[iwar] [fc:DoS.Attacks:.Easier.To.Launch,.Harder.to.Fight]

From: Fred Cohen (fc@all.net)
Date: 2001-11-08 05:03:20


Return-Path: <sentto-279987-3811-1005224592-fc=all.net@returns.groups.yahoo.com>
Delivered-To: fc@all.net
Received: from 204.181.12.215 [204.181.12.215] by localhost with POP3 (fetchmail-5.7.4) for fc@localhost (single-drop); Thu, 08 Nov 2001 05:04:08 -0800 (PST)
Received: (qmail 16371 invoked by uid 510); 8 Nov 2001 13:02:10 -0000
Received: from n16.groups.yahoo.com (216.115.96.66) by 204.181.12.215 with SMTP; 8 Nov 2001 13:02:10 -0000
X-eGroups-Return: sentto-279987-3811-1005224592-fc=all.net@returns.groups.yahoo.com
Received: from [10.1.4.56] by n16.groups.yahoo.com with NNFMP; 08 Nov 2001 13:02:55 -0000
X-Sender: fc@red.all.net
X-Apparently-To: iwar@onelist.com
Received: (EGP: mail-8_0_0_1); 8 Nov 2001 13:03:12 -0000
Received: (qmail 57633 invoked from network); 8 Nov 2001 13:03:12 -0000
Received: from unknown (216.115.97.171) by m12.grp.snv.yahoo.com with QMQP; 8 Nov 2001 13:03:12 -0000
Received: from unknown (HELO red.all.net) (65.0.156.78) by mta3.grp.snv.yahoo.com with SMTP; 8 Nov 2001 13:03:09 -0000
Received: (from fc@localhost) by red.all.net (8.11.2/8.11.2) id fA8D3Kp15470 for iwar@onelist.com; Thu, 8 Nov 2001 05:03:20 -0800
Message-Id: <200111081303.fA8D3Kp15470@red.all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Organization: I'm not allowed to say
X-Mailer: don't even ask
X-Mailer: ELM [version 2.5 PL3]
From: Fred Cohen <fc@all.net>
X-Yahoo-Profile: fcallnet
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Delivered-To: mailing list iwar@yahoogroups.com
Precedence: bulk
List-Unsubscribe: <mailto:iwar-unsubscribe@yahoogroups.com>
Date: Thu, 8 Nov 2001 05:03:20 -0800 (PST)
Reply-To: iwar@yahoogroups.com
Subject: [iwar] [fc:DoS.Attacks:.Easier.To.Launch,.Harder.to.Fight]
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 8bit

DoS Attacks: Easier To Launch, Harder to Fight
By Jay Lyman, NewsFactor Network, 11/7/2001
http://www.osopinion.com/perl/printer/14593/

Experts are warning that crippling denial of service (DoS) attacks have
become easier to launch, with automated tools and newer methods that tie
up more computer and Internet resources than ever.

And while security experts are producing counterattack tools and
bolstering preparedness for the high-tech logjam offensives, there is
concern that defenders may not be able to keep up as they have less time
to react.

Please note that this material is copyright protected. Therefore, it is
illegal to display or reproduce this article for any commercial purpose,
including use as marketing or public relations literature. To obtain
legal reprints of this article, please call a sales representative at
+1 (818) 528-1100 or visit http://www.newsfactor.com/reprints.shtml.

Last week, the Internet service of The New York Times was paralyzed for
more than two hours after company computers "started receiving a huge
amount of electronic transmissions that flooded the machinery that
protects the paper from hacker attacks," according to an e-mail from a
Times systems administrator.

"A well-executed DoS attack just can't be defended against,"
SecurityFocus incident analyst Ryan Russell told NewsFactor Network.

More Machines

A recent report from the CERT Internet security center at Carnegie
Mellon University indicated that denial of service attacks are getting
easier to create and are having greater impact.

"The bar is being raised on what level of resources can be used for a
DoS attack," CERT team leader for artifact analysis Kevin Houle told
NewsFactor.

He said that while "garden variety" DoS attacks that use a single source
to launch a flood of data packets continue to occur, a continuing trend
is the use of several computers, known as "zombies," that are taken over
by attackers.

"Essentially, with a single point of attack, there is a finite amount of
traffic that can be produced, whereas a collection of several thousand
attack points can generate much higher amounts of traffic," Houle said.
"It is an escalation in terms of impact, and it has been a steady
progression."

Perpetrator Protocol

Houle, who co-authored the CERT report on DoS trends, said attackers
also are using new technologies and methods to stifle Web sites and
Internet traffic.

"There is a move toward the use of legitimate protocols rather than the
invention of new ones for attack modes," Houle said. "We've seen a trend
toward the use of IRC-type (Internet Relay Chat) servers and networks as
a central handler for DoS attacks."

Houle said the trend is troubling, as it makes DoS attacks easier to
produce with a larger impact on legitimate, mainstream networks and
protocols.

Common Victims

CERT reported that while more random, "blind targeting" attacks still
occur, there is also a trend toward "selective targeting" of
Windows-based systems, networks and users. However, Houle said, a total
DoS meltdown on the Web is unlikely because of the different software
and systems in use.

"The thing that really limits any complete saturation of the Internet is
the diverse array of software out there on the Internet," he said.

Time Running Out

Perhaps the more troubling trend is the increased use of automated
attack tools. Houle said DoS attackers are relying more on the automated
tools, which lower the level of technical knowledge necessary to launch
a successful attack.

"There's a large collection of attack tools out there; when a
vulnerability is discovered, it's relatively easy for attackers to build
tool kits," he said, referring to recent virus outbreaks of the Code Red
II and Nimda computer worms. "It's that high degree of automation that
allowed them to propagate quickly."

Houle said the time between the discovery of a security hole and
exploitation continues to shrink.

"It used to be several weeks or months, and now it's a matter of days,"
Houle said. "It's something we don't like to see, but the fact is that
automation is something we do see."

DoS Defense

Houle encouraged Internet administrators and users to review the
security of their routing and networking, adding that there are tools
and discussions in the security community about countering DoS attack
technology.

Most DoS defense tools center on identifying an attack and alerting IT
managers, but there are advances -- such as a "reverse firewall" that
monitors outgoing traffic, as opposed to incoming -- to stem an attack
before it starts.
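The "reverse firewall" idea above, watching traffic leaving your own network rather than entering it, is the one defence the article describes concretely, so here is an added example (my code, not from the article, from CERT, or from any product it mentions) of the two checks such an egress monitor would run: drop outbound packets whose source address the site does not own (the classic anti-spoofing rule), and flag an internal host whose per-second packet rate toward one destination looks like a zombie joining a flood. The address blocks, the rate threshold and the flow records are all constructed for the example.

```python
import ipaddress
from collections import defaultdict

# Assumption for the example: the address blocks this site is allocated.
LOCAL_PREFIXES = [
    ipaddress.ip_network("192.0.2.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Hypothetical threshold: packets per second from one internal host to one
# destination above which the host is treated as a flood source.
RATE_THRESHOLD_PPS = 500

# Constructed outbound flow records, as an edge router or flow collector
# might export them: (timestamp_s, src_ip, dst_ip, dst_port, packets).
SAMPLE_FLOWS = [
    (0, "192.0.2.10",   "203.0.113.5", 80,  40),     # ordinary web traffic
    (0, "192.0.2.77",   "203.0.113.9", 80,  12000),  # internal zombie flooding one target
    (0, "10.99.99.1",   "203.0.113.9", 80,  9000),   # spoofed source: not a local address
    (1, "192.0.2.77",   "203.0.113.9", 80,  11000),
    (1, "192.0.2.10",   "203.0.113.6", 443, 15),
    (1, "198.51.100.3", "203.0.113.9", 53,  30),
]


def is_local(ip):
    """True if ip falls inside one of the prefixes this site owns."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LOCAL_PREFIXES)


def spoofed_sources(flows):
    """Anti-spoofing egress check: every outbound packet must carry a source
    address we own. Anything else is a forged source and should be dropped."""
    return sorted({src for _, src, _, _, _ in flows if not is_local(src)})


def flood_sources(flows, threshold=RATE_THRESHOLD_PPS):
    """Internal hosts whose packet rate toward a single destination, in any
    one second, exceeds threshold. Returns {src: [dst, ...]}."""
    per_second = defaultdict(int)  # (second, src, dst) -> packets
    for ts, src, dst, _, pkts in flows:
        if is_local(src):          # spoofed sources are handled separately
            per_second[(ts, src, dst)] += pkts
    flagged = defaultdict(set)
    for (ts, src, dst), pkts in per_second.items():
        if pkts > threshold:
            flagged[src].add(dst)
    return {src: sorted(dsts) for src, dsts in flagged.items()}


def egress_verdict(flows):
    """Combine both checks into the action list a reverse firewall would apply."""
    return {
        "drop_spoofed": spoofed_sources(flows),
        "rate_limit": flood_sources(flows),
    }


if __name__ == "__main__":
    print(egress_verdict(SAMPLE_FLOWS))
```

Run against the constructed flows, the spoof check reports 10.99.99.1 and the rate check reports 192.0.2.77 toward 203.0.113.9; the quiet hosts are left alone. The point of doing this on the way out is that the attacking network sees a handful of loud internal hosts, which it can throttle, while the victim sees only the aggregate from thousands of networks and cannot.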
Still, most experts agree that DoS victims are in a reaction mode, and
that the technology to automatically repel or thwart a denial of service
attack is still years away.

"Vendors continue to produce technology products that contain
exploitable security vulnerabilities," the CERT report said. "Consumers
continue to deploy technology products that contain security
vulnerabilities, are misconfigured such that compromise is possible or
are simply insecurely managed.

"The end result is that there are still plenty of vulnerable systems on
the Internet that can be used as launch points for DoS attacks," the
report concluded.

© Copyright 1999-2001 NewsFactor Network. All rights reserved. This
material may not be published, broadcast, rewritten or redistributed in
any form without written permission.

------------------
http://all.net/ 

Your use of Yahoo! Groups is subject to http://docs.yahoo.com/info/terms/ 



This archive was generated by hypermail 2.1.2 : 2001-12-31 20:59:59 PST