DDoS Attackers Raising the Bar
Distributed denial-of-service attackswhich by some estimates total more than 4,000 a weekare likely to get much worse as the perpetrators hone their skills and new weaknesses in popular platforms are discovered and exploited.
As vendors such as Asta Networks Inc. and Mazu Networks Inc. prepare to launch their anti-DDoS solutions in the coming weeks, attackers across the Internet are fine-tuning their tools and creating sophisticated assaults designed to elude even the best defenses.
In addition, those malicious programmers could get a big assist this fall when Microsoft Corp. releases Windows XP, which some security experts say provides attackers with a made-to-order launching pad for their DDoS assaults.
The operating system will include support for "raw sockets," a Unix-style function that lets users write raw IP packets and send them to any host they choose.
The functionality also gives users the ability to spoof the IP address of the originating machine, something not possible with out-of-the-box Windows 9x installations. This, combined with the fact that XP will largely be deployed by security-challenged home users, has experts fearing the worst.
"This is a vastly powerful tool for mass destruction," said security expert Steve Gibson, of Gibson Research Corp., in Laguna Hills, Calif., whose Web site was hit by several DDoS attacks last month. "No home software has any need for [raw sockets]."
However, officials of the Redmond, Wash., software company and some security specialists say that the feature has been in Unix and its open-source descendants for years and that it has always been possible to spoof IP addresses on Windows 9x with plug-ins.
Meanwhile, Asta, of Seattle, this week will release its Vantage System, a distributed network of hardware sensors capable of detecting and responding to all known flood-based DDoS attacks, as well as previously unknown ones. The sensors are hardened appliances that communicate through a central "coordinator" via encrypted channels.
When one of the sensors detects an attack, it automatically forwards the data to the coordinator, which analyzes it and presents a detailed picture of the attack to network engineers. The coordinator also notifies the other sensors.
Mazu, based in Cambridge, Mass., plans to release its anti-DDoS solution next week. Details were not available.
But software cant prevent DDoS attacks, a fact not lost on administrators.
"The best we can hope for is to detect the attack and automate some of the notification and other processes," said Jeff Ogden, associate director for high-performance networking at Merit Network Inc., an Ann Arbor, Mich., ISP (Internet service provider). "Even if we stop the flood, the hacker is still out there banging on the door. These sophisticated attacks take a fair bit of analysis."
Malicious hackers have also beefed up their repertoire of DDoS attacks to include assaults involving "pulsing zombies" that send waves of traffic instead of steady streams; low-bandwidth attacks that consume less than 100 percent of the victims bandwidth, thereby eluding alarms; and reflector attacks that bounce traffic off random hosts to mask their point of origin.
The attack that took down Gibsons site last month began as a flood of fragmented User Datagram Protocol and Internet Control Message Protocol packets aimed at his ISPs router. But once the ISP implemented filters to stop the flood, the attack morphed into assaults on the T-1 interfaces of the router and on his firewall.
"These guys are coming up with lots of different kinds of attacks, so theres no one software package that can prevent them all," Gibson said.
And the attacks are only going to get worse, thanks to the growing menu of DDoS tools and attack scripts available on the Internet.