________________________________________________________________________________

-- Hacker Havoc Reveals Risks
-- DoS: Defense Is the Best Offense
-- Doing Away with DoS

--------------------------------------------------------------------------------

Wired News
Hacker Havoc Reveals Risks
by Joanna Glasner
3:00 a.m. 10.Feb.2000 PST

The string of recent attacks on major Web sites is drawing attention to the fact that few Net companies have financial safeguards to withstand prolonged service disruptions.

Although insurance companies have recently begun offering policies protecting Web sites against lost traffic, few companies have signed up. Many of the largest sites, in fact, don't have any policies addressing such problems.

That could change, however, as this week's spate of so-called denial-of-service attacks makes Web sites more aware of security risks.

"We're getting a lot of calls after the famous Yahoo problem," said Emily Freeman, senior vice president at the insurance firm Marsh Inc., which offers a policy called Net Secure that covers losses from denial-of-service attacks, computer viruses, and other security breaches.

Yahoo was the first major Web property to fall victim to the recent slew of hacker attacks, which rendered Yahoo's site inaccessible for about three hours Monday. Successive attacks have hit Amazon.com, eBay, Buy.com, ZDNet, CNN, eTrade, and others.

"There are some pretty big losses mounting up," said John Wurzler, CEO of J.S. Wurzler Underwriting Managers, which sells insurance covering security breaches to Web sites.

Wurzler said it's tough to calculate how much money companies lose as a result of their sites being out of service. Losses include traffic that goes to other sites when users discover that their hopeful destination is inaccessible. Sometimes they don't come back.

He estimates a company like Buy.com loses close to $100,000 in revenue alone for every hour it is shut down.
Several companies affected by this week's attacks were either unavailable or declined to comment on how they are insured for such losses. ZDNet officials said the company does not have insurance for security breaches but is looking into it.

In recent filings with the Securities and Exchange Commission, several other companies touched on security issues in required risk disclosure statements.

In a January securities filing, Yahoo noted that its computer systems are vulnerable to attack and that "we do not carry sufficient business interruption insurance to compensate us for losses that may occur as a result."

Buy.com disclosed that it does not have a formal disaster recovery plan in effect and might not have enough insurance to cover large-scale site shutdowns.

Wurzler said most Web sites buy insurance policies in the $1 million to $3 million range, for which they typically shell out between $15,000 and $30,000 annually.

A few sites are taking out much bigger policies, however. Marsh's largest policy, for a client that the company did not disclose, offers maximum compensation of $100 million.

Freeman expects the practice of insuring Web sites will eventually become as mainstream as insuring traditional storeowners.

Web sites in addition to Yahoo have admitted in their federal securities filings that they need an additional financial safety net. A filing made by Amazon.com Monday for a debt offering revealed an example of corporate exposure in the event of a catastrophe.

"We maintain substantially all of our computer and communications hardware at a single leased facility in Seattle, Washington. ... We do not have backup systems or a formal disaster recovery plan, and we may not have sufficient business interruption insurance to compensate us for losses from a major interruption."
http://www.wired.com/news/business/0,1367,34229,00.html

--------------------------------------------------------------------------------

Wired News
DoS: Defense Is the Best Offense
by Chris Oakes
3:00 a.m. 10.Feb.2000 PST

The Net is under attack, and the electronic pathways to e-commerce Web sites are clogging up like old pipes. Is there really no defense?

Security experts agree that attacks that blocked access to Yahoo, eBay, and other popular Web sites during the last three days are indefensible as they occur.

"In most cases, there's little that can be done," said Elias Levy, chief technology officer for SecurityFocus.com.

Levy said the Net's administrative and security professionals like himself have convened several times during the last six months to dream up solutions for the very types of attacks that sent some of the Web's biggest names scrambling this week. Meetings of the North American Network Operators Group and security conferences such as last month's RSA Security Conference have focused on how to defend against a denial-of-service attack.

"We all came out pretty much empty-handed," Levy said. "The reason being that packets are sent with random addresses and can change. So trying to filter them can be difficult."

"There is no magic bullet," agreed Gary Grossman, director of security research and development for Exodus, one of the Web hosting companies serving sites affected by this week's attacks. "We did apply some perimeter filters as the attack was going on, and were able to stop that traffic from reaching our customers. But it's not something that's automatic."

The situation was still variable late Wednesday, Grossman said.

But that doesn't mean there aren't changes in technology and policy that can at least mitigate the impact of future attacks. Experts say the best way is to take away the launch pads from which the flood originates in denial-of-service attacks.
"Unfortunately, the best solution is to prevent [your own systems] from being used in an attack," said Peter Shipley, chief security architect for security firm KPMG. "It's difficult to filter against an attack -- but it's very easy to stop your own site from being used to stage one."

Denial-of-service attacks commandeer random computers that have high-bandwidth connections to the Net. From those computers, a flood of data is unleashed and aimed at a single Web target.

"They had to have had access to many computers," said Matthew Parks, product marketing manager at Web monitor Keynote Systems, which was watching the attacks' effects on Net traffic over the last two days. "Especially since Yahoo, eBay, or Amazon are sites who have been scaled to handle millions and millions and millions of customers, they had to generate quite a lot of traffic."

Attackers instruct the computers to send out a high volume of data packets destined for a targeted Web site. Multiple "staging" sites mean all the more data to flood Yahoo or any other domain.

There is a distinguishing feature of the data that can help administrators red-flag it when their own computers are being used to generate it. Packets, like letters in the mail, have a return address on them. But denial-of-service attacks use packets' faked return addresses to keep them from being traced and stopped.

If administrators implemented filters in their computers that would refuse to send packets that didn't have the proper return address, experts like Levy and Shipley say it would go a long way to thwarting such massive attacks.

"As a whole [Internet community], we need to apply filters to routers, so when packets go out onto the Net, any packets that have fake addresses are stopped," Levy said.

Web hosting companies agreed that the ultimate solution lay beyond their own network borders.
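The source-address filter Levy and Shipley describe, as an added illustration in Python that is not part of the Wired articles: a border device forwards only outbound packets whose source address lies in a prefix the site actually owns, and the internal hosts behind the dropped packets are the "launch pad" candidates that the Rutgers staff in the third article watch for. The site prefixes, host names and packet records below are constructed sample data.

```python
"""Egress (source-address) filtering at a site border, plus a tally of which
internal hosts are emitting forged-source packets.  Constructed example."""
import ipaddress
from collections import Counter

# Hypothetical prefixes allocated to this site.  Any other source address on
# an outbound packet cannot be legitimate and is the tell-tale of spoofing.
SITE_PREFIXES = [ipaddress.ip_network("192.0.2.0/24"),
                 ipaddress.ip_network("198.51.100.0/25")]

# Constructed outbound packet records: (internal host, source, destination).
SAMPLE_OUTBOUND = [
    ("lab-mac-01", "192.0.2.17",    "203.0.113.9"),
    ("lab-mac-01", "192.0.2.17",    "203.0.113.9"),
    ("lab-mac-02", "45.6.7.8",      "203.0.113.9"),   # forged source
    ("lab-mac-02", "11.22.33.44",   "203.0.113.9"),   # forged source
    ("lab-mac-02", "198.51.100.77", "203.0.113.9"),
    ("lab-mac-03", "10.0.0.5",      "203.0.113.9"),   # private source, also forged
]


def legitimate_source(src: str) -> bool:
    """True when the source address belongs to one of the site's prefixes."""
    addr = ipaddress.ip_address(src)
    return any(addr in net for net in SITE_PREFIXES)


def egress_filter(records):
    """Split outbound records into (forwarded, dropped); dropped carry a reason."""
    forwarded, dropped = [], []
    for host, src, dst in records:
        if legitimate_source(src):
            forwarded.append((host, src, dst))
        else:
            dropped.append((host, src, dst, "source not in site prefixes"))
    return forwarded, dropped


def spoofing_hosts(dropped):
    """Count dropped packets per internal host: the machines to investigate
    as possible staging points for an attack on someone else."""
    return Counter(host for host, *_ in dropped)


if __name__ == "__main__":
    fwd, drp = egress_filter(SAMPLE_OUTBOUND)
    print(f"forwarded={len(fwd)} dropped={len(drp)}")
    for host, n in spoofing_hosts(drp).most_common():
        print(f"{host}: {n} forged-source packet(s)")
```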
"The place where the fix needs to be applied is at the access side where the source addresses are being spoofed -- and also at all of the various insecure hosts that are owned by the bad guys and are being used as distribution points," said Paul Vixie of AboveNet. The company provides hosting services to eBay, one of the victimized sites in this week's attacks.

Exodus' Grossman said if all ISPs limited the source addresses of packets allowed out of their network, "we'd have a lot less of these kinds of problems."

"Like lots of different kinds of attacks, these things have a lifetime," Grossman said. "We're early in the lifetime in the sense that the attack is out there and the community is trying to figure out effective ways of dealing."

Security companies, meanwhile, were using the news to trumpet their own purported fixes.

"We have a product that actually pinpoints these transaction bottlenecks before they result in disaster," said Cynthia Sterling, spokeswoman for ProactiveNet. The company's ProactiveNet Watch and ProactiveNet eBiz products use a "base-lining" capability that alerts administrators to abnormalities and identifies the source of the trouble as application or networking problems.

But Grossman said such solutions don't solve denial-of-service attacks. "I don't think it was that kind of problem. We're talking about distributed denial-of-service attacks here. They don't have anything to do with the content on our customers' servers."

http://www.wired.com/news/technology/0,1282,34230,00.html

--------------------------------------------------------------------------------

Wired News
Doing Away with DoS
by Michelle Finley
3:00 a.m. 10.Feb.2000 PST

Denial-of-service attacks only just came into the limelight, but they're far from new. At Rutgers University in New Jersey, they've been fending them off for a while.
The good news is that low-grade DoS assaults have given the university's information technology staff a head start in planning and implementing protection programs. But they're increasingly concerned that university networks could be exploited by hackers carrying out a DoS attack on someone else.

During the past year, a university official's own informal network status-tracking has turned up frequent instances of low-key but suspicious activity on Rutgers' servers. Some of these attacks had little effect on the network, but others slowed access to the Internet gateway and caused internal systems to turn sluggish.

"I have no doubt that people have been trying to do this to all our servers ... just taking a list of IP numbers and finding out whether there is a vulnerable computer on the network. They can then flood that computer with queries so that it will completely gum up the network, or try to hijack it to use it in their attacks on other systems," said Wise Young, director of Rutgers' Center for Collaborative Neuroscience in Piscataway, New Jersey.

Trouble was first brought to Young's attention last year, when Rutgers computer monitors told him to shut down an open SMTP node on one of the Mac servers. That led to new protections on the server and monitoring activity within the network.

To prevent attacks, Rutgers' entire network is routinely scanned for unusual or suspicious network activity. A Web-based monitoring system checks its major routers. A slowdown in server activity means Rutgers should look for evidence of DoS, Young said.

He said it's difficult to tell exactly how many times his lab has been subject to DoS attacks because until recently Rutgers seldom paid attention to the issue. But lately officials there have been watching, and suspicious signs of what appeared to be small-scale DoS attacks have become a more frequent occurrence at the center.
In response, Young and his staff have increased their vigilance substantially -- no small feat in a system that's supposed to be kept as open as possible.

Rutgers' Neuroscience Center was designed from the ground up for collaboration between university labs and over 60 others around the world. Every part of the laboratory is specialized for open communication and sharing of visual, audio, and numerical data, as well as real-time remote personal interactions. Even the laboratory instruments are designed to allow multiple users to use devices such as a $375,000 confocal microscope from a distance via networked connections.

Young realized that the openness of his lab was an invitation to hackers and even just-plain-bored computer science students. He has now set the servers in the laboratory to notify him by email if there is any unauthorized use of the systems in the center, and regularly runs programs to evaluate activity on the servers and network.

Rutgers' computer services group also is focused on preventing its computers from being used as a vehicle for transmitting DoS attacks. Young believes that university networks are the perfect targets because of their large numbers of powerful networked computers and a commitment to open access.

IT staff has identified and monitors all computers at the university that can be accessed by an outsider and used to send out signals to other computers. All SMTP nodes, for example, are carefully protected and screened.

The university refused to comment further on specifics of their DoS protection plan, citing security issues.

"People are running scared," said a faculty member who requested anonymity. "They don't want to draw attention to themselves. They don't want to become a target."

http://www.wired.com/news/technology/0,1282,34249,00.html

________________________________________________________________________________

no copyright 2000 rolux.org - no commercial use without permission.