Denial-of-service threat gets IETF's attention


Remember the denial-of-service attacks that brought,, eBay and other popular Web sites to their knees in February? The Internet engineering community is developing technology that promises to minimize the damage these hacker attacks cause by quickly identifying the computer systems where they originate.

The Internet Engineering Task Force (IETF) last week launched a working group to develop ICMP Traceback Messages, which would let network managers discover the path that packets take through the Internet. Nicknamed itrace, the new working group plans to submit a proposed standard for traceback messages to the IETF leadership next January.

Itrace can't prevent denial-of-service attacks. But it will be an important tool for network managers trying to isolate and stop these attacks. The itrace approach also can address denial-of-service attacks inside a far-flung corporate network built on Internet standards.

"Itrace is a pretty important initiative," says John Pescatore, research director for network security at Gartner Group, a Stamford, Conn., market research firm. "What we need are standard mechanisms that can be built into the Internet switching infrastructure. That's the only place it will work to stop distributed denial-of-service attacks."

One drawback of itrace is it identifies the machines that are sending a denial-of-service attack - not the hacker who programmed them. Therefore, itrace will not help law enforcement officials trying to catch and prosecute hackers.

Itrace also faces a deployment challenge because it becomes effective only after the technology is installed across the Internet's backbone and edge routers. In the best-case scenario, the itrace rollout will take 18 months.

Nonetheless, itrace is the most promising technology that the Internet engineering community has conceived for battling denial-of-service attacks.

"The ISPs don't have good tools to trace these kinds of attacks back today. That's what we're trying to do," says Steve Bellovin, a network security researcher at AT&T Labs who is heading the IETF effort. "Itrace will be quite helpful, but I don't think it's a panacea. What you really want to do is deal with the attacks and stop them from hurting you."

In a distributed denial-of-service attack, a hacker breaks into other people's servers and programs them to flood a Web site with massive amounts of bogus traffic until the Web site crashes. In the much-publicized February attacks, it took Web site operators and their ISPs several hours to thwart the attacks and get sites back up and running.

One of the reasons it takes so long to stop a denial-of-service attack is the hacker sends the bogus traffic using fake IP addresses. Itrace would let Web site operators and ISPs track denial-of-service attacks back to their true sources within minutes.

With itrace, routers randomly generate a traceback message about a packet and send it to the packet's destination. Each traceback message provides information about the packet being traced, what time it was sent, where it came from, where it went and authentication of the packet transfer.

Network managers can piece the traceback messages together into a chain that represents a packet's path through the Internet. This capability is important because a packet takes as many as 20 hops through routers at various ISP locations as it moves through the Internet from sender to recipient.

Because the traceback messages are sent at a rate of one out of every 20,000 packets, they won't have a significant impact on the performance of the router or the Internet overall. However, with enough traceback messages from enough routers along the path, a network manager can find the source of a large amount of illegitimate traffic.

One disadvantage of itrace is it stores information in the traceback messages in compressed form, so the information is ambiguous and requires some analysis and guesswork, says Fred Baker, chair of the IETF. "Due to this ambiguity, itrace is not a silver bullet. But it gives us a clue, where right now we are often completely in the dark."

The main challenge for itrace is getting router vendors to support it and ISPs to deploy it. One question is whether ISPs will deploy it just on their border routers or on all the routers in their networks. The latter approach is better because itrace is more helpful if it is deployed on more routers.

"Nobody can compel the ISPs to deploy this," AT&T Labs' Bellovin says. "The goal is to produce a specification that has support from router vendors such as Cisco and Juniper and from the ISPs."

ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks.
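To make the mechanism concrete, here is a small simulation of the sampling, chaining and authentication steps described above. It is an added illustration, not code from the IETF working group or any router vendor: the topology, the host and router names, the per-router HMAC keys (standing in for the public-key infrastructure the article says ISPs would need) and the message fields are all constructed assumptions. Each router samples one packet in 20,000, emits a traceback message naming its true upstream and downstream neighbours, and the victim chains authenticated messages backward to the ingress host; a forged message with a bad tag is simply dropped.

```python
import hashlib
import hmac
import random
from dataclasses import dataclass

# Constructed example: per-router secret keys stand in for the authentication
# infrastructure the article says ISPs would have to build out.
ROUTER_KEYS = {f"R{i}": f"key-R{i}".encode() for i in range(1, 5)}
SAMPLE_RATE = 20_000  # the article's one-in-20,000 sampling rate


@dataclass(frozen=True)
class TracebackMsg:
    router: str    # router that sampled the packet
    prev_hop: str  # true upstream neighbour (not the spoofed source IP)
    next_hop: str  # where the router forwarded the packet
    pkt_id: str    # digest identifying the traced packet
    tag: str       # authentication tag over the fields above


def sign(router, prev_hop, next_hop, pkt_id, key):
    body = f"{router}|{prev_hop}|{next_hop}|{pkt_id}".encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def forward_packet(path, payload, rng):
    """Carry one packet along path; each router independently samples 1/SAMPLE_RATE."""
    pkt_id = hashlib.sha256(payload).hexdigest()[:16]
    msgs = []
    for i in range(1, len(path) - 1):
        if rng.randrange(SAMPLE_RATE) == 0:
            r, prev, nxt = path[i], path[i - 1], path[i + 1]
            msgs.append(TracebackMsg(r, prev, nxt, pkt_id, sign(r, prev, nxt, pkt_id, ROUTER_KEYS[r])))
    return msgs


def authentic(m):
    key = ROUTER_KEYS.get(m.router)
    return key is not None and hmac.compare_digest(
        m.tag, sign(m.router, m.prev_hop, m.next_hop, m.pkt_id, key))


def reconstruct_path(msgs, victim):
    """Chain authenticated messages backward from the victim toward the ingress host."""
    upstream = {m.next_hop: m for m in msgs if authentic(m)}  # forged messages dropped here
    path = [victim]
    while path[-1] in upstream and len(path) <= len(upstream):
        m = upstream[path[-1]]
        path.append(m.router)
        if m.router not in upstream:  # no message covers the hop before this router
            path.append(m.prev_hop)   # so its reported upstream ends the chain
    return path


def simulate_attack(n_packets=200_000, seed=7):
    """Flood the victim with n packets and trace them from the sampled messages alone."""
    rng = random.Random(seed)
    path = ["host-A", "R1", "R2", "R3", "R4", "victim"]  # constructed topology
    msgs = []
    for n in range(n_packets):
        msgs.extend(forward_packet(path, b"flood-%d" % n, rng))
    return reconstruct_path(msgs, "victim")
```

With 200,000 packets each router is sampled about ten times, which is enough to stitch the whole chain; with only a few thousand packets the chain is usually partial, which is the point made above about needing enough messages from enough routers.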

Still, ISPs seem positive about the itrace approach. "The ISP industry is going to welcome any attempt to standardize tools that help customers fight against distributed denial-of-service attacks," says Mark McFadden, chief technology officer for the Commercial Internet Exchange Association.

McFadden says the ISP industry also needs tools that detect and identify denial-of-service attacks, vs. sudden, large flows of legitimate traffic.

"Itrace is one part of a solution toward distributed denial-of-service attacks," says Stefan Savage, an assistant computer science professor at the University of California at San Diego who has developed an alternative packet traceback technique. "There's a whole host of tools that you need to detect attacks, trace them back and perform countermeasures. Tracing back alone doesn't solve the problem."

The itrace working group is the IETF's first attempt at addressing denial-of-service attacks. The idea for itrace dates back to January, when a group of network security researchers from Cisco, Nortel, Lucent, UUNET and AT&T began developing a traceback methodology that would scale across the Internet.


Contact Senior Editor Carolyn Duffy Marsan