In-Depth

Thwarting Next-Generation Denial-of-Service Attacks

Domain name registrar copes with DoS spike

Denial-of-service (DoS) attacks are beginning to pack a punch. So say larger sites, especially those handling large volumes of domain-name requests.

Unlike high-profile takedowns of such sites as Amazon.com and CNN in 2000, DoS attacks are remarkable today simply because they’re so common. The growing presence of so-called zombie computers—compromised PCs on which attackers can execute arbitrary code—gives attackers an easy platform for launching DoS attacks.

For sites trying to defend against such attacks, traffic must be routed through intrusion prevention systems (IPS) able to both keep up with the load and actively detect and block increasingly sophisticated DoS attacks. As Greg Young, a research director at Gartner notes, “An IPS product must protect against denial-of-service attacks, and not become the denial-of-service attacker through poor performance.” As sites scale, so, too, must the technology for defending those sites improve.

One company often targeted by DoS attacks is eNom, the fourth-largest ICANN-accredited domain name registrar. The company actively manages over four million domain names and a half-million URL redirects; its infrastructure handles hundreds of millions of domain name requests daily, plus hosting, e-mail, and monitoring.

As a result of all this activity, eNom may be hit by people out to crash DNS servers in general, caught in the crossfire because it hosts IP addresses that are under attack, or deliberately targeted itself. Whatever the intent, “If you can take down our DNS servers … you’re going to take out about 10 percent of the Internet,” says Jim Beaver, vice president of operations for eNom.

Unfortunately, he notes, DoS attacks have only been getting worse. On average, eNom has been experiencing DoS attacks 15 days of every month beginning in January 2004. “Historically, we had denial-of-service and pretty typical attacks—ping attacks, UDP floods, things that a normal firewall could pretty much handle. About a year ago, it started becoming such a widespread denial-of-service attack that it became hard to manage. Specifically, it seemed like the more that broadband access became prevalent for people at home, with unprotected machines or machines without patches, the more likely we were to get distributed, zombie attacks against us,” says Beaver. When home users dialed up using a 9,600-baud modem, he notes, DoS wasn’t a problem. Now, however, “the fact that you could take over 1,000 machines with broadband means you could slam hundreds of megabits of data at us pretty easily.”

Security experts say such attacks are growing as a way to extort companies or pursue vendettas; witness the Blaster worm’s flood against Microsoft’s windowsupdate.com and MyDoom’s against SCO.

In the past, eNom or a site it hosted might have been attacked with relatively simple mechanisms. “It used to be they would emanate from universities, and you could contact the university and shut it down.”

An early 2004 attack, however, was noticeably different. For one thing, it came predominantly from Europe, and sped up during European work hours, meaning it probably related to business-machine infections. Also, it could be retargeted, since eNom would move IP blocks around and still find itself under attack. “So it wasn’t a fire-and-forget type of attack. It could be tweaked.” That and the attack’s decentralized nature made combating it difficult, if not impossible. “No longer could we contact every ISP … [the attacks] were coming from thousands of class A and class B [networks].”

Finally, the attack used a SYN flood, a devastatingly efficient DoS attack. Here’s how it works: to open a TCP connection, a client sends a single synchronize packet (SYN); the server answers with a SYN-ACK, records the half-open connection in a fixed-size backlog, and waits for the client’s final ACK. If that ACK never arrives, the server may hold the entry for a minute or more before dropping it from memory. So a SYN flood sends massive numbers of SYNs, each with a forged source address, from many PCs. The SYN-ACKs go to hosts that never asked for them, the final ACKs never come, and before long the backlog is full of bogus half-open connections, which effectively deny anyone else access to the site.

eNom had firewalls capable of identifying and blocking UDP or ping floods of up to 100 megabits at a time, but because the SYN floods appeared to come from such a variety of IP addresses, its existing technology couldn’t block them. “Since we have such a wide array of legitimate traffic coming to us, it’s really hard to determine what is legitimate traffic and what is not,” says Beaver.

eNom, looking for a solution and doubting it was the only organization experiencing these problems, approached vendors, without success. “I was shocked that no one else was having this problem, that we could find, and that no one had a solution,” says Beaver. So eNom asked such IPS appliance vendors as NetScreen Technologies (since acquired by Juniper Networks), Radware, TippingPoint Technologies, and Top Layer Networks, if they could help. “We said, 'Can you guys handle the SYN floods?', which was really the signature at the time, and we started trying out different boxes.”

Stopping SYN attacks isn’t trivial. “When [vendors] started looking at our traffic, they started realizing what a difficult problem this was for us. The problem was, if you attenuate the bad stuff, you start attenuating the good stuff—that was the ‘interesting engineering problem,’” Beaver notes. Finding a solution took some time. “That’s how I classify how hard the problem is—it took some of the smartest people I’ve ever met six months to get their arms around it and solve it.”

Ultimately, eNom chose TippingPoint’s new UnityOne-100E IPS appliance, which it initially used in beta. “They came up with a solution that seems to work really well,” says Beaver, and “it’s been running fairly stably, fairly successfully now, for over two months.”

As befits a company offering an appliance with dedicated, ASIC-based hardware, TippingPoint argues for an all-in-one device to defend against SYN floods. “Many of the denial-of-service protection companies out there … provide detection of denial-of-service, but when it comes to enforcing or blocking or preventing that from happening, they need to rely upon other third-party products to do that,” says Andy Salo, director of product management for TippingPoint. The end result, he says, is a lag in dealing with the problem, as opposed to having a dedicated appliance able to both detect and block such attacks. The former approach “is analogous to when IDS’s first came out, they would alert on things, then they would tell the firewall to install a shunt and block certain traffic. That’s never worked.”

The UnityOne-100E IPS uses four types of filtering: “signature-based, protocol anomaly, vulnerability, and traffic anomaly,” says Salo. “We think … everything falls into these buckets, and you need these protections to really call yourself an IPS.” For example, the traffic anomaly filter can shape traffic, decreasing access for suspect addresses while maintaining site availability for authenticated ones. While that technique can handle many types of DoS attacks, it doesn’t work for SYN floods.

To handle those, the appliance also has a SYN proxy “which acts as an intermediate device and intercepts the access connection requests from clients … and validates those before it reaches the server.” Dubbed “advanced denial-of-service protection,” the feature answers each SYN itself and only opens a connection to the real server once the client has completed the handshake, something a forged source address never does. Once validated, traffic from that IP address can flow freely.
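The mechanics of the SYN flood described earlier and the proxy's validation step can be seen together in a small simulation. The following is an added example, not eNom's or TippingPoint's code, and it makes several assumptions: a listener with a 128-entry backlog and a 60-second half-open timeout, a SYN-cookie construction (an HMAC over source address, port and a coarse time counter, truncated to 32 bits) standing in for whatever validation the UnityOne-100E actually performs, and constructed traffic consisting of random forged sources plus one legitimate client at the documentation address 198.51.100.7. Run unprotected, the flood fills the backlog and the legitimate client's SYN is dropped; behind the stateless proxy the flood costs only reply packets, the forged ACKs never arrive, and the backend sees exactly one, fully validated handshake.

```python
# Added example, not eNom's or TippingPoint's code: a toy model of a TCP
# listener under a spoofed SYN flood, unprotected and then behind a stateless
# SYN-cookie proxy. Backlog size, timeout, cookie scheme and traffic are assumed.
import hashlib
import hmac
import random
from dataclasses import dataclass

BACKLOG = 128          # half-open connections a naive listener holds (assumed)
SYN_RECV_TIMEOUT = 60  # seconds before an unanswered SYN-ACK is given up (assumed)
MASK32 = 0xFFFFFFFF

@dataclass
class Syn:
    src: str      # source IP as seen on the wire; a flood forges this
    sport: int    # source port
    t: float      # arrival time in seconds

class NaiveListener:
    """Allocates backlog state for every SYN, as a stack without SYN cookies does."""
    def __init__(self):
        self.half_open = {}      # (src, sport) -> time the entry expires
        self.established = set()

    def on_syn(self, p: Syn) -> bool:
        # Reap expired entries; a flood faster than the timeout never frees space.
        self.half_open = {k: exp for k, exp in self.half_open.items() if exp > p.t}
        if len(self.half_open) >= BACKLOG:
            return False         # backlog full: SYN dropped, client hears nothing
        self.half_open[(p.src, p.sport)] = p.t + SYN_RECV_TIMEOUT
        return True              # SYN-ACK sent, waiting for the client's ACK

    def on_ack(self, src: str, sport: int, t: float) -> bool:
        # Final leg of the handshake. Only a host that really received the
        # SYN-ACK sends it, so forged SYNs leave their entries to time out.
        if self.half_open.pop((src, sport), 0.0) > t:
            self.established.add((src, sport))
            return True
        return False

class SynCookieProxy:
    """Stateless front end. Every SYN gets a SYN-ACK whose initial sequence
    number is a keyed hash (cookie) of source address, port and a coarse
    timestamp; no per-SYN state is kept, so a forged SYN costs one reply packet.
    Only a host that received the SYN-ACK can echo cookie+1 in its ACK; the
    proxy verifies that and only then opens the connection to the backend."""
    def __init__(self, secret: bytes, backend: NaiveListener, window: int = 64):
        self.secret = secret     # would be rotated in production; fixed for the demo
        self.backend = backend
        self.window = window     # seconds a cookie stays valid (assumed)

    def _cookie(self, src: str, sport: int, counter: int) -> int:
        msg = f"{src}:{sport}:{counter}".encode()
        return int.from_bytes(hmac.new(self.secret, msg, hashlib.sha256).digest()[:4], "big")

    def on_syn(self, p: Syn) -> int:
        """Return the ISN placed in the SYN-ACK; nothing is stored."""
        return self._cookie(p.src, p.sport, int(p.t) // self.window)

    def on_ack(self, src: str, sport: int, ack: int, t: float) -> bool:
        counter = int(t) // self.window
        for c in (counter, counter - 1):      # tolerate one window boundary
            if (self._cookie(src, sport, c) + 1) & MASK32 == ack:
                # The backend only sees SYNs from senders that proved reachability.
                if self.backend.on_syn(Syn(src, sport, t)):
                    self.backend.on_ack(src, sport, t)
                return True
        return False                          # forged or stale ACK: ignored

def simulate(protected: bool, n_bogus: int = 10_000, seed: int = 1) -> dict:
    """Flood with spoofed SYNs that are never ACKed (the forged source never saw
    the SYN-ACK), then let one legitimate client try to connect."""
    rng = random.Random(seed)
    backend = NaiveListener()
    front = SynCookieProxy(b"constructed-demo-secret", backend) if protected else backend
    t = 0.0
    for _ in range(n_bogus):
        src = ".".join(str(rng.randrange(1, 255)) for _ in range(4))   # constructed
        front.on_syn(Syn(src, rng.randrange(1024, 65535), t))
        t += 0.001                            # 1,000 SYN/s, well inside the timeout
    legit = Syn("198.51.100.7", 40000, t)     # constructed client, documentation prefix
    if protected:
        isn = front.on_syn(legit)
        connected = front.on_ack(legit.src, legit.sport, (isn + 1) & MASK32, t + 0.05)
    else:
        connected = backend.on_syn(legit) and backend.on_ack(legit.src, legit.sport, t + 0.05)
    return {"legit_connected": bool(connected), "half_open": len(backend.half_open)}

if __name__ == "__main__":
    print("unprotected:", simulate(protected=False))   # {'legit_connected': False, 'half_open': 128}
    print("syn proxy:  ", simulate(protected=True))    # {'legit_connected': True, 'half_open': 0}
```

The proxy accepts cookies from the current and the previous time window, so a legitimate ACK that arrives just after a boundary still validates while a replayed ACK from two windows ago is refused. A production SYN proxy would also rotate the secret and fold the client's negotiated options (MSS, window scaling) into the cookie so they survive the stateless reply; this model omits that to keep the validation step visible.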

With technology now able to handle SYN floods, Beaver hopes more organizations will use it. For example, since he pays his ISP for the amount of bandwidth he uses, and ISPs are shuttling around a lot of “garbage” (as he puts it) from bad e-mails to SYN attacks, he wonders how much longer he should have to pay for it. “For a long time now it seems like there’s been kind of an unwritten agreement between service providers that, hey, you police your own traffic coming out of your network. In other words, you shouldn’t allow traffic out of your network if it’s not part of your IP address. If everyone does this, there shouldn’t be unroutable IPs coming into my network providers,” he says. Yet with the profusion of broadband, he thinks a lot of ISPs have simply given up.

Clamping down on bad traffic, however, could save everyone money, and increase their information security. “If I was an ISP, I could put this device on my border and it would not only protect inbound technology, but it would stop it from going out,” he says. Ideally, “you could clamp it before it even comes out of the ISP. I mean, someone had to pay for all this traffic to originate in Europe … to come out and kick my butt.”

As more companies feel the pain, Beaver thinks ISPs may get motivated to clean up their networks. “I think we just happened to be on the front end of this,” he notes.

Related Articles

Q&A: Stress Testing Your Network Against DoS Attacks
http://www.esj.com/security/article.aspx?EditorialsID=1001

Q&A: Mitigating the Denial of Service Threat
http://www.esj.com/security/article.aspx?EditorialsID=730
