Preparing for DDoS attacks
By Laura B. Smith
Not everyone despaired over the Distributed Denial of Service (DDoS) attacks that hit some of the Web's biggest e-commerce sites in February. Security consultants and developers of security tools seized the opportunity to spotlight their solutions.
Simple DoS attacks are not new. During one, a hacker floods a system with packets of useless requests, making the system so busy it denies access to legitimate users. What's new are the hacker tools that enable DDoS attacks, in which a hacker uses dozens or hundreds of machines to worsen the attack. The hacker uses client software on one PC to install "zombie" or "back door" programs on other servers, which then flood a target system with useless packets. Zombie programs, including TFN (Tribal Flood Network), Trin00, TFN2K (Tribal Flood Network 2K) and Stacheldraht (Barbed Wire), arrived last fall destined for Solaris, Linux and Windows NT servers.
Until recently, most security packages designed to thwart such attacks were aimed at the Unix environment. Now, however, hundreds of programs are being designed for Windows NT, ranging from Internet Security Systems' (ISS) award-winning SAFEsuite software to BindView Corp.'s free and downloadable Zombie Zapper. Some programs scan the addresses of outgoing messages, intercepting wayward messages before they swamp a potential victim. Others allow administrators to block fake messages from entering a system, or stop the echo functions that help create the constant data flood in a DoS attack.
While the programs for NT are good news, the task of evaluating them can easily overwhelm an IS staff, according to Aberdeen Group, a consultancy in Boston. Adding pressure are unresolved issues of liability when one's computers have been compromised because of lax security. To organize efforts and provide a modicum of legal defense, leading security practitioners suggest these guidelines:
- Perform a security audit or risk assessment of critical systems using system- and network-based vulnerability tools.
- Identify and empower an Incident Response Team. Establish an Emergency Response and Escalation Plan.
- Install Intrusion Detection and Response systems.
- Examine legal liability exposure.
If systems are under attack:
- Alert your Incident Response Team.
- Contact your ISP; often, hosts can shut down your access line, stopping the attack.
- Notify CERT/CC.
- Notify law enforcement authorities at the FBI and the National Infrastructure Protection Center (NIPC).
- Monitor systems during the attack using network and host-based intrusion detection systems.
- Enable detailed firewall logging.
- Collect forensics to prosecute hackers later.
Laura B. Smith is a contributing editor based in Swampscott, Mass.
