28 Jul 2000
Help is on the way to combat the denial of service attacks that wreaked havoc on a number of popular websites last February, including Amazon.com, CNN.com and eBay.
In a denial of service attack, a hacker floods a network with bogus traffic until the network becomes overwhelmed and crashes. Such attacks are hard to combat because the hackers use fake IP addresses, making it difficult to find the source.
The Internet Engineering Task Force (IETF) is working on technology that will minimise the problem of denial of service attacks by making it possible to quickly trace the source of the attack. The organisation last week formed a working group to develop ICMP Traceback Messages, which would allow network administrators to trace the path packets take through the internet.
Codenamed itrace, the technology differs from existing tracing tools such as Traceroute, which generally only trace forward: itrace would be able to trace backwards as well.
"The ISPs don't have good tools to trace these kinds of attacks back today. That's what we're trying to do," said Steve Bellovin, a network security researcher at AT&T Labs and chairman of the IETF's ICMP Traceback working group.
Itrace would enable network managers to trace the attacks to their source within minutes.
With the technology, routers would randomly generate messages about packets and send the messages to the packets' destinations.
A packet is the unit of data that is routed between an origin and a destination on the internet.
The messages would indicate where the packet came from, where it went, when it was sent and its authentication. Network managers could then take the messages and piece them together to trace the packet's path back to its origin.
Because the routers would only generate a message for one of every 20,000 packets, the performance of the routers and the internet overall would not be significantly affected. However, because denial of service attacks involve such huge amounts of traffic, network managers would still receive enough messages to trace the route back.
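The sampling and piecing-together described above can be sketched as a small simulation. This is an added example, not code from the IETF working group: the router names are constructed placeholders, and each message is simplified to (came from, reporting router, went to), leaving out the timestamp and authentication fields.

```python
import random

SAMPLE_RATE = 1 / 20000  # one message per 20,000 packets, the figure quoted in the article

def collect_messages(path, packets, rng):
    """Forward `packets` along `path` (sender, routers..., victim) and return
    the set of distinct traceback messages that reach the victim."""
    messages = set()
    for _ in range(packets):
        for i in range(1, len(path) - 1):          # only routers emit messages
            if rng.random() < SAMPLE_RATE:
                # simplified message: (came from, reporting router, went to)
                messages.add((path[i - 1], path[i], path[i + 1]))
    return messages

def trace_back(messages, victim):
    """Piece messages together and walk from the victim towards the sender.
    The walk stops where no message names an upstream neighbour (a gap)."""
    pred = {}                                      # node -> hop the packet arrived from
    for came_from, router, went_to in messages:
        pred[went_to] = router
        pred[router] = came_from
    hops = [victim]
    while hops[-1] in pred and len(hops) <= len(pred):   # length bound guards against loops
        hops.append(pred[hops[-1]])
    return hops

# Constructed topology: names are placeholders, not real hosts.
PATH = ["attacker-host", "edge-A", "core-1", "core-2", "edge-B", "victim"]

if __name__ == "__main__":
    rng = random.Random(2000)
    for volume in (1_000, 400_000):                # ordinary flow vs. flood
        msgs = collect_messages(PATH, volume, rng)
        print(volume, "packets ->", len(msgs), "messages, trace:", trace_back(msgs, "victim"))
```

A flood of a few hundred thousand packets makes every router on the path report at least once, while an ordinary flow of a thousand packets usually triggers no message at all. The walk also stops short when adjacent routers on the path send nothing, which is the deployment problem the article raises.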
Itrace does have some drawbacks, however. The information in the traceback messages is in compressed form so it requires some analysis and guesswork. "Due to this ambiguity, itrace is not a silver bullet," said IETF chairman Fred Baker. "But it gives us a clue, where right now we are often completely in the dark."
Another problem is that itrace can only identify the computers that are sending the attacks, not the programmer. Consequently, the technology may not help law enforcement agencies catch the perpetrators.
Also, the technology only becomes effective if it is deployed across the internet's backbone and edge routers. It is unclear whether ISPs will be willing to make the investment necessary to implement itrace on all their routers.
"Nobody can compel the ISPs to deploy this but the goal is to produce a specification that has support from router vendors such as Cisco and Juniper and from the ISPs," said Bellovin.
Even if ISPs do agree to deploy the technology, it will be some time before it becomes widespread enough to function effectively. The IETF working group hopes to have a standard to submit to the IETF by January, meaning that it will be at least 18 months before the technology is ready to be launched.