The Bay Area DDoS Working Group, which includes Internet industry giants across the country, will discuss a "best practices" document being drafted that advises sites and Internet service providers (ISPs) how to respond when under a distributed denial-of-service (DDoS) attack. In a DDoS attack, the perpetrator coordinates a flood of bogus queries to a Web server, overloading its capacities.
The group formed when victims of February's DDoS outbreak banded together in a high-tech survivors' support group, advising one another on how to cope with future attacks and calling in experts and allies for help.
Group members participating in today's panel include eBay, Yahoo, Check Point Software, Internet Security Systems (ISS), Network ICE and Recourse Technologies. Others of the working group's more than 60 members include Amazon, E*Trade, Buy.com, Cisco Systems, Lucent Technologies, IBM, Hewlett-Packard, Microsoft, America Online, Exodus, AboveNet, Sprint and UUNet. The panel coincides with this week's NetWorld+Interop trade show in Atlanta but is being held independently at the Ritz-Carlton.
Whatever degree of secrecy the consortium maintains, the diversity of its membership could signal improved cooperation between ISPs and Web sites. Many security analysts fault ISPs for not being sufficiently involved in DDoS prevention and damage control.
"Stopping denial-of-service attacks is hard, but there are certain basic steps that, if all the ISPs took them, would make it so much harder for the bad guys," said Jeff Schiller, a network manager at the Massachusetts Institute of Technology who will present a tutorial on network security at N+I.
Schiller and others cited as one example the implementation of ingress and egress filtering, which ensures that packets entering or leaving a network do not carry the spoofed source (return) addresses that DDoS attackers typically use to cover their tracks.
This kind of filtering is the subject of a request-for-comment advisory at the Internet Engineering Task Force (IETF), an influential standards body. That document, written by Cisco, was posted in January 1998.
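The two checks Schiller describes, shown here as an added example that is not part of this article or of the IETF document it mentions: a small Python model of provider-side ingress filtering (a packet arriving on a customer interface must carry a source address from that customer's assigned prefix) and site-side egress filtering (a packet leaving a site must carry one of the site's own addresses). The topology, interface names, addresses (all from documentation ranges) and function names are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed, hypothetical topology: an ISP edge router with two customer-facing
# interfaces. Each interface should only ever see source addresses from the
# prefix(es) assigned to that customer; anything else is a spoofed source.
CUSTOMER_PREFIXES: Dict[str, List[ipaddress.IPv4Network]] = {
    "cust-a": [ipaddress.ip_network("192.0.2.0/24")],
    "cust-b": [ipaddress.ip_network("198.51.100.0/25"),
               ipaddress.ip_network("198.51.100.128/25")],
}

# Address block owned by a single site (hypothetical). Egress filtering at the
# site's own border drops outbound packets whose source lies outside it, so a
# compromised host inside cannot forge addresses the site does not own.
SITE_PREFIX = ipaddress.ip_network("203.0.113.0/24")


@dataclass(frozen=True)
class Packet:
    interface: str   # interface the packet arrived on
    src: str         # claimed source address
    dst: str         # destination address


def _parse(addr: str):
    """Return an ip_address object, or None if the string is not an address."""
    try:
        return ipaddress.ip_address(addr)
    except ValueError:
        return None


def ingress_allowed(pkt: Packet, table=CUSTOMER_PREFIXES) -> bool:
    """Provider-side check: accept only if the source belongs to a prefix
    assigned to the arrival interface. Unknown interfaces and malformed
    addresses fail closed (drop)."""
    src = _parse(pkt.src)
    if src is None:
        return False
    prefixes = table.get(pkt.interface)
    if not prefixes:
        return False
    # 'in' is False for a version mismatch (e.g. IPv6 source vs IPv4 prefix).
    return any(src in p for p in prefixes)


def egress_allowed(pkt: Packet, site=SITE_PREFIX) -> bool:
    """Site-side check on outbound traffic: the source must be the site's own."""
    src = _parse(pkt.src)
    return src is not None and src in site


def apply_ingress(packets: List[Packet]) -> Tuple[List[Packet], List[Packet]]:
    """Split a batch of arriving packets into (accepted, dropped)."""
    accepted: List[Packet] = []
    dropped: List[Packet] = []
    for pkt in packets:
        (accepted if ingress_allowed(pkt) else dropped).append(pkt)
    return accepted, dropped


# Constructed sample traffic: two legitimate packets and four that the
# ingress filter should drop.
SAMPLE_INGRESS = [
    Packet("cust-a", "192.0.2.10", "203.0.113.5"),       # legitimate
    Packet("cust-b", "198.51.100.200", "203.0.113.5"),   # legitimate, second prefix
    Packet("cust-a", "198.51.100.7", "203.0.113.5"),     # spoofed: cust-b's space on cust-a
    Packet("cust-a", "10.0.0.1", "203.0.113.5"),          # spoofed: private source
    Packet("cust-b", "203.0.113.9", "203.0.113.5"),       # spoofed: victim's own range
    Packet("unknown0", "192.0.2.11", "203.0.113.5"),      # unconfigured interface
]


def ingress_drop_count() -> int:
    """Number of sample packets the ingress filter rejects."""
    return len(apply_ingress(SAMPLE_INGRESS)[1])


if __name__ == "__main__":
    acc, drp = apply_ingress(SAMPLE_INGRESS)
    for p in acc:
        print("ACCEPT", p.interface, p.src)
    for p in drp:
        print("DROP  ", p.interface, p.src)
    out = Packet("lan0", "192.0.2.9", "198.51.100.1")
    print("egress", out.src, "->", "ACCEPT" if egress_allowed(out) else "DROP")
```

The ingress table is keyed by arrival interface rather than by a global list of valid prefixes: that per-interface binding is what turns a reachable address into an unspoofable one, since a customer cannot originate traffic on a neighbour's port. Both checks fail closed on unknown interfaces and unparsable addresses.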
A related effort at the IETF is the iTrace working group, whose goal is to improve the tracing of Internet packets as they traverse the Internet.
Working-group members sought to downplay expectations in advance of the panel, noting the inherently intractable nature of DDoS attacks and the collective need of the group to keep its defense strategy under wraps.
"Right now, the problem is that we're powerless to stop DDoS attacks," said Robert Graham, chief technology officer of Network ICE, which sells network intrusion-detection systems. "There are ways you can attack machines that cannot be stopped."
The working group is concentrating on less-than-surefire solutions, such as improving methods of tracing the source of DDoS attacks.
Other panelists also sought to minimize expectations for today's event, noting that for strategic reasons the group would be keeping silent about its main findings, as it has kept the organization itself for most of the past seven months.
"There is not going to be blockbuster information revealed at the panel," said eBay representative Kevin Purseglove. "For the most part, the working group will continue to maintain its confidentiality because there is some concern that we do not want to disclose anything that we have learned that would tip our hand to those individuals who would repeat the attacks against eBay and other sites."
The working group meets as one of its members, ISS, warns of new mutations of the original Trinity and Stacheldraht DDoS tools implicated in February's attacks. Two variants, Stacheldraht 1.666+antigl+yps and Stacheldraht 1.666+smurf+yps, along with a variant of Trinity dubbed entitee, have been observed in use on the Internet.
The new versions provide for new types of attacks and come with different encryption, according to ISS. That new encryption has bugs, however, which the company says will aid its efforts to counter the tools.
In bad news for Web sites--but apparently good news for security firms such as ISS--new versions of DDoS attacks and tools show no signs of letting up.
"It's like computer viruses," said Chris Rouland, in charge of ISS' research and development team. "There are going to be new ones all the time."