Web attacks give new meaning to 'eternal vigilance'

13 October 2000 03:00 PM
"The price of freedom is eternal vigilance," Thomas Jefferson once said. After several high-profile denial-of-service attacks on some of the more popular Web sites, it looks like eternal vigilance is also the price of e-business.

In the past week, Yahoo, eBay, Amazon, CNN, Buy.com and ZDNet have all suffered denial-of-service attacks. Of these, the attack on Yahoo is the most surprising, since the company has a good track record and long experience dealing with security threats. The fact that Yahoo fell victim to an attack should be a wake-up call to all Web sites.

Denial-of-service attacks are among the oldest forms of security threats on the Internet. A few years ago, many Linux-based systems fell victim to SYN flood attacks, while Windows NT-based sites were knocked out by attacks that utilized holes in Internet Information Server 2.0.

While these attacks were mostly seen as a nuisance, the recent attacks have cost sites millions of dollars. Also, since the older forms of denial-of-service attack have been well documented and addressed by security upgrades, many sites may have felt they were prepared for such attacks.

The price of ignorance

However, according to the CERT Coordination Center at Carnegie Mellon, several new forms of denial-of-service attacks have popped up in recent months. A CERT advisory details several new attacks that get around common security measures. Luckily, the advisory also details steps that can be taken to detect and stop these attacks.

This is the key point: Sites such as CERT and the SANS Institute provide detailed information on protecting systems from attack, but current evidence suggests that many administrators ignore this information.

Also, just because you don't have a big, high-profile site doesn't mean you can ignore security. Most of these attacks involve multiple systems that have been taken over by attackers. Personal experience has taught me that forgotten test systems can be found and used to attack other Web sites.

Being in charge of site security isn't an enviable position, but it's potentially the most important job for dot.coms. Not only is it a 24x7 job to monitor systems and take proper safety measures, it's also a constant learning process. Security school is in session and it never gets out. What worked yesterday is guaranteed not to work tomorrow.

And if you think you don't need to practice good security on your systems with Internet access, well, to quote Stuart Smalley: "Denial ain't just a river in Egypt."
