DDoS Attacks: Precursor to Digital Terrorism
Thursday, November 1, 2001
The horrific attacks of Sept. 11 have focused tremendous attention on the security of defense and civil infrastructures. Popular media is rife with speculation about the types of tactics and devices that terrorists may deploy in future attacks, including biological, chemical and nuclear weapons. An additional possibility, one that could massively damage our military, civil and economic institutions and indeed cause the loss of human life, is cyber-terrorism: digital attacks like none seen previously.

As the Internet becomes an integral part of the economic fabric, concerns about its safety and reliability continue to mount. Ironically, some of the most powerful features of the Internet, namely interconnectivity, distributed computing, and the ability to transmit information instantaneously, are the very factors that could bring down this digital lifeline and everything that it feeds. Hackers are increasingly using these very characteristics to exploit an inherently insecure Internet. Perhaps the most potent and difficult-to-tackle hacker attacks are distributed denial of service (DDoS) attacks.

Starting in the early morning hours on May 4, Web page requests to www.whitehouse.gov started to go unanswered. The FBI soon declared the White House Web site under a DDoS attack. The multiple Web properties of Microsoft Corporation, arguably the most powerful software company in the world and a perennial favorite of hackers, came under repeated DDoS attacks in late January. Similar attacks crippled several top e-commerce sites, including Yahoo, Amazon.com, eBay, E*Trade and CNN, in February 2000. Security experts have been warning for some time now that future attacks would come not from “script kiddies” and casual hackers, but from highly trained cyber-terrorists and the cyber-armies of enemy states. The recently witnessed DDoS attacks could very well be a harbinger of a digital Pearl Harbor, which would be marked by nationwide disruption of communication networks on an unprecedented scale.

From DoS to DDoS

DDoS attacks are derivatives of Denial of Service (DoS) attacks, but leverage the Internet’s distributed architecture and millions of connected computers. The primary aim of a DoS attack is to render the target system completely useless. This is usually done using one of two strategies. The first strategy, a flood attack, involves flooding the target with spurious traffic and overloading it. Consequently, legitimate traffic, which becomes a small fraction of the total traffic, is denied service. For example, a legitimate buyer may not be able to complete a transaction at Amazon.com because the Amazon servers are too busy processing illegitimate information requests. The second strategy, a logic attack, exploits known software bugs on the target system in an effort to take it offline. Common names given to flood attacks include the ICMP attack, SYN attack, Smurf attack and Fraggle attack. Common logic attacks are known as Ping of Death, Teardrop, Land and Chargen. Clearly, these Internet-based attacks are not limited to commercial enterprises but could easily cripple any communications infrastructure that uses the Internet for its operation.

A DDoS attack has the same impact on a target as a DoS attack. It differs in that the spurious traffic originates from multiple machines on the Internet rather than from a single machine, as in a DoS attack. Consequently, DDoS attacks have a much quicker impact and are more difficult to fight. From an implementation perspective, the attacker generally hunts for insecure user computers and implants them with either “zombie software” or “handler software.” Both pieces of software enable the attacker to take control of the compromised computers at a later time. Zombie software is used to directly attack the target, while handler software is used to control the zombies. This complete process, from the initial search for insecure computers to their transformation into handlers and zombies, can be highly automated (see figure 1).

How Big Is the Impact?

One method to gauge the impact of DDoS/DoS attacks is to look at the financial damage caused by such attacks. Financial losses from a 24-hour outage at a brokerage firm are estimated at $156 million (see figure 2).

Clearly, as organizations become more dependent on the Web for revenue generation, the financial stakes will continue to grow higher. Consider the rate at which the recent Code Red worm spread. Taking advantage of a vulnerability in Microsoft’s IIS product, the worm had infected more than 350,000 computers worldwide within 14 hours. If the worm had been recruiting zombies, within 14 hours the hackers would have had an army of 350,000 slave computers, sufficient to launch a devastating DDoS attack against any known network.

Another approach to estimating the potential impact is to understand how widespread these attacks are. In 2000, 36 percent of the respondents to the annual CSI/FBI survey indicated experiencing DDoS/DoS attacks, up from 27 percent in 1999. The first academic study on this subject (“Inferring Internet Denial-of-Service Activity,” Moore, Voelker and Savage, 2001) suggests that as many as 4,000 DDoS attacks happen across the Internet each week.

What’s more alarming in this study are the estimated attack rates. Studies have shown that an attack rate of 500 packets per second is enough to overwhelm a commercial server. When specialized firewall designs are used to resist such attacks, a flood of 14,000 packets per second can still disable the server. Forty percent of all attacks in the Moore, Voelker and Savage study had estimated attack rates of 500 packets per second or higher, and 2.4 percent of all attacks could break through highly tuned and optimized firewalls.

Until now, we have talked about the impact of such attacks only on the commercial sector. Numerous civil and federal communication systems are equally vulnerable to such attacks. While they do not get much publicity, cross-country cyber-wars are regular occurrences between India and Pakistan, Israel and the PLO, and China and Taiwan, to name a few. While cyber-wars are extremely efficient for the attacker from a risk/cost perspective, they can potentially be as damaging for the attacked party as physical attacks. The Center for Strategic and International Studies (CSIS) estimates that 95 percent of U.S. military communications run through civilian phone networks. Clearly, an attack on these networks would devastate military communications.

On the civilian side, consider the Federal Aviation Administration (FAA) information systems, which are a complicated mesh of a large number of subsystems. For example, the en-route centers alone (see figure 3) rely on more than 50 subsystems for information processing, navigation, surveillance, communications, and weather monitoring.

Systems from different facilities also have to interact continuously with each other to execute the complete air traffic control (ATC) process. In its September 2000 report on FAA Computer Security, the U.S. General Accounting Office (GAO) stated the following:

“FAA’s agency wide computer security program has serious, pervasive problems.”

It is not only the aviation system that could be a potential target for hackers. Numerous other civil infrastructure organizations are also critical to the normal functioning of daily life. As these infrastructure components become increasingly interconnected, without proper coordination and security there is no way to tell, on any given day, whether an apparent series of accidents is really a coincidence.

DDoS, the Next Generation — Already!

While the Internet community is still struggling with DoS and DDoS attacks, the hackers are busy creating even smarter versions. Consider new types of DoS attacks that do not result in denial of service but cause degradation of service. These attacks are even more difficult to detect because the target server is never shut down completely but is “always slow.” The server owner notices increased bandwidth costs for the increased traffic, without any accompanying increase in revenues. Another version of the attack involves “pulsating zombies,” which are active only periodically, in short bursts, versus normal zombies that are always on. They are much harder to detect because the pulsating zombies are never active for sufficiently long durations.

Yet another new type of attack involves “reflectors,” which are essentially IP hosts that return a packet in response to a packet sent to them. For example, the sent packet could be a SYN packet and the returned packet a SYN-ACK packet. All Web servers, DNS servers, and routers are reflectors. In this attack, the zombies (a couple of hundred) send packets to reflectors (hundreds of thousands) after spoofing the victim’s source address. The reflectors think the packets are coming from the victim (because the victim’s source address was spoofed) and end up sending reply packets to the victim. These attacks are more potent because they can be massively scaled up by using ubiquitous network devices (routers, Web servers, DNS servers, etc.), versus regular attacks that require more effort at recruiting zombies and handlers.
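From the victim’s side, the tell-tale sign of the reflection pattern just described is a stream of SYN-ACKs arriving from many different hosts for connections the victim never opened. The following detector is an added example, not code from the article or from any vendor it names; the packet records, the address `203.0.113.10` and the threshold of 20 reflectors are constructed for illustration.

```python
from collections import defaultdict

VICTIM = "203.0.113.10"  # constructed address of the host being protected

# Constructed packet records as seen at the victim's border, not a real capture:
# (direction, src_ip, sport, dst_ip, dport, tcp_flags); "out" = sent by VICTIM, "in" = received.
SAMPLE = [
    ("out", VICTIM, 51000, "198.51.100.5", 80, "S"),   # victim opens a genuine connection
    ("in", "198.51.100.5", 80, VICTIM, 51000, "SA"),   # legitimate reply to that SYN
] + [
    # 50 reflectors each answer a SYN the victim never sent (its address was spoofed)
    ("in", f"192.0.2.{i}", 80, VICTIM, 443, "SA") for i in range(1, 51)
]


def unsolicited_synacks(packets, victim=VICTIM):
    """Return {reflector_ip: count} of SYN-ACKs the victim received without having sent the SYN.

    Matching is on the full 4-tuple so a genuine reply to the victim's own SYN is never counted.
    """
    opened = set()                 # 4-tuples of connections the victim itself initiated
    unsolicited = defaultdict(int)
    for direction, src, sport, dst, dport, flags in packets:
        if direction == "out" and src == victim and flags == "S":
            opened.add((src, sport, dst, dport))
        elif direction == "in" and dst == victim and flags == "SA":
            # A production version would also expire old entries; kept minimal here.
            if (dst, dport, src, sport) not in opened:
                unsolicited[src] += 1
    return dict(unsolicited)


def reflection_alert(packets, victim=VICTIM, min_reflectors=20):
    """Flag the reflection pattern: many distinct hosts each sending unsolicited SYN-ACKs.

    A single misbehaving peer would show up as one source with many packets instead.
    Returns (alert, reflector IPs sorted by packet count, busiest first).
    """
    counts = unsolicited_synacks(packets, victim)
    ranked = sorted(counts, key=lambda ip: counts[ip], reverse=True)
    return len(counts) >= min_reflectors, ranked


if __name__ == "__main__":
    alert, reflectors = reflection_alert(SAMPLE)
    print("reflection attack:", alert, "| distinct reflectors:", len(reflectors))
```

The same bookkeeping applies to other reflector replies the passage mentions, such as DNS responses to queries the victim never issued.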

Tackling DDoS

There are three aspects to tackling DDoS: detection, identification of the source, and remediation. The toughest part of reliable detection is separating normal traffic from spurious traffic. Several algorithms are used for detection, including signature analysis (comparing traffic against a known attack signature), protocol anomaly analysis (looking for traffic that steps outside an expected behavior pattern), and trend analysis (e.g., abnormally high traffic in the middle of the night). Identification of the source involves tracing the path of the attack backward and identifying the key devices (routers, servers, etc.) that are responsible for the spurious traffic. Remediation is multidimensional and may involve filtering the traffic and/or the complete or partial shutdown of a certain network path.
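The three detection algorithms listed above, applied to the attack names from the “From DoS to DDoS” section, as an added example that is not code from the article: signature analysis for the Land and Ping of Death logic attacks, protocol anomaly analysis for a SYN flood, and trend analysis against an hour-of-day baseline using the 500 packets-per-second figure the article cites. The packet records, the address `203.0.113.10`, the window size, the 3:1 SYN-to-ACK ratio and the 5x baseline multiplier are constructed choices, not published thresholds.

```python
from collections import Counter

VICTIM = "203.0.113.10"  # constructed address of the protected server

# Constructed packet records: (time_s, proto, src, sport, dst, dport, tcp_flags, length).
# Not a real capture; the values are chosen so that each detector fires exactly once.
NORMAL = [(200.0, "tcp", "198.51.100.7", 51000, VICTIM, 80, "S", 60),
          (200.1, "tcp", "198.51.100.7", 51000, VICTIM, 80, "A", 52),
          (200.2, "tcp", "198.51.100.7", 51000, VICTIM, 80, "PA", 500)]
LAND = [(300.0, "tcp", VICTIM, 80, VICTIM, 80, "S", 60)]        # source forged to equal destination
POD = [(301.0, "icmp", "198.51.100.9", 0, VICTIM, 0, "", 65600)]  # oversized ICMP datagram
# 600 bare SYNs from 200 distinct sources inside one second: a flood window.
FLOOD = [(400.0 + i / 1000, "tcp", f"192.0.2.{i % 200}", 40000 + i, VICTIM, 80, "S", 60)
         for i in range(600)]
SAMPLE = NORMAL + LAND + POD + FLOOD


def signature_hits(packets):
    """Signature analysis: compare each packet against two known logic-attack signatures."""
    hits = []
    for t, proto, src, sport, dst, dport, flags, length in packets:
        if src == dst and sport == dport:
            hits.append((t, "land"))           # Land: source address/port equal to destination
        if proto == "icmp" and length > 65535:
            hits.append((t, "ping-of-death"))  # reassembled ICMP larger than an IP datagram may be
    return hits


def syn_flood_windows(packets, window_s=1.0, max_ratio=3.0):
    """Protocol anomaly: a window where bare SYNs dwarf ACKs violates normal handshake behavior."""
    syn, ack = Counter(), Counter()
    for t, proto, _, _, dst, _, flags, _ in packets:
        if proto != "tcp" or dst != VICTIM:
            continue
        bucket = int(t // window_s)
        if flags == "S":
            syn[bucket] += 1
        elif "A" in flags:
            ack[bucket] += 1
    return sorted(b for b in syn if syn[b] > max_ratio * max(ack[b], 1))


def rate_windows(packets, baseline_pps, threshold_pps=500, window_s=1.0, factor=5):
    """Trend analysis: flag windows whose packet rate exceeds both the cited 500 pps
    figure and `factor` times the expected rate for that hour of day (baseline_pps[hour])."""
    per_window = Counter(int(t // window_s) for t, *_ in packets)
    flagged = []
    for bucket, n in sorted(per_window.items()):
        hour = int((bucket * window_s) // 3600) % 24
        pps = n / window_s
        if pps >= threshold_pps and pps > factor * baseline_pps.get(hour, 0):
            flagged.append((bucket, int(pps)))
    return flagged
```

With the constructed sample, `signature_hits` returns the Land and Ping of Death packets, `syn_flood_windows` returns the flood second, and `rate_windows(SAMPLE, {0: 20})` flags the same second at 600 pps.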

Commercially available solutions take similar approaches to this problem. In-line or sampled data are usually gathered from multiple points on a network, followed by a detailed analysis of these data. The analysis may deploy signature- and/or anomaly-based techniques, deep packet analysis, forensic analysis, or correlation analysis to identify attacks. Countermeasures focus on assisting network administrators to tackle the problem as quickly as possible. The assistance could come in the form of simple notification of an attack, automatic filtering of suspect traffic, or complete shutdown of the connection to a network segment. As coordination among network owners increases, the countermeasures will likely move toward a higher degree of automation.

An Emerging Business Opportunity

Clearly, DDoS attacks could result in billions of dollars in lost business within hours. Not surprisingly, the VC community has supported DDoS solution vendors with enthusiasm. Over the past 18 months this sector has attracted more than $60 million in venture capital. Prominent pure-play DoS/DDoS solution providers include Arbor Networks, Asta Networks, Captus Networks, and Mazu Networks. Given the distributed nature of the problem, most of these vendors support and recommend a distributed version of their solution for a higher degree of success. Clearly, this requires highly coordinated efforts across multiple networks and may involve several infrastructure owners (backbone operators, ISPs, and carriers). The current level of security-related coordination among the infrastructure owners is relatively low. Consequently, there is no shared incentive for network owners to open their networks for a coordinated effort against DDoS attacks, an effort that will only directly benefit the end customer. We believe that as DDoS attacks become more prevalent, large customers such as Amazon will force their hosting partners or ISPs to fortify their systems against DDoS attacks. Such catalysts have the potential to trigger a network effect, forcing the keepers of the Internet infrastructure to take preventive measures.

While it is too early to predict which technology and company will ultimately succeed against DDoS attacks, one thing is for sure: DDoS and other hacker attacks, irrespective of their place of origin (within or outside the national boundaries), are enjoying high mind-share with the U.S. Congress. On October 3, the U.S. House of Representatives started debating the new Provide Appropriate Tools Required to Intercept and Obstruct Terrorism (PATRIOT) Act, which will treat even low-level computer crimes as terrorist acts and will threaten hackers with life imprisonment.

Steve Sigmond is Managing Director and Research Analyst covering Internet infrastructure and applications for RBC Capital Markets. Vikram Kaura is a Sr. Research Associate at the firm.
