From Mainframes to Network Security: A World of Difference

I don’t know why it’s so slow,” my systems manager told me. “It’s not because of the system load. There’s barely anything running right now.”

“What does the network traffic level look like?” I asked.

“Nothing on the LAN that I can see,” he replied.

“See if you can log in via the Internet connection,” I said. “Maybe we’re having problems with the connection or something.”

He dialed into his ISP and tried to get a browser to connect to our homepage. The domain name system found it. Thennothing. Just sat there until it timed out.

“So, what is it?” I asked.

“I dunno,” he answered. “I’ll check the firewall to make sure it’s up and running.”

Well, it was runningbut real slow. I mean R-E-A-L S-L-O-W. The systems administrator put a protocol analyzer on the Internet side of the connection and found it was completely overloaded with traffic.

“Well, we’re either very popular today or someone is trying to DoS us,” he said.

DoS us? Huh? Apparently, DoS is short for denial of service. It’s a type of network attack that hackers and script kiddies launch from time to time. It’s like when your grandson clogs the toilet with a roll of toilet paper. The toilet is full, and you are denied service until it is unclogged. The solution is to get rid of the attack. But all the source addresses for the attacking packets change on every arriving packet, so there’s no way to know who was actually sending the traffic as all the source addresses were bogus (or “spoofed,” as it was explained to me).

I know I should know all of this. I used to be a mainframe guy and worked with the big boxes for all our credit card processing. I also ran the mainframe security tools and facilities, so I thought I understood security issues. So far, I’d been holding my own. I know how to write security policies; I’ve gotten the budget sorted out. But I suddenly found myself in hot water. I had no clue about how to deal with an Internet attack.

Security used to be structured, orderly, purposeful. This Internet security stuff, however, is illogical. Why attack our site? We don’t kill whales, we don’t discriminate, and we aren’t politically extravagant. Actually, we’re pretty boring, as companies go. So why would someone want to clog up access to our website? It doesn’t make sense.

I was obviously out of my league with this one, so I called a friend who is the CSO at a large telco. He’s one of those guys who remains true to his technical roots, so I figured if anyone would know what to do, he would.

“Most DoS attacks don’t last longer than 20 to 40 minutes,” he tells me. “If it goes on longer than that, you’ll need to get your network connection vendor to block traffic as best you can.”

As best you can? Geez. What kind of answer is that? Some-times, he says, you can contact the network vendor that owns the connection to the offending source and have them filter against your site’s address to kill the traffic. But that can take a lot of time. Sometimes, you just give the system address being attacked a new IP address and “null route” the traffic to the old address, he explains. But sometimes, browsers can’t find your site for a couple of days….

I ask him how we find the person doing this, and he laughs. Most are never found, he says. If they are, they’re usually tracked down by professionals. We were probably a practice attack for some hacker, he surmises. You don’t have to have a reason to be attacked, he adds. You’re just a good practice site.

I suppose hackers need practice too. I just wish they would put up their own practice site and leave mine alone.

The attack eventually went away as predicted. I’ve spent time looking into denial-of-service attacks since then and have been appalled to see that the number is increasing drasticallyfrom a few a month in 1998 to more than 5,000 a month now. It’s obvious that this won’t be my last attack.

The biggest eye-opener was my total lack of understanding of the Internet security issues for which I am responsible: DoS attacks, DDoS attacks, website defacements, hacker “gangs,” practice sites, server vulnerabilities, SYN attacks, user extortion, e-mail scams. The list goes on and on.

It’s clear. I have a great deal to learn about security even though I’ve been in the technical security business a long time. I guess I’m not in Kansas anymore.