The site outages raised eyebrows among some networking industry executives, who said safeguards against such denial-of-service protocol attacks are fairly well known.
"I was surprised those sites didn't have better security measures in place," said Keerti Melkote, director of product management in Nortel Networks' Internet Protocol (IP) Services group.
Roger Farnsworth, head of Cisco Systems' security products group, said the attacks seemed to be "more of an operational problem than a technical one."
Although he said he had no firsthand knowledge of the latest attacks on Yahoo! and other Web sites, Farnsworth said he thinks these attacks could have been avoided if the community were more vigilant in applying common and well-known countermeasures, such as the Internet Engineering Task Force's RFC 2267, which outlines measures to take to prevent such attacks.
"This is really a protocol attack," Farnsworth said. "People taking advantage of the openness of the Internet to do bad things. These attacks are an exploitation of those protocols."
Routers from Cisco and other vendors have the ability to detect the signature patterns of a denial-of-service attack, and the routers can filter out that traffic, Farnsworth said.
"The router knows which sources are legitimate or not and drops on the floor anything suspicious," Farnsworth said. "Generally speaking, ingress filtering and committed rates are effective in terms of preventing [malicious] traffic from ever showing up, or filtering it to a reasonable rate."
But Nortel's Melkote said many traditional Internet routers are not able to effectively stop large-scale denial-of-service attacks because they don't have adequate processing capacity to intelligently determine when a site is under attack. According to reports, Yahoo! and other sites were hit with packets from more than 50 source addresses all at once.
"When you get a 'ping of death,' you need to be able to detect that the ping of death is happening, and most routers don't have the horsepower to do that," Melkote said.
Traditional Internet routers were not designed to process high-level information about an IP packet. Routers typically operate at what is known as Layer 3 of the protocol stack, which provides information about the IP addresses of a packet's source and destination. Firewalls, on the other hand, are designed to look at all the data flowing into a Web site to catch potential security threats. But the problem with firewalls - most of which have long been able to prevent denial-of-service attacks - is that they cannot operate fast enough for high-capacity Web sites such as Yahoo!, Melkote said.
For very high-volume sites, newer Internet traffic management switches, which are able to route data based on packet information above Layer 3, may be able to stop large-scale denial-of-service attacks.
ArrowPoint Communications claimed its Internet traffic management switch could easily stop distributed denial-of-service attacks. Ervin Johnson, director of technical marketing at ArrowPoint, said the company's switches are able to process 40,000 Transmission Control Protocol (TCP) requests per second - which would be more than capable of handling the up to 1-gigabit-per-second Internet connection that was being assaulted by a denial-of-service attack.
"ArrowPoint's switch actually intercepts the connection, so we can hold these half-requests, and if we don't see a subsequent source address [a characteristic of denial-of-service attacks] we don't let them go through," Johnson said.
In addition, Johnson said, the ArrowPoint switch is able to restrict specific TCP/IP port numbers, so you could set it up to allow only HyperText Transfer Protocol to be able to get into a Web site. This is not a unique feature; other load-balancing products, such as those from F5 Networks, can be similarly configured to block all ports except for the HTTP port (port 80).
Intelligent switches from Alteon WebSystems and Foundry Networks have similar capabilities to block denial-of-service attacks.
Foundry's ServerIron family of intelligent traffic management switches is able to stop packet-flooding denial-of-service attacks, said Marshall Eisenberg, Foundry's director of product marketing.
"When a hacker sends a SYN request, a server reserves that connection - but the hacker doesn't respond, so that's a half-open connection that takes up resources," Eisenberg said. "We have a feature that is specifically designed to regularly go out and tear down the half-connections."
In addition, ServerIron switches are able to incorporate new security features as customers alert Foundry about different kinds of attacks. For example, Foundry is in the process of implementing a solution that prevents the "ping of death" attack.
"These things aren't meant to be deployed at will to solve all your problems," Eisenberg said. "These hacking techniques are all slightly different."
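The half-open connection problem Eisenberg describes, and the "tear down" mitigation, as an added simulation that is not Foundry's code or part of the article: a server backlog of SYN_RECEIVED entries is flooded with constructed, never-acknowledged SYNs, with and without a reaper that tears down stale entries. The backlog size, timeout, flood rates and addresses are constructed assumptions; the model also shows Eisenberg's caveat, since reaping only keeps a legitimate client connecting while the flood rate times the timeout stays below the backlog size.

```python
from dataclasses import dataclass, field

BACKLOG_SIZE = 128        # assumed: half-open slots the server can hold
HALF_OPEN_TIMEOUT = 3.0   # assumed: seconds a SYN_RECEIVED entry waits for the client's ACK

@dataclass
class HalfOpenTable:
    """Models a server's backlog of half-open (SYN_RECEIVED) TCP connections."""
    capacity: int = BACKLOG_SIZE
    timeout: float = HALF_OPEN_TIMEOUT
    pending: dict = field(default_factory=dict)  # (src_ip, src_port) -> arrival time of SYN
    dropped_syns: int = 0
    reaped: int = 0

    def on_syn(self, src_ip: str, src_port: int, now: float) -> bool:
        """A SYN arrives: reserve a slot, or drop the SYN if the backlog is already full."""
        key = (src_ip, src_port)
        if key in self.pending:            # retransmitted SYN, slot already reserved
            return True
        if len(self.pending) >= self.capacity:
            self.dropped_syns += 1         # backlog exhausted: new clients are refused
            return False
        self.pending[key] = now
        return True

    def on_ack(self, src_ip: str, src_port: int) -> bool:
        """The client's ACK completes the handshake and frees the half-open slot."""
        return self.pending.pop((src_ip, src_port), None) is not None

    def reap(self, now: float) -> None:
        """Tear down half-open entries whose handshake never completed within the timeout."""
        stale = [k for k, t0 in self.pending.items() if now - t0 >= self.timeout]
        for k in stale:
            del self.pending[k]
        self.reaped += len(stale)

def simulate(flood_syns_per_sec: int, seconds: int, reap: bool) -> dict:
    """Per virtual second: reap (optional), deliver constructed never-ACKed SYNs, then try one real handshake."""
    table, legit_ok = HalfOpenTable(), 0
    for sec in range(seconds):
        now = float(sec)
        if reap:
            table.reap(now)
        for i in range(flood_syns_per_sec):   # constructed attacker traffic from unique fake sources
            table.on_syn(f"10.{sec}.{i // 256}.{i % 256}", 40000 + i, now)
        if table.on_syn("192.0.2.10", 50000 + sec, now):   # legitimate client (RFC 5737 range)
            table.on_ack("192.0.2.10", 50000 + sec)
            legit_ok += 1
    return {"legit_ok": legit_ok, "half_open": len(table.pending),
            "dropped": table.dropped_syns, "reaped": table.reaped}
```

At 40 spoofed SYNs per second the reaper keeps the legitimate client connecting every second; at 50 per second the 3-second timeout retains more entries than the 128-slot backlog, and the client is refused just as it is without reaping.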
Joe McGarvey contributed to this report.