Between 1865 and 1885, the American West was the site of numerous battles between the U.S. Cavalry and the Native Americans, between cattle ranchers and sheepherders, and between outlaws and pioneers. As each new attack and battle unfolded, each side discovered that, no matter what it did, the other side somehow always managed to thwart it. However, despite the fact that each side knew the other side was doing its best to outwit and outmaneuver it, neither side gave up. Each continued to seek innovative ways to conquer the other.
And that's precisely what's happening today in our high-tech society. Today's version of the American West is the battle between hackers and Internet Web sites. Companies build Web sites to expand their businesses, and hackers break into them or flood them with attacks that attempt to cripple them or put them out of business.
In the latest rounds of attacks, hackers attempted to block such popular Web sites as Yahoo! and eBay by using what is known as a Distributed Denial of Service (DDOS) attack. In DDOS, a large number of DDOS servers send multiple requests (up to millions of requests per minute) to a given target server. The target server soon reaches the point where it shuts down because it is unable to process the sheer volume. At this point, not only have hackers been shut out, but legitimate users who want or need to get into that site have also been shut out. This type of hack is also hard to trace because it takes advantage of the way TCP/IP packets are routed around the Internet. Normally, when you send a request to a Web server, your request is broken up into multiple packets by your ISP or any router along the way en route to the target site. When the request reaches the target site, all the packets are reassembled into a single request that the target server processes. DDOS attacks exploit this fragmenting of information by creating orphan packets, that is, packets of data that don't have an apparent corresponding source address. Because of this, it is very hard to trace the origin of an attack, and the hacker's tracks are covered. Generating the flood of packets can take advantage of many legitimate features of the TCP/IP protocol. Often, these features were designed for legitimate diagnostic purposes, but, in the hands of a malicious individual, they can flood unsuspecting servers.
Methods of Prevention
DDOS is very dangerous because it disguises itself as a valid request. There are a few things you can do to prevent a DDOS attack, although probably not as many as you might like. Here are some suggestions I've culled from various sources on the Internet on ways you can help secure your Web site from a DDOS attack, or at least make it less vulnerable to attack:
Monitor your Web traffic. Almost all publicly provided Internet services use the so-called well-known ports, residing on port numbers below 1024. If you get hits on ports above port 1024, you may be getting hacked.
Use commonly available intrusion detection software to analyze the packet requests you receive. You can learn a lot from the contents of the packet. Specifically, check for the following:
o If a User Datagram Protocol (UDP) datagram contains only alphanumeric data (i.e., no spaces, carriage returns, punctuation, etc.), it may be because it has been Base64-encoded, meaning that it follows the pattern of well-known hacking attempts. You can filter out these types of requests.
o If the UDP datagram is larger than, say, 128 bytes, be suspicious. It could contain decoy information used to flood your server. The most common UDP sizes are 64 to 128 bytes. You should perform some reasonableness checking on larger UDP datagrams.
o Check to make sure that the bandwidth coming into your site doesn't exceed a maximum amount set by you. If it does, this could be a sign of a DDOS.
Find out whether or not your host vendor has created patches such as those for TCP SYN ACK to filter out well-known types of DDOS attacks. If your host vendor has created patches, apply them.
Lower the server's TCP time-out value. The lower you go, the less window of opportunity there will be for a hacker to exploit a given connection.
Do not allow anonymous FTP on your server. Anonymous FTP can be used to allow someone to start an FTP session on your system and then issue a remote command to pass through to another server where the process can be repeated, thereby creating an untraceable trail.
Using Operations Navigator with your AS/400, you can use IP Packet Security options to filter out unwanted requests, limit the allowable IP addresses that can connect to your system, and implement Network Address Translation.
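The traffic checks listed above (hits on ports above 1024, UDP payloads that are Base64-like or larger than 128 bytes, and an inbound bandwidth ceiling you set yourself) written out as a small Python screen run over a packet log. This is an added example, not code from the article or from any vendor's intrusion detection product; the packet records, source addresses and thresholds are constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
import string
WELL_KNOWN_PORT_MAX = 1023   # "well-known ports" live below 1024
UDP_SIZE_LIMIT = 128         # bytes; the article's "say, 128 bytes"
BASE64_ALPHABET = set(string.ascii_letters + string.digits + "+/=")

@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str       # "TCP" or "UDP"
    payload: bytes

def looks_base64(payload: bytes) -> bool:
    """Non-empty and made only of Base64 characters: no spaces, CR/LF or other punctuation."""
    if not payload:
        return False
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return False
    return set(text) <= BASE64_ALPHABET

def check_packet(pkt: Packet) -> list[str]:
    """Return the names of the article's heuristics this packet trips (empty = nothing odd)."""
    flags = []
    if pkt.dst_port > WELL_KNOWN_PORT_MAX:
        flags.append("high-port")
    if pkt.proto == "UDP":
        if len(pkt.payload) > UDP_SIZE_LIMIT:
            flags.append("oversized-udp")
        if looks_base64(pkt.payload):
            flags.append("base64-like-udp")
    return flags

def bandwidth_exceeded(packets: list[Packet], window_seconds: float, max_bytes_per_sec: int) -> bool:
    """Compare inbound bytes per second over the window with an operator-set ceiling."""
    return sum(len(p.payload) for p in packets) / window_seconds > max_bytes_per_sec

# Constructed sample traffic for this example; not captured from any real host.
SAMPLE = [
    Packet("192.0.2.10", 80, "TCP", b"GET / HTTP/1.0\r\n\r\n"),        # ordinary web hit
    Packet("192.0.2.11", 53, "UDP", b"\x12\x34\x01\x00\x00\x01"),      # binary, DNS-style header
    Packet("192.0.2.12", 31337, "UDP", b"QUJDREVGR0hJSktMTU5PUFFSU1RVVldYWVo="),  # Base64-like, high port
    Packet("192.0.2.13", 7, "UDP", b"A" * 512),                        # oversized UDP payload
]

def report(packets: list[Packet] = SAMPLE) -> dict[str, list[str]]:
    return {p.src: check_packet(p) for p in packets}
```

The binary DNS-style datagram passes every check while the Base64-like and oversized ones are flagged, which is the point of the article's reasonableness checking: an alphanumeric-only UDP payload stands out from ordinary binary protocol traffic.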
There are many other things you can do, but these will get you thinking in the right direction. (In fact, if you have any other suggestions, please email them to me, and I'll try to make them available in a future article.)
A Good Defense
Like the wars and battles of the Old West, hackers keep coming up with new ways to counter your defenses. It may seem futile even to bother trying to protect your site against such a moving target. However, not to provide any defense at all would be foolish. If the Cavalry hadn't built forts to retreat to, the Native Americans might have wiped them out. If cattle ranchers hadn't built fences, sheepherders might have had their flocks graze on ranchers' property. No single effort won any battle, just as no single defense on your part will protect your server. However, the combined effect of several good defenses can help you protect your most valuable asset in today's business environment: your Web site.