
Protect and survive: network monitoring tools, rather than traditional security measures of firewalls and IDSs, provide the strongest protection against 'denial of service' attacks

Telecommunications International, August, 2002 by Jonathan Casey

The issue of network security has never been far from the top of the organisational agenda. However, it is pushed to the forefront when high-profile security attacks occur, such as the denial of service attack suffered by the Computer Emergency Response Team (CERT) last year. This made it clear that determined hackers can damage even the experts, and highlighted the fact that service providers and enterprises that depend on internet connections must take more stringent measures to protect themselves.

The notion that companies need to implement a full security policy is of course nothing new -- experts have been espousing the benefits of firewalls and intrusion detection systems (IDS) for years. However, as the CERT attack shows, anyone can get stung.

The CERT co-ordination centre is a hub of knowledge on internet security vulnerabilities and gives advice and training to improve network security. Last year the organisation was knocked offline for two days by a denial of service attack, which prevented anyone from accessing the CERT website. A spokesperson for CERT explained that its connection to the internet had been totally saturated by the attack. The irony here is that the group was most probably targeted for attack in the first place because of its status as a champion for internet security issues.

CERT is by no means alone in becoming the victim of a serious security threat. Since February 2000, when the first series of massive denial of service attacks took place, malicious attacks on systems and networks have been a regular occurrence. Several high-visibility internet e-commerce sites have been incapacitated by these attacks, including Yahoo, eBay and E*trade. Only last month, security watchers warned of a possible hack attack on the Microsoft SQL server port, and Oracle discovered two security holes in its 9i database.

Denial of service attacks

So what exactly happens inside the network when it undergoes a denial of service (DoS) attack? Firstly, the hacker identifies a vulnerability in one computer system, which can be exploited for maximum disruption. This hub can be used as a base for attacking other systems within the network that can be compromised. With one single command the intruder can instruct the 'master' machine to launch a flood attack against the target systems. Inundated with false packets of data, these systems shut down, thereby denying service to legitimate users. To stall an effective response to the attack, hackers often conceal their location by forging or 'spoofing' the IP source address of each packet they send.

Obviously the loss of service -- and the time taken for normal service to resume -- results in massive monetary losses for the targeted organisation. The independent research organisation the Standish Group estimates that unplanned system downtime will cost organisations €40 bn this year. Add to this the negative impact downtime will have on a company's brand reputation, and the implications are enormous.

The growth of e-business has driven more and more organisations to open their networks to wider audiences over the internet - including home and mobile workers, business partners, suppliers, and customers - in order to stay competitive. However, such open networks expose the organisations to intrusions. As hacker tools become more sophisticated and the amount of technical knowledge required to enter a network falls, organisations are exposed to a rapidly growing number of potential attackers. Thus the need for enhanced intrusion detection tools is clear. As Charles Kolodgy, research manager at IDC, states, "Today's business-critical networks require robust infrastructure protection which addresses both evolving business demands and ever increasingly sophisticated internal and external threats."

According to research published by the University of California's Cooperative Association for Internet Data Analysis (CAIDA), denial of service intrusion attacks are even more powerful and prevalent than previously estimated, with over 4,000 websites inundated with bogus traffic every week. What's even more worrying is that it's not only the big name sites such as Amazon and Hotmail that are targets for such attacks - small ISPs and home users with always-on internet connections are falling foul of security attacks too. For example, ISP Cloud Nine was forced to close down last year following repeated DoS attacks. CAIDA's study reveals that the majority of attacks against commercial targets have the power to significantly hamper network service and are fast enough to get through existing defence mechanisms.

During CAIDA's research period (three weeks for each of the 5,000 target organisations), nearly half the recorded DoS attacks reached the rate of 500 bogus packets per second - enough to overwhelm a standard server. When you learn that some attacks exceeded this rate by over 1,000 times it's apparent that there is an inconsistency between the existing security measures most companies have in place and the possibility of an attack. With hackers hiding themselves more effectively than ever, it is even more difficult for network operators to protect their systems from the exposure that increased internet traffic flows bring.
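The following is an added example, not part of the original article: a per-destination packet-rate check of the kind a network monitoring tool applies, using the 500 packets-per-second figure above and the forged source addresses described earlier. The flow-record format, the two-second persistence rule and every address are constructed assumptions.

```python
from collections import defaultdict

PPS_THRESHOLD = 500  # the article's figure: 500 bogus packets per second
MIN_SECONDS = 2      # assumption: a single one-second burst is not a flood

def detect_floods(records, threshold=PPS_THRESHOLD, min_seconds=MIN_SECONDS):
    """records: (timestamp, src_ip, dst_ip, packets). Returns sustained floods."""
    pps, srcs = defaultdict(int), defaultdict(set)
    for ts, src, dst, count in records:
        key = (dst, int(ts))          # one-second bucket per destination
        pps[key] += count
        srcs[key].add(src)
    hot = sorted(k for k, n in pps.items() if n >= threshold)
    alerts, run = [], []
    for key in hot + [None]:          # None flushes the last run
        broken = key is None or (run and (key[0] != run[-1][0] or key[1] != run[-1][1] + 1))
        if run and broken:
            if len(run) >= min_seconds:
                alerts.append({"dst": run[0][0], "start": run[0][1], "end": run[-1][1],
                               "peak_pps": max(pps[k] for k in run),
                               "max_sources": max(len(srcs[k]) for k in run)})
            run = []
        if key is not None:
            run.append(key)
    return alerts

def max_per_source_pps(records, dst):
    """Highest rate any single source address reaches towards dst."""
    per = defaultdict(int)
    for ts, src, d, count in records:
        if d == dst:
            per[(src, int(ts))] += count
    return max(per.values(), default=0)

def sample_records():
    """Constructed flow records; every address is from a reserved test range."""
    recs = [(s + 0.2, "198.51.100.5", "192.0.2.10", 40) for s in range(5)]  # normal
    for s in (1, 2, 3):               # flood: 600 forged sources, 1 packet each
        recs += [(s + i / 1000, f"198.18.{i // 250}.{i % 250 + 1}", "192.0.2.20", 1)
                 for i in range(600)]
    recs.append((2.5, "198.51.100.9", "192.0.2.30", 700))  # one-second burst
    return recs

if __name__ == "__main__":
    recs = sample_records()
    print(detect_floods(recs))
    print(max_per_source_pps(recs, "192.0.2.20"))
```

In the constructed data no single source ever exceeds one packet per second, so a per-source limit stays silent while the per-destination aggregate reports the flood.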


 


Content provided in partnership with Thomson Gale