InfoWorld
Window Manager
Brian Livingston
A packet bounce attack

MY MOST RECENT columns have dealt with major security holes in Windows XP and Microsoft's Web server. And I cited free utilities by security expert Steve Gibson that can help you avoid these problems.

Ironically, while I was interviewing Gibson, he experienced a serious hack that briefly knocked his own site off the Internet. Fortunately you can give yourself a "booster shot" against this threat.

The assault, which Gibson calls a packet bounce attack, takes advantage of the difference between "service ports," the well-known ports numbered 0 through 1023 on which Internet servers listen, and "client ports," the ports numbered 1024 and up from which clients open their connections.

The Web site of Gibson Research, www.grc.com, was shut down on Jan. 11 by an overwhelming flood of IP data. Millions of bogus packets were streaming in from services such as the Border Gateway Protocol (port 179), Telnet (23), the Domain Name System (53), SSH (Secure Shell; 22), and HTTP (80). Because only Gibson's domain and two others that he knows of so far have been hit, it suggests that the attackers are testing a new weapon before rolling it out against other victims.

Shockingly, "these flooding packets were coming from the Internet's core routers," Gibson says. "Our own ISP's routers were 'attacking' us, as were the routers of other large ISPs, a few of the main DNS root servers, and many of the Web servers belonging to Yahoo.com."

It's important to note that none of these servers was compromised. Yahoo executives did not respond to a request for comment, but there is no indication that its servers were doing anything other than operating normally.

The author of the attack falsified the source address of the initial packets so they seemed to come from grc.com's own IP address. Each server that received such a packet, a TCP connection request (SYN), therefore answered the way any server does: it sent its reply (SYN/ACK) back to grc.com and, when the acknowledgment it expected never arrived, retransmitted that reply several more times. One forged packet thus produced several packets at the victim. None of the servers was overwhelmed or experienced a DDoS (distributed denial of service) itself, so the exploit triggered no alarms on their end. The end result, however, was devastating. Gibson says his domain was subjected to more than 1 billion packets during the course of the offensive.

Security consultant David Dittrich says a similar assault, which he calls a reflector attack, crippled Register.com in January 2001, but "there may be a new [D]DoS program 'in the wild' to implement this attack." More on this is at www.staff.washington.edu/dittrich/misc/ddos/grc-syn.txt.

Gibson's solution? Reflected packets come from the service port the reflector was listening on, so they all carry a source port below 1024, while legitimate visitors to a server connect from client ports of 1024 and up. A server acting purely as a server therefore never needs to accept inbound packets whose source port is lower than 1024; configure your router to filter these out. When your server also acts as a client -- sending e-mail via SMTP to a remote port 25, for example -- the replies come back from port 25, so you add rules to admit that traffic, ideally only for connections the server itself opened. A stateful filter does this automatically; a static exception for port 25 reopens that one port to reflection.
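To make the mechanism and the fix concrete, here is an added simulation that is not code from the column, from Gibson Research, or from Dittrich's write-up: forged SYNs are "reflected" by well-behaved servers as retransmitted SYN/ACKs, and a filter at the victim's edge applies the source-port rule described above, with the client-side exception for a connection the server opened itself. Addresses come from the documentation ranges, the reflector list, the retransmission count and every packet are constructed for the example, and no real traffic is sent.

```python
"""Packet bounce (SYN reflection) attack and the source-port filter, simulated.

Added example; not code from InfoWorld, Gibson Research or Dittrich.
Hosts, ports and retransmission counts are assumptions; packets are tuples.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")

VICTIM = "192.0.2.10"  # stand-in for the attacked server (constructed)
# Well-behaved Internet hosts listening on service ports (constructed)
REFLECTORS = [("198.51.100.1", 179), ("198.51.100.2", 23),
              ("198.51.100.3", 22), ("198.51.100.4", 80)]
# A TCP stack retransmits an unanswered SYN/ACK a few times; 3 is assumed.
SYNACK_RETRIES = 3


def spoofed_syns(per_reflector):
    """Attacker: SYNs whose source address is forged to be the victim's."""
    return [Packet(VICTIM, 1024 + i, host, port, "S")
            for host, port in REFLECTORS for i in range(per_reflector)]


def reflect(syns):
    """Each reflector answers with SYN/ACK, then retransmits it because the
    ACK it expects never comes (the victim never sent the SYN)."""
    return [Packet(p.dst, p.dport, p.src, p.sport, "SA")
            for p in syns for _ in range(1 + SYNACK_RETRIES)]


def amplification(per_reflector=10):
    """Inbound packets at the victim per forged packet the attacker sent."""
    syns = spoofed_syns(per_reflector)
    return len(reflect(syns)) / len(syns)


class EdgeFilter:
    """Gibson's rule at the victim's edge: drop inbound packets whose source
    port is below 1024, except replies to connections this host opened."""

    def __init__(self):
        self.initiated = set()  # (remote host, remote port, our port)

    def note_outbound(self, p):
        """Record a connection the victim itself starts (client role)."""
        if p.src == VICTIM and p.flags == "S":
            self.initiated.add((p.dst, p.dport, p.sport))

    def accept(self, p):
        if p.sport >= 1024:
            return True  # client-port traffic: ordinary visitors
        return (p.src, p.sport, p.dport) in self.initiated


def accept_naive(p):
    """The rule without the client-side exception: it also drops the
    replies to the victim's own outbound SMTP connections."""
    return p.sport >= 1024


def run_demo(per_reflector=10):
    """Run the flood plus two legitimate packets through both filters."""
    f = EdgeFilter()
    # The victim sends mail: SYN from a client port to a remote MTA on 25.
    smtp_syn = Packet(VICTIM, 40000, "203.0.113.5", 25, "S")
    f.note_outbound(smtp_syn)
    smtp_reply = Packet("203.0.113.5", 25, VICTIM, 40000, "SA")
    # An ordinary visitor to the victim's web server.
    visitor = Packet("203.0.113.9", 51234, VICTIM, 80, "S")
    flood = reflect(spoofed_syns(per_reflector))
    return {
        "flood_inbound": len(flood),
        "flood_passed": sum(f.accept(p) for p in flood),
        "smtp_reply_passed": f.accept(smtp_reply),
        "smtp_reply_passed_naive": accept_naive(smtp_reply),
        "visitor_passed": f.accept(visitor),
    }


if __name__ == "__main__":
    print(f"amplification: {amplification():.0f}x")
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The numbers that matter are the amplification factor (1 + SYNACK_RETRIES reflected packets per forged packet, 4x here) and the two filter results: every reflected SYN/ACK is dropped because it arrives from a service port the victim never contacted, while the SMTP reply survives only in the version that remembers outbound connections, which is the case a plain "drop source port < 1024" rule would break.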

Details on the attack and Gibson's fix are available at www.grc.com/dos/packetbounce.htm.

Copyright 2002 InfoWorld Media Group, Inc.