Attack of the Packet Monkeys
By Seth Ross
- FEATURE: Attack of the Packet Monkeys
- TIPS: Defense-in-Depth Against DDoS
- TOOLS: Network Security -- Personal Firewalls
- TOOLS: Filesystem Security -- Encryption Plus for Folders
- TOOLS: Physical Security -- Anti-theft Devices
Imagine your phone rings. No one there. Then it rings again and
again, every 30 seconds. No one there each time. Pretty soon you
stop picking up the phone. Then a friend tries to call but can't
get through. It's a denial-of-service attack, conceptually similar
to those that struck major Internet sites last week including Yahoo!,
eBay, Amazon.com, CNN, and Buy.com.
I'm starting this issue right where I left off last time ... musing
about Distributed Denial-of-Service (DDoS) attacks. For a high-level
description of DDoS, see last month's newsletter. In short: the
attacker first compromises a number of Internet servers and plants
a Trojan horse program. The owners of these "zombie" systems typically
don't even know that their computers are now owned by someone else.
At the bad guy's behest, the zombies flood the target system with
a variety of weird packets and requests (Yahoo apparently received
as much as a gigabit of attack traffic per second, bandwidth equivalent
to 30,000 dialup modems). This effectively blacks out the victimized
systems, denying all legitimate use.
Before we crack open this topic in depth, I'd like to make note
of a couple of points regarding terminology:
- A DDoS attack is not a "hack". A hack is "an incredibly good,
and perhaps very time-consuming, piece of work that produces exactly
what is needed." Remember, hackers are good guys who fix things.
Reporters love to mangle language by attributing DDoS attacks
to "hackers" when they really mean to say "criminals" or "attackers".
I prefer the usage "packet monkey" to describe these bottom-feeders.
Denial-of-service attacks represent the lowest form of computer
criminal activity, analogous to child molesters in the strata
of real world criminals. While the topology of DDoS attacks is
complex, the attackers themselves are using downloaded tools written
by others -- no creativity required. As Marcus Ranum points out:
"I've always been bemused by the whole denial of service thing.
It seems so pointless. It's just vandalism; not even as cool as
virus writing, and virus writing is very uncool."
- A DDoS attack is not a "crack" in the sense that the enemy actually
breaks in or gains access to the victim systems. It does not violate
confidentiality -- so don't worry that the credit card you provided
to Amazon.com last week has been stolen. Nor does it violate integrity
-- the web sites attacked by the packet monkeys have not had their
pages altered or defaced.
It's highly unlikely that the culprits behind the latest attacks
will ever be caught. Why? Although they're not criminal geniuses,
they were smart enough to use stealthy tools. I don't envy the task
of the FBI investigators who have to pore over gigabytes' worth of
logs only to find millions of spoofed source IP addresses.
The victims of these attacks have NOT been randomly selected. They
form a pattern: publicly-traded ecommerce companies (Buy.com was
attacked the day it went public). Investigators are almost certainly
looking at trading activity in stocks in these companies. If they
aren't, they should be.
The attacks are likely to continue, given the pattern thus far.
Nothing indicates this week's attacks are a one-off. We all need
to prepare ourselves for more disruption. As more and more critical
systems are made available via the Internet, there's a temptation
to phase out traditional systems. No one should ever rely on the
availability of any given web site at any given time for anything.
How can you protect yourself against Distributed Denial-of-Service
attacks? In a strict sense, you can't. DDoS traffic looks just like
regular traffic, except there's a lot more of it. Distinguishing
between the two is what's known in computer science as a "hard problem".
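To make the last two points concrete (the spoofed source addresses that fill the victims' logs, and the fact that flood traffic is only distinguishable from legitimate traffic in the aggregate), here is an added Python example, not from the newsletter, run over constructed request records: a per-source rate limiter blocks nothing because every forged source appears exactly once, while a volumetric check against a learned baseline does fire.

```python
"""Added example (not from the newsletter). Constructed request records
show why flood traffic defeats per-source filtering once sources are
spoofed, while only the aggregate volume gives it away."""
from collections import Counter
import random

WINDOW_S = 10  # all records fall in one 10-second window

random.seed(1)  # keep the constructed data reproducible

# Constructed baseline: 200 requests from 20 genuine clients (~1 rps each).
LEGIT_CLIENTS = [f"10.0.{i}.{j}" for i in range(1, 5) for j in range(1, 6)]
BASELINE = [(t / 20.0, random.choice(LEGIT_CLIENTS)) for t in range(200)]

def random_spoofed_ip():
    """A forged source address; each flood request carries a different one."""
    return ".".join(str(random.randint(1, 254)) for _ in range(4))

# Constructed flood: the same legitimate traffic plus 5,000 spoofed requests.
FLOOD = BASELINE + [(random.uniform(0, WINDOW_S), random_spoofed_ip())
                    for _ in range(5000)]

def per_source_rates(flows, window_s=WINDOW_S):
    """Requests per second seen from each source address."""
    counts = Counter(src for _, src in flows)
    return {src: n / window_s for src, n in counts.items()}

def sources_to_block(flows, threshold_rps, window_s=WINDOW_S):
    """What a per-source rate limiter would block: nothing, in the flood
    case, because each forged source sends a single request."""
    return sorted(s for s, r in per_source_rates(flows, window_s).items()
                  if r > threshold_rps)

def single_hit_sources(flows):
    """Number of sources seen exactly once: the 'millions of spoofed
    addresses' an investigator finds in the logs."""
    return sum(1 for n in Counter(src for _, src in flows).values() if n == 1)

def aggregate_rate(flows, window_s=WINDOW_S):
    """Total requests per second regardless of source."""
    return len(flows) / window_s

def volumetric_alert(flows, baseline, factor=5.0, window_s=WINDOW_S):
    """Fire when total volume exceeds `factor` x the learned baseline. This
    notices the flood but cannot say which individual requests are attack."""
    return aggregate_rate(flows, window_s) > factor * aggregate_rate(baseline, window_s)

if __name__ == "__main__":
    print("per-source blocks:", sources_to_block(FLOOD, threshold_rps=5.0))
    print("sources seen once:", single_hit_sources(FLOOD))
    print("aggregate rps:", aggregate_rate(BASELINE), "->", aggregate_rate(FLOOD))
    print("volumetric alert:", volumetric_alert(FLOOD, BASELINE))
```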
If you're responsible for the security of an Internet Service
Provider or an ecommerce site and have a substantial budget and/or
corporate commitment to information security, there are steps you
can take but they're neither cheap nor easy.
Most of us aren't network engineers at the type of large site
that's been hit by DDoS. The best way for the Internet community
to prevent these kinds of attacks is to deprive the attackers of
their zombie hosts. What we really need now is an all-out push by
businesses and individuals to secure each and every computer on
the Internet against the "well-known vulnerabilities" that enabled
last week's attacks. We all need to implement defense-in-depth.
Defense-in-depth is an age-old approach to security -- successive
rings of defenses discourage attackers and increase their workload.
The basic idea is to set up redundant security safeguards. If one
fails, another is in place. Think of a medieval castle. If attackers
get through the moat, they still must scale the outer walls. Once
past the outer walls, they face defenders in the inner ramparts.
Once past the ramparts, they must still reach a keep with only one
entry point -- 30 feet above the ground. And defenders have kicked
out the ladder.
The same principles can be applied to computer security. The outermost
ring of most systems is composed of network security measures like
firewalls. An attacker who gets through this perimeter must still
deal with account security, at least on systems that support user
accounts and meaningful user authentication. At the core of system
security is filesystem security -- files are protected by either
user permissions or access control lists, or by filesystem encryption.
Finally, there's physical security to consider since the most thorough
way to defeat system security is to steal the machine. The next
three sections will consider each of these in turn with recommendations
for tools that can provide deep defense in each area.