Fighting the flood

If your company counts on the Web for any form of commerce, I'll bet your marketing department is still breathing down your neck asking if you're safe from distributed denial-of-service (DDOS) attacks. Well, you can tell them that while there's no foolproof solution, there are steps you can take to prevent becoming a victim of -- or an unwitting co-conspirator in -- such attacks.

DDOS attacks involve three layers -- the victim Web site, the Internet service providers (ISP) and the "zombie" machines that unwittingly launch the attacks. The organizations involved at each layer hold some culpability.

The Zombie Layer

To launch the attacks, crackers broke into hundreds of servers, most of them at universities, and installed .exe Trojan horse programs.

University servers make dangerous Internet neighbors. They are notoriously the least-protected machines connected to the Internet, making them the favorite launch points of hackers even before the days of Kevin Mitnick.

Here's how to prevent your servers from being used as zombies in future DDOS attacks:

  • Create and enforce security policies that follow best security practices, says Jeff Johnson, president of Meta Security Practices Group in Washington.

    "Each of the machines used in the (recent denial-of-service) attacks weren't even taking reasonable security measures," says Johnson.

  • Scan regularly (at least once a month) for Trojans and vulnerabilities, says Jerry Zepp, chief security officer at, a business hosting firm and Internet provider in Atlanta.

    He says his favorite scanner is available for free at .

  • Raise user awareness. Since Trojans are often downloaded in .exe mail attachments, remind users not to open them, emphasizes Zepp.

  • Close unused UDP, TCP and FTP ports, which can serve as avenues for attack.

  • And, for goodness' sake, install some firewalls.

    Ken van Wyk, CIO at the security services firm Para-Protect Inc. in Alexandria, Va., spent eight years working in academia. "I do not know of a single university that is running a firewall on its campus network," he says. "In the business world, that would be unacceptable."

    The ISP LayerInternet service providers need to do the following:

  • Monitor for severe variances in traffic going to business clients, then alert those clients and block traffic if it reaches suspicious levels, says Johnson.

  • Put filters on the routers monitoring traffic from other providers to detect spoofed IP addresses and block unusually large traffic loads, adds Zepp.

  • Sharpen response time, adds Brian Koref, senior security engineer at Conxion Corp., a business Internet provider in San Jose.

    ISPs need a clear path of communication to the security administrator at upstream Internet providers in an effort to trace the attacker's IP address to its origin during an attack.

    Good news: About 23 ISPs (Comstar included) have joined Reston, Va.-based's Internet security alliance ( ), whose members pledge to work together to defend against DDOS attacks.

    The Victim Web Site LayerTo defend your Web site, Meta's Johnson says you should create a contingency plan that can put you back online in 10 or 15 minutes instead of two hours. This should include ways to quickly determine if you're under attack and identify who's responsible for countermeasures.

    Web sites also need fail-over servers and Internet connections to take over from those overwhelmed by an attack, Johnson adds.

    But Koref says it isn't easy to build a fail-over system that won't route the attack along with legitimate traffic. (Some companies establish connections with multiple Internet service providers so they can route traffic away from the ISP being attacked.)

    Instead, Koref suggests addressing these vulnerabilities at the server by limiting the number of connections to a box and limiting the amount of time a TCP session remains unfulfilled. (The traffic used in a denial-of-service attack opens sessions with the server but doesn't complete them, leaving the server idle and unable to accept other traffic.)

    One way to do this is to click the properties tab "SYN defender" for a CheckPoint firewall. This will automatically reset SYN packet connections if they go unanswered for more than a few seconds.

    Build up your outer wall of defensive routers. Most e-commerce businesses have one or two routers between their Web servers and the Web. Johnson recommends fronting each of these routers with four or more inexpensive routers to reduce the choke point if packet snowstorms hit.

    Between all these routers and the Web server, install multiple intrusion-detection systems, says Johnson.

    And as Zepp says so eloquently: "If you are going to conduct business on the Internet, you must assume that you will be DOSed off the network at some point in time."

    Which leads me to my last word on this subject: policy.

    Nothing will happen without a solid, enforced security policy. Every organization, whether it's a potential victim, an ISP or an unwitting co-conspirator, is toast without one.

  • Related:

    Copyright © 2000 IDG Communications, Inc.

    Shop Tech Products at Amazon