Skip Links

ISPs take on DDoS attacks

By , Network World
November 17, 2003 12:03 AM ET

Network World - Although the number and intensity of distributed denial-of-service attacks are on the rise, users are hard-pressed to find tangible new services to help thwart or defend against such assaults.

However, the largest ISPs are doing more behind the scenes and are promising new tools by next year that will help predict and better defend against worms and viruses that act like distributed DoS attacks and true distributed DoS strikes.

"There have been more attacks in the last six months than there have been in the last 10 years," said Hossein Eslambolchi, president of AT&T Labs, at a recent press conference.

Carnegie Mellon University's CERT Coordination Center for reporting Internet security problems backs up such claims. Through the end of September, there were 114,855 security breaches reported by users and ISPs, which is 32,761 more than all of 2002. These reports include all types of security policy violations from distributed DoS to hacker attacks.

Although there are more security violations, the types of distributed DoS attacks have not changed much in 12 to 18 months, says Paul Morville, director of product management at Arbor Networks, which offers PeakFlow network behavior anomaly detection products to service providers. What has changed is the size and scope of these attacks.

"Attacks used to be largely assigned to an individual host. These days, the attacks are very large coming from multiple points on the Internet and are targeted at a network," he says. Arbor is seeing zombie armies, which are compromised host machines, with as many as 50,000 hosts attacking one network, Morville says.

While VPNs and managed firewall services are available from many ISPs, the primary goal of these offerings is to secure traffic that travels over the Internet. The largest business ISPs don't commonly offer intrusion-detection services that include anomaly detection aimed at mitigating the effects of distributed DoS attacks.

But that likely will change in the next 12 months.

MCI, like AT&T and Sprint, is testing tools that are designed to detect distributed DoS attacks, and worms and viruses that act like distributed DoS by trying to eat up a target's bandwidth.

"Around mid-next year we'll deploy a solution that will enhance our detection ability so we can be more proactive," says Bob Blakely, security services product manager at MCI. The tools that MCI is looking at deploying include anomaly and intrusion-detection elements. MCI says it's testing a number of vendor products, including Arbor gear.

While MCI says it's been doing in-house traffic analysis, it has not deployed network-wide anomaly detection gear because the tools haven't been mature enough and there have been network scalability issues, says Christopher Morrow, manager of network router security at MCI.

In the meantime the service provider recently has put a couple of projects in place to better deal with the slew of attacks.

Morrow says that in the past it was difficult to find the correct person to notify at another ISP when an attack was originating from its network. Now many of the large ISPs are part of an e-mail and voice-over-IP mailing list of sorts. Network administrators communicate regularly over this informal system in an effort to stop an attack quickly.

MCI also says it's sharing best-practice guidelines with peers and customers. These guidelines deal with traffic surges stemming from a distributed DoS attack or from a worm or a virus that is sending a flood of traffic. MCI assists a customer to block, or blackhole, this traffic, or customers do it themselves based on the ISP's guidelines.

"In most attacks we can blackhole traffic within two to three minutes," Morrow says. While the ability to react quickly is helpful to customers, the ISPs and users agree it's essential to be proactive instead of reactive when dealing with distributed DoS.

Our Commenting Policies
Latest News
rssRss Feed
View more Latest News