QuickStudy: Denying Network Service

Computerworld - At least once each month, Terra Lycos SA's high-profile Internet media products, such as Lycos Mail, Tripod and Angelfire, come under a denial-of-service (DOS) attack. As host to more than 300 distinct Web sites and 40.3 million users, the international hosting and Internet media company makes an obvious target, explains Tim Wright, chief technology officer and CIO at Terra Lycos' U.S. headquarters in Waltham, Mass.

The attacks aren't the traffic-clogging distributed denial-of-service (DDOS) attacks that used remote-controlled servers to flood Amazon, Yahoo, eBay and others with debilitating levels of traffic in early 2000.

Oldie but Baddie

The DOS attacks Wright sees are much older than that. They're called syn flood, a type of attack that has been around as long as TCP. Syn floods fake the initial connection synchronization (syn) requests. The target responds with an acknowledgement (ack), for which it will receive no response. The target server holds the session open for a given length of time and then times out. A high-volume succession of these fake sessions prevents the machine from opening legitimate connections.

There's really no protection against syn floods, because they take advantage of the inherent purpose of routing protocols—to route TCP session connection requests. "The worst kind of attacks are where the protocol says it's normal," Wright explains.

Now, syn floods are getting a whole lot nastier. A new form of syn, called a distributed reflection denial-of-service (DRDOS) attack, knocked Laguna Hills, Calif.-based Gibson Research Corp. (GRC) off the Web for four hours in January.

A DRDOS attack is the inverse of a syn flood, says Steve Gibson, president of GRC. Gibson coined the term for the new attack method after his experience in January.

That's when attackers sprayed GRC.com's IP across core Internet routers and connected TCP devices, making them believe that GRC.com was trying to initiate a connection. Being the obedient devices that they are, they responded en masse to GRC.-com with their ack replies. GRC.com's server, knowing that it didn't initiate the TCP session requests, simply dropped the acks. Thinking their ack requests were lost in cyberspace, the devices tried again—up to four times—magnifying the attack.

Gibson says he's aware of many companies that have come under such DRDOS attacks. "Web hosting sites and other major sites are the biggest targets," he says. "You upset some script kiddie—they especially don't like spammers—and they'll punish somebody."

Filtering doesn't help because it slows all traffic, say Wright and Gibson. In a DRDOS attack, the ack packets come from everywhere, so there's no way to filter.

The only way to deal with such an attack is to take the target machine off the Web and wait it out, or ask your Internet service provider to "null route" (drop incoming syn or ack packets to the affected machine), Gibson explains. That way, the attackers can't block traffic to other machines on that network segment. But then, he adds, "the attacker's still won. They've shut your site down."

The Distributed Reflection DOS Attack Source: Gibson Research Corp., Laguna Hills, Calif.

What Can You Do? Syn flood remedies: Shorten how long a server will wait before timing out. Block traffic coming from the spoofed IP address. Use egress filtering to prevent your network from being used as a spoofed IP address. DRDOS remedies: At the time of the flood, ask your upstream service provider to “null route” packets coming at the IP. Unfortunately, this means dropping all packets coming into that IP address, which still results in a denial of service. Use traffic pattern analysis and network sniffers to help detect these attacks faster.

See additional Computerworld QuickStudies