COMPUTER security experts are attempting to work out how to stop the kind of
cyber attacks that shut down half a dozen major-league websites last week.
The “denial of service” (DoS) attacks against some of the biggest commercial
sites on the Web, including Yahoo, Amazon, CNN and eBay, flooded the targets
with huge amounts of useless traffic, slowing their computers to the point where
legitimate users couldn’t get through.
“We are committed in every way possible to tracking those who are
responsible,” said US Attorney General Janet Reno, announcing an FBI
investigation. Strategies to stop future attacks range from standardising the
way Internet service providers track and report intrusions, to reconfiguring
Internet protocols to make it easier to trace attacks.
Advertisement
Last week’s DoS attacks involved hackers breaking into a number of
machines—perhaps dozens—connected to the Internet, and secretly
installing a program in each. A few of those are “master programs” that will
issue orders to the other “slave programs”. Then, perhaps weeks or months later,
the attacker issues a command to the master programs, which in turn command
slaves to bombard the target websites with “packets” of data.
“The attacks are difficult to trace. They can go through several different
providers. And when you trace them back, they’re an innocent party,” says Ira
Richer, executive director of the Internet Operators Group, an industry
association in Reston, Virginia.
But security experts have been aware of the threat for months. In November
1999, the Computer Emergency Response Team at Carnegie Mellon University in
Pittsburgh suggested that IT administrators plug holes to prevent their
computers being used to launch attacks. It reported that some hacking groups had
been planting “distributed DoS” launching programs since June 1999. So it wasn’t
so much a case of “if” but “when” these attacks would be launched.
But what can be done to prevent such attacks? The Internet Engineering Task
Force (IETF), which publishes standards for computers on the Net, has issued
guidelines that will allow automated intrusion detection systems to communicate
with one another. So when an attack is detected, the targets can share
information about what’s happening—and act.
But as more home users who are unfamiliar with IT security get high-bandwidth
ADSL or cable modem connections, the number of computers which can be harnessed
for an attack will probably increase, says David O’Brien, a security expert at
the University of California at Davis.
At a security meeting held at AT&T Labs in New Jersey last week, a new
way of tracking information across the Net was suggested, says AT&T
researcher Steve Bellovin. Every computer that routes packets of information on
the Net would insert an identification packet about once every 20 000 packets.
These would work like tracer bullets, allowing investigators to quickly
determine where an attack is coming from. Bellovin says researchers will propose
the idea to the IETF, and it could be in place in six months.
But Lawrence Lessig of Harvard Law School, warns that attempts to make
Internet traffic more traceable could compromise the anonymity and privacy of
law-abiding citizens. “It’s got to be discussed as a trade-off,” he says.