Network Security
Internet giants confer on denial-of-service attacks
- From: Paul Howell
- Date: Tue Sep 26 09:12:41 2000
At http://dailynews.yahoo.com/h/cn/20000926/tc/internet_giants_confer_on_denial-of-service_attacks_2.html
Tuesday September 26 08:00 AM EDT
Internet giants confer on denial-of-service attacks
By Paul Festa, CNET News.com
A coalition of Internet companies formed in the wake of February's
devastating denial-of-service attacks will offer a glimpse today of the
work they've done to stop a repeat of the assault that brought down
key sites across the Web, including those run by giants Amazon.com
and Yahoo.
The Bay Area DDoS Working Group, which includes Internet industry giants
across the country, will discuss a "best practices" document being drafted that
advises sites and Internet service providers (ISPs) how to respond when
under a distributed denial-of-service (DDoS) attack. In a DDoS attack, the
perpetrator coordinates a flood of bogus queries to a Web server, overloading
its capacities.
The group formed when victims of February's DDoS outbreak
banded together in a high-tech survivors' support group, advising one
another on how to cope with future attacks and calling in experts and
allies for help.
Group members participating in today's panel include eBay, Yahoo,
Check Point Software, Internet Security Systems (ISS), Network
ICE and Recourse Technologies. Others of the working group's
more than 60 members include Amazon, E*Trade, Buy.com, Cisco
Systems, Lucent Technologies, IBM, Hewlett-Packard, Microsoft,
America Online, Exodus, AboveNet, Sprint and UUNet. The panel
coincides with this week's NetWorld+Interop trade show in Atlanta
but is being held independently at the Ritz-Carlton.
Working-group members sought to downplay expectations in
advance of the panel, noting the inherently intractable nature of
DDoS attacks and the collective need of the group to keep its
defense strategy under wraps.
"Right now, the problem is that we're powerless to stop DDoS
attacks," said Robert Graham, chief technology officer of Network
ICE, which sells network intrusion-detection systems. "There are
ways you can attack machines that cannot be stopped."
The working group is concentrating on less-than-surefire solutions,
such as improving methods of tracing the source of DDoS attacks.
Other panelists also sought to minimize expectations for today's
event, noting that for strategic reasons the group would be keeping
silent about its main findings, as it has kept the organization itself for
most of the past seven months.
"There is not going to be blockbuster information revealed at the
panel," said eBay representative Kevin Purseglove. "For the most
part, the working group will continue to maintain its confidentiality
because there is some concern that we do not want to disclose
anything that we have learned that would tip our hand to those
individuals who would repeat the attacks against eBay and other
sites."
Whatever degree of secrecy the consortium maintains, the diversity
of its membership could signal improved cooperation between ISPs
and Web sites. Many security analysts fault ISPs for not being
sufficiently involved in DDoS prevention and damage control.
"Stopping denial-of-service attacks is hard, but there are certain
basic steps that, if all the ISPs took them, would make it so much
harder for the bad guys," said Jeff Schiller, a network manager for
Massachusetts Institute of Technology who will present a tutorial on
network security at N+I.
Schiller and others cited as one example the implementation of
ingress and egress filtering, which ensure that packets coming in and
out of a network do not carry the spoofed return addresses that
DDoS attackers typically use to cover their tracks.
This kind of filtering is the subject of a request-for-comment advisory
at the Internet Engineering Task Force (IETF), an influential
standards body. That document, written by Cisco, was posted in
January 1998.
A related effort at the IETF is the iTrace working group, whose goal
is to improve the tracing of Internet packets as they traverse the
Internet.
The working group meets as one of its members, ISS, warns of new
mutations on the original Trinity and Stacheldraht DDoS tools
implicated in February's attacks. Two variants, Stacheldraht
1.666+antigl+yps and Stacheldraht 1.666+smurf+yps, along with a
variant of Trinity dubbed entitee, have been observed in use on the
Internet.
The new versions provide for new types of attacks and come with
different encryption, according to ISS. That new encryption has
bugs, however, that the company says will facilitate its efforts against
it.
In bad news for Web sites--but apparently good news for security
firms such as ISS--new versions of DDoS attacks and tools show no
signs of letting up.
"It's like computer viruses," said Chris Rouland, in charge of ISS'
research and development team. "There are going to be new ones all
the time."