What government can do to prevent denial-of-service attacks
- By Shawn McCarthy
- Oct 04, 2001
Shawn P. McCarthy
The United States has other kinds of attacks to worry about these days, but ongoing attacks against government Web servers continue to be a top concern.
It's vital for citizens to continue to communicate with their government agencies online. We must not allow such valuable services to be shut down by a bunch of hacker-wannabes with too much time on their hands and little expertise other than how to launch distributed denial-of-service attacks.
In a time of crisis, the situation becomes doubly chaotic. Government should defend itself on a broader scale against these troublesome attacks.
It might mean changing the way IP addresses are assigned to government servers, or creating new rules for the way data is routed through government networks.
Distributed denial-of-service attacks flood a Web server with so many data requests that it can't keep up with legitimate traffic. Such attacks usually come from dozens or hundreds of other servers worldwide that have been taken over and programmed to automatically send thousands of bogus requests. These so-called zombie machines respond to a remote command or at a scheduled time.
The main reason service-denial attacks succeed is that the Internet works hard to deliver any data packet with a viable 'to' address. Someone can spoof the 'from' address in a packet and dump it anywhere on the Net to reach its target.
Such an attack is hard to shut down. It requires hunting upstream to identify the point of origin and go after the perpetrator. I've written about ways to battle worms and flood attacks [GCN, Aug. 13, Page 29
and March 6, 2000, Page 34
]. But single-site solutions are more reactive than proactive.
The government has many interconnected networks and Web sites that live in many places, including on contractors' servers. It's nearly impossible to establish a set of rules for how disparate machines should deal with service-denial attempts.
Can that change? It might have to, because government networks definitely need better security. We must take away hackers' ability to spoof packets, at least on government networks.
Here are some ideas for the .gov
domain to make things safer.Establish egress filtering on every federal Web server to prevent it being used to launch zombie attacks on other servers.
Pass legislation requiring U.S. Internet service providers to set up egress filtering, too. This is a controversial step, but the time has come for radical measures.
Invest in low-cost, simple tracing software to find the data traffic's origination. One $20 product is McAfee Visual Trace, downloadable from mcafeestore.beyond.com/Product/0,1057,3-18-sn107799,00.html.
Keep bad packets out by pressuring your Internet service provider to trace them when you point out a specific pattern. If you get no cooperation, change providers.
Specify a set of IP addresses for use only by government servers. Do special filtering and monitoring of packets targeted to this set of numbers.
Finally, think about whether all .gov sites should use a single, tightly regulated and internally managed provider.
What if all queries to federal servers went through a set of massive routers'a government version of the MAE West and MAE East Internet hubs? Visit www.mae.net.
These are my ideas for changing the rules to defeat service-denial attacks. I'd like to hear GCN readers' views.
Shawn P. McCarthy designs products for a Web search engine provider. E-mail him at firstname.lastname@example.org.
Shawn McCarthy, a former writer for GCN, is senior analyst and program manager for government IT opportunities at IDC.