NEWS AT SEI
This article was originally published in News at SEI on: March 1, 2000
The work of the SEI's CERT Coordination Center (CERT/CC) became a focal point of worldwide media attention in the wake of recent denial of service attacks on some of the Internet's largest and most recognizable electronic commerce sites. These attacks, known as distributed denial of service (DDoS) attacks, are not a new phenomenon. The CERT/CC has been tracking DDoS attacks since 1998, and has published guidance about how to deal with them. The recent DDoS attacks nevertheless caused considerable damage, underscoring the importance of the SEI's continuing efforts to disseminate information about preventing, detecting, and recovering from attack.
The Threat of DDoS Attacks
Distributed systems based on the client/server model have become increasingly common. In a DDoS attack, an intruder compromises several machines individually to install software that will be used to launch a coordinated attack on a target machine. In this type of attack, the compromised machines become agents used by the intruder to carry out the attack. For the victim, the impact can be extensive. In a denial of service attack using distributed technology, the attacked system observes simultaneous attacks from all the nodes at once—flooding the network normally used to communicate and trace the attacks and preventing any legitimate traffic from traversing the network.
For so-called "e-commerce" sites, which operate solely on the Web, even a short-term loss of service can be costly. Government and Department of Defense sites are at risk as well because they depend increasingly on networked systems and commercially supported networking products.
Coordinated attacks across national boundaries have occurred. The tools and attacks demonstrate that a network that optimizes its technology for speed and reliability at the expense of security may experience neither speed nor reliability, as intruders abuse the network or deny its services. The intruder technology is evolving, and future tools may be more difficult to defeat.
Countering the DDoS Threat
The CERT/CC constantly monitors trends and watches for new attack techniques and tools. The CERT/CC saw distributed denial of service tools as early as 1998. By fall 1999, it was evident that steps needed to be taken to deal with the increasingly sophisticated intruder tools that were being developed. On November 2-4, 1999, the CERT/CC invited 30 experts from around the world to address the problem of network attack tools that use distributed systems in increasingly sophisticated ways. During the resulting Distributed-Systems Intruder Tools (DSIT) Workshop, participants discussed a large number of approaches to preventing, detecting, and responding to distributed attacks.
The workshop effectively provided a venue for experts around the world to share experiences, gain a common understanding, and creatively brainstorm possible responses and solutions to this category of attack before the dissemination of the attack tools, and the attacks themselves, became widespread. The outcome of the workshop was a paper, Results of the Distributed-Systems Intruder Tools Workshop.1 This paper explains the threat posed by these intruder tools and provides guidance to managers, network administrators, Internet service providers, and incident response teams for safeguarding systems from this type of malicious activity:
For managers, planning and coordination before an attack are critical to ensuring adequate response when the attack is in progress. Since the attack methodology is complex and there is no single-point solution or "silver bullet," management must realize that resolution and restoration of systems may be time-consuming. Management needs to be aware that systems may be subject at any time to distributed attacks that are extremely difficult to trace or defend against.
Incident response teams (IRTs) should first make sure they follow the standard operating procedures that they have established. Examples of such procedures can be found in the SEI document, Handbook for Computer Security Incident Response Teams (CSIRTs).2 The best step IRTs can take is to raise awareness within their constituencies.
The report also provides guidance to network administrators and Internet service providers on actions they can take immediately, in the near term, and in the long term. These actions are focused on protecting systems from attack, detecting attacks, and reacting to attacks.
The CERT/CC continues to collaborate with the participants who attended the workshop and with an additional group of security experts to address the ongoing problem.
The tremendous interconnectedness and interdependency among computer systems on the Internet is not likely to disappear anytime soon. As a result, the security of each system on the Internet depends on the security of all other systems on the network. Recent attacks such as the latest DDoS attacks clearly demonstrate this interdependency. Any computer system can be a victim of a DDoS attack, and there is little system owners can do beyond depending upon others to protect their systems from being used as a launch site in a DDoS attack. To address these and other security problems on the Internet, the entire Internet community must continue to work together.