Denial-of-service threat gets IETF's attention
Remember the denial-of-service attacks that brought eBay and other popular Web sites to their knees in February? The Internet engineering community is developing technology that promises to minimize the damage these attacks cause by quickly identifying the computer systems where the traffic originates.

The Internet Engineering Task Force (IETF) last week launched a working group to develop ICMP Traceback Messages, which would let network managers discover the path that packets take through the Internet. Nicknamed itrace, the new working group plans to submit a proposed standard for traceback messages to the IETF leadership next January.

Itrace can't prevent denial-of-service attacks. But it will be an important tool for network managers trying to isolate and stop these attacks. The itrace approach also can address denial-of-service attacks inside a far-flung corporate network built on Internet standards.

"Itrace is a pretty important initiative," says John Pescatore, research director for network security at Gartner Group, a Stamford, Conn., market research firm. "What we need are standard mechanisms that can be built into the Internet switching infrastructure. That's the only place it will work to stop distributed denial-of-service attacks."

One drawback of itrace is that it identifies the machines that are sending the attack traffic, typically compromised hosts, not the hacker who programmed them. Therefore, itrace will not by itself help law enforcement officials trying to catch and prosecute hackers.

Itrace also faces a deployment challenge because it becomes effective only after the technology is installed across the Internet's backbone and edge routers. In the best-case scenario, the itrace rollout will take 18 months.

Nonetheless, itrace is the most promising technology that the Internet engineering community has conceived for battling denial-of-service attacks.

"The ISPs don't have good tools to trace these kinds of attacks back today. That's what we're trying to do," says Steve Bellovin, a network security researcher at AT&T Labs who is heading the IETF effort. "Itrace will be quite helpful, but I don't think it's a panacea. What you really want to do is deal with the attacks and stop them from hurting you."

In a distributed denial-of-service attack, a hacker breaks into other people's servers and programs them to flood a Web site with massive amounts of bogus traffic until the Web site crashes. In the much-publicized February attacks, it took Web site operators and their ISPs several hours to thwart the attacks and get sites back up and running.

One of the reasons it takes so long to stop a denial-of-service attack is that the attacking machines send the bogus traffic with spoofed source IP addresses, so the addresses in the packets say nothing about where they really came from. Itrace would let Web site operators and ISPs track denial-of-service attacks back to their true sources within minutes.

With itrace, each router randomly selects a small fraction of the packets it forwards and, for each selected packet, generates a traceback message that it sends to the packet's destination. Each traceback message identifies the packet being traced, when it was forwarded, the hop it arrived from and the hop it was sent to (so the forged source address inside the packet does not matter), and carries authentication data so the recipient can verify the message really came from that router.

Network managers can piece the traceback messages together into a chain that represents a packet's path through the Internet. This capability is important because a packet takes as many as 20 hops through routers at various ISP locations as it moves through the Internet from sender to recipient.

Because the traceback messages are sent at a rate of one out of every 20,000 packets, they won't have a significant impact on the performance of the router or the Internet overall. A flood of a few million packets, however, still yields dozens of messages from every router on the path, so with enough traceback messages from enough routers, a network manager can find the source of a large amount of illegitimate traffic.

One disadvantage of itrace is it stores information in the traceback messages in compressed form, so the information is ambiguous and requires some analysis and guesswork, says Fred Baker, chair of the IETF. "Due to this ambiguity, itrace is not a silver bullet. But it gives us a clue, where right now we are often completely in the dark."

The main challenge for itrace is getting router vendors to support it and ISPs to deploy it. One question is whether ISPs will deploy it just on their border routers or on all the routers in their networks. The latter approach is better because itrace is more helpful if it is deployed on more routers.

"Nobody can compel the ISPs to deploy this," AT&T Labs' Bellovin says. "The goal is to produce a specification that has support from router vendors such as Cisco and Juniper and from the ISPs."

ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without strong authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks and point investigators at an innocent network.
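The sampling, path reconstruction and message authentication described above, as an added toy model (not code from the IETF draft, AT&T Labs or any router vendor). It uses the article's 1-in-20,000 sampling rate and a constructed five-router path; an HMAC with a per-router shared key stands in for the PKI-based authentication the article says ISPs would need, and the router and host names, key values and the fixed random seed are all assumptions made for the example:

```python
"""Toy model of ICMP Traceback (itrace): probabilistic sampling at each router,
authenticated traceback messages, and path reconstruction at the victim.
Added example; not the IETF draft's or any vendor's code."""
import hashlib
import hmac
import random
from collections import defaultdict

SAMPLE_RATE = 1 / 20_000   # one traceback message per 20,000 forwarded packets


def packet_digest(pkt):
    """Fingerprint of the traced packet so the victim can match it to its logs."""
    return hashlib.sha256(repr(pkt).encode()).hexdigest()[:16]


def sign_traceback(key, fields):
    """Assumption: HMAC-SHA256 under a per-router key stands in for the
    certificate-based authentication a real deployment would need."""
    msg = "|".join(str(f) for f in fields).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class Router:
    def __init__(self, name, key, rng):
        self.name, self.key, self.rng = name, key, rng

    def forward(self, pkt, prev_hop, next_hop, now):
        """Forward pkt; with probability SAMPLE_RATE also emit a traceback
        message (router, prev_hop, next_hop, digest, time, mac) addressed to
        the packet's destination. Returns the message or None."""
        if self.rng.random() >= SAMPLE_RATE:
            return None
        fields = (self.name, prev_hop, next_hop, packet_digest(pkt), now)
        return fields + (sign_traceback(self.key, fields),)


class Victim:
    def __init__(self, name, router_keys):
        self.name = name
        self.router_keys = router_keys   # stands in for verifying router certificates
        self.accepted, self.rejected = [], 0

    def receive_traceback(self, msg):
        """Accept only messages whose MAC verifies under the claimed router's key."""
        router, *rest, mac = msg
        key = self.router_keys.get(router)
        if key is None or not hmac.compare_digest(mac, sign_traceback(key, (router, *rest))):
            self.rejected += 1
            return False
        self.accepted.append(msg)
        return True

    def reconstruct_path(self):
        """Chain accepted messages backward from the victim: the router that
        forwarded to us, the hop that forwarded to it, and so on. Stops when
        the evidence is missing or contradictory (more than one candidate)."""
        upstream = defaultdict(set)
        for router, prev_hop, next_hop, *_ in self.accepted:
            upstream[next_hop].add(router)
            upstream[router].add(prev_hop)
        path, hop = [], self.name
        while hop in upstream and len(upstream[hop]) == 1:
            hop = next(iter(upstream[hop]))
            if hop in path:          # loop guard
                break
            path.append(hop)
        return list(reversed(path))  # source side first


def simulate_flood(n_packets=300_000, seed=7):
    """Constructed scenario: one compromised host floods the victim through five
    routers, forging a random source address on every packet."""
    rng = random.Random(seed)
    hosts = ["zombie", "R1", "R2", "R3", "R4", "R5", "victim"]
    keys = {r: f"key-{r}".encode() for r in hosts[1:-1]}   # assumed per-router keys
    routers = {r: Router(r, keys[r], rng) for r in hosts[1:-1]}
    victim = Victim("victim", keys)
    for seq in range(n_packets):
        spoofed_src = f"10.{rng.randrange(256)}.{rng.randrange(256)}.{rng.randrange(256)}"
        pkt = (spoofed_src, "victim", seq)
        for i in range(1, len(hosts) - 1):
            msg = routers[hosts[i]].forward(pkt, hosts[i - 1], hosts[i + 1], now=seq)
            if msg is not None:
                victim.receive_traceback(msg)
    return victim


def inject_forgery(victim):
    """The attacker sends a bogus traceback blaming an innocent network. Without
    authentication it would be spliced into the path; with it, it is rejected."""
    fields = ("R5", "innocent-isp", "victim", "deadbeef", 0)
    forged = fields + (sign_traceback(b"attacker-guess", fields),)
    return victim.receive_traceback(forged)


if __name__ == "__main__":
    v = simulate_flood()
    print(len(v.accepted), "traceback messages accepted")
    print("reconstructed path:", " -> ".join(v.reconstruct_path()))
    print("forged message accepted:", inject_forgery(v))
```

The reconstructed path ends at the machine that actually emitted the packets, not at any of the addresses forged inside them, which is exactly the property the article attributes to itrace; the toy carries full hop names in each message, whereas the proposal compresses them, which is the ambiguity Baker describes below.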

Still, ISPs seem positive about the itrace approach. "The ISP industry is going to welcome any attempt to standardize tools that help customers fight against distributed denial-of-service attacks," says Mark McFadden, chief technology officer for the Commercial Internet Exchange Association.

McFadden says the ISP industry also needs tools that detect denial-of-service attacks and distinguish them from sudden, large flows of legitimate traffic.

"Itrace is one part of a solution toward distributed denial-of-service attacks," says Stefan Savage, an assistant computer science professor at the University of California at San Diego who has developed an alternative packet traceback technique. "There's a whole host of tools that you need to detect attacks, trace them back and perform countermeasures. Tracing back alone doesn't solve the problem."

The itrace working group is the IETF's first attempt at addressing denial-of-service attacks. The idea for itrace dates back to January, when a group of network security researchers from Cisco, Nortel, Lucent, UUNET and AT&T began developing a traceback methodology that would scale across the Internet.


Related links


An alternative packet traceback technology from the University of Washington.

Research: Denial of service
Learn more about these attacks with primers, white papers and more.

Special briefing: DoS attacks
Register for this free online tutorial about denial-of-service attacks from Webtorials.
