The World Wide Web Security FAQ


This information is provided by Lincoln Stein (lstein@cshl.org) and John Stewart (jns@digitalisland.net). The World Wide Web Consortium (W3C) hosts this document as a service to the Web Community; however, it does not endorse its contents. For further information, please contact Lincoln Stein or John Stewart directly.



8. Securing against Denial of Service attacks


Q1: What is a Denial of Service attack?

Denial of Service (DoS) is an attack designed to render a computer or network incapable of providing normal services. The most common DoS attacks target the computer's network bandwidth or connectivity. Bandwidth attacks flood the network with such a high volume of traffic that all available network resources are consumed and legitimate user requests cannot get through. Connectivity attacks flood a computer with such a high volume of connection requests that all available operating system resources are consumed, and the computer can no longer process legitimate user requests. The high-profile attacks of the week of February 6th, 2000 were primarily bandwidth attacks, and all of the targets were high-profile internet web sites. A complete description of Denial of Service attacks is available from CERT at http://www.cert.org/tech_tips/denial_of_service.html.

Q2: What is a Distributed Denial of Service attack?

A Distributed Denial of Service (DDoS) attack uses many computers to launch a coordinated DoS attack against one or more targets. Using client/server technology, the perpetrator is able to multiply the effectiveness of the Denial of Service significantly by harnessing the resources of multiple unwitting accomplice computers, which serve as attack platforms. Typically a DDoS master program is installed on one computer using a stolen account. The master program, at a designated time, then communicates with any number of "agent" programs installed on computers anywhere on the internet. The agents, when they receive the command, initiate the attack. Using client/server technology, the master program can initiate hundreds or even thousands of agent programs within seconds.

Q3: How is a DDoS executed against a website?

A website DDoS is executed by flooding one or more of the site's web servers with so many requests that it becomes unavailable for normal use. If an innocent user makes normal page requests during a DDoS attack, the requests may fail completely, or the pages may download so slowly as to make the website unusable. DDoS attacks typically take advantage of several computers which simultaneously launch hundreds of thousands of requests at the target website. In order not to be traced, the perpetrators will break into unsecured computers on the internet, hide rogue DDoS programs on them, and then use them as unwitting accomplices to anonymously launch the attack.
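From the defender's side, the request flood described above shows up in the web server's access log as a window with far more requests than usual, spread across many clients. The following is an added example, not part of the original FAQ: it assumes Common Log Format input, and the window size, thresholds, function names and sample log lines are all constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

# Common Log Format: host ident user [timestamp] "request" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" \d{3} \S+')

def parse(line):
    """Return (client, datetime) for a CLF line, or None if malformed."""
    m = CLF.match(line)
    try:
        return (m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")) if m else None
    except ValueError:
        return None

def flood_windows(lines, window=10, factor=5.0, min_requests=20, top_share=0.5):
    """Flag windows whose request count exceeds factor x the median window.
    Returns (window_start, requests, distinct_clients, kind) tuples; kind is
    "single-source" if one client sent over top_share of the window's
    requests, else "distributed". Thresholds are illustrative assumptions."""
    buckets = defaultdict(Counter)
    for rec in map(parse, lines):
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        client, ts = rec
        buckets[int(ts.timestamp()) // window * window][client] += 1
    if not buckets:
        return []
    totals = {start: sum(c.values()) for start, c in buckets.items()}
    baseline = median(totals.values())
    findings = []
    for start in sorted(buckets):
        n = totals[start]
        if n >= min_requests and n > factor * baseline:
            top = buckets[start].most_common(1)[0][1]
            kind = "single-source" if top / n > top_share else "distributed"
            findings.append((start, n, len(buckets[start]), kind))
    return findings

def sample_log():
    """Constructed input: six quiet minutes, a 40-client flood, a one-client burst."""
    fmt = '{} - - [01/Mar/2000:12:{:02d}:{:02d} +0000] "GET / HTTP/1.0" 200 512'
    lines = [fmt.format(f"192.0.2.{i % 3 + 1}", m, i) for m in range(6) for i in range(4)]
    lines += [fmt.format(f"198.51.100.{i % 40 + 1}", 6, i % 10) for i in range(200)]
    lines += [fmt.format("203.0.113.9", 7, i % 10) for i in range(60)]
    return lines + ["truncated or garbage line"]

if __name__ == "__main__":
    for finding in flood_windows(sample_log()):
        print(finding)
```

The median is only a usable baseline while most windows in the log are quiet; for a long-running flood, take the baseline from a log segment known to predate it.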

Q4: Is there a quick and easy way to secure against a DDoS attack?

No. From a simplistic perspective, the best solution is to secure computers from being hijacked and used as attack platforms. This cuts the problem off before it can ever manifest. Thus many experts suggest that we "pull together as a community" to secure our internet computers from becoming unwitting accomplices to such malicious intruders. Unfortunately, for every business that has the knowledge, budget, and inclination to make such changes, there are many more which lack such resources.

Plus, the attackers are most likely going to use non-commercial computers as attack platforms, because they are usually easier to break into. University systems are a favorite, because they are often understaffed or the systems are set to minimum security levels to allow students to explore the systems as part of their education. Further, this is not just a national problem. Any internet server in the world could be used as an attack platform.

Still, the simplest and most effective solution for preventing DDoS is a global cooperative effort to secure the internet. The first step in the process, therefore, is to scan your internet computers to make sure they are not being used as unwitting DDoS attack platforms. This is not just good internet citizenship; it also serves to document and verify that your internet computers are not suspect when DDoS attacks occur.

Q5: Can the U.S. Government make a difference?

Certainly. The government could impose many types of restrictions on the internet that could greatly limit such types of attacks, at least from U.S.-based computers. Getting on the web could require the equivalent of a "Driver's License", having a website could require the equivalent of a "Commercial Permit", and all ISPs could be tightly regulated, much as the public utilities (Water, Power, etc.) are today. However, the government is treading a fine line between limiting criminal activity and limiting economic growth, education, freedom of information, and general personal freedoms. For the time being, the U.S. government appears to be looking for non-intrusive approaches.

For example, President Clinton proposed that we develop an information security "cyber-corps" of recent college grads to fight DDoS and other cybercrimes. While this is a sensible proposal, will there be a rush of computer science grads who will want to join such a group? Computer science students are by and large interested in science, not in law enforcement, so if Clinton's proposal goes through, it will be interesting to see if the government can attract the best of the best to join the "cyberpolice".

It should be noted, however, that in all likelihood a more intrusive government role is inevitable if uncontrollable attacks continue. If the government tries to be both helpful and non-intrusive, it may simply be ignored by commercial ventures. For example, during the week of February 6, 2000, a report from Federal Computer Week revealed "that only 2,600 individuals had downloaded a free security tool from the FBI's Web page. That tool, which detects denial-of-service code, has been available since December."

Step by Step

Q6: How do I check my servers to see if they are active DDoS hosts?