A rogue's gallery of DoS attacks

In 2001, even the crème de la crème of network security is vulnerable to denial of service attacks. ZDNet takes you through the latest lineup of DoS suspects. Are you protected against them?

Tuesday, May 22, started out as just another day at CERT Coordination Center at Carnegie Mellon University in Pittsburgh. By day's end, CERT, widely regarded as the Fort Knox of computer security, would be knocked off the net by a distributed denial of service (DDoS) attack.

In 2001, even the crème de la crème of network security is vulnerable. If it can happen to CERT, it can happen to you.

You can help prevent DDoS assaults across the Internet and lower your vulnerability to attacks. But if someone really wants to put your business under with a DDoS attack, they will. Microsoft, Yahoo, and Exodus have all fallen to DDoS attacks within the last 12 months; you or your customers could be next.

The nature of the beast
Denial of service (DoS) attacks are exactly what they sound like: attempts to prevent your server from delivering services. Attackers can do this in many ways. For example, you could describe the Outlook email worm Melissa and its ilk as DoS agents because they cause their damage by making Outlook clients flood email servers with worm-laden messages to the point that the servers collapse under the load.

This is an important point. People tend to think of DoS attacks as causing havoc by jamming network bandwidth with useless traffic. While that's certainly one kind of DoS attack, another succeeds by devouring server resources. That means it's possible for a successful DoS raid to be made over a low-speed modem connection if it attacks server resources. To really protect a network against attacks, both network and servers should be armed and ready.

For corporate users, firewalls and products like Zone Labs' Zone Alarm Pro can help. In addition, several companies, such as Asta Networks and Mazu Networks, now offer business-level protection against DDoS attacks.

Asta's Vantage System takes a page from anti-viral programs by looking for tell-tale signs of DDoS attacks. It constantly analyzes packets for known DDoS patterns and unusual patterns, such as a non-standard stream of packets on its way to your Domain Name Server (DNS). When it looks like an attack is on the way, the system notifies a network manager, who can then use router filters or even switch network providers in mid-stream to attempt to stem the attack.

Mazu Networks' TrafficMaster Inspector for DDoS tries to detect attacks in the making by using constant Gigabit Ethernet-speed traffic analysis as far upstream as possible. In essence, Mazu attempts to catch attacks in real time, then allow good traffic to keep flowing by blocking only DDoS packets. Its approach makes it suitable for ISPs and data centres.

Usually, DoS attacks are aimed straight at your network's TCP/IP infrastructure. These assaults come in three varieties: those that exploit weaknesses in a given TCP/IP stack implementation; those that target TCP/IP weaknesses; and the tried and true brute force attack.

Contents

  Breaking TCP/IP implementations
  Breaking TCP/IP
  Brute Force
  Distributed DoS
  If you think it's bad now...
  What can you do?