What is DDoS and How It is Hurting the Internet, E-commerce and Business


LOS ANGELES -- The Computer Emergency Response Team (CERT), the Internet's leading security watchdog, warns that Distributed Denial of Service (DDoS) attacks pose a major threat to e-commerce and e-business in the future. The threat continues to escalate. A recently published study at the University of California at San Diego says that at least 4,000 DDoS attacks occur each week and the number is rising.

Denial of Service (DoS) attacks occur when a computer network is overwhelmed by streams of seemingly normal service requests (literally made by sending data packets) such that legitimate users cannot gain access to network resources - thus, they are denied service. Typical Distributed Denial of Service (DDoS) attacks involve the use of multiple unwitting "zombie" computers sending requests to the victim site. This is more effective in creating an overwhelming mass of requests to deny service (e.g., a thousand computers sending millions of requests). But importantly, the attack is more difficult to stop because its origin is spread across many machines and hard to identify, especially as the data packets sent to the victim will often have "spoofed" (forged) source addresses.

The most infamous of the DDoS attacks occurred in February 2000, when a four-hour attack on popular sites such as Amazon, CNN, Yahoo! and eBay caused an estimated $1.2 billion in economic impact and millions of dollars in lost revenue, according to The Yankee Group. In January of this year, Microsoft's vast site was shut down for hours by a DDoS attack, causing the giant untold sums in lost revenue and tarnishing its reputation. Recently, the Web sites of the FBI and even CERT have fallen victim to DDoS attacks.

If a Microsoft or an eBay or the FBI cannot stop DDoS attacks, less tech-savvy businesses are especially vulnerable, and the potential costs can be devastating. In estimating the costs of computer security breaches in hypothetical situations, Forrester Research looked at the impact to an auto manufacturer from losing a week's worth of tires due to cyber techniques, such as DDoS attacks, and estimated a loss of $21 million. A SANS Institute article, What Does a Computer Security Breach Really Cost?, offered the example of PC wholesaler Ingram Micro, which had to shut down its main data center for eight hours in December of 1998 due to an electrical short at a loss of $3.2 million. This was not a security breach, but it "mimicked what could happen with a Distributed Denial of Service (DDOS) attack or a major intrusion." Launching a harmful DDoS attack is relatively easy.

In May, the site of Gibson Research Corporation, maker of the ShieldsUP! Internet connection security service for the Windows operating system, was shut down and harassed by multiple DDoS attacks throughout the month by a 13-year-old hacker known as "Wicked." CEO Steve Gibson has since posted an open letter to hackers offering "unconditional surrender," acknowledging that there is nothing that can be done "to defend against a real, professional, Internet Denial of Service attack."

"Nothing more than the whim of a 13-year old hacker is required to knock any user, site, or server right off the Internet," Gibson posted on his site, underscoring the fact that the Internet today is too vulnerable for mission critical applications and that DDoS attacks have the potential to cause great economic impact, especially if they result in eroding consumer confidence in e-business.

How a DDoS Attack Works

Many Windows- and MacOS-based systems run operating systems and browsers with security vulnerabilities that hackers can exploit. The hacker planning a DDoS attack identifies and infiltrates numerous computers and networks with these vulnerabilities, planting and hiding DDoS attack tools in them. These machines become the "zombies" mentioned earlier: they lie asleep until wakened, that is, until it is time to trigger a coordinated flood attack, all of which is controlled remotely.

Architecture of DDoS Attack

A DDoS attack system requires coordination of different systems: handlers, zombies, and the victim. To generate a flood of network traffic to the victim's site, the attacker issues commands to "handler" computers, which in turn each send commands to a troop of zombie computers. One hacker can get 10,000 zombie machines together and aim them at one or more Web sites.

There is no end in sight to this threat, because at present there is no deployed and fully automated solution to combat the DDoS problem.

Some tools, manual procedures and administrative processes, while helpful, do not provide a complete, reliable solution. For example, ISPs are advised to implement "ingress filtering," which is supposed to filter packets entering the ISP's network from a customer that do not have source addresses within that customer's assigned address range, in an effort to reduce packet source forgery (though few ISPs do this because there's no direct subscriber benefit). Intrusion detection tools try to identify whether hackers have infiltrated computers; however, these tools that fight "zombie infestation" rely on known intrusion and attack signatures and therefore share the same weakness as virus detection tools: they're always playing catch-up with sophisticated attackers who are a technology step or two ahead of them.
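The ingress-filtering rule just described, as an added example that is not part of the original article or of Cs3's products: a Python check, with constructed per-interface prefix assignments and sample packets, that drops packets whose source address lies outside the prefixes assigned to the interface they arrived on, and counts drops per interface so a sudden spike points at the customer network hosting a zombie.

```python
import ipaddress
from collections import Counter

# Constructed example: address prefixes an ISP has assigned to each
# customer-facing interface. Under ingress filtering, a packet arriving on
# an interface must carry a source address inside that interface's prefixes.
INTERFACE_PREFIXES = {
    "cust-a": [ipaddress.ip_network("203.0.113.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

def ingress_allowed(interface, src):
    """Return True if src is a legitimate source for packets on interface.
    Unknown interfaces have no assigned prefixes, so everything is dropped."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in INTERFACE_PREFIXES.get(interface, []))

def filter_packets(packets):
    """Apply the ingress rule to (interface, src, dst) tuples.

    Returns (forwarded, dropped) lists; a dropped packet is one whose
    source address is forged relative to the interface it came in on."""
    forwarded, dropped = [], []
    for pkt in packets:
        iface, src, _dst = pkt
        (forwarded if ingress_allowed(iface, src) else dropped).append(pkt)
    return forwarded, dropped

def spoof_report(dropped):
    """Count dropped packets per interface: a sudden rise on one interface is
    the signal that a zombie inside that customer's network has been woken."""
    return Counter(iface for iface, _src, _dst in dropped)

# Constructed sample traffic: two legitimate packets and three with forged
# sources that cannot belong to the interface they arrived on.
SAMPLE_PACKETS = [
    ("cust-a", "203.0.113.7",    "192.0.2.10"),
    ("cust-b", "198.51.100.150", "192.0.2.10"),
    ("cust-a", "10.99.0.1",      "192.0.2.10"),  # private-range source, forged
    ("cust-a", "198.51.100.5",   "192.0.2.10"),  # cust-b's address on cust-a
    ("cust-b", "203.0.113.9",    "192.0.2.10"),  # cust-a's address on cust-b
]

if __name__ == "__main__":
    fwd, drop = filter_packets(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}", dict(spoof_report(drop)))
```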

Some products try to address the problem at the site or ISP level through the use of "smart filtering," whereby they seek to analyze packet traffic and stop those coming from an attacker. This approach is, again, much like virus scanning software: defenses are always trying to keep up with, and are always a little behind, the attackers.

To help blunt these attacks, security vendors are embedding stronger intelligence into networking filters and other network devices, but these efforts are proving to be limited in their success, as DDoS attack tools become more sophisticated and their schemes more complex.

Infrastructure-level Approach to DDoS Defense

Cs3, Inc., a company funded by the Department of Defense's Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP), believes that real solutions to DDoS must address fundamental problems with the Internet infrastructure that provide the platform for DDoS and other attacks.

Cs3 advocates and has developed Path Enhanced Internet Protocol (PEIP) - an IP enhancement that plugs basic holes and vulnerabilities in the infrastructure by eliminating source forgery. With PEIP, a packet carries its own path information that is not controlled by the sender.

The company's patent-pending MANAnet™ technologies focus solely on ways to make the public infrastructure more secure and robust, rather than on site-level concerns such as virus protection, intrusion detection, and password policies. MANAnet enables routers to use the PEIP substrate to provide "fair service" based upon the true source of the packet, thereby thwarting DDoS attackers and providing legitimate customers their fair share of network resources. With MANAnet's technologies, "cooperative neighborhoods" are used to provide enhanced collective security and reliability. The MANAnet Firewall helps sites fine-tune the defense to their specific requirements, and thereby plays an important role in the DDoS defense as well.

Under its MANAnet brand, Cs3 also has developed the Reverse Firewall™, an outgoing, automated DDoS defense solution for Internet Service Providers, universities and other infrastructure owners, which defeats DoS attacks launched from within a network. Unlike a traditional firewall, which filters incoming traffic, the MANAnet Reverse Firewall limits the rate of unexpected outgoing packets from a vulnerable network, protecting both the outside world and the network's own legitimate users from DDoS attacks originating inside.

#  #  #

About Cs3

Founded in 1991, incorporated in 1998, Cs3, Inc. is a pioneer in infrastructure-level DDoS security solutions, constructing the building blocks for a more secure and robust, mission-critical Internet. Privately held, Cs3 has been awarded development funding by the Defense Advanced Research Projects Agency (DARPA) and the California Technology Investment Partnership (CALTIP).

For more information on Cs3 and its MANAnet DDoS Defense solution, please visit www.Cs3-inc.com.

Company contact: Cs3, Inc., Ms. Deborah Taylor, 5777 W. Century Blvd., Ste. 1185, Los Angeles CA, 90045-5600. Phone: (310) 337-3013; Fax: (310) 337-3012.