We can prevent those distributed denial of service attacks with 'egress filtering'


March 1, 2000
Web posted at: 8:31 a.m. EST (1331 GMT)

(IDG) -- The attacks that hobbled Web sites Yahoo, Etrade, and CNN earlier this month sounded a warning: Secure your computers or be subjected to similar attacks in the near future.

The Web attacks, technically known as distributed denial of service, or DDoS, attacks, were launched primarily from compromised Solaris and Linux machines. Those machines were chosen because the DDoS tools were originally written by hackers with Unix backgrounds. But the same tools have already been ported, so they will compromise Windows clients and NT servers as well. Windows-based DDoS attacks will inevitably come. If your system is used to attack other systems, you run the risk of a lawsuit.

Ironically, DDoS attacks are so technically crude that they can be almost entirely prevented by a simple change in most networks. The networks that relayed February's attack did not have "egress filtering" turned on. I'll describe what this means after a brief introduction to the way those DDoS attacks worked.

Step 1. During several months last year, hackers placed versions of DDoS tools on Internet sites for anyone to download. These tools have names such as Trinoo, TFN (Tribe Flood Network), and Stacheldraht (German for barbed wire). If you want to see what you're up against, go here and here.


Step 2. Using the DDoS tools, the hacker built a three-tier architecture over several weeks. Tools on his workstation found servers with security weaknesses and planted software there. Those servers, known as masters, talked to daemon software planted on still other machines, known as zombies.

Step 3. Once hundreds of zombie computers were ready, the attacker sent data packets to the masters. These instructed the zombies to flood the targeted victims. Each zombie, on a high-speed Internet connection, might send many thousands of packets. The source address of each packet was spoofed, or falsified. This made packets arriving at the victim's Web site appear to come from many machines rather than from a specific, identifiable set. The attacker is hard to trace because the zombies themselves are hard to identify.

The fact that the IP address of each packet was spoofed gives the Internet community a way to prevent such attacks. Every ISP can refuse to pass on incoming packets whose source IP addresses are false (this is called ingress filtering). And every corporation with an Internet connection can ensure that spoofed packets never leave the corporate network. (This is called egress filtering. Check here for details.)

Either fix involves a simple change to a router's configuration file. It imposes no performance penalty, because the router only checks that the source address of each packet falls within a valid prefix for the link it arrived on. The Internet Society provides a paper, Request for Comments 2267, that describes these procedures and other steps to take (see here).
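The prefix check both filters perform, modelled in Python as an added example that is not part of the original column. The address blocks, customer links, and packets below are constructed sample values (RFC 5737 test networks), not real networks; a real router does the same lookup in its forwarding path.

```python
"""Model of RFC 2267-style ingress and egress source-address filtering."""
import ipaddress

# Constructed: the only address block this site may originate traffic from.
SITE_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]

# Constructed: the prefixes an ISP has assigned to each customer link.
CUSTOMER_LINKS = {
    "link-A": [ipaddress.ip_network("203.0.113.0/24")],
    "link-B": [ipaddress.ip_network("198.51.100.0/24")],
}


def source_allowed(src, prefixes):
    """True if src lies inside one of the legitimate prefixes.

    This single prefix lookup on the source address is the whole check,
    which is why the filter costs the router essentially nothing.
    """
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in prefixes)


def egress_filter(packets, prefixes=SITE_PREFIXES):
    """Corporate border router: drop outbound packets with spoofed sources.

    Returns (forwarded, dropped) lists of (src, dst) pairs.
    """
    forwarded, dropped = [], []
    for src, dst in packets:
        (forwarded if source_allowed(src, prefixes) else dropped).append((src, dst))
    return forwarded, dropped


def ingress_filter(link, packets, links=CUSTOMER_LINKS):
    """ISP edge router: accept from a customer link only the sources it was assigned."""
    return egress_filter(packets, links[link])


# Constructed traffic: one real request plus two zombie packets with forged sources.
SAMPLE_OUTBOUND = [
    ("203.0.113.10", "192.0.2.80"),  # genuine host inside the site
    ("10.99.99.99", "192.0.2.80"),   # zombie forging an RFC 1918 source
    ("198.51.100.7", "192.0.2.80"),  # zombie forging another network's address
]

if __name__ == "__main__":
    fwd, drop = egress_filter(SAMPLE_OUTBOUND)
    print("forwarded:", fwd)
    print("dropped as spoofed:", drop)
```

With egress filtering on, only the genuine packet leaves the site; the same lookup at the ISP's edge (ingress_filter) catches any spoofed packet a site without egress filtering lets through.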

In addition, firewalls are essential protection for any system with a high-speed connection to the Internet. WatchGuard Technologies, which I wrote about in several columns last fall, offers five firewall appliances scaled for small to large businesses. WatchGuard provides an excellent white paper on the latest attacks (see here, particularly the Resources section).

Steve Steinke, editor at, belittled my warnings in a January 2000 editorial that said unless a PC "is configured to be a server, there's nothing a hacker can do to it except for some sort of denial of service attack, which would obviously call for an intervention by the ISP."

Todd Hooper, vice president of WatchGuard, after reading this said, "He seems to think he can call his ISP for a magic fix. The reality is, with distributed DoS [denial of service] tools like TFN and Trinoo, the ISP is powerless."

Once a DDoS attack has started, an ISP may indeed find itself powerless. But ingress and egress filtering can eliminate the fertile ground from which DDoS attacks spring. They won't end all attacks, but they are so central that I urge you to take these steps today.

© 2001 Cable News Network. All Rights Reserved.