Denial of Service Attacks (DoS Attacks)
Although it was not intended as an information security awareness program, the recent televising of Homer’s Odyssey served to freshen our collective memory of the original Trojan horse. This beast lives on, several millennia later, in malicious code that gains access to systems by masquerading as something it is not. But the war between Greece and Troy also illustrates a potentially more serious information security problem, denial of service attacks.
Systems Under Siege
The lifeblood of today’s organization is information, and the denial of service attacks we are going to talk about in this article are attempts to prevent or delay access to information, or information processing systems.
In their crudest form, denial of service attacks simply abuse systems and software to such an extent that they fail. Lately, we have seen a rash of announcements about the susceptibility of Windows NT to such attacks. But Windows NT is not the only operating system that is open to such attacks.
A variety of Unix processes can be compromised this way, and TCP/IP itself can be abused to the point where it breaks down. This is essentially what happens in a SYN flood attack, the most widely reported example of which targeted PANIX, the New York ISP (denying crucial services to about 6,000 individuals and 1,000 companies).
Many other ISPs have faced similar attacks, apparently inspired by similar motives. For example, while researching this article we learned of a large European Internet service provider who was recently targeted by someone looking for personal revenge against the administrator for terminating an account.
Why Do They Happen?
According to Sarah Gordon, a data security analyst, “many of the current denial of service attacks are ‘acting out’ by scripters with nothing better to do.” Such acting out has become a whole lot easier in the last twelve months, with widespread online publication of scripts for SYN flooding and other attacks.
In March, Jon McCown, who tests firewalls submitted for the National Computer Security Association’s certification process, warned of a SYN attack tool written for Windows 95 or NT, which “makes ‘jamming’ a site very much a point-and-click affair.” Although initial testing showed that it did not alter the source IP (allowing the culprit to be traced more easily), McCown noted that it did do “a fair job of saturation, using multiple source sockets with adjustable settings for link speed/target characteristics.” Developments like this suggest that attacks are likely to increase.
Internet security expert Steve Bellovin thinks we “will see more such attacks by people who just want to gain attention.” Christopher Hughes, a senior analyst with Computer Sciences Corporation, concurs, saying that, at least in the short term, “denial of service attacks will become increasingly common, especially against Windows NT and 95 boxes.” However, Hughes is hopeful that, “After a year or so, the real hackers will tire of it, and there will be patches available for the known exploitations.”
Types and Levels of Attack
We have listed seven recent denial of service (DoS) attacks in the box below. Attacks currently in vogue on the Internet tend to fall into one of four categories:
1. tying up the server with bogus requests
2. tying up CPU cycles, memory, or other resources
3. disabling web traffic by misconfiguring routers (often an accidental occurrence)
4. mailbombs to individuals, lists or domains
But to some security experts, these attacks are just a subset of a potentially larger problem. According to Michael Miora, president of Spectria InfoSec, a security and disaster recovery consultancy based in Playa del Rey, CA, “denial of service attacks are an important element of overall security and they will become ever more important as other security attacks become more difficult.”
This echoes the thesis advanced by Winn Schwartau, the author of Information Warfare. Schwartau has probably done more than anyone else to raise public and professional awareness of the inherent weaknesses in our information infrastructure. He postulates that “as we continue to deploy better and better defenses, such as strong encryption and sophisticated firewalls, we will be able to achieve the first two goals of information security, that is, ensuring the confidentiality and integrity of our data…but that will only lead some attackers to target the third goal, availability.”
Schwartau has experienced denial of service attacks first-hand. His Web site, www.infowar.com, was targeted by hackers who objected to one of the guests he hosted in his chat room. But he thinks the real problem is much more sinister, pointing to the recent trial of IRA supporters in the UK who are alleged to have plotted a total shutdown of London’s electricity supply. They planned to do this with a few small explosive devices strategically placed at switching units.
For many years the IRA has known just how much disruption is caused when computer and communication equipment is destroyed by a single large device exploded outside financial offices. But strict security precautions within London, directed against truck and car bombs, appear to have displaced the threat to sites outside the city.
You might think cutting off the electricity is the worst denial of service attack that an information system could face, but telecommunications expert Ron Eward of Melbourne, FL-based Martech, Inc. would beg to differ. He sees the telecom layer as the weakest link in today’s globally networked systems because “the concentration of traffic in some areas is so intense that they represent obvious points of vulnerability in the network.” Accordingly, “We are advising clients to look beyond simple backup lines, beyond diversity to triversity routing and other strategies to protect mission critical data flows.”
Just how mission critical is network traffic? One source at a major US airline, who preferred to remain anonymous for obvious reasons, told us that if the company’s network ever went down for more than 48 hours it would never recover. The figure might be even less for businesses heavily dependent upon just-in-time shipments, such as large retail chains operating on tight margins. And as Eward points out, “you don’t have to cut the cable to cause havoc with delivery schedules – some denial of service attacks can be subtly controlled so as to degrade network traffic, slowing it down rather than blocking it completely, and making it harder to identify the culprit.”
Of course, not everyone accepts Schwartau’s theory that attacks on information systems will be displaced by wider implementation of encryption and access controls. And even those that do are unsure when this will take place. As Bellovin points out, cryptography is only half the answer to current problems; the other half is “a solution to the buggy software problem -- and we don't have one.” He suggests that a large percentage of the problems revealed by the last eighteen months’ worth of CERT advisories cannot be fixed with encryption and “most are due to buggy software.”
Responding to DoS Attacks
These days it seems all network administrators have more than their fair share of bug-inflicted denial of service attacks, and there is no doubt that these do cause genuine losses. But Miora cautions security managers not to overlook the more remote, yet still real possibility of “physical sabotage and other destructive acts.” He urges close cooperation with contingency planners “to ensure there are measures in place for prevention, protection, and recovery.”
As Bellovin points out, the current crop of network-based denial of service attacks “are hard to counter because they can occur any time it's cheaper for the attacker to send a message than it is for the recipient to deal with it.” He doesn’t see any general solution to the problem.
Yet specific responses have been effective in some cases. For example, as Kennedy points out, “the UNIX vendor community responded promptly to SYN floods by releasing kernel modifications.” However, not all vendors participated, and UNIX and the TCP/IP stack are not the only vulnerable systems.
Kennedy suggests that the real answer might be intrusion detection: “I would not be surprised to see IDS deployed widely to protect large enterprises over the next one to two years…the intrusion detection suites have become more sophisticated and provide more features.” He adds that “All of the commercial products I'm aware of include SYN flood defenses as well as the ability to detect other attacks on the networks they protect.” Firewall vendors have also responded to the problem. For example, FireWall-1 SYNDefender intercepts all SYN packets and mediates connection attempts before they reach the operating system, preventing the target host from being flooded by unresolved connection attempts.
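The mechanism behind a SYN flood and the mediation described above, as an added illustration that is not code from the article or from FireWall-1: a small Python model of a server's listen backlog, first exposed to spoofed SYNs that never complete the handshake, then placed behind a hypothetical SYNDefender-style gateway (SynProxy) that only opens the server connection once the client's ACK arrives. The backlog size, timeout and addresses are constructed for the model.

```python
# Added example (not from the article or FireWall-1): a TCP listen backlog under a
# SYN flood, with and without a mediating gateway. All names/values constructed.
BACKLOG = 5         # half-open slots the listening socket can hold
HALF_OPEN_TTL = 75  # seconds before an unanswered half-open entry is reaped

class ListenSocket:
    """Server listen queue: a SYN occupies a slot until the client's ACK arrives."""
    def __init__(self):
        self.half_open, self.accepted, self.dropped = {}, 0, 0  # src -> SYN time
    def syn(self, src, now):
        # Reap stale entries; spoofed sources never answer, so timeout is the only relief.
        self.half_open = {s: t for s, t in self.half_open.items()
                          if now - t < HALF_OPEN_TTL}
        if len(self.half_open) >= BACKLOG:
            self.dropped += 1  # a legitimate SYN arriving now is lost here
            return False
        self.half_open[src] = now
        return True
    def ack(self, src, now):
        if self.half_open.pop(src, None) is None:
            return False
        self.accepted += 1
        return True

class SynProxy:
    """Hypothetical gateway in the SYNDefender style: it answers the client's SYN
    itself and opens the connection to the server only once the handshake's third
    packet arrives, so the flood's half-open state never reaches the server."""
    def __init__(self, server):
        self.server, self.pending = server, set()  # state kept in gateway tables
    def syn(self, src, now):
        self.pending.add(src)
        return True
    def ack(self, src, now):
        if src not in self.pending:
            return False
        self.pending.discard(src)
        return self.server.syn(src, now) and self.server.ack(src, now)

def run(proxied):
    """Flood of spoofed SYNs at t=0, then one real client handshake at t=1..2.
    Returns (connections accepted, SYNs dropped) as seen by the server."""
    server = ListenSocket()
    target = SynProxy(server) if proxied else server
    for i in range(BACKLOG + 3):        # constructed spoofed sources, never ACK
        target.syn(f"10.0.0.{i}", 0)
    target.syn("192.0.2.10", 1)         # legitimate client SYN ...
    target.ack("192.0.2.10", 2)         # ... and its ACK
    return server.accepted, server.dropped
```

Unprotected, the legitimate SYN is dropped along with the flood's overflow and no connection is ever accepted; behind the proxy the server accepts the real client and drops nothing, because the cheap-to-send, expensive-to-hold half-open state stays in the gateway.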
It is somewhat ironic that Marcus Ranum, chief scientist at V-ONE, Inc. and a leading pioneer of firewall technology, thinks the answer may not lie in technology, but in “legal structures backed by tracking technologies that will allow us to sue the jockey shorts off of the clowns who think it's cute to harm other people's businesses for a laugh.” He believes the best way to deal with the problem is to “locate the perpetrator and make him (or less likely her) wish they had never heard of the Internet.”
Gordon concurs that the only long-term solution is “an improvement in the standard of behavior.” She sees “an awareness of the ethical implications of their actions” as a vital element of society’s education of users. Clearly, education on a number of levels is vital to our efforts to minimize the DoS problem. As Bellovin observes, “increased awareness of the problem will aid in future protocol designs.” Already there are some hopeful signs; for example, IPv6 addresses the TCP session issue by encrypting the packet headers and validating where the packet is coming from, meaning that anyone trying a denial-of-service attack over TCP/IP could be traced easily. Now that we are learning to take denial of service attacks seriously, detection, prosecution, education, and system hardening will all play a role in defending against, and ultimately discouraging, their perpetration.
Seven Deadly SYNs?
Recently Observed Denial of Service Attacks
Ping of Death
Chargen DoS Attack
Out of Band Attacks