The Computer Emergency Response Team (CERT) released a study that highlights recent trends in Denial of Service (DoS) attacks. CERT said that an influx of DoS tools began appearing on the Internet in June 1999. The team uses this timeframe as the starting point of its study, but it's careful to point out that DoS tools existed before that timeframe, some still in use now.
CERT points out that all systems connected to the Internet face a real threat from DoS attacks for two basic reasons: The Internet has limited resources, and security across the Internet is highly interdependent. DoS attacks have evolved over time from software that attacks systems on a one-to-one basis, to software that attacks on a one-to-many basis, to software that attacks on a many-to-many basis. However, the most common type of DoS attack reported to the team are those that consume the bandwidth between one attacking system and a particular endpoint by sending steady flood of packets. In many cases, those packets contain spoofed IP addresses or originate from a cracked system of an unsuspecting user.
The paper highlights the release of several rather infamous DoS tools as significant events since June 1999 and points out that security vulnerabilities in users' systems caused the insurgence of such tools. Intruders penetrate vulnerable systems either manually or by automated software, and the intruder subsequently installs the DoS tools to further penetrate or attack other systems. Intruders also use anti-forensics techniques to help hide the tools.
At one time, intruders ran one piece of software to scan for vulnerable systems, another piece of software to breach the security of any discovered vulnerable systems, and probably still other pieces of software to perform yet other intrusions or attacks. Today, computer engineer design many DoS tools to be self-contained and completely self-reliant, making them easier to employ than ever before.
Because of the increasing number of attacks against Windows-based systems, CERT published a technical paper in July 2001 that offers many tips to home users. CERT advises that Windows users run a personal firewall and be aware that virtual private network (VPN) technology can sometimes let intruders bypass personal firewalls. Be sure to read the study for details.
One of the most disturbing trends CERT sees is an increase in the use of routers as staging grounds for DoS attacks and other intrusion-related activity. According to the study, "reports indicate routers are being used by intruders as platforms for scanning activity, as proxy points for obfuscating connections to IRC networks, and as launch points for packet flooding DoS attacks." The team attributes the trends to the notions that intruders prefer routers because, as parts of the core network, routers can help intruders defend themselves against rival intruders. Also, users typically monitor routers less stringently than a server or workstation.
CERT expressed an extreme concern that intruders would use routers for direct DoS attacks against the routing protocols that move traffic around the Internet. The team considers this threat not only real, but imminent. If an intruder launched such a DoS attack, the impact would be high. Administrators should carefully monitor their routers. "Routing protocol attacks are being actively discussed in some intruder circles and have become agenda items at public conferences such as DefCon and Black Hat Briefings," the paper states.
CERT points out that full disclosure helps continually narrow the time gap between vulnerability release and exploitation, and patch release and application. However, CERT notes a trend toward nondisclosure within groups of intruders who seek to keep an advantage over rivals. The study points out that at the core, DoS attacks haven't changed significantly in recent years; what has changed is the technology intruders use in such attacks—-it's quickly becoming more sophisticated. Although CERT notes that vendors have made concerted efforts to raise security awareness, vulnerability life cycles still span 2 to 3 years, leaving plenty of vulnerable systems on the Internet.
In closing, the study stresses that in the near-term, trends in DoS tool evolution will certainly continue, but the tools will become aimed more at protocol specific attacks. CERT encourages network operators to carefully assess the trends and evaluate any changes that might be necessary to help address the trends in attack-related technology.
