eToys attacks show need for strong Web defenses

By ELLEN MESSMER
Network World, 12/20/99

Network-based attacks against eToys last week and the emergence of a particularly destructive method for launching such raids are fresh reminders of the need for e-commerce sites to keep their defenses sharp.

Online retailer eToys has taken legal steps to prevent a Swiss art group from using the domain name etoy.com. Last week, that move prompted an Internet activist group to launch what are known as denial-of-service attacks on the toy seller's Web site with the intent of bringing it down.

Denial-of-service attacks involve the flooding of a Web site with bogus requests that wind up blocking legitimate ones. Denial-of-service attacks can be launched using any of dozens of programs available in hacker chat forums and on the Web, including new tools that enable attackers to bombard Web sites with traffic generated by thousands of machines.

Activist group RTMark attempted to justify its attack on eToys' Web site by citing the eToys vs. etoy case as the victory of corporate greed over art and freedom of expression. Declaring a war of revenge against eToys, RTMark sought to rally the public to use a denial-of-service tool called FloodNet to saturate the eToys.com site with network ping floods.

RTMark also engaged the help of the Electronic Disturbance Theater - a hacker group claiming to attack sites only on behalf of social causes - to help cripple eToys or deface its Web pages.

"We're going to make an example of them," claimed Ray Thomas, a San Francisco-based accountant and RTMark's spokesman, describing how the group wants to "destroy" eToys. The group's Web site made available information, such as eToys' IP address, that would give attackers helpful ammunition to shoot eToys down.

Over at eToys, which has kept a strong network-availability record during the holiday season, the e-commerce site showed only slight signs of trouble. It slipped from 100% availability to 98% once the RTMark call for attack went out, according to Service Metrics, an Internet measurement service.

Ken Ross, a spokesman for eToys, says the online toy store considers the technical defenses it is using against the protest group's sabotage to be "proprietary."

Security professionals have a number of recommendations for coping with such attacks, which are identified by strange names such as SYN Floods, LAND attack, Ping bomb, Ping O'Death, Fraggle, Smurf and WinNuke.

Security experts and e-commerce industry watchers believe denial-of-service attacks happen more often than they are reported. Most companies prefer not to acknowledge such attacks, often begging not to be identified in stories.

According to Paul Proctor, chief technology officer of CyberSafe's Centrax division, there are three categories of denial-of-service attacks.

One method involves flooding the line with ping traffic, or any "garbage to keep the router busy," Proctor says.

Using another method, an attacker can send malformed packets that give routers, firewalls or switches a kind of network indigestion.

Attackers also can scare off Web visitors by making them think something is wrong or dangerous about the site.

The discovery earlier this month of a new, more dangerous kind of denial-of-service tool on the 'Net has security pros sounding the alarm.

The new type of tool, which includes variations called Tribal Flood Network and Trin00, enables attackers to invade Web sites with bogus messages sent from many machines simultaneously. Until now, denial-of-service tools have limited attackers to launching a single ping flood, which wasn't usually enough to fill up the T-1 or T-3 bandwidth typically available at an e-commerce site, says Chris Klaus, chief technology officer at Internet Security Systems.

But the Unix-based Tribal Flood Network and Trin00 overcome that barrier: a single user running the appropriate client software can direct a coordinated attack on a target from thousands of compromised machines on which the tools' server software has been installed.

"I call these compromised machines 'zombies' because of the intended use of them in denial-of-service attacks," Klaus says. Attackers can remotely install Tribal Flood Network and Trin00 on unsuspecting hosts by exploiting buffer-overflow vulnerabilities or one of a handful of other vulnerabilities.

Klaus says thousands of these ping-launching zombie machines have already been identified, many in university and government networks that are unprotected by firewalls.

This new type of ping flooding capability means that a single attacker at his desktop could masquerade as a huge group sending out disabling pings.

What if your site gets hit by a distributed denial-of-service attack? According to a recent CERT Coordination Center advisory, the target of an attack may not be able to rely on Internet connectivity for communications. CERT suggests that firms have alternatives to the Internet for data communications.

CERT also recommends that if you discover one of these distributed attack tools installed on your servers, realize that it might provide information useful in locating or disabling other parts of the distributed attack network. "We encourage you to identify and contact other sites involved," CERT says.
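The distinction the article draws, between a single ping flood that rarely fills a T-1 or T-3 and a coordinated flood from thousands of zombies that does, is something a site can check for in its own flow records. The following is an added example, not code from the article or from any vendor named in it: it aggregates constructed flow lines (format `ts src dst proto bytes`, all addresses and volumes made up) per destination, compares the ICMP rate against the standard T-1 (1.544 Mbit/s) and T-3 (44.736 Mbit/s) line rates, labels the traffic as normal, single-source flood or distributed flood, and, following CERT's advice to identify the other sites involved, groups the flooding sources by /24 so each network's operator can be contacted once. The `FLOOD_BPS` and `DISTRIBUTED_SOURCES` thresholds are assumed tuning values, not figures from the article.

```python
"""Added example (not from the article): flag ICMP floods in constructed flow
records, tell a single-source flood from a distributed one, compare the
aggregate rate against T-1/T-3 line rates, and group flood sources by network
so the operators of compromised hosts can be notified."""
import ipaddress
from collections import defaultdict

# Standard line rates for the link types the article names, in bits/second.
LINK_CAPACITY_BPS = {"T-1": 1_544_000, "T-3": 44_736_000}

# Assumed tuning knobs; a real site would derive these from its own baseline.
FLOOD_BPS = 0.25 * LINK_CAPACITY_BPS["T-1"]   # ICMP alone above this is a flood
DISTRIBUTED_SOURCES = 100                      # this many sources => distributed


def parse_flow(line):
    """Parse one constructed flow line of the form 'ts src dst proto bytes'."""
    ts, src, dst, proto, nbytes = line.split()
    return {"ts": float(ts), "src": src, "dst": dst, "proto": proto, "bytes": int(nbytes)}


def classify(n_sources, bps):
    """Label a destination's inbound ICMP traffic."""
    if bps < FLOOD_BPS:
        return "normal"
    if n_sources >= DISTRIBUTED_SOURCES:
        return "distributed flood"
    return "single-source flood"


def summarize(lines, window_seconds):
    """Aggregate inbound ICMP per destination over a window of flow records."""
    per_dst = defaultdict(lambda: {"sources": set(), "bytes": 0})
    for line in lines:
        f = parse_flow(line)
        if f["proto"] != "icmp":
            continue
        per_dst[f["dst"]]["sources"].add(f["src"])
        per_dst[f["dst"]]["bytes"] += f["bytes"]
    report = {}
    for dst, agg in per_dst.items():
        bps = agg["bytes"] * 8 / window_seconds
        report[dst] = {
            "distinct_sources": len(agg["sources"]),
            "bits_per_second": bps,
            "saturates": {link: bps >= cap for link, cap in LINK_CAPACITY_BPS.items()},
            "kind": classify(len(agg["sources"]), bps),
        }
    return report


def sources_by_network(lines, dst, prefix_len=24):
    """Group the sources flooding `dst` by network, one entry per /prefix_len,
    so each network's operator can be contacted once (CERT's advice)."""
    nets = defaultdict(set)
    for line in lines:
        f = parse_flow(line)
        if f["dst"] == dst and f["proto"] == "icmp":
            net = ipaddress.ip_network(f"{f['src']}/{prefix_len}", strict=False)
            nets[str(net)].add(f["src"])
    return {net: sorted(hosts) for net, hosts in nets.items()}


def constructed_flows():
    """Constructed flow records covering a 10-second window (not real data)."""
    lines = []
    # Ordinary traffic: a handful of hosts pinging 192.0.2.10 once each.
    for i in range(5):
        lines.append(f"{i}.0 192.0.2.{100 + i} 192.0.2.10 icmp 64")
    # One host flooding 192.0.2.20 with 1,200 large pings over 10 s.
    for i in range(1200):
        lines.append(f"{i / 120:.3f} 198.51.100.7 192.0.2.20 icmp 1000")
    # 2,000 "zombies" spread over eight /24s, each sending 30 large pings to 192.0.2.30.
    for z in range(2000):
        src = f"10.{z // 250}.7.{z % 250 + 1}"
        for i in range(30):
            lines.append(f"{i / 3:.3f} {src} 192.0.2.30 icmp 1000")
    return lines


if __name__ == "__main__":
    flows = constructed_flows()
    for dst, r in summarize(flows, window_seconds=10).items():
        print(dst, r["kind"], f"{r['distinct_sources']} sources",
              f"{r['bits_per_second']:.0f} bps", r["saturates"])
    print(sorted(sources_by_network(flows, "192.0.2.30")))
```

On the constructed data the single host reaches 960 kbit/s, a flood by any site's standard but still short of a T-1, while the 2,000 zombies together exceed 48 Mbit/s and would saturate a T-3; the /24 grouping turns 2,000 addresses into eight networks to notify. In practice the thresholds should come from a site's own traffic baseline, and source addresses in a flood may be spoofed, so the grouping is a starting point for contacting upstream providers rather than proof of where the zombies sit.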

  Copyright, 1995-2000 Network World, Inc. All rights reserved.