
DoS attacks



How to stop DoS attacks
By Bill Machrone, PC Magazine
March 20, 2000 9:00 PM PT


Denial-of-service attacks are unacceptable. E-commerce is too important to the future of the country and the world to have it held hostage by script kiddies who get their ya-yas by blocking access to Yahoo! or eBay or ZDNet. They're not original or creative programmers; the templates for distributed denial-of-service attacks were created years ago. Even the latest distributed denial-of-service attacks are old hat in terms of technology.
Likewise, there's nothing heroic or quixotic about attacks on commercial sites; the attackers who thus delude themselves are probably too young to have experienced the wide-open, precommercial Internet. For those who missed those halcyon days, here's what it was like: slow and crude. Commercialization is the best thing that ever happened to the Internet in terms of infrastructure, content, speed, tools, and ubiquity.
What does it take to launch a DoS attack? Three things: downloading a script from a hacker site, probing millions of computers to look for vulnerable servers, and hiding the attack code in the servers. Fear of getting caught would be a good personality attribute, as would a disinclination to brag about your exploits.
The script clods' sophomoric stunts, however, are fair warning. E-commerce is still in its infancy, and the inconvenience and economic damage such people can wreak today is nothing compared with their potential effect tomorrow. Thus warned, we need to take immediate action before terrorists with more sinister motives get into the act.
DoS attacks are easy to perpetrate and almost impossible to defend against. The fault lies in the structure of the Internet and its protocols. It was designed from the outset to be robust, to get the message through, no matter what. But it was also trusting, not geared to being subverted by people who didn't share the designers' high-minded objectives.
The first step is to secure the servers. We need to do more white-hat hacking to ensure that our servers are bulletproof, do more ruthless purging of unknown files. If you break somebody's application, you can always apologize and restore. But then you know what the file is for.
Second, license the ISPs. Every ISP should conform to nationally agreed-on ethical and performance standards. Drive the incompetents out of the business. Lock out the spam havens, as is being done today by the volunteer corps in the net-abuse newsgroups, but start putting some lawsuits behind the lockouts. Instead of pursuing math geeks looking for the next prime number, sue the spammers and the ISPs that accommodate them for theft of service.
Third, make spoofed packets illegal. There is no reason to issue packets with anything other than your IP address in the header. Spoofed packets should never leave your ISP's routers. We're talking a handful of operating systems and router vendors, but implementing outgoing packet filtering would still be a huge task—and absolutely worthwhile. I've asked several ISPs why they allow spoofed packets, and all have said, "We don't. Our network access providers wouldn't allow anything that didn't originate in one of our domains." And yet spoofing remains the cornerstone of the vast majority of DoS hacks and virtually all spam. Someone is falling down on the job here.
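The "outgoing packet filtering" the column asks for is what the networking world later standardized as BCP 38 (RFC 2827): a border router forwards a customer packet only if its source address belongs to a prefix the ISP actually assigned. The following Python model of that check is an added example and is not code from the column or from PC Magazine; the ISP prefixes, the bogon list, the Packet record and the sample traffic are all constructed for the demonstration. It also applies the mirror-image ingress rule, dropping packets arriving from the Internet that claim one of the ISP's own addresses as their source.

```python
"""Egress and ingress filtering of spoofed source addresses at an ISP border.

Added example, not from the original column. ISP_PREFIXES, BOGON_PREFIXES and
the SAMPLE traffic are constructed; 192.0.2.0/24, 198.51.100.0/24 and
203.0.113.0/24 are documentation ranges, not real networks.
"""
import ipaddress
from dataclasses import dataclass

# Address blocks this hypothetical ISP has been allocated. Anything a
# customer sends out must carry a source address inside one of these.
ISP_PREFIXES = [
    ipaddress.ip_network("198.51.100.0/24"),
    ipaddress.ip_network("203.0.113.0/24"),
]

# Source ranges that should never appear on the public Internet at all.
BOGON_PREFIXES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("127.0.0.0/8"),
    ipaddress.ip_network("0.0.0.0/8"),
]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out": customer -> Internet, "in": Internet -> customer


def _in_any(addr, prefixes):
    return any(addr in p for p in prefixes)


def classify(pkt: Packet) -> str:
    """Return 'forward' or a drop reason for one packet seen at the border."""
    src = ipaddress.ip_address(pkt.src)
    if _in_any(src, BOGON_PREFIXES):
        return "drop:bogon-source"
    inside = _in_any(src, ISP_PREFIXES)
    if pkt.direction == "out" and not inside:
        # Egress rule (BCP 38): a customer claiming a foreign source is spoofing.
        return "drop:spoofed-egress"
    if pkt.direction == "in" and inside:
        # Ingress rule: the outside world cannot legitimately send us a packet
        # whose source is one of our own addresses.
        return "drop:spoofed-ingress"
    return "forward"


def filter_packets(packets):
    """Apply classify() to a batch; return (forwarded, [(packet, reason), ...])."""
    forwarded, dropped = [], []
    for pkt in packets:
        verdict = classify(pkt)
        if verdict == "forward":
            forwarded.append(pkt)
        else:
            dropped.append((pkt, verdict))
    return forwarded, dropped


# Constructed traffic sample: 192.0.2.10 plays an arbitrary host on the Internet.
SAMPLE = [
    Packet("198.51.100.7", "192.0.2.10", "out"),   # legitimate customer traffic
    Packet("8.8.8.8", "192.0.2.10", "out"),        # customer forging a foreign source
    Packet("10.1.2.3", "192.0.2.10", "out"),       # leaked private address
    Packet("192.0.2.10", "203.0.113.9", "in"),     # legitimate reply from outside
    Packet("203.0.113.9", "198.51.100.7", "in"),   # outside host forging our address
]

if __name__ == "__main__":
    fwd, drp = filter_packets(SAMPLE)
    for p in fwd:
        print("forward", p.src, "->", p.dst)
    for p, why in drp:
        print(why, p.src, "->", p.dst)
```

The check is deliberately stateless and cheap, which is why it belongs at the edge: a router that knows which prefixes it announces already has everything it needs to decide, and the same table drives the ingress rule in the other direction.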
What about anonymity? I'm a big believer in anonymity and privacy. But spoofing packets is the wrong way to do it. Through a combination of encryption and anonymizing layers of servers, you can go anywhere in complete privacy and shop securely. And the same anonymizing ISPs can stop rude or abusive users with relative ease by adhering to the same standards as all other ISPs.
Fourth: Authenticate everything. The Internet is a vast sea of messages in bottles, each easily read, wending its way to its destination. If every message requires authentication before it can get tossed in, the target sites will have an easier time defending against attacks, even while preserving anonymity. An anonymizing ISP can easily verify that a given packet is indeed from one of its authorized customers, even if it has no idea who that customer actually is.
Fifth: Ban the scanners. Ask anyone with a log file how many pings, prods, and probes he gets. None are legitimate Net traffic. All could be stopped by ISPs looking at the predictable behaviors of the address- and port-scanning programs. By squelching these and spam, we'd probably have a third more bandwidth across the Internet.
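The "predictable behaviors" the column refers to are the two shapes scanning traffic takes in a log: one source touching many ports on one host (a port scan) or one source touching one port on many hosts (an address sweep), both within a short time. The following Python detector is an added example, not code from the column or its author; the log line format, the thresholds, the window length and the sample lines are all constructed for the demonstration. It uses a sliding time window so that a slow trickle of denied connections, which is what an ordinary misconfigured client produces, is not mistaken for a scan.

```python
"""Flag address sweeps and port scans in denied-connection log lines.

Added example, not from the column. The log format ("<iso-time> DROP src=..
dst=.. proto=.. dport=.."), the thresholds and the sample lines are
constructed; addresses come from the documentation ranges.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) DROP src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\w+) dport=(?P<dport>\d+)$"
)


def parse_line(line):
    """Parse one constructed log line; return a dict or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.fromisoformat(m["ts"]),
        "src": m["src"],
        "dst": m["dst"],
        "proto": m["proto"],
        "dport": int(m["dport"]),
    }


def detect_scanners(lines, window=timedelta(seconds=60),
                    port_threshold=10, host_threshold=10):
    """Return {src: reason} for sources whose denied connections inside one
    sliding window reach port_threshold distinct ports on a single host
    ("port-scan") or host_threshold distinct hosts ("address-sweep")."""
    events = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev:
            events[ev["src"]].append(ev)

    flagged = {}
    for src, evs in events.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            # Advance the window start until every event fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            win = evs[start:end + 1]
            hosts = {e["dst"] for e in win}
            if len(hosts) >= host_threshold:
                flagged[src] = "address-sweep"
                break
            ports_per_host = defaultdict(set)
            for e in win:
                ports_per_host[e["dst"]].add(e["dport"])
            if any(len(p) >= port_threshold for p in ports_per_host.values()):
                flagged[src] = "port-scan"
                break
    return flagged


def constructed_log():
    """Build a small, labelled sample log (constructed data, not a real capture)."""
    base = datetime(2000, 3, 20, 21, 0, 0)
    fmt = "{ts} DROP src={src} dst={dst} proto=tcp dport={port}"
    lines = []
    # Source A: 15 different ports on one host within 15 seconds -> port scan.
    for i in range(15):
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.55", dst="198.51.100.7", port=20 + i))
    # Source B: port 80 on 12 different hosts within 12 seconds -> address sweep.
    for i in range(12):
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.66", dst=f"198.51.100.{10 + i}", port=80))
    # Source C: the same 15 ports, but one every ten minutes -> never fills a window.
    for i in range(15):
        lines.append(fmt.format(ts=(base + timedelta(minutes=10 * i)).isoformat(),
                                src="192.0.2.77", dst="198.51.100.7", port=20 + i))
    # Source D: an ordinary client retrying one blocked port three times.
    for i in range(3):
        lines.append(fmt.format(ts=(base + timedelta(seconds=i)).isoformat(),
                                src="192.0.2.88", dst="198.51.100.7", port=443))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    for src, why in sorted(detect_scanners(constructed_log()).items()):
        print(src, why)
```

The thresholds are where an operator tunes the trade-off: raising `port_threshold` and `host_threshold` cuts false positives from chatty but legitimate clients, while shortening `window` forces a scanner to slow down below the rate that makes scanning worthwhile before it escapes notice.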
These are potentially wrenching, expensive changes. But they're far less costly than the damage that could be wrought two or three years from now, when business-to-business and business-to-consumer transactions are an order of magnitude larger than they are today.
