Securius Newsletter

February 18, 2000
Volume 1, Number 3
http://www.securius.com

Attack of the Packet Monkeys

By Seth Ross

Contents

  1. FEATURE: Attack of the Packet Monkeys
  2. TIPS: Defense-in-Depth Against DDoS
  3. TOOLS: Network Security -- Personal Firewalls
  4. TOOLS: Filesystem Security -- Encryption Plus for Folders
  5. TOOLS: Physical Security -- Anti-theft Devices

Imagine your phone rings. No one there. Then it rings again and again, every 30 seconds. No one there each time. Pretty soon you stop picking up the phone. Then a friend tries to call but can't get through. It's a denial-of-service attack, conceptually similar to those that struck major Internet sites last week including Yahoo!, eBay, Amazon.com, CNN, and Buy.com.

I'm starting this issue right where I left off last time ... musing about Distributed Denial-of-Service (DDoS) attacks. For a high-level description of DDoS, see last month's newsletter.[1] In short: the attacker first compromises a number of Internet servers and plants a Trojan horse program. The owners of these "zombie" systems typically don't even know that their computers are now owned by someone else. At the bad guy's behest, the zombies flood the target system with a variety of weird packets and requests (Yahoo apparently received as much as a gigabit of attack traffic per second, bandwidth equivalent to 30,000 dialup modems). This effectively blacks out the victimized systems, denying all legitimate use.

Before we crack open this topic in depth, I'd like to make note of a couple of points regarding terminology:

  • A DDoS attack is not a "hack". A hack is "an incredibly good, and perhaps very time-consuming, piece of work that produces exactly what is needed."[2] Remember, hackers are good guys who fix things. Reporters love to mangle language by attributing DDoS attacks to "hackers" when they really mean to say "criminals" or "attackers". I prefer the usage "packet monkey" to describe these bottom-feeders. Denial-of-service attacks represent the lowest form of computer criminal activity, analogous to child molesters in the strata of real world criminals. While the topology of DDoS attacks is complex, the attackers themselves are using downloaded tools written by others -- no creativity required. As Marcus Ranum points out: "I've always been bemused by the whole denial of service thing. It seems so pointless. It's just vandalism; not even as cool as virus writing, and virus writing is very uncool."[3]
  • A DDoS attack is not a "crack" in the sense that the enemy actually breaks in or gains access to the victim systems. It does not violate confidentiality -- so don't worry that the credit card you provided to Amazon.com last week has been stolen. Nor does it violate integrity -- the web sites attacked by the packet monkeys have not had their pages altered or defaced.

It's highly unlikely that the culprits behind the latest attacks will ever be caught. Why? Although they're not criminal geniuses, they were smart enough to use stealthy tools. I don't envy the task of the FBI investigators who have to pore over gigabytes worth of logs only to find millions of spoofed source IP addresses.

The victims of these attacks have NOT been randomly selected. They form a pattern: publicly-traded ecommerce companies (Buy.com was attacked the day it went public). Investigators are almost certainly looking at trading activity in stocks in these companies. If they aren't, they should be.

The attacks are likely to continue, given the pattern thus far. Nothing indicates this week's attacks are a one-off. We all need to prepare ourselves for more disruption. As more and more critical systems are made available via the Internet, there's a temptation to phase out traditional systems. No one should ever rely on the availability of any given web site at any given time for anything critical.

How can you protect yourself against Distributed Denial-of-Service attacks? In a strict sense, you can't. DDoS traffic looks just like regular traffic, except there's a lot more of it. Distinguishing between the two is what's known in computer science as a "hard problem".
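To illustrate the two points above (spoofed source addresses in the logs, and flood traffic that looks like ordinary traffic), here is an added example that is not from the newsletter: a per-source rate limit run over constructed flow records. One real client sends steadily from a single address; the flood spreads a far larger volume across addresses spoofed at random, so no single source ever trips the limit even though the aggregate rate is two hundred times the baseline. The record format, addresses and rates are all constructed for the demonstration.

```python
# Constructed example (not from the newsletter): why a per-source rate
# limit cannot tell a spoofed-source flood from ordinary traffic.
from collections import Counter, defaultdict
import random

def make_log(seed=3, seconds=10, legit_rate=5, flood_rate=1000):
    """Build constructed flow records 'ts src_ip': one legitimate client at a
    steady rate plus a flood whose source address is spoofed at random.
    Assumption: one record per request; the real client uses a documentation
    address (192.0.2.10) that the random generator cannot produce."""
    rng = random.Random(seed)
    lines = []
    for sec in range(seconds):
        for i in range(legit_rate):            # one real client, steady rate
            lines.append(f"{sec + i / legit_rate:.3f} 192.0.2.10")
        for i in range(flood_rate):            # flood: fresh spoofed source each time
            src = "%d.%d.%d.%d" % tuple(rng.randrange(1, 255) for _ in range(4))
            lines.append(f"{sec + i / flood_rate:.3f} {src}")
    return lines

def parse(lines):
    """Turn 'ts src_ip' lines into (float timestamp, source) tuples."""
    recs = []
    for line in lines:
        ts, src = line.split()
        recs.append((float(ts), src))
    return recs

def per_source_offenders(recs, limit):
    """Sources that exceed `limit` requests in any one-second bucket.
    This is what a naive per-source rate limiter would block."""
    buckets = defaultdict(Counter)
    for ts, src in recs:
        buckets[int(ts)][src] += 1
    return sorted({src for c in buckets.values()
                   for src, n in c.items() if n > limit})

def peak_aggregate(recs):
    """Highest request count in any one-second bucket, all sources combined."""
    return max(Counter(int(ts) for ts, _ in recs).values())

def unique_sources(recs):
    """How many distinct source addresses the log contains."""
    return len({src for _, src in recs})

if __name__ == "__main__":
    recs = parse(make_log())
    print("per-source offenders:", per_source_offenders(recs, 100))   # [] -- nothing to block
    print("peak requests/second:", peak_aggregate(recs))             # 1005
    print("baseline requests/second:", peak_aggregate(parse(make_log(flood_rate=0))))  # 5
    print("distinct sources:", unique_sources(recs))                 # ~10001
```

The only signal that survives is the aggregate rate and the count of distinct sources, which is why mitigation at a single site ends up being a capacity and upstream-filtering problem rather than a matter of spotting bad addresses.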

If you're responsible for the security of an Internet Service Provider or an ecommerce site and have a substantial budget and/or corporate commitment to information security, there are steps you can take but they're neither cheap nor easy.[4]

Most of us aren't network engineers at the type of large site that's been hit by DDoS. The best way for the Internet community to prevent these kinds of attacks is to deprive the attackers of their zombie hosts. What we really need now is an all-out push by businesses and individuals to secure each and every computer on the Internet against the "well-known vulnerabilities" that enabled last week's attacks. We all need to implement defense-in-depth.

Defense-in-depth is an age-old approach to security -- successive rings of defenses discourage attackers and increase their workload. The basic idea is to set up redundant security safeguards. If one fails, another is in place. Think of a medieval castle. If attackers get through the moat, they still must scale the outer walls. Once past the outer walls, they face defenders in the inner ramparts. Once past the ramparts, they must still reach a keep with only one entry point -- 30 feet above the ground. And defenders have kicked out the ladder.

The same principles can be applied to computer security. The outermost ring of most systems is composed of network security measures like firewalls. An attacker who gets through this perimeter must still deal with account security, at least on systems that support user accounts and meaningful user authentication. At the core of system security is filesystem security -- files are protected by either user permissions or access control lists, or by filesystem encryption. Finally, there's physical security to consider since the most thorough way to defeat system security is to steal the machine. The next three sections will consider each of these in turn with recommendations for tools that can provide deep defense in each area.

Securius.com is a service of GuardianEdge Technologies.
Copyright © 2006 GuardianEdge. All rights reserved.