In Denial

By eweek  |  Posted 2001-07-09

If service providers don't move faster to prevent distributed denial-of-service attacks, hackers and script kiddies can grab their suntan lotion and head for the beach this summer, because there will still be ample opportunity to bring sites to a screeching halt once the season is over.

To an I-manager, a DDOS attack — a flood of junk traffic blasted at a site — is about as frustrating a security concern as there is in this business. And for a very good reason: There really isn't much you can do about it.

Denial-of-service attacks are launched at a rate of more than 4,000 per week, according to a recent study by the University of California at San Diego, and researchers say that's a conservative estimate. But solutions to DDOS are hard to come by.

Sure, you can throttle back your Internet bandwidth, but then you're limiting legitimate traffic as well, possibly frustrating customers. You can also blow open the pipe so wide that any and all traffic can get through. But this presents two problems: One, your friendly service provider is going to charge you more for that increased bandwidth; and two, eventually, you're going to get hit by an attack so large that even that won't help.

There's a new crop of network devices we wrote about last week ["Mob Stoppers," July 2, page 46] from Arbor Networks, Asta Networks, Captus Networks and Mazu Networks, each of which promises to detect and stop DDOS attacks without dropping legitimate traffic, but those products have yet to be proven.

Of course, we could all just ask hackers to stop. Nicely. Assuming that doesn't work, we're stuck.

Or maybe not. Many industry watchers feel the responsibility for stopping DDOS should be squarely on Internet service providers' (ISPs') shoulders, since they're at the core of the network and have the visibility needed to prevent these attacks.

"The issue of DOS is something that [won't be solved] unless the ISPs, network operators and backbone providers work collectively," says Sunil Misra, managing principal at Unisys's worldwide security practice. "And there is no movement right now to make that happen."

That's a crying shame. The main obstacle is that this would require all of these ISPs to work together to put a stop to DDOS. Says Steve Bellovin, a researcher at AT&T Labs and noted DDOS expert, "There's not a whole lot an individual ISP can do." However, working together, ISPs can come up with anti-address-spoofing strategies and find out exactly where these attacks are coming from.
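One concrete form of the anti-address-spoofing strategy mentioned above is ingress filtering at the ISP's customer edge (the approach described in RFC 2827 / BCP 38): a packet is forwarded only if its source address belongs to the prefixes assigned to the port it arrived on, so spoofed flood traffic is dropped and the drop counts point back at the originating customer. This is an added illustration, not code from the column; the customer prefixes, port names and packets are constructed sample data.

```python
"""Source-address validation at an ISP customer edge (ingress filtering,
the anti-spoofing measure RFC 2827 / BCP 38 describes).

Added illustration, not code from the column. Customer prefixes, port
names and packets below are constructed sample data."""
import ipaddress
from collections import Counter

# Constructed: which address blocks were assigned to each customer port.
CUSTOMER_PREFIXES = {
    "port-1": [ipaddress.ip_network("192.0.2.0/24")],
    "port-2": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/26")],
}

def is_valid_source(port, src):
    """True if src falls inside a prefix assigned to the ingress port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in CUSTOMER_PREFIXES.get(port, []))

def ingress_filter(packets):
    """Return (forwarded, dropped, spoofed_per_port) for a list of
    (port, src_ip, dst_ip) tuples.  Dropped packets are counted per port,
    which identifies the customer connection the spoofed traffic entered on."""
    forwarded, dropped = [], []
    spoofed_per_port = Counter()
    for port, src, dst in packets:
        if is_valid_source(port, src):
            forwarded.append((port, src, dst))
        else:
            dropped.append((port, src, dst))
            spoofed_per_port[port] += 1
    return forwarded, dropped, spoofed_per_port

# Constructed sample traffic: normal flows plus flood packets with forged sources.
SAMPLE_PACKETS = [
    ("port-1", "192.0.2.17", "203.0.113.5"),      # legitimate
    ("port-2", "198.51.100.9", "203.0.113.5"),    # legitimate
    ("port-1", "10.0.0.1", "203.0.113.5"),        # spoofed private source
    ("port-1", "203.0.113.77", "203.0.113.5"),    # spoofed, forged as victim's range
    ("port-2", "198.51.100.200", "203.0.113.5"),  # spoofed, outside assigned blocks
    ("port-3", "192.0.2.1", "203.0.113.5"),       # unknown port: no valid prefixes
]

if __name__ == "__main__":
    fwd, drop, per_port = ingress_filter(SAMPLE_PACKETS)
    print(f"forwarded={len(fwd)} dropped={len(drop)}")
    for port, n in per_port.most_common():
        print(f"  {port}: {n} spoofed packet(s) -> trace to this customer")
```

The filter only helps when the ISP nearest the traffic source applies it, which is why the column's point about collective action matters: an ISP downstream of an unfiltered peer sees the same forged addresses and cannot tell them from legitimate transit.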

But I don't think any single ISP should be let off the hook, either. Call up your service provider and ask what they're doing about DDOS. If they don't have a strategy, or at the very least aren't considering solutions from the vendors mentioned above, then they don't have your best interests in mind.
