Web attacks raise security awareness

Remember Space Invaders? Three lone ships drone across the screen, to be obliterated in five seconds of Atari magic. Moments later, the entire invader fleet descends to annihilate your pitiful collection of pixels. Game Over.

That's how executives at some of the internet's biggest-name companies felt last week. eBay and Amazon were cornered by denial of service attacks, as thousands of fake requests for information swamped their websites and took them off the air.

Events kicked off on Tuesday of last week, with an attack on Yahoo, taking the portal offline for three hours. This was swiftly followed by suspiciously similar attacks on eBay and Buy.com, the latter in its first hours of operation after going public.

Next day, Amazon, CNN, ZDNet and online broker Datek all reported assaults, with ZDNet down for two hours. Users also reported problems accessing AOL and Microsoft sites, but those companies did not admit to concerted attack.

Some victims withstood the onslaught better than others. While Yahoo and ZDNet both went dark for several hours, Amazon remained online, albeit with degraded service.

"We were hit in a similar way to several other major internet sites, but normal service was restored within an hour," said a spokesman.

Watch out - here comes denial of service
Denial of service first slimed into public awareness in 1996, when a hacker bombarded computers run by Public Access Networks, a small New York company, with requests to send information. In December 1999, a group calling itself the 'electrohippies' shut down the web servers of the World Trade Organisation.

While dedicated security experts can prevent many virus attacks and hacker intrusions, there is no surefire way of preventing this class of interference. So why didn't Amazon suffer the same fate as Yahoo?

One answer is that Amazon had deployed every tool available to minimise the effects of a possible attack. Filters that can distinguish between genuine and 'spoof' requests were not installed at Yahoo until several hours after the attack commenced.

These tools are expensive but, in light of all this, surely a worthwhile investment. The nominal bill for last week's events will top $1.2bn (£754m), according to Matthew Kovar, a senior analyst with researcher Yankee Group. This includes $1bn wiped off share values, $100m revenue losses and $200m for necessary security infrastructure upgrades.

"The resulting brand image, partnership, and future customer damage will result in further significant damage to all of these companies," he says.

Security software in demand
Unsurprisingly, demand for security software has gone through the roof. Network ICE reported a 50 per cent leap in sales of its anti-hacker software, while publicly traded stock of security consultancies surged. Watchguard Technologies shot up more than 60 per cent over the week, while Axent Technologies and RSA Security both saw rises of around 25 per cent.

The FBI, now responsible for tracking down the attackers, is urging businesses to check their security measures in the light of the attacks. "Companies must take ecommerce security more seriously," said Ron Dick, chief of computer investigations at the FBI's National Infrastructure Protection Centre. It is essential to keep up to date with software patches, he added.

"For front-end systems, you should have firewalls, routers and load-balancing systems to reduce the impact," says John Pescatore, research analyst with GartnerGroup.

Protection is also a responsibility of carriers and ISPs, say analysts, and users must pressure service providers to shield them. "It's time for ISPs to step up to the plate," says Pescatore. "They should provide intrusion detection systems and throttling controls to limit the effect of an attack."

Dummy servers immobile against attack
But the problem with many ISPs is that they use dummy servers which cannot distinguish between genuine user requests and spammed packets from distributed computers. But with more sophisticated hardware and filtering systems, service-denial waves could be detected at the ISP stage.

The Yankee Group agrees carriers need to work with hosting companies to better deal with attacks that occur over their backbones. "These companies should be legally and financially responsible for the consequences of not acting," said Kovar.

Yankee advises deployment of comprehensive security systems that include firewalls, hardened operating systems, security assessment and intrusion detection systems. "This may require a paradigm shift among corporations, starting at chief executive level," says Kovar. "Ebusinesses have prioritised web performance. They must change that to having a secure internet presence."

HOW YOU CAN COMBAT DENIAL OF SERVICE

• Establish alternative channels. If your web channel is crippled, customers should be able to contact you by telephone or in person.
• Distribute your infrastructure across multiple networks and data centres. This way, if you are under attack, at least some customers will still be able to access the site.
• Pressure ISPs to become good corporate citizens. In an attack, the source IP address is often falsified. If ISPs implement anti-spoof filters, this is harder for hackers to do.
• Ensure your company uses complete and up-to-date security patches to reduce the chances that your website will be used as a launch pad for denial of service attacks on other sites.