Source: automatically imported from http://commons.somewhere.com:80/rre/2000/RRE.denial.of.service.at.html
Red Rock Eater Digest
[RRE] denial of service attacks
[The discussion of the recent denial of service attacks at Stanford announced herein will be available online to those with MediaPlayer. (Why MediaPlayer? Don't ask me.) Gene Spafford's piece is forwarded by permission, and all three pieces have been reformatted to 70 columns.
The most disturbing aspect of the recent denial of service attacks on major Web sites, in my view, was not the damage they caused, which was real enough if overhyped, or the vulnerabilities they revealed, which we knew about. Rather, it's the emerging dynamics of computer security as a public issue. These problems can all be fixed on a technical level, but that apparently won't happen until certain parties get a fire built under them. Even though anybody who broke any laws should be prosecuted, these attacks could have been a lot worse, and the benefit to society from them will probably end up outweighing the harm. But this project of getting society's attention can easily go badly wrong. Every day that the underlying technical problems are not solved, the "infrastructure protection" establishment grows bigger and stronger. This establishment observes, correctly, that a site with bad security doesn't just hurt itself. These latest attacks worked by using poorly secured sites as weapons against well-secured ones. We haven't seen the beginning of the peer pressure that sites with poor security will experience as these problems grow worse, especially university sites that refuse to create huge firewalls as a matter of principle. And if peer pressure doesn't do it, then the "infrastructure protection" establishment will be happy to take over the pressuring.
But simply pressuring individual sites is not the answer; the problem is systemic, and it starts with the architectural frailties of widely used software. I spent a half-hour the other day trying to explain to a normal, non-technical person who operates a Web site for her small business the steps that she would have to take to secure her home computer against the major categories of plausible attacks. It was ridiculous; she had no idea what I was talking about. You should have seen the look on her face when she finally grasped the concept of a virus, and then you should have seen the look on my face when I had her explain it back to me. Imagine if she had had a cable modem.
Yet this is what it means to have a community: you have a framework within which people can pursue their individual projects and engage in their various associations, and if the framework doesn't function correctly then the whole thing threatens to collapse into chaos or authoritarianism. Some anarchists think that the only purpose of such a framework is to render government inoperative, but distributed denial of service attacks make clear why there's more to it. If the Internet community cannot establish a community framework that does not enter any downward spirals in the presence of antisocial people, then a framework will be imposed -- by "government", sure, but with perfect justification and the support of a majority of normal people. We're rebuilding our whole society on top of a technology that does not work, and that's not smart.]
---
This message was forwarded through the Red Rock Eater News Service (RRE). Send any replies to the original author, listed in the From: field below. You are welcome to send the message along to others but please do not use the "redirect" option. For information about RRE, including instructions for (un)subscribing, see http://dlis.gseis.ucla.edu/people/pagre/rre.html or send a message to requests@lists.gseis.ucla.edu with Subject: info rre
---
Date: Fri, 18 Feb 2000 17:45:31 -0800 (PST)
From: ee380
STANFORD UNIVERSITY COMPUTER SYSTEMS LABORATORY COLLOQUIUM
4:15PM, Wednesday, February 23, 2000
Gates Computer Science Building, Room B03 (NEC Auditorium)
Topic: Perspectives on Distributed Denial of Service Attacks
Speakers: David Brumley, Stanford University; Joel de la Garza, Securify Labs; Mark Seiden, Securify Labs
About the talk:
"...still no news on who is behind the concerted DoS attacks that so crippled America's ability to buy Pokemon trading cards earlier this week." --"Need to Know", www.ntk.net
"In a case like this, there is no Interpol, no Pinkerton's, that you can turn to for help." --Wall Street Journal
"Who're you gonna call?" --Ghostbusters
Recent attacks on e-commerce sites have demonstrated the trust misplaced in today's Internet Protocols, and the codependence between the vast shopping mall that the Internet has become and government, law enforcement, and journalism.
We'll go in some detail into denial of service attacks: how they work, what happened in these cases, and how they can be prevented, detected and responded to.
Maybe we'll even show you some juicy chat sessions which took place among possible perpetrators of some of the attacks.
About the speakers:
David Brumley is the Assistant Computer Security Officer for Stanford University. He has responded to over 1000 incidents, authored such programs as the remote intrusion detector (RID) and SULinux (Stanford University Linux). David received his bachelor's degree in Mathematics from the University of Northern Colorado.
Joel de la Garza is a security consultant for Securify. He attended Stanford University where he began working for SUNsET, Stanford University's Network Security Team. He was a founding member of the Meeker Group, which worked to develop web applications for the medical device industry.
Mark Seiden is Director of Securify Labs and Practice Area Head for Physical Security (see www.securify.com). Programming since the '60s, consulting for 17 years in diverse areas of network engineering and security, clients have included major computer companies, investment banks and law firms, UN agencies, online content providers, ISPs, research projects and non-profits. A minor-league writer, he's been published in the New York Times, Wired, Sun Expert, Unix Review and (after being involved in a number of high profile activities, such as the pursuit and capture of Kevin Mitnick) was featured as one of the 50 CyberElite by Time Digital.
Contact information:
www.securify.com
FORTHCOMING LECTURES
Mar 1: David Mosberger, Walt Drummond. IA-64 Linux Kernel Internals.
Mar 8: Gary Hudson. Commercial Rockets: Optimal Blending of Hardware, Software, and Meatware.
---
EE380 is the Computer Systems Laboratory Colloquium. The Colloquium meets most Wednesdays throughout the normal academic year. The class is broadcast over SITN and taped for late viewing in the Engineering Library. EE380 is now available live on the Internet! For additional information please consult the class web page http://www.stanford.edu/class/ee380
---
+----------------------------------------------------------------------------+
Date: Sat, 19 Feb 2000 12:59:48 -0500
From: Gene Spafford
Infosecurity at the White House
Gene Spafford
Prolog
Last week (ca. 2/8/00), a massive distributed denial of service attack was committed against a number of Internet businesses, including e-Bay, Yahoo, Amazon.com, and others. This was accomplished by breaking into hundreds (thousands?) of poorly-secured machines around the net and installing packet generation "slave" programs. These programs respond by remote control to send packets of various types to target hosts on the network. The resulting flood effectively shut those target systems out of normal operation for periods ranging up to several hours.
The press jumped all over this as if it was something terribly new (it isn't -- experienced security researchers have known about this kind of problem for many years) and awful (it can be, but wasn't as bad as they make it out to be). One estimate in one news source speculated that over a billion dollars had been lost in lost revenue, downtime, and preventative measures. I'm skeptical of that, but it certainly is the case that a significant loss occurred.
Friday, Feb 11, I got a call from someone I know at OSTP (Office of Science and Technology Policy) inquiring if I would be available to meet with the President as part of a special meeting on Internet security. I said "yes." I was not provided with a list of attendees or an agenda. Initially, I was told it would be a meeting of security experts, major company CEOs, and some members of the Security Council, but that was subject to change.
The Meeting
I arrived at the Old Executive Office Building prior to the meeting to talk with some staff from OSTP. These are the people who have been working on the Critical Infrastructure issues for some time, along with some in the National Security Council. They really "get it" about the complexity of the problem, and about academia's role and needs, and this may be one reason why this was the first Presidential-level meeting on information security that included academic faculty.
After a few minutes, I was ushered into Dr. Neal Lane's office where we spent about 15 minutes talking. (As a scientist and polymath, I think Lane has one of the more fascinating jobs in the Executive Branch: that of Assistant to the President for Science and Technology and Director of OSTP. For instance, on his table he had some great photos of the Eros asteroid that had been taken the day before.) We then decided to walk over to the White House (next door) where we joined the other attendees who were waiting in a lobby area.
Eventually, we were all escorted upstairs to the Cabinet Room. It was a tight fit, as there were over 30 of us, staff and guests (invitee list at the end). We then spent a half hour mingling and chatting. There were a lot of people I didn't know, but that's because normally I don't get to talk to CEOs. Most notably, there were people present from several CERIAS sponsor organizations (AT&T, Veridian/Trident, Microsoft, Sun, HP, Intel, Cisco). I also (finally!) got to meet Prof. David Farber in person. We've "known" each other electronically for a long time, but this was our first in-person meeting.
After a while, some more of the government folk joined the group: Attorney General Reno; Commerce Secretary Daley; Richard Clarke, the National Coordinator for Security, Infrastructure Protection and Counter-terrorism; and others. After some more mingling, I deduced the President was about to arrive -- several Secret Service agents walked through the room giving everyone a once-over. Then, without any announcement or fanfare, the President came into the room along with John Podesta, his chief of staff.
President Clinton worked his way around the room, shaking everyone's hand and saying "hello." He has a firm handshake. In person, he looks thinner than I expected, and is not quite as tall as I expected, either.
We all then sat down at assigned places. I had the chair directly opposite the President. Normally, it is the chair of the Secretary of State. To my left was Whit Diffie of Sun, and to my right was John Podesta. I was actually surprised that I had a seat at the table instead of in the "overflow" seats around the room.
The press was then let into the room. It was quite a mass. The President made a statement, as did Peter Solvik of Cisco. The press then asked several questions (including one about oil prices that had nothing to do with the meeting). Then, they were ushered out and the meeting began.
The President asked a few individuals (Podesta, Daley, Reno, Pethia, Noonan) to make statements on behalf of a particular segment of industry or government, and then opened it up for discussion. The next hour went by pretty quickly. Throughout, the President listened carefully, and seemed really involved in the discussion. He asked several follow-up questions to things, and steered the discussion back on course a few times. He followed the issues quite well, and asked some good follow-up questions.
During the discussion, I made two short comments. The first was about how it was important that business and government get past using cost as the primary deciding factor in acquiring computer systems, because quality and safety were important. I went on to say that it was important to start holding managers and owners accountable when their systems failed because of well-known problems. I observed that if the government could set a good example in these regards, others might well follow.
My second comment was on the fact that everyone was talking about "business and government" at the meeting but that there were other players, and that academia in particular could play an important part in this whole situation in cooperation with everyone else. After all, academia is where much of the research gets done, and where the next generation of leaders, researchers, and businesspeople are coming from!
Overall, the bulk of the comments and interchange were reasoned and polite. I only remember two people making extreme comments (to which the rest of us gave polite silence or objections); I won't identify the people here, but neither were CERIAS sponsors :-). One person claimed that we were in a crisis and more restrictions should be placed on publishing vulnerability information, and the other was about how the government should fund "hackers" to do more offensive experimentation to help protect systems. My summary of the major comments and conclusions is included below.
After considerable discussion, the meeting concluded with Dick Clarke reminding everyone that the President had submitted a budget to Congress with a number of new and continuing initiatives in information security and cybercrime investigation, and it would be up to Congress to provide the follow-through on these items.
We then broke up the meeting, and the President spent a little more time shaking hands and talking with people present. Buddy (his dog) somehow got into the room and "met" several of us, too -- I got head-butted in the side of my leg as he went by. :-) The official photographer got a picture of the President shaking my hand again.
The President commented to Vint Cerf how amazed he was that the group had been so well-behaved --- we listened to each other, no one made long rambling speeches, and there was very little posturing going on. Apparently, similar groups from other areas are quite noisy and contentious.
We (the invitees) then went outside where there was a large crowd of the press. Several of us made short statements, and then broke up into groups for separate interviews. After that was done, I left and returned home to teach class on Wednesday.
My interview with the local news station didn't make it on the 6pm news, and all the print accounts seemed to make a big deal of the fact that "Mudge" was at the meeting. Oh well, I thought "Spaf" was a way-cool "handle", better than "Mudge", but it doesn't go over as well with the press for some reason. I'll have to find some other way to develop a following of groupies. :-)
On Friday, I was back in DC at the White House conference center to participate in a working session with the PCAST (President's Committee of Advisors on Science & Technology) to discuss the structure and organization of the President's proposed Institute for Information Infrastructure Protection. This will have a projected budget of $50 million per year. CERIAS is already doing a significant part of what the IIIP is supposed to address (but at a smaller scale). Thus, we may have a role to play in that organization, as will (I hope) many of the other established infosec centers. The outcome of that meeting was that the participants are going to draft some "strawman" documents on the proposed IIIP organization for consideration. I am unsure whether this is significant progress or not.
Outcomes
I didn't enter the meeting with any particular expectations. However, I was pleasantly surprised at the sense of cooperation that permeated the meeting. I don't think we solved any problems, or even set an agenda of exactly what to do. There was a clear sense of resistance from the industry participants to any major changes in regulations or Internet structure. In fact, most of the companies represented did not send CEOs so that (allegedly) there would be no one there who could make a solid commitment for their firms should the President press for some action.
Nonetheless, there were issues discussed, some subsets of those present did agree to meet and pursue particular courses of action, and we were reminded about the President's info protection plan. To be fair, this is an area that has been getting attention from the Executive Branch for several years, so this whole event shouldn't be seen as a sudden reaction to specific events. Rather, from the PCCIP on, there has been concern and awareness of the importance of these issues. This was simply good timing for the President to again demonstrate his concern, and remind people of the national plan that was recently released.
I came away from the meeting with the feeling that a small, positive step had been made. Most importantly, the President had made it clear that information security is an area of national importance and that it is taken seriously by him and his administration. By having Dave Farber and myself there, he had also made a statement to the industry people present that his administration takes the academic community seriously in this area. (Whether many of the industry people got that message -- or care -- remains to be seen.)
I recall that there were about 7 major points made that no one disputed:
1) The Internet is international in scope, and most of the companies present have international operations. Thus, we must continue to think globally. US laws and policies won't be enough to address all our problems.
2) Privacy is a big concern for individuals and companies alike. Security concerns should not result in new rules or mechanisms that result in significant losses of privacy.
3) Good administration and security hygiene are critical. The problems of the previous week were caused by many sites (including, allegedly, some government sites) being compromised because they were not maintained and monitored. This, more than any perceived weakness in the Internet, led to the denial of service.
4) There is a great deal of research that yet needs to be done.
5) There are not enough trained personnel to deal with all our security needs.
6) Government needs to set a good example for everyone else, by using good security, employing standard security tools, installing patches, and otherwise practicing good infosec.
7) Rather than new structure or regulation, broadly-based cooperation and information sharing is the near-term approach best suited to solving these kinds of problems.
Let's see what happens next. I hope there is good follow-through by some of the parties in attendance, both within and outside government.
Miscellany
Rich Pethia of CERT, Alan Paller of SANS, and I have drafted a short list of near-term actions that sites can implement to help prevent a recurrence of the DDOS problems. Alan is going to coordinate input from a number of industry people, and then we will publicize this widely. It isn't an agenda for research or long-term change, but we believe it can provide a concrete set of initial steps. This may serve as a good model for future such collaborative activities.
I was asked by several people if I was nervous. Actually, no. I've been on national television many times, and I've spoken before crowds of nearly a thousand people. Actually, he should have been nervous -- I have tenure, and he clearly does not. :-)
The model we have at CERIAS with the partnership of industry and academia is exactly what is needed right now. Our challenge is to find some ways to solve our faculty needs and space shortage. In every other way, we're ideally positioned to continue to make a big difference in the coming years.
Of the 29 invited guests, there was only one woman and one member of a traditional minority. I wonder how many of the people in the room didn't even notice?
Attendees
Douglas F. Busch, Vice President of Information Technology, Intel
Clarence Chandran, President, Service Provider & Carrier Group, Nortel Networks
Vinton Cerf, Senior Vice President, Internet & Architecture & Engineering, MCI Worldcom
Christos Costakos, Chief Executive Officer, E-Trade Group, Inc.
Jim Dempsey, Senior Staff Counsel, Center for Democracy and Technology
Whitfield Diffie, Corporate Information Officer, Sun Microsystems
Nick Donofrio, Senior Vice President and Group Executive, Technology & Manufacturing, IBM
Dave Farber, University of Pennsylvania
Elliot Gerson, Chief Executive Officer, Lifescape.com
Adam Grosser, President, Subscriber Networks, Excite@home
Stephen Kent, BBN Technologies (GTE)
David Langstaff, Chairman and Chief Executive Officer, Veridian
Michael McConnell, Booz-Allen
Mary Jane McKeever, Senior Vice President, World Markets, AT&T
Roberto Medrano, Senior Vice President, Hewlett Packard
Harris N. Miller, President, Information Technology Association of America (ITAA)
Terry Milholland, Chief Information Officer, EDS
Tom Noonan, Internet Security Systems (ISS)
Ray Oglethorpe, President, AOL Technologies, America Online
Alan Paller, Chairman, SANS Institute
Rich Pethia, CERT/CC, SEI at Carnegie-Mellon University
Geoff Ralston, Vice President for Engineering, Yahoo!
Howard Schmidt, Chief Information Security Officer, Microsoft
Peter Solvik, Chief Information Officer, Cisco Systems
Gene Spafford, CERIAS at Purdue University
David Starr, Chief Information Officer, 3Com
Charles Wang, Chief Executive Officer, Computer Associates International
Maynard Webb, President, Ebay
Peiter Zatko, a.k.a. "Mudge", @stake
Date: Tue, 22 Feb 2000 08:43:33 +0100
From: Gerry McGovern
---
NEW THINKING
Free weekly email contributing to a philosophy for The Digital Age
By Gerry McGovern
Email: gerry@nua.ie
Web: http://www.nua.ie
---
February 21st 2000
Published By: Nua Limited
Volume 5 Number 8
---
CYBER VIGILANTES
Did you know that US banks were warned well in advance that there would be attacks against large websites but that they told nobody except other members of an Internet security organisation for financial institutions? Let's spin that another way. You're in a neighbourhood and you see some of your neighbours boarding up their windows. They won't tell you why they're doing it, so you pass it off. That night a hurricane strikes. There were no warnings on the radio, TV or in the newspapers. The emergency services were totally unprepared. But this select group of neighbours knew because they happened to be members of a specialist weather monitoring organisation.
There are some profound issues at play with regard to the Internet today. Perhaps the most profound is the role of government, business and citizen. A large, powerful, media-savvy voice is constantly saying that government should stay out, that it doesn't understand the Internet, that the Internet should develop a voluntary code of conduct that is privately policed. Individualism, liberty and freedom of speech are the colourful and emotive flags that this 'Government-Out' constituency vigorously waves.
Let me tell you what they are really about. They are about big business who are in themselves mini-governments, who if they could engineer it, would have no laws, no regulations, nothing in the way of making as much money as possible out of the customer.
This short-sighted greed is no good for anybody. It will ultimately ruin the Internet environment as a commercial medium, as customers get tired of having their personal information ripped off, get tired of private security vigilantes snooping in their computers, get tired of returns policies that aren't worth the bits and bytes they were typed on. We can't treat the Internet as some junk yard sale, where everyone is trying to get their fingers into everyone else's pockets, without running the risk of it turning into a junk yard.
Government has flaws; we all know that. But government is our best attempt to create institutions that allow society to be managed in a civilised manner. Without government the choice is chaos or vigilantism. The current search for the hackers behind the major spate of website attacks is a mix of both. Scores of security firms are out looking for the culprits. Their driving objective has nothing to do with law and justice and everything to do with the hoped-for PR announcement that their firm caught the nasty hacker. Members of these firms are posing as suspects and friends of suspects in online chat rooms and other areas, to the extent that 'suspects' are turning up all over the place at the same time, confusing everybody.
Law enforcement on the Internet is becoming a farce, and that's not good for anybody. Internet business will suffer if consumer confidence in the medium declines. As much as we would all like to clean up politics and make government more accountable, today, right now, it is still all we've got. I have no problem with big business per se, but I don't want it 'protecting' my privacy and I don't ever want it out 'policing' my streets.
Gerry McGovern