February's Denial of Service Attacks

Greetings,

Now that the hype has passed since early February’s Denial of Service (DoS) attacks on such high-profile Web sites as eBay, Yahoo, and Amazon, it’s time to do a postmortem on what happened and the actions that were taken. I’m part of a team that manages a similarly high-profile Web site, and I admit, I didn’t do much out of my ordinary routine when the first few reports came in. After all, it’s irresistible for the media to use the word "hacker" alongside such big-name companies.

Nevertheless, the names of other high-profile Web sites came rolling in one after another in rapid-fire succession. As the news spread and these Web sites were hit, those that were public companies saw the price of their stock drop. At the same time, prices of security companies that focus on the Internet rose. Funny how it works that way.

DoS attacks are certainly nothing new. I needed to know more about what was happening, so I called one of my security friends who was happy to give me the gory methods of these attacks. Ironically, my friend has been very busy the past few weeks answering questions about this series of attacks. The IT community had been warned before January 1 about the possibility of a large, full-scale, distributed DoS attack. Sometimes, it takes media events like these to get the decision makers to spend money to secure Web sites and other networked assets. Would limitless security budgets have prevented a distributed DoS attack? Probably not. But CEOs and CIOs want to make sure they aren’t next in the headlines.

So, what’s a Web site administrator to do? The problem is, you can’t do much at the OS level to prevent DoS attacks. Imagine you’re the administrator of a Web site under attack. When the attack commences, calls might come in that some portion of your Web site is slow. You turn to your workstation and confirm that, indeed, the site is slow. Now that the attack is under way, the site won’t respond at all. Before too long, employees in other offices start griping about your Web site. You’re being bombarded from multiple points on the Internet by traffic that contains packets with faked headers that can never return to the source.

To make the situation more difficult, when the attack begins, your customers begin judging your company by the response time and how long it takes to return to service. Stopping these attacks requires the coordination of your ISP, your local networking folks, and your security officer.

I’ll talk more about this topic from time to time. I’ll talk about some of the technologies and methodologies in place to monitor and prevent attacks on Web sites today. Until next time.