A new enemy for hackers

Berkeley Software Design will soon provide protection from so-called SYN-flood attacks after weeks of shutdowns caused by such assaults.

CNET News staff
Berkeley Software Design will soon provide protection from so-called SYN-flood attacks after weeks of shutdowns caused by a rash of assaults.

The fix, which is free, doesn't stop the "denial of service" attacks but renders them impotent, said Doug Urner, a systems engineer for Berkeley Software Design.

In the past few weeks, hackers have been attacking a few select Internet sites, such as those operated by The Internet Chess Club and New York Internet service provider Panix.com, virtually shutting them down.

The attacks have alarmed systems providers worldwide. The tactic is viewed as more insidious than previous forms of online sabotage because it is simple to perpetrate--often requiring nothing more than the ability to copy computer code from hacker publications--but has been virtually impossible to stop.

In the assault, the perpetrator sends bogus connection requests to the server, keeping it busy trying to verify each request. Because of memory constraints, the server fills up quickly, leaving legitimate users shut out. (See illustration below)

The Berkeley Software patch basically allows the server to accept thousands more connections at once so that a system can weather an attack with enough space available for legitimate users to get on, Urner said.

"In a space where we could have stored a few hundred incoming connections we can now store 10,000 incomplete connections," he said. "You want to make sure you don't run out of resources while you're riding out a significant attack."

Urner is quick to point out that the only real existing solution on the Internet is for each provider to stop attacks from being perpetrated by filtering packets leaving their systems for forged source addresses. If every provider on the Internet did that, the attacks would stop.

While getting universal cooperation may be impossible, Urner is optimistic about widespread cooperation. "The filtering fix is so easy that I think most vendors of networking hardware and software will start making it a standard feature of their products," he said. "I expect this to happen very soon."

Urner said the patch could be out as early as tomorrow, but programmers at Berkeley Software estimate that it will most likely be released Wednesday. He added that the company is happy to release it for free on its Web pages or FTP site.

"The basic fix is not rocket science," he said. "This isn't the place to try to get proprietary advantage. The thing is, it's bad for the Internet."

In a typical connection, the user sends a message asking the server to authenticate it. The server returns the authentication approval to the user. The user acknowledges this approval and then is allowed onto the server.

In a "denial of service" attack, the user sends several authentication requests to the server, filling it up. All requests have false return addresses, so the server can't find the user when it tries to send the authentication approval. The server waits, sometimes more than a minute, before closing the connection. When it does close the connection, the attacker sends a new batch of forged requests, and the process begins again--tying up the service indefinitely.
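The capacity argument behind the patch (a few hundred slots versus 10,000, with forged requests lingering until the server gives up on them) can be checked with a small queue model. This is an added example, not code from the article or from Berkeley Software Design; the tick length, the timeout, the request rates, and the simplification that a legitimate connection completes instantly and never holds a slot are all assumptions.

```python
from collections import deque


def simulate_backlog(capacity, timeout, forged_per_tick, legit_per_tick, ticks):
    """Simulate the server's table of incomplete connections under a flood.

    Per tick: forged entries older than `timeout` ticks are dropped (the
    server stops waiting for the reply that never comes), the attacker's
    batch of `forged_per_tick` half-open entries is admitted while space
    remains, then `legit_per_tick` legitimate clients try to connect.
    A legitimate client that finds a free slot completes the handshake at
    once and is counted as served (assumption: it never occupies a slot);
    one that finds the table full is refused.  Returns (served, refused).
    """
    table = deque()  # expiry tick of each forged half-open entry, oldest first
    served = refused = 0
    for t in range(ticks):
        # Server times out the oldest forged entries.
        while table and table[0] <= t:
            table.popleft()
        # Attacker refills whatever space the timeouts freed.
        for _ in range(forged_per_tick):
            if len(table) >= capacity:
                break
            table.append(t + timeout)
        # Legitimate users only get in if a slot is left.
        for _ in range(legit_per_tick):
            if len(table) < capacity:
                served += 1
            else:
                refused += 1
    return served, refused


def steady_state_half_open(forged_per_tick, timeout):
    """Forged entries the flood can keep in the table at once.

    The server rides out the attack only while this stays below the table
    size, which is the sizing rule the larger table in the patch relies on.
    """
    return forged_per_tick * timeout


if __name__ == "__main__":
    # Constructed scenario: 100 forged requests per tick, 75-tick timeout,
    # 5 legitimate users per tick, observed for 300 ticks.
    for capacity in (200, 10000):
        print(capacity, simulate_backlog(capacity, 75, 100, 5, 300))
    print("steady-state half-open entries:", steady_state_half_open(100, 75))
```

With a 200-slot table the attacker fills it on the second tick and every later legitimate user is refused; with 10,000 slots the flood plateaus at 7,500 entries and every legitimate user is served.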