Posts Tagged ‘DoS Attack’

Preparation for Internet Attacks

Tuesday, August 25th, 2009

by William Murray

Headlines this week have reported on denial of service attacks against Twitter, Facebook and several other social networking sites.  These follow attacks in July against various government sites in the US and South Korea.  The headlines have elicited all kinds of commentary, most of it stopping just short of concluding that the sky is falling.  In all of this coverage, I have seen almost nothing about what this means to the average enterprise or what one ought to do about it.
Denial of service attacks work by exhausting finite resources.  (They are different from an attack that compromises a system and then breaks it or shuts it down.)  Historically we thought of them as exhausting system resources.  For example, “SYN flood” attacks against servers work by exhausting memory until the server dies.  However, modern distributed denial of service (“DDoS”) attacks (“distributed” modifies “attack,” not “denial of service”) work by exhausting network bandwidth, usually the “last mile” to the victim.
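The distinction above, between exhausting a system resource and exhausting the link, is easiest to see in the monitoring data a defender already has.  The following is an added example, not code from the original post: it runs two simple indicators over constructed sample data, a half-open connection count per port (the backlog a SYN flood fills) and the inbound byte rate measured against the last-mile link.  The log formats, the documentation-range addresses, the 100 Mbit/s link capacity and the backlog threshold are all assumptions made for the example.

```python
# Added example (not from the original post): two indicators for the two kinds of
# resource exhaustion the post distinguishes, run over constructed sample data.
from collections import Counter, defaultdict


def constructed_conn_table():
    """Constructed connection-tracking snapshot in a hypothetical
    'STATE src_ip:port dst_ip:port' format, one tracked connection per line."""
    lines = []
    # 300 half-open connections to the web port from 250 distinct sources: the
    # memory-exhaustion pattern of a SYN flood (addresses are documentation ranges)
    for i in range(300):
        lines.append(f"SYN_RECV 198.51.100.{i % 250 + 1}:{40000 + i} 203.0.113.10:80")
    # a few healthy established sessions on another port
    for i in range(5):
        lines.append(f"ESTABLISHED 192.0.2.{i + 1}:{50000 + i} 203.0.113.10:443")
    return "\n".join(lines)


def constructed_flow_log():
    """Constructed per-second inbound byte counts at the border router, in a
    hypothetical 'epoch_second bytes' format."""
    baseline = [(1251187200 + i, 4_000_000) for i in range(5)]    # ~32 Mbit/s
    flood = [(1251187205 + i, 12_000_000) for i in range(3)]      # ~96 Mbit/s
    return "\n".join(f"{ts} {nbytes}" for ts, nbytes in baseline + flood)


# Assumed last-mile link capacity (hypothetical value for the example)
LAST_MILE_BPS = 100_000_000


def syn_backlog_report(conn_table, backlog_limit=256):
    """Count half-open (SYN_RECV) connections per destination port and how many
    distinct sources they come from; flag a port whose backlog reaches the limit."""
    half_open = Counter()
    sources = defaultdict(set)
    for line in conn_table.splitlines():
        parts = line.split()
        if len(parts) != 3 or parts[0] != "SYN_RECV":
            continue
        src_ip = parts[1].rsplit(":", 1)[0]
        dst_port = int(parts[2].rsplit(":", 1)[1])
        half_open[dst_port] += 1
        sources[dst_port].add(src_ip)
    return {
        port: {
            "half_open": count,
            "distinct_sources": len(sources[port]),
            "alert": count >= backlog_limit,
        }
        for port, count in half_open.items()
    }


def bandwidth_report(flow_log, link_bps=LAST_MILE_BPS, threshold=0.9):
    """Return (second, bits_per_second) for every second in which inbound traffic
    reached the given fraction of the last-mile link capacity."""
    saturated = []
    for line in flow_log.splitlines():
        ts, nbytes = line.split()
        bps = int(nbytes) * 8
        if bps >= threshold * link_bps:
            saturated.append((int(ts), bps))
    return saturated


def exhausted_resources(conn_table, flow_log):
    """Name which finite resource is being exhausted: the server's connection
    backlog (system resource) and/or the inbound link (network bandwidth)."""
    findings = set()
    if any(r["alert"] for r in syn_backlog_report(conn_table).values()):
        findings.add("system: half-open connection backlog")
    if bandwidth_report(flow_log):
        findings.add("network: last-mile link saturation")
    return findings


if __name__ == "__main__":
    print(syn_backlog_report(constructed_conn_table()))
    print(bandwidth_report(constructed_flow_log()))
    print(exhausted_resources(constructed_conn_table(), constructed_flow_log()))
```

The two reports point at different remedies, which is the practical reason for keeping the distinction: a full backlog on one server is something the operator can address locally (kernel backlog and SYN cookie settings, more servers), while a saturated last mile can only be relieved upstream, which is the pre-arrangement with the provider the post goes on to recommend.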
To maximize the availability of resources in general, and information assets in particular, it helps to have some appreciation of the threat.  Most of the threats to availability are natural, not man-made.  They include everything from massive events like Hurricane Katrina to component failures.  Historically, most of the man-made threat has been accidental, errors and omissions.  This was in part because even the most malicious lacked the resources or motivation for more than the most local attacks.
The modern open network has changed that.  Not only may an individual control vast stolen resources (“bot-nets”) but he can direct them against a target of choice.  At first, the use of this power was by children and other amateurs and targets were somewhat random.  Increasingly the power is used by professionals and victims are chosen to make money (e.g., by extortion or short selling of securities).  The attack against Estonia, among the tiniest of nation states, has created fear that nation states might attempt to use the links between them to attack one another for political or military purposes.
Our fundamental strategies for ensuring availability include adequate capacity and reserves, easily deployed, avoiding single points of failure, planned response to events, and insurance.  The planned responses include relations with key suppliers.  Here is where the potential for denial of service attacks suggests a new tactic, pre-arrangement with one’s upstream network service providers.
Steve Gibson reports that in the first well-publicized attack against grc.com, it took him 12 hours to find the right individual at his internet service provider and ten minutes for that person to fix it.  Since one will rarely have so much capacity that an attacker cannot exhaust it, assistance from one’s upstream provider is always helpful and may be essential.
Internet service providers offer multiple alternatives for mitigating denial of service attacks, from simple filtering, alternative addresses, alternative paths, to capacity for absorbing the attack.  Many spell out these services in their offerings.  Some of these services are separately priced.  (For the few enterprises that are targets of choice for denial of service attacks, there are specialized services that offer massive capacity for absorbing attacks.)
Media coverage to the contrary notwithstanding, and at least for the time being, for the average enterprise, network-based denial of service attacks will be rare and short-lived.  They may be slightly more likely than regional disasters but less damaging.  They should be addressed in the context of other threats to availability.
That leaves the issues of a national denial of service attack, like Estonia, a global denial of service attack, like SQL/Slammer, or “Cyber Terrorism.”  The so-called attack against Estonia was really a number of loosely coordinated attacks against a very small nation state that was unusually dependent on the Internet.  While somewhat effective, even it consumed only a small portion of the total capacity of even that small country.  The recent coordinated attacks against the US and S. Korea were even less effective.
SQL/Slammer was a global denial of service attack which attempted to exploit a widespread vulnerability to organize Internet nodes against the Internet itself.  It produced a noticeable, localized, and short-lived decrease in the usable capacity of the Internet.  Because it was easily recognized, it was possible to put filters in place to shut it down within hours.  However, one can easily visualize a more heterogeneous attack that would have been more difficult to stifle.  One cannot afford to dismiss the possibility of such an attack.  However, as time passes, the potential for it to be effective diminishes.  The widespread use of restrictive policies, e.g., default deny, personal firewalls, resists the marshalling of the Internet’s nodes against itself, the capacity to be exhausted increases, and the preparation and strategies of the operators improve.
Terrorism can be defined as an attempt to achieve political ends by frightening the populace.  While the death and destruction is beyond question, its effectiveness in achieving its ends has always been questionable.  In modern terrorism, the means have become so separated from the ends that the terror has become an end in itself.  The speculation about “Cyber Terrorism” is based upon the idea that the Internet might be such an attractive means to a terrorist as to make its use for an attack all but inevitable.  To the extent that it permits a small number of people to exercise control or project power at a distance, the Internet is an attractive attack vector.  It is certainly attractive as a means of demonstrating the vulnerability of a highly technologic society.  However, as a means of creating terror, it is far less attractive than random death and destruction.
“Think globally, act locally.”  For most of us, the proper response to any potential for “Cyber Terrorism” is to protect our own resources so that they cannot be used against our neighbors.