Q&A: Mitigating the Denial of Service Threat

Security consultant details ways to protect yourself

Denial of service attacks made big headlines in 2000 with high-profile takedowns of companies including Amazon and CNN. Unfortunately, such attacks are still a threat. The recent Blaster worm included code for a denial of service attack against Microsoft's Windows Update Web site, the very site Windows users would have needed in order to patch against the worm and repair the damage. As it happened, the worm's author wrote the site's name incorrectly. Still, what would the damage have been from a worm that actively discouraged attempts to correct the very flaw it exploited?

According to security firm Symantec, such blended threats are on the rise. While recent, well-known worms haven't caused information damage per se (they don't delete files or wreck the Windows registry), it would be trivial to add such functionality to a worm, warns computer security expert Joe Magee, former CSO and now a security consultant for Top Layer Networks. Security Strategies spoke with Magee about the dangers of denial of service attacks and what companies can do to protect against them.

What’s the state of denial of service (DoS) attacks today?

It is as much of a problem as it was in February 2000, and it's arguably worse.

Why is that?

There are now corporations putting stateful appliances in their network—any TCP/IP connection, if you connect to a Web connection, you're connecting via SYN, the synchronization packet. You send a SYN, then the server [or device] sends a SYN-ACK (acknowledgement) packet, then you send an ACK. This is known as the TCP three-way handshake. So if I sent you a SYN, and I was pretending I was another company (say I was spoofing the IP address), your machine would send a layer-layer packet over to the company, which would say I wasn't talking to you; it would probably just trash the message.

So where’s the difficulty?

When you are a stateful device—most firewalls are stateful today—and you ensure that the three-way handshake is complete, there’s a potential problem. They monitor for a number of reasons, for instance to understand why the state is open, when it’s closed. [Yet] when you're maintaining state, you're looking at every single session that's going through your network. And while doing this, you're taking up a ton of resources. [Hence] firewalls, intrusion devices … and a number of other inline devices can suffer or be defeated by overwhelming the network with state packets. Not only can you take out a server, but the firewall in front of it, which could allow you to knock out a whole class of servers.

If this attack is possible, why haven’t we seen it?

We haven't really seen widespread DoS attacks targeted at a particular company. The New York Times got hit [in 2001]. It affected production for two hours—whoop-dee-do. But at the same time, we've seen worms come out like the recent Blaster, [where] the author set up an attack against Windows.com. Of course they wrote the server name incorrectly.

What’s at risk from these sorts of attacks?

I've seen a lot of types of hardware built on TCP/IP protocols, from the kiosks at airports to the people mover—the unmanned trams that get people from one part of the airport to another; the device that basically manages that runs on TCP/IP. I can practically guarantee that there's a default username and password; it's a small company that doesn't think about security. I don't believe in cyber-terrorism—a TCP packet has never killed a human being—but I do believe in cyber-warfare; if you can turn out the lights, a whole bunch of people could get attacked.

Can you mitigate SYN attacks?

There are commercially available products that work very well for arresting this kind of attack. TopLayer has one. But there are a couple of things you can do now. First, watch for internal address classes—worms [use those] because it's very efficient to do an attack; it looks harmless. Yet an internal address should never be coming from the Internet, so if you look for those internal-type addresses, you can prevent a lot of attacks that could otherwise do a lot of damage. Shutting off pinging can help too. Of course, no one can stop a targeted attack. But you can minimize the risk to a certain level, as far as denial of service goes, and mitigate the risk and make it to a point where you'll be able to survive, even recover.
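The two checks Magee mentions, watching for internal source addresses arriving from the Internet and tracking half-open TCP handshakes, are illustrated below with an editor-added example; this is not Magee's code or Top Layer's product. It assumes a constructed, pipe-delimited packet log of the form `direction|src:port|dst:port|flags`, where `in` means the packet arrived on the Internet-facing interface; the addresses are documentation ranges chosen for the sample, and the "internal" list is the RFC 1918, loopback, link-local and 0.0.0.0/8 blocks.

```python
"""Added example, not from the interview: two DoS-related checks over a
constructed packet log.

1. Ingress check: an inbound packet with an internal source address is
   spoofed or misrouted and should be dropped.
2. Half-open tracking: follow SYN, SYN-ACK, ACK per connection; a source
   with several connections stuck before the final ACK and none
   completed looks like a SYN flood.
"""
import ipaddress
from collections import defaultdict, namedtuple

Packet = namedtuple("Packet", "direction src sport dst dport flags")

# Blocks that must never be the source of a packet arriving from outside.
# Listed explicitly rather than via ipaddress.is_private, which would also
# match the documentation ranges (192.0.2.0/24 etc.) used in the sample.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8",                                      # loopback
    "169.254.0.0/16",                                   # link-local
    "0.0.0.0/8",                                        # "this" network
)]

# Constructed sample log (assumed format): direction|src:port|dst:port|flags
SAMPLE_LOG = """\
in|203.0.113.5:40001|198.51.100.10:80|S
out|198.51.100.10:80|203.0.113.5:40001|SA
in|203.0.113.5:40001|198.51.100.10:80|A
in|10.1.2.3:5555|198.51.100.10:80|S
in|192.0.2.77:1001|198.51.100.10:80|S
out|198.51.100.10:80|192.0.2.77:1001|SA
in|192.0.2.77:1002|198.51.100.10:80|S
out|198.51.100.10:80|192.0.2.77:1002|SA
in|192.0.2.77:1003|198.51.100.10:80|S
out|198.51.100.10:80|192.0.2.77:1003|SA
in|203.0.113.9:40002|198.51.100.10:80|S
out|198.51.100.10:80|203.0.113.9:40002|SA
in|203.0.113.9:40002|198.51.100.10:80|A
"""


def parse_log(text):
    """Parse the pipe-delimited sample format into Packet records."""
    packets = []
    for line in text.splitlines():
        if not line.strip():
            continue
        direction, src, dst, flags = line.split("|")
        src_ip, src_port = src.rsplit(":", 1)
        dst_ip, dst_port = dst.rsplit(":", 1)
        packets.append(Packet(direction, src_ip, int(src_port),
                              dst_ip, int(dst_port), flags))
    return packets


def is_internal_source(ip):
    """True if ip lies in a block that should never reach us from outside."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETWORKS)


def track_handshakes(packets):
    """Return {conn_key: state}, state in 'syn', 'synack', 'established'.

    conn_key is (client_ip, client_port, server_ip, server_port) from the
    client's point of view, so both directions map to the same key.
    """
    states = {}
    for p in packets:
        if p.direction == "in":
            key = (p.src, p.sport, p.dst, p.dport)
            if "S" in p.flags and "A" not in p.flags:
                states[key] = "syn"                       # step 1: SYN
            elif "A" in p.flags and states.get(key) == "synack":
                states[key] = "established"               # step 3: ACK
        else:
            key = (p.dst, p.dport, p.src, p.sport)
            if "S" in p.flags and "A" in p.flags and states.get(key) == "syn":
                states[key] = "synack"                    # step 2: SYN-ACK
    return states


def half_open_by_source(states):
    """Count completed vs. half-open (never 'established') connections per client."""
    counts = defaultdict(lambda: {"half_open": 0, "established": 0})
    for (client_ip, _, _, _), state in states.items():
        bucket = "established" if state == "established" else "half_open"
        counts[client_ip][bucket] += 1
    return dict(counts)


def analyze(log_text, flood_threshold=3):
    """Run both checks; spoofed-source packets are dropped before tracking."""
    packets = parse_log(log_text)
    inbound_spoofed = lambda p: p.direction == "in" and is_internal_source(p.src)
    spoofed = sorted({p.src for p in packets if inbound_spoofed(p)})
    counts = half_open_by_source(
        track_handshakes([p for p in packets if not inbound_spoofed(p)]))
    flooders = sorted(src for src, c in counts.items()
                      if c["half_open"] >= flood_threshold
                      and c["established"] == 0)
    return {"spoofed_sources": spoofed,
            "per_source": counts,
            "suspected_syn_flooders": flooders}


if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG).items():
        print(name, value)
```

On the sample, the inbound SYN from 10.1.2.3 is flagged as spoofed and dropped, and 192.0.2.77 is reported as a suspected flooder with three half-open connections and none completed. A real SYN flood usually spoofs a different random source per packet, so per-source counting degrades quickly; what it still shows is the asymmetry Magee describes, since every entry in the state table costs the defender memory while each SYN cost the attacker only a tiny packet.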

How can companies protect against denial-of-service attacks hard-coded into worms?

It's completely difficult to stop. I don't wish they'd not made the spelling error, but it would be interesting to see how Microsoft would have combated [Blaster], because we're dealing with a fundamental problem in the TCP/IP protocol.

So the threat is the attack will knock you off the Internet?

That scenario can always happen, especially with ICMP [Internet Control Message Protocol] floods [and] ping floods. But there are many kinds of attacks, like SYN flood. That kind of attack could take out your resources before it took out your Internet connection. We're talking about using only 10 percent of the network bandwidth, while taking up the server’s entire resources, because SYN attacks can be very small in size.

Is SYN the primary denial of service threat?

The other big thing we haven't seen much of is BGP [Border Gateway Protocol]. BGP is used at every major ISP for redundancy. I'm predicting we'll see attacks focused on spoofing BGP routes. If you have two routers talking BGP to each other—I'm alive, you're alive, there's a high availability link—if the BGP routes were not set up appropriately, it would be extremely easy to spoof messages to those routers saying I can't find this route. If you send the messages back and forth to each other, it could cause both routers to think they'd failed.

How serious is the DoS threat today?

People should be worried about it. There's nothing to stop me from taking anyone's server offline with just a cable modem today, and I can prove that. Even a 56K modem connection can take out a server.

So security professionals need to be aware of future attacks?

As Johannes Ullrich, who runs the Internet Storm Center for SANS, says, it's the whole time-to-market thing. The first one isn't the best; it's first to market and has a lot of bugs and such. That's a classic example—they overlooked one dot and didn't hit Microsoft. But if they had, it would have been very difficult to get that Blaster update to end users. So the blended threat is really coming back. Code Red/Nimda is a great example of a worm that moves itself around through the code it uses to propagate.

What kinds of denial of service attacks will we see in the future?

There are certain types of worms that are meant to propagate with mass speed; a great example of that is SQL Slammer. That worm propagated rapidly. There were tons of them—in 30 minutes it had 70,000 hosts compromised. The number it spread to was in the multi-millions. But we still have not seen a worm that really caused damage. We've seen denial of service activity, which is intermittent damage, not typically to a host. We haven't seen a worm that tries attacking other hosts it propagated to. What we've seen has targeted hosts.

What happens when worms attack hosts to which they’ve propagated?

I could easily see a worm where the worm compromises one machine, it then starts spreading out to a Class C network with 250 addresses, at random. Once it spreads to that Class C, it then begins deleting data on those hosts, and it maybe changes the boot.ini record so when the machine reboots, it's toast. We haven't seen that sort of thing. For example, if SQL Slammer had deleted database information after it scanned, after it propagated to five or six hosts, today it would be the worst worm in history. I really see the blended threats containing denial-of-service code continuing to be a real threat. We haven't seen it much yet.

Why don’t we see more blended attacks?

We're seeing more blended threats, and … the subculture status of these virus writers seems like they're focused on being able to control the number of hosts. For example, Mafia Boy targeted [just some] firms—eTrade, Amazon, [and] CNN.com. But if I was a hacker, which I'm not, if I wanted to take a Web site offline, that's what I would do. Of course, that is a sustained attack. Instead of causing damage to the machine, it just holds you offline. I think many people might be afraid of getting caught.

What will help in the future?

Well, IPv6—they haven't really improved the trace back [capability], though all traffic is encrypted, that's supposed to help, but then again, if they're encrypted it’s [tough to] inspect them.