February 14, 2000
By Matthew G. Nelson and Beth Bacheldor
The risks of doing business on the Internet came into sharp focus last week following attacks that shut down or restricted access to several popular consumer sites.
Security experts and law-enforcement officials say the "distributed denial-of-service" attacks, which targeted sites such as Amazon.com, Buy.com, CNN.com, eBay, E-Trade, and others, are hard to prevent. They also say it will be difficult to track down the person or group responsible.
Not only did the attacks prevent at least seven major Web sites, including five of the 10 most-popular sites, from serving their customers, they also slowed down the entire Internet, according to Keynote Systems, a firm that measures Internet and Web-site performance. "We monitor the top 40 Web sites, and during the period of these attacks, the average download of these sites jumped from 4.8 seconds to 8 seconds," says Matthew Parks, product marketing manager for Keynote Systems. "There was actually a 60% degradation in the performance of these sites during the attacks, even though they hadn't been attacked."
The high-profile attacks prompted a high-level response: Attorney General Janet Reno said the FBI has launched a full-scale investigation. "These cyber-attacks have caused millions of Internet users to be denied services," she said. "At this time, we're not aware of the motives behind these attacks."
FBI officials said such attacks could easily be launched by using software freely available on the Internet. In response, the agency has posted software on the Web that can help IT managers determine if their Web sites are under attack.
The disruption caused many IT managers and Web-site operators to analyze their systems' security to reduce the likelihood of being attacked or of having their systems used to harm other Web sites. In a distributed denial-of-service attack, a malicious hacker or group of hackers surreptitiously gains access to dozens or hundreds of computers connected to the Internet and plants software code in those systems. Once a signal is sent, those computers start sending signals to the targeted Web site. The huge amount of traffic directed at a site can clog and overload access links, Internet routers, and Web-site servers, slowing access time or shutting down a site altogether.
"Essentially what happened with the Yahoo site is that at 10:15 p.m. Pacific time, on Monday, Yahoo dropped to zero availability. None of our measurement computers worldwide were able to access that site," Parks says. "This raised alarms and red flags."
Once Web sites realized they were under attack, they responded quickly. "At 7 p.m. Wednesday, internally we recognized we were being hit by a denial-of-service attack," says Edna Johnson, a spokeswoman for CNN.com in Atlanta. "From 7 to 8:45 p.m., we were seriously affected, but we were not down or crashed. We were serving content; admittedly it was very inconsistent. It was like slogging through molasses. By 8:45 p.m., our Internet service providers were working with us and put in blocks that began shielding us."
Some sites were getting as much as a gigabit of traffic each second. For many companies, working with their ISPs to reduce the traffic heading for the Web site was the key to restoring a site to normal operation. Web-site managers may also look to their ISPs to prevent such attacks in the future.
"It sounds like an ISP problem," says Stuart McClure, president and CEO of Rampart Security Group, a computer security consulting firm. "I spoke to Yahoo, and they said the pipes into the servers were the problem, not the servers themselves. They should definitely be pointing a finger at the providers to provide some filters and some fixes for this."
Says John Pescatore, research director for network security with Gartner Group, "The ISPs need to step up to the plate in doing a better job to defend against these kinds of attacks."
One defense mechanism, known as throttling, could block traffic before systems become overwhelmed. Throttle controls go into effect when specified thresholds are surpassed. "If I'm receiving more than 10 connection requests a minute from a specific IP address, I'm going to block them or only accept one out of 10," Pescatore says.
However, that tactic may not work if hackers disguise the source of the attack by using different IP addresses for each message. Still, many Web-site managers immediately turned to their ISPs for reassurance and strategies.
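The throttle described above, and the reason spoofed source addresses defeat it, as an added example that is not part of the original article. The class name, the two policies' labels, and the sample addresses and traffic are constructed for illustration.

```python
from collections import defaultdict, deque

WINDOW_SECONDS = 60   # "a minute"
THRESHOLD = 10        # "more than 10 connection requests"
SAMPLE_EVERY = 10     # "only accept one out of 10"

class PerSourceThrottle:
    """Sliding-window connection limiter keyed on the claimed source IP."""

    def __init__(self, mode="block"):
        self.mode = mode                   # "block" or "sample"
        self.recent = defaultdict(deque)   # source -> request times in window
        self.excess = defaultdict(int)     # source -> requests seen over threshold

    def allow(self, src, now):
        times = self.recent[src]
        while times and now - times[0] >= WINDOW_SECONDS:
            times.popleft()                # forget requests older than the window
        times.append(now)                  # refused requests still count
        if len(times) <= THRESHOLD:
            self.excess[src] = 0
            return True
        if self.mode == "block":
            return False
        self.excess[src] += 1              # sample mode: pass every tenth excess
        return self.excess[src] % SAMPLE_EVERY == 0

def accepted(throttle, requests):
    """Count how many (source, time) requests the throttle lets through."""
    return sum(throttle.allow(src, t) for src, t in requests)

def single_source_flood():
    # Constructed traffic: 600 requests in under a minute from one address.
    return [("192.0.2.7", i / 10) for i in range(600)]

def spoofed_flood():
    # Same volume, but every request claims a different source address,
    # so no single key ever crosses the threshold.
    return [(f"10.0.{i // 250}.{i % 250 + 1}", i / 10) for i in range(600)]

if __name__ == "__main__":
    for mode in ("block", "sample"):
        print(mode, "single source:",
              accepted(PerSourceThrottle(mode), single_source_flood()))
        t = PerSourceThrottle(mode)
        print(mode, "spoofed:", accepted(t, spoofed_flood()),
              "tracked sources:", len(t.recent))
```

The spoofed run also leaves one state entry per claimed address, so a per-source table needs a size bound or expiry of its own.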
"We're aware of the risks," says David Grant, chief technology officer at Autobytel.com Inc., a leading auto-sales Web site. "We monitor all of our traffic and our bandwidth, and we have paging alerts. We have precautions in place. But if someone threw a gigabit per second at us, they'd clog us, too."
Grant called his ISP to ask what it was doing to prevent a possible denial-of-service attack. The call prompted a face-to-face meeting that lasted more than six hours. Grant says he asked his ISP: "What are you going to do for me? How would something like this affect our service-level agreement? What prosecutorial actions might be taken, and at whose expense? If you find this person, will he or she go to jail? Will there be a civil suit?"
At least one ISP says it monitors Internet traffic to prevent such attacks. "If we see an unusual amount of traffic coming from one or a few locations, we look at it as a potential symptom of a problem and contact the customer to see if the pattern is expected," says Rose Klimovich, director of global IP network services at AT&T. "If it isn't, we turn on filters in the network routers needed to handle the problem."
Another ISP, GlobalCenter Inc., says it's not the huge backbone pipes to the router, but the router itself that becomes overwhelmed by heavy traffic. To address the problems encountered last week, the company early last week activated settings in its Cisco Systems routers that let the ISP set volume thresholds for certain messages.
"The traffic flooded the router, making it near impossible for the device to process regular traffic," says Laurie Priddy, VP of systems and applications at GlobalCenter. "We experienced a truly extraordinary increase in traffic volume that I'm not sure anyone could anticipate was possible."
PSI Networks Inc. is testing new Cisco router software that it's tentatively planning to deploy on the hundreds of routers in its network. "With the software, the routers will use filters to look at each packet and drop all packets whose source address doesn't match the IP address of the originating site," says president Ted Davis. "We'll install the code as soon as it's fully tested."
The attacks on so many high-profile Web sites have E-businesses that weren't hit breathing a sigh of relief and planning for the future. "Whether we are slowed or shut down by a denial-of-service attack is one thing that I'm concerned about," says Thomas Shipley, CEO of Tshipley Inc., a provider of high-end business products in Orlando, Fla. "As we grow bigger, I'm sure that something will happen in the future. That's why you cover yourself with security."
To protect Web sites, experts recommend assessing vulnerabilities and putting in place a plan of action with a company's ISP to deal with attacks quickly when they happen.
A key defense in preventing distributed denial-of-service attacks is to protect computers from becoming the unwitting hosts used to launch the assaults. If hackers hadn't gotten access to other systems to launch the attack, the assaults would have been less damaging and easier to track. That makes Internet security everyone's responsibility.
However, denial-of-service attacks are difficult to guard against, and security threats will continue to be present online in one form or another. That will force many E-businesses to deal with the harsh mathematics of risk vs. reward.
"The most important thing to take home from this event is that while we're not going to find a silver bullet, there will be ways to mitigate these attacks. Because of that, it just becomes another factor to weigh when you are analyzing your business decisions," says Elias Levy, chief technology officer at SecurityFocus.com, a security information portal in San Mateo, Calif. "It all boils down to risk management, and big businesses already know how to deal with that."
--with additional reporting by Diane Rezendes Khirallah, Marianne McGee, Jennifer Mateyaschuk, Chris Murphy, and Bob Wallace