Tuesday March 09 , 2010

Denial of Service

The Challenge

Denial of service is a complex problem in computer security that has to be addressed not just in Java, but across the whole network infrastructure. Successful denial-of-service attacks have been mounted against ISPs by exploiting weaknesses in TCP/IP, the life blood of the Internet. Java is not immune to the denial of service problem either.

One of the biggest ongoing challenges in networking continues to be the struggle against distributed denial of service (DDoS) attacks. Unlike a single-source denial of service (DoS) attack, which can usually be contained by filtering all packets from the offending source IP address, a DDoS attack includes traffic generated by large numbers of hosts. These hosts may be in multiple geographic regions and are often served by multiple ISPs, so there is no single address or upstream provider to filter.

The intent of these attacks is the same: to overwhelm Internet sites with so many packets that they lose connectivity, disrupting operations and potentially causing large financial losses. Sites under attack may find all their bandwidth consumed, or simply that their firewalls or servers cannot withstand so much traffic. Occasionally attackers will find an actual weakness or vulnerability in the site, but this is not necessary for a DDoS attack to succeed. Every organization with a public Internet site is a potential DDoS victim.

Reasons behind DDoS attacks include extortion, market competition, political sabotage and even cyber terrorism. The mechanism is usually the same: most attackers use botnets.

Botnets are collections of autonomous software robots, or bots, running on multiple infected computers (sometimes called zombies) without the knowledge or consent of those systems' owners. Located mostly on Windows PCs, bots wait in hiding until their controller secretly signals them. Attackers often use Internet Relay Chat (IRC) channels to command botnets, remotely telling them to generate spam, attack a website or infect other computers (and thus add to the size of the botnet and its value to whoever controls it).

More than a million bots are estimated to exist on the public Internet, and some botnets consist of more than 20,000 infected PCs. When a botnet of that size targets a single website, even the largest sites with huge servers and prodigious bandwidth may not be able to withstand the attack. According to the Computer Security Institute, corporations such as Amazon, Microsoft, Yahoo, CNN and eBay have been victims of DDoS attacks. DDoS attacks are not limited to host computers or Web servers; they have also been directed at DNS servers, email systems and network routers.

A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or people to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers, such as those of banks and credit card payment gateways, and even root nameservers.

One common method of attack involves saturating the target (victim) machine with external communications requests, so that it cannot respond to legitimate traffic, or responds so slowly as to be rendered effectively unavailable. In general terms, DoS attacks are carried out by forcing the targeted computer(s) to reset, by consuming their resources so that they can no longer provide their intended service, or by obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.

Beyond the weaknesses described above, attacks that degrade the performance and availability of a site cannot be tolerated. A distributed denial of service (DDoS) attack is designed to render a computer or network incapable of providing normal service. The most common DDoS attacks target the computer's network bandwidth or connectivity. A website DDoS attack floods one or more of the site's E-commerce servers with so many requests that they become unavailable for normal use: if a legitimate user makes ordinary page requests during the attack, the requests may fail outright, or the pages may load so slowly that the site is unusable. DDoS attacks typically use many computers that simultaneously launch hundreds of thousands of requests at the target website.

Connectivity attacks flood a computer with such a high volume of connection requests that all available operating-system resources (connection-table entries, memory, CPU) are consumed and the computer can no longer process legitimate user requests; excessive HTTP GETs or SSL handshakes are typical examples. DDoS attacks are very hard to stop because the attacking sources are numerous and widely distributed, which defeats conventional source-based filtering. Connectivity attacks are equally devastating because each request is legitimate in format and only the aggregate volume is abnormal.


The Solution


Figure 1. Protecting E-Commerce with Three Dimensional Protection (3DP)

Industry experts classify network security risks into three major threat categories:

  • Malicious content in network traffic, including exploits of Microsoft vulnerabilities, worms, Spyware and other malware;
  • Undesired access to networks or systems, including unauthorized or illegal access;
  • Rate-based attacks on the infrastructure, such as SYN Floods, and other Denial of Service attacks.

To address these three threat categories, an effective solution needs to combine three protection mechanisms:
  • Content-based IPS protection;
  • Stateful firewall filtering;
  • Rate-based attack mitigation.
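The distinction drawn in The Challenge between a single-source DoS attack (which source filtering contains) and a distributed one (which it does not), together with the rate-based mitigation layer listed above, can be made concrete with a small simulation. The following Python is an added example written for this page, not code from the original article or from any IPS product; the traffic, IP addresses, window length and thresholds are constructed assumptions. It runs a sliding-window per-source limit followed by an aggregate limit over two constructed floods and reports what each stage catches and how much legitimate traffic is lost as collateral.

```python
"""Per-source vs. aggregate rate limiting against connection floods.

Added example: thresholds and traffic below are assumptions, not measurements.
"""
from collections import defaultdict, deque

WINDOW = 10.0          # seconds of history each counter keeps (assumed)
PER_SOURCE_LIMIT = 50  # connections one source may open per window (assumed)
AGGREGATE_LIMIT = 200  # connections the server can absorb per window (assumed)

# Constructed traffic (not captured data): (timestamp_s, source_ip, label).
# The label is ground truth for scoring only; the limiter never sees it.
LEGIT = [(j * 0.5, f"192.0.2.{j % 5 + 1}", "legit") for j in range(20)]
# Scenario A: one host opens 300 connections in 9 s (single-source DoS).
SINGLE_SOURCE = [(i * 0.03, "203.0.113.7", "attack") for i in range(300)]
# Scenario B: 300 distinct hosts open one connection each in 9 s (DDoS).
DISTRIBUTED = [(i * 0.03, f"10.0.{i // 256}.{i % 256}", "attack")
               for i in range(300)]


class WindowCounter:
    """Sliding-window counter: events seen in the trailing `window` seconds."""

    def __init__(self, window):
        self.window = window
        self.events = deque()

    def prune(self, now):
        """Drop events older than the window; return the remaining count."""
        cutoff = now - self.window
        while self.events and self.events[0] <= cutoff:
            self.events.popleft()
        return len(self.events)

    def add(self, now):
        """Record an event at `now` and return the current window count."""
        self.events.append(now)
        return self.prune(now)


def mitigate(records, window=WINDOW, per_source_limit=PER_SOURCE_LIMIT,
             aggregate_limit=AGGREGATE_LIMIT):
    """Apply source filtering, then aggregate rate limiting, to connection records.

    Returns counts of what was accepted, what was dropped at each stage,
    how much legitimate traffic was lost and which sources were blocked.
    """
    per_source = defaultdict(lambda: WindowCounter(window))
    server_load = WindowCounter(window)   # connections that reached the server
    blocked = set()
    stats = {"accepted": 0, "source_blocked": 0, "aggregate_shed": 0,
             "legit_lost": 0, "blocked_sources": blocked}
    for ts, src, label in sorted(records):
        # Stage 1: source filtering. A single source exceeding its rate is
        # blocked outright; this is the DoS case the text says is easy.
        if src in blocked or per_source[src].add(ts) > per_source_limit:
            blocked.add(src)
            stats["source_blocked"] += 1
            stats["legit_lost"] += int(label == "legit")
            continue
        # Stage 2: aggregate rate limiting. In the DDoS case no source stands
        # out, so total load is the only signal; excess connections are shed
        # before they consume server resources, legitimate ones included.
        if server_load.prune(ts) >= aggregate_limit:
            stats["aggregate_shed"] += 1
            stats["legit_lost"] += int(label == "legit")
            continue
        server_load.add(ts)
        stats["accepted"] += 1
    return stats


if __name__ == "__main__":
    for name, attack in (("single-source", SINGLE_SOURCE),
                         ("distributed", DISTRIBUTED)):
        s = mitigate(LEGIT + attack)
        print(f"{name}: accepted={s['accepted']} "
              f"source_blocked={s['source_blocked']} "
              f"aggregate_shed={s['aggregate_shed']} "
              f"legit_lost={s['legit_lost']} "
              f"blocked={sorted(s['blocked_sources'])}")
```

In the single-source run the per-source stage blocks the attacker after its 50th connection and no legitimate request is lost. In the distributed run no source ever exceeds its limit, the aggregate stage is the only thing that caps server load, and it sheds legitimate connections along with the flood. That collateral loss is why rate-based mitigation is paired with stateful inspection and content-based checks, as the three-layer approach above proposes, rather than used on its own.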


Figure 2. Protecting e-Commerce infrastructures

In order to best combat the threats posed by undesired access, malicious content, and rate-based attacks (and complex hybrid attacks that use multiple elements of these to circumvent static, one-dimensional security tools), enterprises should select and deploy a network IPS solution that addresses all three in an integrated, mutually-reinforcing fashion.


The Benefit

Return on Investment

Most of our customers who use the IPS 5500 to protect their E-commerce applications tell us that the payback from their IPS investment is immediate. The following are often cited by customers as reasons for a rapid ROI:
  • Eliminates mission-critical server downtime, and therefore maximizes revenue and maintains high customer satisfaction
  • Blocking attacks increases available bandwidth
  • Increases network performance by eliminating unwanted and malicious traffic
  • Reduces the operating expenses of maintaining and running older, ineffective security solutions
  • Allows legitimate transactions to continue to flow even in the face of the most brute-force DoS attacks

Many customers tell us that even one of these reasons can result in a 100% payback in a very short time. When combined, the business case for deploying the IPS 5500 to defend against attacks is compelling and no other IPS solution can claim this level of ROI.