 |
|
 | technology > computing |
![[CNN Money]](http://i.cnn.net/cnn/images/main/fn.logo.newsnet.gif){kind=logo}
![[SI.com]](http://i.cnn.net/cnn/images/main/si.logo.gif){kind=logo}
( | |
 |
|
| |
| |
EDITIONS: | |
MULTIMEDIA: | |
E-MAIL: |
Subscribe to one of our news e-mail lists. Enter your address: |
DISCUSSION: |
CNN WEB SITES: |
 |
TIME INC. SITES: |
CNN NETWORKS: |
|
SITE INFO: |
WEB SERVICES: |
Avoiding future denial-of-service attacks
(IDG) -- ISPs have a technique that could be used to choke off denial-of-service Web attacks, but it's not clear if business users will benefit from it any time soon.
By using address source filtering at edge routers, ISPs could prevent large numbers of "fake" IP packets from flooding targeted sites. In the near term, filtering is the only solution to prevent denial-of-service attacks on a large scale, says John Pescatore, a research director at Gartner Group, a Stamford, Conn., consulting firm.
 | RESOURCES | |
|
| ||
While most ISPs agree filtering could nearly eliminate the assaults, they are hesitant to install the safeguard because of the heavy price and uncertainty about the longevity of the fix.
Filters, which have to be deployed on routers at the edge of the network, enable an ISP to drop packets that have unfamiliar source addresses. PSINet, for example, would examine packets coming in from a customer site and drop them if they had addresses assigned to UUNET or were otherwise unknown.
Hackers typically use fraudulent IP addresses, either lifted from unknowing Internet users or simply made up, to make it harder for investigators to discover where attacks are coming from.
Address source filtering will likely reduce the number of denial-of-service attacks by making this common first step difficult to pull off and easier to trace, says Chuck Davin, vice president and chief technical officer at PSINet.
So why aren't ISPs using filtering? The primary reason is performance will suffer, says Kelly Cooper, Internet security officer at GTE Internetworking. "Filtering at the edge of the network will take significant amount of router processing power."
PSINet's Davin likens it to putting police officers at the entry of every highway and having them check the license of every driver to make sure they are who they say they are.
| MORE COMPUTING INTELLIGENCE |
IDG.net home page
|
| Web sites consider hacker insurance |
| Asleep at the security wheel? |
| Web attacks were no Pearl Harbor |
| IDG.net's network operating systems page |
| Reviews & in-depth info at IDG.net |
| E-BusinessWorld |
| Year 2000 World |
| Questions about computers? Let IDG.net's editors help you |
| Subscribe to IDG.net's free daily newsletter for network experts |
|
Search IDG.net in 12 languages |
| News Radio |
Fusion audio primers
|
|
Computerworld Minute
|
To overcome the congestion, ISPs would have to deploy more packet-handling horsepower. "The bottom line is that the responsibility is on the ISPs and Web-hosting companies to strengthen their infrastructures," Gartner's Pescatore says. "They don't want to because it would require more routers, larger switches, etc., to maintain the same performance."
While source filtering can combat denial-of-service at-tacks, it's possible hackers could change their ways and effectively sidestep the expensive fix. Some ISPs, such as PSINet and GTE Internetworking, are considering setting up filters, but none have committed to deploying the technology.
UUNET's Mark Krause, senior manager of infrastructure security, says it's not so much a cost issue as a question of getting more powerful hardware and software that can handle the load without degrading network performance.
UUNET and GTE Internetworking are working with Cisco to develop a more advanced technique for dropping invalid traffic. GTE Internetworking is already using Cisco's reverse path forwarding (RPF) protocol to compare IP traffic with routing tables to ensure the packet is coming from the correct network. But today, RPF cannot be used with customers that use more than one ISP for access, which is becoming more common. RPF is believed to be less draining on routers.
While ISPs are waiting for more-advanced filtering methods, the ISPs interviewed by Network World say business users must shoulder some of the burden. The carriers are working with customers to set up filtering and intrusion-detection software to help prevent hackers from capturing machines to launch attacks.
Authorities pursing the attackers say the servers they used belonged to users that had no idea their resources were being used to launch attacks.
Clearly something has to be done, because the stakes are so high. The attacks on Yahoo, eBay, Amazon.com and E*Trade earlier this month cost approximately $1.2 billion, according to The Yankee Group, a Boston consulting firm. This figure comes from estimating lost revenues, loss in market capitalization due to falling stock prices and how much money will be spent on upgrading security systems.
Ultimately the carrier that offers a solution to the problem may have a competitive advantage over rivals.
RELATED STORIES:
ISP report card
February 2, 2000
The turn to opitical switching
January 25, 2000
Broadband, narrow choices
January 25, 2000
Enron inks deal with Sun to further broadband Net service
January 24, 2000
RELATED IDG.net STORIES:
Corporate vigilantes go on the offensive to hunt down hackers
(Network World Fusion)
Denial of service and the worm
(Network World Fusion)
Web attacks were no Pearl Harbor
(IDG.net)
More gov't money needed for cybersecurity
(FCW.com)
Asleep at the security wheel?
(FCW.com)
Hackers express disdain for Web
(PC World)
eToys attacks show need for strong Web defenses
(Network World Fusion)
Web sites consider hacker insurance
(PC World)
RELATED SITES:
Steps for dealing with an attack
Trinoo detection tools
Matrix IQ (measures ISP performance)
Internet Security Systems home page
Note: Pages will open in a new browser windowExternal sites are not endorsed by CNN Interactive.