Taking aim at denial-of-service attacks

BERKELEY, Calif.--Graduate students from Carnegie Mellon University on Monday proposed two methods aimed at greatly reducing the effects of Internet attacks.

In two papers presented at the IEEE Symposium on Security and Privacy here, the graduate students suggested simple modifications to network software that could defeat denial-of-service attacks and that could be implemented in the current protocol used by the Internet. The symposium, sponsored by the Institute of Electrical and Electronics Engineers, began Sunday and lasts through Wednesday.

Steven Bellovin, a research fellow in network security at AT&T Labs, said both proposals are credible attempts at solving for network administrators the sticky problems of denial-of-service attacks.

Denial-of-service attacks essentially come in three varieties: those that tie up the intended victim's Web server by, for example, sending in a flood of valid data; those that consume so much memory that the server essentially freezes; and those that exploit a software flaw and cause the server to freeze or crash. The two proposals address the first two types of denial-of-service attacks.

The first proposal came from Abraham Yaar, a graduate student in computer engineering at Pittsburgh's Carnegie Mellon. He suggests a method to solve attacks that are based on a flood of data from forged Internet addresses.

The proposal takes advantage of largely unused bits in the headers of network traffic--the digitized address information attached to each electronic message--to fingerprint data based on the route the information took through a network. A victim suffering from an onslaught of data could use the fingerprint, or path-identifier number, to decide whether the traffic from certain regions of the Internet should be blocked by its Internet service provider.

"Even when the total attack traffic is 170 times the legitimate traffic, 60 percent of a server's capacity is still allocated to legitimate users," Yaar said after his presentation.

Preventable deluges?
Deluging a site with valid data from thousands of computers is a type of denial-of-service attack that has been considered largely unpreventable. Less than two weeks ago, such an attack made Unix software maker SCO Group's Web site largely inaccessible for several hours. A similar attack earlier this year cut off Arab news site Al Jazeera from the Internet for several days.

Such attacks are quite common but frequently go unreported. A 2-year-old study of Internet traffic found that every week about 4,000 attacks lasting more than 10 minutes each are launched.

Adrian Perrig, an assistant professor at Carnegie Mellon and Yaar's adviser, said that analyses based on large network simulations of Yaar?s proposal are promising. "In the case that the (Internet) address is spoofed, our method wins hands down," he said.

The path-identifier number is stored in a part of network data packets that is largely unused: the 16-bit Internet Protocol (IP) identification field. The identifier is used only when network data has been fragmented, which occurs in less than 10 percent of cases, said Perrig.

One strength of the proposal is its ability to work even when only a fraction of ISPs--30 percent or more--have adopted the proposal. Moreover, the proposal shifts the onus for fixing Internet security problems from the victim to the attacker's ISP because such attacks result in traffic from parts of the Internet close to the attacker being blocked by the victim?s server.

AT&T's Bellovin said those two results are what he likes about the plan. "But I'm worried about something that doesn't work well with fragmentation," he said, pointing out that many digital subscriber line (DSL) providers used a technique for network data that increases fragmentation. Such subscribers could find their Internet connection nearly useless during an attack, if Yaar's proposal became widely used.

The puzzle method
The second presentation, also by a graduate student at Carnegie Mellon, proposes that servers use "puzzles"--problems that take a certain amount of processing time to solve--as a means of taxing any computer that tries to communicate with the server. Such a technique, which has also been suggested as a way to defeat spammers who send unsolicited mass e-mail, would help defend against denial-of-service attacks that attempt to tie up a victim server's memory with hundreds or thousands of connections.

The plan from XiaoFeng Wang asserts that such small tasks would hardly be noticed by legitimate users, while attackers would have to expend far more effort to do any damage. While others have suggested similar methods, Wang added to his proposal an auction-like transaction to further allow legitimate traffic to win out over attacks.

"Our mechanism enables each client to 'bid' for resources by tuning the difficulty of the puzzles it solves and to adapt its bidding strategy in response to apparent attacks," Wang stated in the paper that outlined his findings.

Bellovin also liked this idea but again said that certain issues need to be resolved.

"It will work up to a point," he said. "The problem is that spammers and denial-of-service attacks are not using their own machines. If they need 16 times as many computers, they can--most likely--easily get that many more."