What is a denial of service attack?
When an internet site is heavily used, the response can become frustratingly sluggish, as anyone will know who tried to watch live eclipse pictures on the Web last summer. A denial of service attack is essentially an extreme, and malign, instance of heavy usage. The attacker bombards the target site with a large volume of automatically generated access requests, simulating the effect of a zillion users trying to sign on simultaneously. Meanwhile, bona fide users cannot get on to the site at all, or experience such slow service that they give up trying.
Day of the zombie
‘DOS’ used to stand for a not-very-sophisticated operating system. Now it means ‘denial of service’, an equally unsophisticated form of cyber-vandalism.
How does DOS work?
As security breaches go, there’s nothing very cunning about DOS attacks. Because these are public websites, the attacker doesn’t have to crack any security safeguards. It’s really a question of using the site as it was intended to be used, only a lot more intensively.
The only thing that’s at all clever about DOS is that attackers mask their identity by hijacking other people’s computers, also via the internet, and making it appear that the traffic is originating from these intermediate computers. (And even that’s not all that clever, since the hackers use “Distributed Denial of Service” programs written by other people.)
In the case of the recent wave of attacks, computers belonging to several US universities were hijacked in this way, leading to accusations of lax security. But even a humble home PC could be used, provided it was permanently linked to the Internet; many already are in the US, and soon ours will be too.
A computer hijacked for the purposes of a DOS attack is sometimes called a ‘zombie’. While the zombie is fairly easily identified, it can be far harder to track down the user responsible for originating the attack.
What harm does DOS do?
Unlike some forms of hacking, DOS doesn’t directly threaten the integrity of data, or the ownership of property. For the owner of the attacked site, this blunt instrument is nonetheless damaging because it effectively puts them out of business for a few hours. And that could have wider implications for customer loyalty. The Web makes it easier than ever for customers to take their business elsewhere: one on-line bookshop is as convenient as another.
The recent attacks apparently represented a setback to on-line consumer confidence: one poll (www.gallup.com/poll/releases/pr000223.asp) suggested up to half of internet users might be less likely to shop on the web as a result of the recent wave of attacks. (It’s a little hard to see the logic behind their thinking, except insofar as 24-hour availability is one of the touted advantages of e-commerce.)
It’s also been suggested that the panic generated by a DOS attack could be used to divert attention from a more serious hack attack.
What can be done to prevent DOS attacks?
It’s difficult to deal with a DOS attempt without at least some degradation of service: although firewalls can detect and block attacks, any form of filtering of traffic is likely to constitute a bottleneck. But by using both technology and humans to monitor incoming traffic and continually watch for anomalous patterns, you can at least ensure that an attack will be spotted as early as possible. The sooner a DOS attack is detected, the sooner the owners of the computers being used in the attack can be located and notified, and the sooner they can shut down the offending program.
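The monitoring described above, as an added example that is not part of the original article: a small Python script that reads web-server access log lines, buckets requests into one-second windows, flags any window far above the normal rate, and lists the busiest source addresses so their owners can be notified. The log sample is constructed, the addresses are RFC 5737 test ranges, and the "normal" rate is an assumed figure.

```python
# Request-rate anomaly detector over web access logs (added example): buckets
# requests into fixed windows, flags windows far above the normal rate, and
# lists the busiest sources so their owners can be told to stop the program.
from collections import Counter, defaultdict
from datetime import datetime, timezone

# Constructed sample in Common Log Format (RFC 5737 test addresses): three
# quiet seconds, then 40 requests in one second from four hypothetical
# "zombie" hosts.
SAMPLE_LOG = (
    '198.51.100.7 - - [09/Feb/2000:10:00:00 +0000] "GET / HTTP/1.0" 200 512\n'
    '198.51.100.8 - - [09/Feb/2000:10:00:01 +0000] "GET /books HTTP/1.0" 200 2048\n'
    '198.51.100.7 - - [09/Feb/2000:10:00:02 +0000] "GET /cart HTTP/1.0" 200 128\n'
    + "".join(
        f'203.0.113.{i % 4 + 1} - - [09/Feb/2000:10:00:03 +0000] '
        '"GET / HTTP/1.0" 200 512\n'
        for i in range(40)
    )
)


def parse_line(line):
    """Return (source_ip, timestamp) from one Common Log Format line."""
    ip = line.split(" ", 1)[0]
    stamp = line[line.index("[") + 1:line.index("]")]
    return ip, datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")


def detect_flood(log_text, window_seconds=1, normal_rate=5, factor=4):
    """Return (window_start_iso, request_count, top_three_sources) for every
    window whose count exceeds factor * normal_rate. normal_rate is the
    per-window count under ordinary load (assumed here; measure it in
    practice from quiet periods)."""
    buckets = defaultdict(Counter)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ip, ts = parse_line(line)
        start = int(ts.timestamp()) // window_seconds * window_seconds
        buckets[start][ip] += 1
    alerts = []
    for start in sorted(buckets):
        total = sum(buckets[start].values())
        if total > factor * normal_rate:
            when = datetime.fromtimestamp(start, timezone.utc).isoformat()
            alerts.append((when, total, buckets[start].most_common(3)))
    return alerts
```

On the sample, the three quiet seconds pass unnoticed and the burst second is reported with its four source addresses, which is the information needed to contact the owners of the hijacked machines.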
The most effective way of pre-empting attacks is for the Internet community to ensure that their computers don’t become tools for the cyber-vandals. Since they want to generate a lot of traffic in a short timespan, attackers rely on being able to install their Distributed Denial of Service tools on other people’s computers without the owners realising it. The tools are then kicked off simultaneously to provide the requisite flow of traffic. Appropriate security procedures and tools should ensure that alien software installed on your computer is detected in time to prevent your computer from becoming a ‘zombie’.
So if your company has a website, or any computers that are connected to the Internet other than via a dial-up link, it’s worth asking what the IT specialists are doing to protect you against becoming either a victim or an instrument of DOS attacks.
Companies with products addressing DOS attacks
Internet Security Systems: www.iss.net – includes the enterprise threat management product RealSecure.
PGP: www.pgp.com – includes CyberCop Scanner, which can police a network to prevent installation of unauthorised software such as Distributed Denial of Service programs.
Check Point: www.checkpoint.com – Cyber Attack Defense System, which automatically contacts third parties such as Internet Service Providers in the event of a suspected DOS attack.
ArrowPoint: www.arrowpoint.com – Web switches designed to identify and block invalid traffic to a site.
For general advice on cybercrime from PricewaterhouseCoopers, see ‘Cybercrime: is your company at risk?’ www.pwcglobal.com
For technical discussion of denial of service see the CERT software engineering centre, Carnegie Mellon university: ‘Denial of Service’ www.cert.org/tech_tips/denial_of_service.html
For the FBI’s position on Cybercrime including denial of service, see www.fbi.gov/pressrm/congress/congress00/cyber021600.htm
For more detail from the US government about recent DOS attacks, see www.nipc.gov/