Denial-of-service threat gets engineering community's attention

Network World Fusion

July 25, 2000
Web posted at: 10:34 a.m. EDT (1434 GMT)

(IDG) -- Remember the denial-of-service attacks that brought,, eBay and other popular Web sites to their knees in February? The Internet engineering community is developing technology that promises to minimize the damage these hacker attacks cause by quickly identifying the computer systems where they originate.

The Internet Engineering Task Force (IETF) last week launched a working group to develop ICMP Traceback Messages, which would let network managers discover the path that packets take through the Internet. Nicknamed itrace, the new working group plans to submit a proposed standard for traceback messages to the IETF leadership next January.


Itrace can't prevent denial-of-service attacks. But it will be an important tool for network managers trying to isolate and stop these attacks. The itrace approach also can address denial-of-service attacks inside a far-flung corporate network built on Internet standards.

"Itrace is a pretty important initiative," says John Pescatore, research director for network security at Gartner Group, a Stamford, Conn., market research firm. "What we need are standard mechanisms that can be built into the Internet switching infrastructure. That's the only place it will work to stop distributed denial-of-service attacks."

One drawback of itrace is it identifies the machines that are sending a denial-of-service attack - not the hacker who programmed them. Therefore, itrace will not help law enforcement officials trying to catch and prosecute hackers.

Itrace also faces a deployment challenge because it becomes effective only after the technology is installed across the Internet's backbone and edge routers. In the best-case scenario, the itrace rollout will take 18 months.

Nonetheless, itrace is the most promising technology that the Internet engineering community has conceived for battling denial-of-service attacks.


"The ISPs don't have good tools to trace these kinds of attacks back today. That's what we're trying to do," says Steve Bellovin, a network security researcher at AT&T Labs who is heading the IETF effort. "Itrace will be quite helpful, but I don't think it's a panacea. What you really want to do is deal with the attacks and stop them from hurting you."

In a distributed denial-of-service attack, a hacker breaks into other people's servers and programs them to flood a Web site with massive amounts of bogus traffic until the Web site crashes. In the much-publicized February attacks, it took Web site operators and their ISPs several hours to thwart the attacks and get sites back up and running.

One of the reasons it takes so long to stop a denial-of-service attack is the hacker sends the bogus traffic using fake IP addresses. Itrace would let Web site operators and ISPs track denial-of-service attacks back to their true sources within minutes.

With itrace, routers randomly generate a traceback message about a packet and send it to the packet's destination. Each traceback message provides information about the packet being traced, what time it was sent, where it came from, where it went and authentication of the packet transfer.

Network managers can piece the traceback messages together into a chain that represents a packet's path through the Internet. This capability is important because a packet takes as many as 20 hops through routers at various ISP locations as it moves through the Internet from sender to recipient.

Because the traceback messages are sent at a rate of one out of every 20,000 packets, they won't have a significant impact on the performance of the router or the Internet overall. However, with enough traceback messages from enough routers along the path, a network manager can find the source of a large amount of illegitimate traffic.
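The sampling and chaining described above can be modeled in a few lines. This is an added illustration, not code from the article or from the IETF working group: the (previous hop, router, next hop) message shape, the hop names and the packet counts are assumptions made for the simulation, and message authentication is left out.

```python
import random
from collections import Counter

SAMPLE_RATE = 1 / 20000  # one traceback message per 20,000 packets (figure from the article)

def forward(path, n_packets, rng):
    """Simulate n_packets crossing `path` (sender first, destination last).

    Every router in between emits a (previous hop, router, next hop) message
    for a packet with probability SAMPLE_RATE. The packet's claimed source
    address is never consulted, so spoofing it does not change the messages.
    """
    msgs = []
    for i in range(1, len(path) - 1):
        hits = sum(rng.random() < SAMPLE_RATE for _ in range(n_packets))
        msgs += [(path[i - 1], path[i], path[i + 1])] * hits
    return msgs

def reconstruct(msgs, victim):
    """Walk backwards from the victim, following the most-reported link at each hop."""
    links = {}
    for prev, router, nxt in msgs:
        links.setdefault(nxt, Counter())[(prev, router)] += 1
    chain, cur, origin = [victim], victim, None
    while cur in links:
        (prev, router), _ = links[cur].most_common(1)[0]
        if router in chain:  # guard against loops from inconsistent messages
            break
        chain.append(router)
        origin, cur = prev, router
    if origin is not None:
        chain.append(origin)
    return chain[::-1]

def demo(seed=1):
    rng = random.Random(seed)
    # Constructed topology: every hop name is a placeholder.
    flood = ["compromised-host", "r1", "r2", "r3", "r4", "victim"]
    normal = ["customer", "r9", "r4", "victim"]
    msgs = forward(flood, 400_000, rng) + forward(normal, 5_000, rng)
    rng.shuffle(msgs)  # messages reach the victim in no particular order
    return reconstruct(msgs, "victim")

if __name__ == "__main__":
    print(" -> ".join(demo()))
```

At this sampling rate a 400,000-packet flood yields about 20 messages per router, while the 5,000-packet legitimate flow yields almost none, which is why the heavily reported links mark the flood's path.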

One disadvantage of itrace is it stores information in the traceback messages in compressed form, so the information is ambiguous and requires some analysis and guesswork, says Fred Baker, chair of the IETF. "Due to this ambiguity, itrace is not a silver bullet. But it gives us a clue, where right now we are often completely in the dark."

The main challenge for itrace is getting router vendors to support it and ISPs to deploy it. One question is whether ISPs will deploy it just on their border routers or on all the routers in their networks. The latter approach is better because itrace is more helpful if it is deployed on more routers.

"Nobody can compel the ISPs to deploy this," AT&T Labs' Bellovin says. "The goal is to produce a specification that has support from router vendors such as Cisco and Juniper and from the ISPs."

ISPs face the cost of upgrading their routers to support itrace, and also the cost of developing the public-key infrastructure required for traceback message authentication. Without fail-proof authentication, hackers can create bogus traceback messages to accompany their denial-of-service attacks.

Still, ISPs seem positive about the itrace approach. "The ISP industry is going to welcome any attempt to standardize tools that help customers fight against distributed denial-of-service attacks," says Mark McFadden, chief technology officer for the Commercial Internet Exchange Association.

McFadden says the ISP industry also needs tools that detect and identify denial-of-service attacks, vs. sudden, large flows of legitimate traffic.

"Itrace is one part of a solution toward distributed denial-of-service attacks," says Stefan Savage, an assistant computer science professor at the University of California at San Diego who has developed an alternative packet traceback technique. "There's a whole host of tools that you need to detect attacks, trace them back and perform countermeasures. Tracing back alone doesn't solve the problem."

The itrace working group is the IETF's first attempt at addressing denial-of-service attacks. The idea for itrace dates back to January, when a group of network security researchers from Cisco, Nortel, Lucent, UUNET and AT&T began developing a traceback methodology that would scale across the Internet.
