DoS Attacks Go For the Throat
In the past, distributed Denial of Service (DoS) attacks were generally targeted at specific servers or firewalls on a network. But a disturbing trend shows automated intruders compromising routers and router protocols, thereby endangering not only Web sites and enterprises, but the Internet at large. We explain how and why this occurs, and what you can do to avoid becoming a victim or an unwilling perpetrator.
We all yearn for the more innocent time when the acronym DOS stood for your Disk Operating System, or even the Dept. of State for the better traveled. Today, however, it is a term that brings a chill to many technologists -- Denial of Service. Initially, this was largely the realm of minor miscreants, who wanted no more than to target specific Web sites they thought would be cool to disrupt. But now a greater chill has begun to set in as a result of the selective targeting of routers.
Of late, the hacker community has taken to discussing 'router protocol attacks' in listservs, Usenet, and at conferences. Attacks against routers can have serious consequences for the Internet at large. Routers can be used for direct attacks against the routing protocols that interconnect the networks comprising the Internet, therefore causing serious service availability issues on a large scale. By dealing with such threats to their infrastructures, network managers will be protecting both their own interests and the interests of all networks to which they connect.
Crackers perceive router attacks as attractive for several reasons. Unlike computer systems, routers are generally buried within the infrastructure of an enterprise. Often, they are comparatively less protected by monitors and security policies than computers, providing a safer harbor within which the miscreant can operate. Many routers are poorly deployed, with the vendor-supplied default password the only wall between network security and ruination. Documents circulate supplying advice on procedures for breaking into a router and changing its configuration. Once compromised, the router can be used as a platform for scanning activity, 'spoofing' connections, (disguising the origin of packets,) and as a launch point for DoS attacks.
According to Laurie Vickers, a Senior Analyst at Cahners In-Stat Group, "A router is the gateway to a company. They have been the target of hackers and Script Kiddies for quite some time now, but what seems to be occurring is that the hackers are growing more sophisticated. They're finding that the front door is locked, so they go around back and see that the patio door has been left open."
Vickers asserts that router attacks can prove devastating to networks as managers try to determine "Which box will it be? Routers often integrate VPN services and/or firewalls, and these make them even juicier targets." Once the router is compromised, the entire network can be up for grabs.
A further area for concern is what Carnegie Mellon's Computer Emergency Response Team (CERT) Coordination Center refers to as the shrinkage of 'Time-To-Exploit'. In other words, once a vulnerability in a system or device has been discovered, it takes less time for to exploit it perhaps less time than it takes to author or deploy a security patch.
Further, don't look for a particular group or individual to target your systems. Tools used to initiate DoS attacks and to propagate the 'attack toolkits' (the collection of instructions used for the attack) are increasingly automated. Scripts are frequently used for scanning, exploitation, and deployment.