Deluging a site with valid data from thousands of computers is a type of denial-of-service attack that has been considered largely unpreventable. Less than two weeks ago, such an attack made Unix software maker SCO Group's Web site largely inaccessible for several hours. A similar attack earlier this year cut off Arab news site Al Jazeera from the Internet for several days. Such attacks are quite common but frequently go unreported. A 2-year-old study of Internet traffic found that every week about 4,000 attacks lasting more than 10 minutes each are launched. Adrian Perrig, an assistant professor at Carnegie Mellon and Yaar's adviser, said that analyses based on large network simulations of Yaar's proposal are promising. "In the case that the (Internet) address is spoofed, our method wins hands down," he said. The PI number is stored in a part of network data packets that is largely unused: the 16-bit IP identification field. The identifier is used only when network data has been fragmented, which occurs in less than 10 percent of cases, said Perrig. One strength of the proposal is its ability to work even when only a fraction of ISPs -- 30 percent or more -- have adopted the proposal. Moreover, the proposal shifts the onus for fixing Internet security problems from the victim to the attacker's ISP because such attacks result in traffic from parts of the Internet close to the attacker being blocked by the victim's server. AT&T's Bellovin said those two results are what he likes about the plan. "But I'm worried about something that doesn't work well with fragmentation," he said, pointing out that many digital subscriber line (DSL) providers used a technique for network data that increases fragmentation. Such subscribers could find their Internet connection nearly useless during an attack, if Yaar's proposal became widely used. Second proposal
The second presentation, also by a graduate student at Carnegie Mellon, proposes that servers use "puzzles" -- problems that take a certain amount of processing time to solve -- as a means of taxing any computer that tries to communicate with the server. Such a technique, which has also been suggested as a way to defeat spammers who send unsolicited mass email, would help defend against DoS attacks that attempt to tie up a victim server's memory with hundreds or thousands of connections. The plan from XiaoFeng Wang asserts that such small tasks would hardly be noticed by legitimate users, while attackers would have to expend far more effort to do any damage. While others have suggested similar methods, Wang added to his proposal an auction-like transaction to further allow legitimate traffic to win out over attacks. "Our mechanism enables each client to 'bid' for resources by tuning the difficulty of the puzzles it solves and to adapt its bidding strategy in response to apparent attacks," Wang stated in the paper that outlined his findings. Bellovin also liked this idea but again said that certain issues need to be resolved. "It will work up to a point," he said. "The problem is that spammers and denial-of-service attacks are not using their own machines. If they need 16 times as many computers, they can -- most likely -- easily get that many more."
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section.
Let the editors know what you think in the Mailroom.
