Helping to Defeat DDoS Attacks

• 03/08/2000

Unless you run a high profile Web site, it is unlikely you will be the target of a DDoS attack, but the attacks should still be a concern. Since DDoS attacks are commonly launched by remote agents on host machines, most IT managers’ main concern should be ensuring that their machines are not hosting these agents, says Bill Pollak, a spokesman for Carnegie Mellon University’s Cert research unit.

In addition to being a good citizen, it is in the self-interest of administrators to block these agents: DDoS attacks hog computer power, slowing the network for legitimate use.

In an attack, agents -- such as TFN and Trin00 -- flood a target machine by sending out a series of pings or other data requests that overload a machine. Since these are relatively simple systems, with a variety of tactics, the character of the agents can change rapidly. This makes it difficult to reliably identity and deter the programs.

Whether Windows NT is more susceptible to intrusions or malicious software is a matter of debate. Chris Rouland, director of Internet Security Systems Inc.'s (ISS, www.iss.net) X-force security research unit, says, "Out of the box, Unix is less secure than Windows." But Pollak says Windows does have security features built into the operating system. These features, however, are disabled in a normal install. "A user without much system administration experience should learn about these security features that Microsoft and other security organizations, including the CERT/CC, recommend," he advocates.

E-commerce sites are particularly vulnerable to security risks. "It’s difficult enough to get an e-commerce project running, let alone secure it," Rouland says, suggesting that security on these systems is often an afterthought. Frequently the resources allocated to security are insufficient.

Cert, which published an advisory on DDoS attacks this past December, offers advisories when it learns of a new threat to computer security. Administrators interested in network security can read current advisories at their Web site.

ISS also maintains a research team dubbed the X-force, which offers advisories on current developments in network security. Unlike CERT, they focus specifically on how businesses can secure their networks. Advisories are available at www.xforce.iss.net.

Several organizations offer solutions for preventing DDoS attacks. These solutions usually cover two basic steps: intrusion detection to tell when a system has been breached and system scanning to identify and disable malicious programs.

In the realm of intrusion detection, ISS offers RealSecure, which scans for vulnerabilities and intrusions. "Windows machines are much more complex, but we’ve identified most of the gaps," Rouland says.

Axent Technologies Inc. (www.axent.com) offers NetRecon -- which scans systems for vulnerabilities -- and IntruderAlert -- which detects intrusions on the network. "If someone is probing the network with a port sweep it will terminate the application" says Scott Gordon, director of intrusion detection systems at Axent. For system scanning, NetRecon can also detect and disable rogue applications.

The FBI also offers system scanning utilities to identify the applications allegedly used in the attack on Yahoo. These are available at www.fbi.gov/nipc/trinoo.htm. These are useful tools for individual problems, but Rouland asserts that they are reactive, rather than proactive tools.

Trusted Systems Solutions Inc. (TSS, www.tss.com) offers a different tool for monitoring undesirable applications on the network. Consisting of a scripting language, it works with and alongside NT’s security APIs to monitor applications, network use, and user behavior. "AdvancedChecker 2.0 gives you the full power of NT to help you out," says Steve Sutton, president of TSS.

Since attackers thrive on defeating security measures, network security and malicious tools are constantly evolving. No security product can maintain complete security, but taking action will reduce the chances of an attack.