Avoiding future denial-of-service attacks
(IDG) -- ISPs have a technique that could be used to choke off denial-of-service Web attacks, but it's not clear if business users will benefit from it any time soon.
By using address source filtering at edge routers, ISPs could prevent large numbers of "fake" IP packets from flooding targeted sites. In the near term, filtering is the only solution to prevent denial-of-service attacks on a large scale, says John Pescatore, a research director at Gartner Group, a Stamford, Conn., consulting firm.
While most ISPs agree filtering could nearly eliminate the assaults, they are hesitant to install the safeguard because of the heavy price and uncertainty about the longevity of the fix.
Filters, which have to be deployed on routers at the edge of the network, enable an ISP to drop packets that have unfamiliar source addresses. PSINet, for example, would examine packets coming in from a customer site and drop them if they had addresses assigned to UUNET or were otherwise unknown.
Hackers typically use fraudulent IP addresses, either lifted from unknowing Internet users or simply made up, to make it harder for investigators to discover where attacks are coming from.
Address source filtering will likely reduce the number of denial-of-service attacks by making this common first step difficult to pull off and easier to trace, says Chuck Davin, vice president and chief technical officer at PSINet.
So why aren't ISPs using filtering? The primary reason is that performance will suffer, says Kelly Cooper, Internet security officer at GTE Internetworking. "Filtering at the edge of the network will take a significant amount of router processing power."
PSINet's Davin likens it to putting police officers at the entry of every highway and having them check the license of every driver to make sure they are who they say they are.
To overcome the congestion, ISPs would have to deploy more packet-handling horsepower. "The bottom line is that the responsibility is on the ISPs and Web-hosting companies to strengthen their infrastructures," Gartner's Pescatore says. "They don't want to because it would require more routers, larger switches, etc., to maintain the same performance."
While source filtering can combat denial-of-service attacks, it's possible hackers could change their ways and effectively sidestep the expensive fix. Some ISPs, such as PSINet and GTE Internetworking, are considering setting up filters, but none have committed to deploying the technology.
UUNET's Mark Krause, senior manager of infrastructure security, says it's not so much a cost issue as a question of getting more powerful hardware and software that can handle the load without degrading network performance.
UUNET and GTE Internetworking are working with Cisco to develop a more advanced technique for dropping invalid traffic. GTE Internetworking is already using Cisco's reverse path forwarding (RPF) feature, which compares the source address of incoming IP traffic with the routing table to ensure the packet arrived from the network it claims to come from; RPF is believed to be less draining on routers than static filters. But today, RPF cannot be used with customers that use more than one ISP for access, which is becoming more common.
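To make the two mechanisms concrete, here is an added illustration in Python (not from the article or from any ISP or vendor): a static per-port source-address filter of the kind PSINet describes, and a strict reverse-path check of the kind the RPF paragraph describes, run over constructed packets. The prefixes, interface names and routing table are all made up; the multihomed customer shows why a strict reverse-path check drops legitimate traffic when the router's best route back to that customer points out a different interface.

```python
import ipaddress

# Constructed routing table for one edge router: prefix -> interface the
# router would use to reach that prefix (longest prefix wins).
ROUTES = {
    ipaddress.ip_network("192.0.2.0/24"): "cust-A",      # single-homed customer
    ipaddress.ip_network("203.0.113.0/24"): "upstream",  # multihomed customer B: best path learned via another ISP
    ipaddress.ip_network("0.0.0.0/0"): "upstream",       # default route
}

# Constructed list of prefixes the ISP assigned to each customer port; this is
# what a static source-address filter is built from.
ASSIGNED = {
    "cust-A": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-B": [ipaddress.ip_network("203.0.113.0/24")],
}

# Constructed sample packets as (source address, arrival interface).
SAMPLE = [
    ("192.0.2.10", "cust-A"),     # legitimate, single-homed customer
    ("198.51.100.7", "cust-A"),   # source address not assigned to this port
    ("203.0.113.5", "cust-B"),    # legitimate, but customer is multihomed
]

def ingress_filter_ok(src, in_iface):
    """Static edge filter: accept only if the source lies in a prefix
    assigned to the port the packet arrived on."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in ASSIGNED.get(in_iface, []))

def reverse_path_iface(src):
    """Longest-prefix lookup of the source address in the routing table."""
    addr = ipaddress.ip_address(src)
    matches = [net for net in ROUTES if addr in net]
    return ROUTES[max(matches, key=lambda n: n.prefixlen)] if matches else None

def strict_rpf_ok(src, in_iface):
    """Strict reverse-path check: the best route back to the source must
    leave via the interface the packet came in on."""
    return reverse_path_iface(src) == in_iface

def evaluate(packets):
    """Map each (src, iface) to (static filter verdict, strict RPF verdict)."""
    return {(s, i): (ingress_filter_ok(s, i), strict_rpf_ok(s, i)) for s, i in packets}

if __name__ == "__main__":
    for key, verdict in evaluate(SAMPLE).items():
        print(key, "filter=%s rpf=%s" % verdict)
```

The third packet is accepted by the static filter but rejected by the strict reverse-path check, which is the multihoming limitation the article describes.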
While ISPs are waiting for more-advanced filtering methods, the ISPs interviewed by Network World say business users must shoulder some of the burden. The carriers are working with customers to set up filtering and intrusion-detection software to help prevent hackers from capturing machines to launch attacks.
Authorities pursuing the attackers say the servers they used belonged to users who had no idea their resources were being used to launch attacks.
Clearly something has to be done, because the stakes are so high. The attacks on Yahoo, eBay, Amazon.com and E*Trade earlier this month cost approximately $1.2 billion, according to The Yankee Group, a Boston consulting firm. This figure comes from estimating lost revenues, loss in market capitalization due to falling stock prices and how much money will be spent on upgrading security systems.
Ultimately the carrier that offers a solution to the problem may have a competitive advantage over rivals.
© 2001 Cable News Network. All Rights Reserved.