosting service provider in Santa Clara, managed to analyze the offending traffic and filter it out.

Gary Grossman, director of security research and development at Exodus, declines to state the exact nature of the attack on Buy.com. But he urges organizations to ensure that distributed denial-of-service attack code has not been secretly installed on their servers.

Yahoo, the first known victim in last week's string of attacks, was lost in cyberspace for about three hours. Yahoo's Sunnyvale, Calif., Web hosting company, Global Center, worked closely with Yahoo once the Internet portal realized it was being hit.

"Both Yahoo and we noticed traffic changes simultaneously," says Laurie Priddy, an executive vice president at Global Center, which houses Yahoo's routers and server farm. The first sign of trouble, she says, came early last Monday when "the outbound traffic flow had dropped dramatically while inbound had increased."

Staff from Yahoo and Global Center spent half an hour diagnosing the routers and at first thought there were interoperability problems between the Yahoo and Global Center routers.

"Everything had been fine one moment, and the next - not!" Priddy says. "All the traffic had stopped, and packets were being dropped." Another network service provider also called to report problems.

After 30 minutes of equipment diagnosis, Yahoo and Global Center realized a denial-of-service attack was under way in which massive amounts of unwanted ICMP echo reply packets, or pings, were aimed at the Yahoo gear. Global Center managed to get the situation under control by implementing a rate-limit filter in the routers to stop the ICMP bombardment.
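The indicators the providers describe above, spoofed sources from private address space behind a SYN flood at ZDNet, an ICMP echo-reply bombardment at Yahoo, and Global Center's observation that inbound traffic rose while outbound collapsed, can all be checked mechanically against per-second traffic records. The following Python is an added illustration, not code from the article or from any of the providers named in it. It works on constructed sample records (the tuple layout, the `SERVER` address, the thresholds and the function names are all assumptions made for this example), flags the private-source packets that RFC 1918 reserves for internal networks and that RFC 2267 ingress filtering would stop at the network edge, and reports the seconds in which the SYN rate, echo-reply rate or inbound-to-outbound ratio crosses a threshold.

```python
"""Triage of per-second packet records for the three indicators the article describes.

Added example with constructed data; thresholds and record layout are assumptions.
"""
import ipaddress
from collections import defaultdict

# RFC 1918 space: sources from here have no business arriving from the public Internet.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

SERVER = "198.51.100.10"  # assumed address of the protected Web server (documentation range)


def is_private_source(src):
    """True when src falls inside an RFC 1918 range."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in PRIVATE_NETS)


def build_sample_records():
    """Constructed sample traffic, not captured data.

    Each record is (second, direction, src, dst, proto, detail) where detail is the
    TCP flag string ("S", "SA", "PA") or the ICMP type name ("echo-reply").
    """
    recs = []
    # Seconds 0-1: ordinary browsing; every inbound SYN is answered by outbound packets.
    for sec in (0, 1):
        for i in range(5):
            client = f"203.0.113.{i + 1}"
            recs.append((sec, "in", client, SERVER, "tcp", "S"))
            recs.append((sec, "out", SERVER, client, "tcp", "SA"))
            recs.append((sec, "out", SERVER, client, "tcp", "PA"))
    # Second 2: SYN flood whose sources are spoofed from 10.0.0.0/8 (the pattern GTE saw).
    for i in range(60):
        recs.append((2, "in", f"10.{i % 7}.{i}.{i + 1}", SERVER, "tcp", "S"))
    # Second 3: ICMP echo-reply flood from many public addresses (the pattern Yahoo saw).
    for i in range(80):
        recs.append((3, "in", f"192.0.2.{i + 1}", SERVER, "icmp", "echo-reply"))
    return recs


def per_second_stats(records):
    """Count inbound/outbound packets, inbound SYNs, private-source SYNs and echo replies."""
    stats = defaultdict(lambda: {"in": 0, "out": 0, "syn": 0, "syn_private": 0, "echo_reply": 0})
    for sec, direction, src, _dst, proto, detail in records:
        st = stats[sec]
        st[direction] += 1
        if direction == "in" and proto == "tcp" and detail == "S":
            st["syn"] += 1
            if is_private_source(src):
                st["syn_private"] += 1
        if direction == "in" and proto == "icmp" and detail == "echo-reply":
            st["echo_reply"] += 1
    return dict(stats)


def find_anomalies(records, syn_per_sec=40, echo_reply_per_sec=40, inbound_ratio=3.0):
    """Return the seconds that trip each indicator plus the set of private sources seen."""
    stats = per_second_stats(records)
    result = {"syn_flood": [], "icmp_flood": [], "ratio_flip": [], "private_sources": set()}
    for sec in sorted(stats):
        st = stats[sec]
        if st["syn"] >= syn_per_sec:
            result["syn_flood"].append(sec)
        if st["echo_reply"] >= echo_reply_per_sec:
            result["icmp_flood"].append(sec)
        # Inbound far exceeding outbound is the "outbound dropped, inbound rose" sign.
        if st["in"] >= inbound_ratio * max(st["out"], 1):
            result["ratio_flip"].append(sec)
    for _sec, direction, src, _dst, _proto, _detail in records:
        if direction == "in" and is_private_source(src):
            result["private_sources"].add(src)
    return result


def bogon_filter(records):
    """Apply the edge filter: drop inbound packets with private sources; returns (kept, dropped)."""
    kept, dropped = [], []
    for rec in records:
        (dropped if rec[1] == "in" and is_private_source(rec[2]) else kept).append(rec)
    return kept, dropped


if __name__ == "__main__":
    sample = build_sample_records()
    report = find_anomalies(sample)
    kept, dropped = bogon_filter(sample)
    print("SYN-flood seconds:", report["syn_flood"])
    print("ICMP echo-reply flood seconds:", report["icmp_flood"])
    print("inbound/outbound ratio flip seconds:", report["ratio_flip"])
    print(f"private-source packets dropped at the edge: {len(dropped)} of {len(sample)}")
```

The private-source check is the only one that identifies packets individually; the rate and ratio checks identify seconds, which is why the rate-limit filters the providers applied act on traffic classes rather than on addresses. A real deployment would feed this from router flow exports rather than a constructed list and would tune the thresholds to the site's normal load.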

Some security experts believe the denial-of-service attacks are coming from the university community, in which students have large amounts of network bandwidth and budding curiosity. Universities acknowledge there's plenty of opportunity for it.

"The very idea of having an open, accessible network invites the type of attack that we're seeing," says John Fisher, director of network support services at Rensselaer Polytechnic Institute in Troy, N.Y. "This is the first time students get exposed to that much bandwidth. It's almost like electronic crack."

Fisher adds that denial-of-service attacks can be difficult to trace. "If the attackers are clever and are masquerading who they are, they're probably using other systems they've broken into, and it can be very difficult."

Senior Editor Carolyn Duffy Marsan also contributed to this report.

RELATED LINKS

eToys attacks show need for strong Web defenses
Article discusses distributed DoS attacks and possible ways to defend against them.
Network World, 12/20/99.

Distributed System Intruder Tools: Trinoo and Tribe Flood Network
CERT advisory.

CERT's Denial of Service alerts
Gives suggestions on how to deal with the problem.

The FBI's Denial of Service Information area
Includes information about TrinOO and Tribal Flood.

Steps for dealing with an attack
Includes information about security products.
Internet Security Systems.

Report: Common Vulnerabilities and Exposures
Background about the perils of information sharing.
Mitre.

DOS research
Articles, primers and newsgroups.

Copyright, 1994-2006 Network World, Inc. All rights reserved.