
A different kind of DoS

By Laurika Bretherton, ITWeb Chicago-based correspondent
Johannesburg, 13 Apr 2000

Canadian police search ISP for hacker. FBI site struck by Web attack. Leading Web sites fall prey. Web sites asked to be on alert. These are just a few of the headlines that have appeared in the press during the last few months. They refer to denial of service (DoS) attacks, which are characterised by an attempt by attackers to prevent legitimate users accessing a service.

Lauren Weinstein, co-founder of The People for Internet Responsibility (PFIR), explains how DoS works. "It is basically easy to understand. Imagine a small firm with two phone lines. Now you have 10 000 people at pay phones scattered around the world all trying to call that company at once, and hanging up as soon as there is an answer. Few, if any, customer calls will get through. Finding the perpetrators will be problematic at best."

DoS attacks came under the spotlight in a recently published white paper by two Ernst & Young managers, Patrick Heim and Ken Williams. The paper provides a practical analysis of the risk of DoS attacks, together with possible solutions.

Reasons for attack

Heim and Williams say the attackers' motivation is unclear. "These flooding attacks are not focused on penetrating or gaining unauthorised access to systems, they simply seek to cause the systems to stop responding and prevent legitimate users from conducting business."

The sources of these attacks are also unclear. Heim and Williams suggest that the attacks can be the work of hackers wanting some "amusement and self-aggrandisement in the hacker community". It could also be "hacktivists" conducting these attacks, "wanting to pressure computer users into taking security seriously by demonstrating the broad-reaching effects of having unsecured hosts on the Internet".

Another suggestion is that the attacks can be the work of competitors, investors or other malicious organisations wishing to influence the market valuation of publicly traded Internet firms for their own gain by demonstrating security vulnerabilities.

Safeguarding against attack

The white paper states that the defences against DoS attacks are complicated and range from procedural considerations such as incident response planning, to highly technical solutions involving network-based intrusion detection and response.

"The effective long-term defence is to deploy comprehensive security measures that address this issue from a policy, procedure and technical perspective. Additionally, the response must be distributed, meaning that parties outside the target company must co-ordinate efforts to prevent these attacks."

An appropriate defence solution must include three components, according to Heim and Williams. The first, preventative, should implement controls to limit the effectiveness of DoS attacks. "This includes deploying security measures on your own systems to prevent them from being used as part of these attacks. It is also necessary to deploy an intrusion detection system with a rule-base that is continually updated."

Secondly, detective and forensic skills should be applied. "Implement technical and procedural measures to capture the relevant information about the nature of the attack at a technical level. It is important that employees understand what information is to be captured, and how it may be manipulated without tainting or destroying the evidence."

Finally, respond. "Implement technical and procedural measures to respond to and minimise the impact of attacks."

Heim and Williams advise that each of these solutions must exist at a technical as well as a policy and procedure level. "Policies without technology enablers are ineffective, and technical enablers without adequate policy foundations are equally ineffective."

The PFIR's Weinstein adds that in the long run, major alterations will be needed to the fundamental structure of the Internet. "For now, it might be advisable for everyone to remember that the Internet, for all its wonders, is in many ways very fragile. We must not allow ourselves to get into a position where being cut off from a site for a few hours puts people or property at risk.

"It's time to get past the 'dotcom' hype and start considering carefully the realities, and limits, of the technology on which we're trying to base so much, so very fast." She warns: "If we continue to plough ahead without heeding these lessons, it will be at our extreme peril."
