From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Fri, 26 Oct 2001 13:54:23 -0700 (PDT)
Subject: [iwar] [fc:What.government.can.do.to.prevent.denial-of-service.attacks.]
Message-Id: <200110262054.f9QKsNk22896@red.all.net>
Organization: I'm not allowed to say
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Reply-To: iwar@yahoogroups.com

What government can do to prevent denial-of-service attacks.
By Shawn P. McCarthy, Government Computer News, 10/26/2001, www.gcn.com

The United States has other kinds of attacks to worry about these days, but ongoing attacks against government Web servers continue to be a top concern. It's vital for citizens to continue to communicate with their government agencies online. We must not allow such valuable services to be shut down by a bunch of hacker-wannabes with too much time on their hands and little expertise other than how to launch distributed denial-of-service attacks.

It might mean changing the way IP addresses are assigned to government servers, or creating new rules for the way data is routed through government networks. In a time of crisis, the situation becomes doubly chaotic. Government should defend itself on a broader scale against these troublesome attacks.

Distributed denial-of-service attacks flood a Web server with so many data requests that it can't keep up with legitimate traffic. Such attacks usually come from dozens or hundreds of other servers worldwide that have been taken over and programmed to automatically send thousands of bogus requests. These so-called zombie machines respond to a remote command or at a scheduled time.

The main reason service-denial attacks succeed is that the Internet works hard to deliver any data packet with a viable "to" address. Someone can spoof the "from" address in a packet and dump it anywhere on the Net to reach its target.

The government has many interconnected networks and Web sites that live in many places, including on contractors' servers. It's nearly impossible to establish a set of rules for how disparate machines should deal with service-denial attempts.

Such an attack is hard to shut down. It requires hunting upstream to identify the point of origin and go after the perpetrator. I've written about ways to battle worms and flood attacks [GCN Aug. 13, Page 29 and March 6, 2000, Page 34]. But single-site solutions are more reactive than proactive. Can that change?
It might have to, because government networks definitely need better security. We must take away hackers' ability to spoof packets, at least on government networks. Here are some ideas for the .gov domain to make things safer.

* Establish egress filtering on every federal Web server to prevent it being used to launch zombie attacks on other servers.
* Pass legislation requiring U.S. Internet service providers to set up egress filtering, too. This is a controversial step, but the time has come for radical measures.
* Invest in low-cost, simple tracing software to find the data traffic's origination. One $20 product is McAfee Visual Trace, downloadable from mcafeestore.beyond.com/Product/0,1057,3-18-sn107799,00.html.
* Keep bad packets out by pressuring your Internet service provider to trace them when you point out a specific pattern. If you get no cooperation, change providers.
* Specify a set of IP addresses for use only by government servers. Do special filtering and monitoring of packets targeted to this set of numbers.
* Finally, think about whether all .gov sites should use a single, tightly regulated and internally managed provider.

These are my ideas for changing the rules to defeat service-denial attacks. I'd like to hear GCN readers' views. What if all queries to federal servers went through a set of massive routers, a government version of the MAE West and MAE East Internet hubs? Visit www.mae.net.

Shawn P. McCarthy designs products for a Web search engine provider.

------------------ http://all.net/
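The column's two filtering ideas, egress filtering so a compromised server cannot emit packets with a forged "from" address, and special handling of a dedicated government address range, as an added simulation that is not part of the article. The prefixes, packet records and rule names are constructed for illustration; a real deployment would express the same rules in the router or host firewall.

```python
"""Simulated source-address filter (egress and ingress) in the spirit of the
article's egress-filtering recommendation. Added example; prefixes and
packets are constructed, not taken from any real network."""
import ipaddress
from collections import Counter

# Constructed prefixes: the server's own network, and a hypothetical
# dedicated government range the article proposes to monitor specially.
LOCAL_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]   # TEST-NET-1
GOV_PREFIXES = [ipaddress.ip_network("198.51.100.0/24")]  # TEST-NET-2


def _in_any(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def classify(packet):
    """Return (verdict, reason) for a packet dict with keys direction
    ('out' or 'in'), src and dst."""
    src, dst, direction = packet["src"], packet["dst"], packet["direction"]
    if direction == "out":
        # Egress rule: only our own addresses may leave as the "from"
        # address, so a zombie on this network cannot send spoofed floods.
        if not _in_any(src, LOCAL_PREFIXES):
            return "drop", "egress-spoof"
        return "accept", "egress-ok"
    # Ingress rules: nobody outside may claim one of our own addresses.
    if _in_any(src, LOCAL_PREFIXES):
        return "drop", "ingress-spoof"
    if _in_any(dst, GOV_PREFIXES):
        # Accepted but flagged: the dedicated range gets extra monitoring.
        return "accept", "monitor-gov-range"
    return "accept", "ingress-ok"


def filter_packets(packets):
    """Apply classify() to each packet; return kept packets and a reason tally."""
    kept, tally = [], Counter()
    for p in packets:
        verdict, reason = classify(p)
        tally[reason] += 1
        if verdict == "accept":
            kept.append(p)
    return kept, tally


SAMPLE_PACKETS = [  # constructed sample traffic
    {"direction": "out", "src": "192.0.2.10", "dst": "203.0.113.5"},
    {"direction": "out", "src": "10.9.9.9", "dst": "203.0.113.5"},      # forged source
    {"direction": "in", "src": "192.0.2.77", "dst": "192.0.2.10"},      # claims our address
    {"direction": "in", "src": "203.0.113.8", "dst": "198.51.100.4"},   # to gov range
    {"direction": "in", "src": "203.0.113.9", "dst": "192.0.2.10"},
]
```

Running `filter_packets(SAMPLE_PACKETS)` keeps three of the five packets and tallies one egress spoof, one ingress spoof and one monitored packet.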
This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:57 PST