The February distributed denial of service (DDoS) attacks on major U.S. sites such as Yahoo! and eBay were more than a wake-up call to the power of DDoS to bring anyone down – they demonstrated that being a small target doesn’t make a company safe from attacks.
As the dust settles from the barrage of attacks, fingers of blame are being directed not only at the perpetrators, but also at the companies that had their systems hacked to be unwittingly used against others.
“There are potentially some serious legal liability issues for companies that don’t take the necessary steps to make sure they are following best practices for protecting their networks,” said John Alsop, president and CEO of BorderWare Technologies in Mississauga.
“The real source of the problem is the many, many poorly secured Internet servers that are everywhere on the Internet. For every well-run site, there are hundreds or thousands of poorly-run sites, and in general the owners of those systems have simply not taken proper measures to secure them such as putting them behind a firewall. In some cases this has been a deliberate decision. In other cases it’s lack of awareness or lack of budget.”
Given how easily hackers can find unprotected sites using automated search tools, any company anywhere is vulnerable to being used.
“I suspect in the future, we may well see legal action being taken, particularly south of the border where they’re a lot more litigious than they are up here, where a company that is a victim of one of these attacks may go after the network service provider or another organization, saying they did not exercise due care in securing their systems,” Alsop said.
Nick Jones, e-commerce evangelist for Chapters Online, said the book e-tailer does the best it can to protect customer security and to prevent its own network from being hacked, but when it comes to being the target of the DDoS attack itself, there’s not much a Web site can do.
“In the case of denial of service, imagine a store, and someone’s hired 5000 people to show up and stand in the doorway. Customers can’t get in, and there’s not much you can do about that except wait those things out,” said Jones.
Mike Rothman, executive vice-president of SHYM Technology in Needham, Mass., is an expert on digital certificates. He said hack attacks, such as the one suffered by Real Names the same week as the big DDoS attacks, in which customer credit card information may have been compromised, could be prevented by the use of digital certificates.
“When you’re looking at some of these specific hacks out there, there’s not a lot you’re going to do from an applications perspective if people start flooding your network in a distributed denial of service attack. But when folks are looking at other attacks…such as brute force dictionary attacks on your applications, using a stronger level of cryptography in the form of a digital certificate is going to provide a greater level of security,” Rothman said.
A dictionary attack is one in which the hacker simply tries every possible password until one works.
Even using digital certificates to determine requests are coming from legitimate sources to block DDoS attacks is ineffective, Rothman said.
“That assumes a level of correlation, whether it’s IP addresses or something like that, and that ends up being more resource intensive than trying to filter out the IP addresses on the router.
“When you’re talking about flooding attacks, there isn’t much you can do through stronger authentication.”
But BorderWare’s Alsop said there is a way to prevent DDoS attacks; it just has to happen at the service provider level.
“The network service providers themselves can take steps. There are already well-known techniques that they should have been using that would have mitigated a lot of these problems,” Alsop said.
While it is difficult for the target site to determine what are legitimate requests and what are DDoS requests designed to shut the site down, service providers can filter at the packet level, he explained.
“When a packet goes across the Internet, it has a return address. However, that can be set by the person who originates the data to any value they like. In the case of these attacks, they were just putting in bogus return addresses,” because allowing the actual return address would result in them being traced rather quickly, Alsop said.
Service providers have the ability to detect bogus return addresses, and could drop or discard those packets.
“Packets are sort of like mail,” Alsop said. “Imagine if you’re Canada Post, and you pick mail from a drop box in downtown Toronto and all of the return addresses on the mail in that box say Germany. You would say, ‘That’s strange. Why is someone sending mail from downtown Toronto with a return address of Germany?’ That’s what happens with these packets on the network. They know these packets are coming from a certain place physically, but they have a return address that isn’t valid for that particular network connection.”
Alsop contended that if all service providers – not just some, because that won’t be sufficient – implemented checking techniques, many DDoS attacks would be prevented.
“People may not have done it up until now because it was perceived as a theoretical threat instead of a real-world threat. That’s changed, obviously,” he said, adding that the slight performance degradation from the added filtering would probably mean the expense of upgrading network gear on the service provider backbone.