| About InfoWorld : Advertise : Subscribe : Contact Us : Awards : Events : Store |
 |
||||
|
||||
 |
||||
 |
|
|||
 |
||||
|
|
|
||
|
|||||||||||||||||||||||||||||||||||||||||
 COLUMN
A packet bounce attack MY MOST RECENT columns have dealt with major security holes in Windows XP and Microsoft's Web server. And I cited free utilities by security expert Steve Gibson that can help you avoid these problems.
The assault, which Gibson calls a packet bounce attack, takes advantage of "service ports," a group of IP services identified by the numbers 1 through 1023, as opposed to "client ports," services numbering 1024 and up. The Web site of Gibson Research, www.grc.com, was shut down on Jan. 11 by an overwhelming flood of IP data. Millions of bogus packets were streaming in using mechanisms such as the Border Gateway Protocol (port 179), Telnet (23), Domain Name Service (53), SSH (Secure Shell; 22), and HTTP (80). Because only Gibson's domain and two others that he knows of so far have been hit, it suggests that malicious perps are testing a new weapon before rolling it out against other victims. Shockingly, "these flooding packets were coming from the Internet's core routers," Gibson says. "Our own ISP's routers were 'attacking' us, as were the routers of other large ISPs, a few of the main DNS root servers, and many of the Web servers belonging to Yahoo.com." It's important to note that none of these servers were compromised. Yahoo executives did not respond to a request for comment, but there's no indication its servers weren't operating properly. The author of the attack had falsified the source of the initial packets so they seemed to come from grc.com's own IP address. Each server receiving such a packet, therefore, sent multiple packets in turn back to grc.com, believing that a connection was being requested. None of the servers was overwhelmed or experienced DDoS (distributed denial of service) itself, so the exploit didn't trigger any alarms. The end result, however, was devastating. Gibson says his domain was subjected to more than 1 billion packets during the course of the offensive. Security consultant David Dittrich says a similar assault, which he calls a reflector attack, crippled Register.com in January 2001, but "there may be a new [D]DoS program 'in the wild' to implement this attack." More on this is at www.staff.washington.edu/dittrich/misc/ddos/grc-syn.txt. Gibson's solution? When your server is acting as a server, it never needs to receive packets on ports lower than 1024. Configure your router to filter these out. When your server acts as a client -- sending e-mail via SMTP to a remote port 25, for example -- you create rules to allow such traffic. Details on the attack and Gibson's fix are available at www.grc.com/dos/packetbounce.htm. Send tips to brian@brianlivingston.com. He regrets that he cannot answer individual questions. Go to www.iwsubscribe.com/newsletters to get his Window Manager column and E-Business Secrets e-zine free via e-mail.  RELATED SUBJECTS  SecurityMORE > SPONSORED WHITE PAPERS 
SPONSORED LINKS
|
|||||||||||||||||||||||||||||||||||||||||
|
||||||||||
|
||||||||||
