Avoiding future denial-of-service attacks

Network World Fusion

February 23, 2000
Web posted at: 8:48 a.m. EST (1348 GMT)

(IDG) -- ISPs have a technique that could be used to choke off denial-of-service Web attacks, but it's not clear if business users will benefit from it any time soon.

By using address source filtering at edge routers, ISPs could prevent large numbers of "fake" IP packets from flooding targeted sites. In the near term, filtering is the only solution to prevent denial-of-service attacks on a large scale, says John Pescatore, a research director at Gartner Group, a Stamford, Conn., consulting firm.


While most ISPs agree filtering could nearly eliminate the assaults, they are hesitant to install the safeguard because of the heavy price and uncertainty about the longevity of the fix.

Filters, which have to be deployed on routers at the edge of the network, enable an ISP to drop packets that have unfamiliar source addresses. PSINet, for example, would examine packets coming in from a customer site and drop them if they had addresses assigned to UUNET or were otherwise unknown.

Hackers typically use fraudulent IP addresses, either lifted from unknowing Internet users or simply made up, to make it harder for investigators to discover where attacks are coming from.

Address source filtering will likely reduce the number of denial-of-service attacks by making this common first step difficult to pull off and easier to trace, says Chuck Davin, vice president and chief technical officer at PSINet.

So why aren't ISPs using filtering? The primary reason is performance will suffer, says Kelly Cooper, Internet security officer at GTE Internetworking. "Filtering at the edge of the network will take a significant amount of router processing power."

PSINet's Davin likens it to putting police officers at the entry of every highway and having them check the license of every driver to make sure they are who they say they are.


To overcome the congestion, ISPs would have to deploy more packet-handling horsepower. "The bottom line is that the responsibility is on the ISPs and Web-hosting companies to strengthen their infrastructures," Gartner's Pescatore says. "They don't want to because it would require more routers, larger switches, etc., to maintain the same performance."

While source filtering can combat denial-of-service attacks, it's possible hackers could change their ways and effectively sidestep the expensive fix. Some ISPs, such as PSINet and GTE Internetworking, are considering setting up filters, but none have committed to deploying the technology.

UUNET's Mark Krause, senior manager of infrastructure security, says it's not so much a cost issue as a question of getting more powerful hardware and software that can handle the load without degrading network performance.

UUNET and GTE Internetworking are working with Cisco to develop a more advanced technique for dropping invalid traffic. GTE Internetworking is already using Cisco's reverse path forwarding (RPF) protocol to compare IP traffic with routing tables to ensure the packet is coming from the correct network. But today, RPF cannot be used with customers that use more than one ISP for access, which is becoming more common. RPF is believed to be less draining on routers.
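As an added illustration (not from the article or from any ISP or vendor it names), here are the two checks described above side by side: a static per-customer source filter and a strict reverse-path check against a routing table. The interface names, prefixes, routing table and sample packets are all constructed; the last packet shows why the reverse-path check fails for a customer that also reaches the Internet through another ISP.

```python
import ipaddress

# Constructed routing table for a hypothetical edge router: prefix -> egress interface.
ROUTES = {
    ipaddress.ip_network("0.0.0.0/0"): "upstream",      # default route toward the core
    ipaddress.ip_network("192.0.2.0/24"): "cust-a",      # single-homed customer
    ipaddress.ip_network("198.51.100.0/24"): "cust-b",   # single-homed customer
    # cust-c is multihomed: its space 203.0.113.0/24 is learned only via the other ISP,
    # so from this router the best route back to it points upstream, not at cust-c's port.
}

# Constructed static ingress filter: interface -> source prefixes the ISP agreed to accept.
ASSIGNED = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/24")],
    "cust-c": [ipaddress.ip_network("203.0.113.0/24")],  # entered by hand for the multihomed site
}

def ingress_filter(iface, src):
    """Static edge filter: pass only if the source lies in a prefix assigned to the arrival port."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED.get(iface, ()))

def best_route(addr):
    """Longest-prefix match over ROUTES; returns the egress interface for addr (None if no route)."""
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def strict_urpf(iface, src):
    """Strict reverse-path check: pass only if the route back to the source leaves via the arrival port."""
    return best_route(ipaddress.ip_address(src)) == iface

# Constructed sample packets: (arrival interface, source address)
PACKETS = [
    ("cust-a", "192.0.2.10"),    # legitimate, single-homed customer
    ("cust-a", "198.51.100.5"),  # forged: address belongs to another customer
    ("cust-a", "10.0.0.1"),      # forged: made-up source
    ("cust-c", "203.0.113.7"),   # legitimate, but the customer is multihomed
]

def evaluate(packets=PACKETS):
    """Return [(iface, src, static_filter_passes, strict_rpf_passes)] for each packet."""
    return [(i, s, ingress_filter(i, s), strict_urpf(i, s)) for i, s in packets]

if __name__ == "__main__":
    for iface, src, f, r in evaluate():
        print(f"{iface:7} {src:15} static={'pass' if f else 'drop'} rpf={'pass' if r else 'drop'}")
```

The static filter and the reverse-path check agree on the three single-homed packets, but the strict check wrongly drops the multihomed customer's legitimate traffic because the router's best route back to 203.0.113.0/24 does not leave via cust-c.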

While ISPs are waiting for more-advanced filtering methods, the ISPs interviewed by Network World say business users must shoulder some of the burden. The carriers are working with customers to set up filtering and intrusion-detection software to help prevent hackers from capturing machines to launch attacks.

Authorities pursuing the attackers say the servers they used belonged to users who had no idea their resources were being used to launch attacks.

Clearly something has to be done, because the stakes are so high. The attacks on Yahoo, eBay, and E*Trade earlier this month cost approximately $1.2 billion, according to The Yankee Group, a Boston consulting firm. This figure comes from estimating lost revenues, loss in market capitalization due to falling stock prices and how much money will be spent on upgrading security systems.

Ultimately the carrier that offers a solution to the problem may have a competitive advantage over rivals.

© 2001 Cable News Network. All Rights Reserved.