In the wake of the attacks by the hacker collective Anonymous on Sony and on Livejournal, more attention has been focused on just what such attacks mean and how to defend against them.
Most attacks on the Web come as distributed denial of service attacks, or DDoS. The most common form is making too many requests of a server for it to handle at once. By flooding a server with data packets, one can essentially shut it down, making it inaccessible to other users. To set one up requires a large number of computers, and a simple way to do it is to send out a piece of software -- usually a virus or Trojan -- to unsuspecting users whose computers mount the attack without them knowing. Such a network is called a botnet. Another method is to enlist the help of others voluntarily. The Low Orbit Ion Cannon is a piece of software that can target a web site but it has to be run by a user helping mount a DDoS. (LOIC was originally a stress-testing tool for system administrators).
Such attacks are not too difficult to defend against, says Alex Behar, director of security products at Radware. That's because any attack that depends on simply sending lots of data can be stopped if certain Internet addresses are blacklisted, or if the target can remove some of the packets from the stream of data. By having in place a piece of hardware or software that takes some packets out, the server is convinced that there is a congestion problem, and it reduces the amount of data sent in and out. That can defeat the DDoS.
A good example of the success of some defenses can be seen in the attacks mounted against Sony's sites by Anonymous. The sites basically stayed up and running and few users noticed any disruptions for more than a few hours.
The real issue is when attacks are more sophisticated, he said. A DDoS doesn't have to be a flood of data. Sometimes it can be a set of computers making requests that take a long time to fill. For example, a large group of computers on dial-up connections could tie up a server that waits for answers. Or the requests could be ones that simply take longer to execute, like complicated searches. ("Longer" in this case can mean only a second, sometimes less).
Many DDoS attacks tend to come from Asia, Behar says, but that is only because the Internet connections are faster than in the U.S. (South Korea has some of the fastest connections to people's homes). A sample of the attacks on Livejournal, for example, showed they were coming from Southeast Asia. But since a DDoS is often mounted by software running in the background, all that tells anyone is that there happened to be lots of infected machines there.
And while the attack that Anonymous mounted against Sony wasn't very complex, that doesn't mean the group can't apply a lot more know-how, Behar says. In the wake of cutting off its services to Wikileaks, Anonymous mounted a series of very strong attacks against PayPal and MasterCard. Neither site went down, but defending against the attacks wasn't easy for either company. "There are people there with a lot of knowledge," Behar said.
Those types of attacks require better defenses, Behar said. In some cases, one can look at the packets that come in and then have a human being check for patterns that look wrong. One area of research involves systems that use a "challenge-response" method. A small bit of code is sent from the target computer to each one that makes a request. That code has to be run by a browser. It can be as simple as performing an addition of two numbers, though most security researchers use something much more sophisticated to prevent it from being faked. If the code comes back with the right answer, then that means there was a web browser on the other end, and the request is legitimate. If no answer comes back, then the computer is sending data without the browser, which probably indicates a botnet's request.
But this method has its limitations. While it will tell you whether or not the packet is coming from a browser, that only works with desktop computers. A smartphone accessing Facebook, for instance, is sending a legitimate request. But it isn't using a web browser to do it.
To get around that Behar and other researchers in the field have been speaking to companies such as Twitter to discuss how to change the application programming interface that connects to mobile devices and make them more secure. Facebook, Behar notes, is in a similar situation. With the increasing number of mobile applications that connect to the web, developing such techniques will only become more important, he says.
Another issue that comes up is whether to retaliate against the attackers. Behar notes that doing so is not legal in most countries, and it wouldn't be very effective in any case because the owners of the computers mounting a DDoS usually don't know what is happening. Educating users to do more frequent virus scans would help, he says.
One tactic that was used years ago was to simply send the computer launching an attack a note -- a bit of text -- that told the user what the problem was. But with modern firewalls that tactic doesn't work as well, since they block that kind of traffic. Better is for users to notice when their computer is running slowly or showing lots of incoming and outgoing traffic at odd times of day when the browser isn't running.
Behar notes that DDoS attacks are common, but while high-profile ones such as Sony get a lot of publicity, most aren't noticed beyond the security professionals who have to deal with them. While he said he couldn't name clients, he noted that in one week several large companies were under attack