to help enterprise security across Europe
The resource centre for busy senior executives seeking the latest insights into IT Compliance & Privacy issues for major organizations
 
sarbaines oxley ofcom communications regulator
Latest Resources      data protection register
compliance resources privacy resource center

Breaking Global News
Global Compliance and Privacy News
- Breaking News, updated every 30 minutes
•   Compliance, Privacy and Security
•  Money Laundering
•  Phishing
•  Regulatory Issues
•  SOX, Basel 2, MiFID


You Tell Us:
S
S
L

T
E
C
H
N
O
L
O
G
Y
We use SSL Technology for web data entry points:

Always
Sometimes
Never
What is SSL?

News
Are Smartphones Endangering Security? - Wick Hill
Dealing with Internet Security Threats - Ian Kilpatrick
How the New EU Rules on Data Export Affect Companies in and Outside the EU - Thomas Helbing
Farmers' Data Leak Highlights Old Technology Use - Wick Hill
Saving Money with SFTP - Wick Hill
UK Information Commissioner targets firm selling vetting data - Eversheds e80
12 Key Steps to Internet Security - Wick Hill
Telephone Monitoring Legality in the UK - Dechert
Firewall or UTM - Wick Hill
UK Information Commissioner demands mobile device encryption - Eversheds e80
Data loss - liability, reputation and mitigation of risk - Eversheds e80
Phorm, Webwise and OIX - BCS Security Forum
The challenges of PCI DSS compliance - Thales, Russell Fewing
"Quality" Data Vendor Spams us! Editor astounded!
National Gateway Security Survey 2008 - Wick Hill
Unified Threat Management - Watchguard Technologies

news archives
:
0 | 1 | 2 | 3 | 4 | 5 |
6 | 7 | 8 | 9 | 10 | 11 |
12 | 13
[What is this?]

Industry Blogs
Tim Berners Lee's Blog
Tim Callan's SSL Blog
Davis Wright Tremaine's Privacy & Security Law Blog
Emergent Chaos Blog
Michael Farnum's Blog
Phillip Hallam-Baker's Blog - The dotFuture Manifesto: Internet Crime, Web Services, Philosophy
Stuart King's Security and Risk Management Blog
David Lacey's IT Security Blog
Metasploit Official Blog
Jeff Pettorino's Security Convergence Blog
Jeff Richards's Demand Insights Blog
David Rowe's Risk ManagementBlog
Bruce Schneier's Security Blog
Larry Seltzer's Security Weblog
Mike Spinney's Private Communications Blog
Richard Steinnon's Threat Chaos Blog
The TechWeb Blog
Tim Trent's Marketing by Permission Blog
Rebecca Wong 's DP Thinker Blog

Newsletters
23 February Newsletter
Newsletter Archives are located in "News"

Industry Update
Internet Security Intelligence Briefing - November 2005
Find out the latest trends in e-commerce, web usage & the latest threats from adware/Spyware

Reports
Phorm, Webwise and OIX
- BCS Security Forum

'The Any Era has Arrived, and Everyione has Noticed' - Stratton Sclavos - VeriSign
Identity Security - Time to Share
Malicious code threats - iDefense
Public Alerts - updated as they happen from Stopbadware.org
Public Alerts - updated as they happen from Websense
Public Advisories - updated as they happen, from iDefense
Phoraging - Privacy invasion through the Semantic web: a special report by Mike Davies of VeriSign

Legislation
Privacy Laws & Business International E-news, Issue 57
Privacy Laws & Business UNited Kingdom E-news, Issue 60

Security Reviews
February 2007 - VeriSign Security Review
The security review archive is here

Case Studies
Finance Industry
Case Study Example

A case study on a Finance industry company.

White Papers
VeriSign® Intelligent Infrastructure for the 21st Century
VeriSign® Intelligent Infrastructure for Security
VeriSign® Intelligent Infrastructure: An Overview
Identity Protection Fraud Detection Service - description of the service
Life of a Threat - Video on Threat Management Lifecycle
Optimizing Enterprise Information Security Compliance - Dealing with all the audits
For a full list of all whitepapers, visit our Whitepaper library

Legal Notices
Privacy Policy
Terms of use

basel 2 sarbanes oxley
    legislation
data controller notification binding corporate rules BCR data transfer third countries third part data transfer basel 2 regualtor regulation regulate FSA banking network security RSA encryptin algorithm Bits sacked bank staff
Blogs compliance Reports compliancy Legislation Data Protection Case Studies data privacy White Papers data protection act News information commissioner Events security standards Links information security iDefense
Retail Solutions

New Denial of Service Attacks Worry Security Industry

compliance and privacy

Current News Updates

New Denial of Service Attacks Worry Security Industry

There is a new kind of denial-of-service (DoS) attack hitting the Internet these days, and it has the internet security industry very worried.

The unusually powerful attacks strike at the basic structure of the Net, exploiting the computers that manage online traffic and using them to overwhelm Web sites. The effects are similar to more traditional DoS attacks, but the newer technique by hackers is far more potent because it launches using fewer hacked computers and the ensuing attack is easily amplified to be far more overwhelming.

The new form of attacks emerged at the end of December 2005 and accelerated in January before settling down about mid-February, said VeriSign Chief Security Officer Ken Silva.

He said some 1,500 separate Internet domains have been attacked using the new method. Comparing the attacks to those in October 2002 when nine of the 13 computer "root" servers used to manage all Internet traffic were the object of a massive attack, Silva said that the new attacks were "significantly larger than what we saw in 2002, by an order of magnitude."

DNS Servers “Made to do the Attacking”

Before this new threat emerged, DoS attacks relied on a network of computers that were used to swamp servers with a deluge of seemingly legitimate network traffic. When successful, these attacks caused the victim's server to crash as it frantically tried to respond to the overwhelming number of requests. Recent DoS attacks have been used to disrupt the sites of large corporations and extort money from Web site owners.

The latest series of DoS attacks use a set of compromised computers that send out a torrent or queries; however, the difference is that those queries are sent to the domain name system (DNS) servers with a forged return address that ends up directing responses to the intended victim's servers.

Instead of the bots causing havoc, it is the DNS servers themselves that end up attacking the targeted Web sites. The DNS servers are performing their normal function as the directory service for the Internet and ensuring that requests for data are routed to the correct site. The resulting attacks, according to Silva, are therefore stronger and more difficult to stop.

Sites Swamped with Apparently Valid Traffic

Because the returned results contain significantly more information, often up to seventy three times more, than the original request, the victim's network receives thousands of fraudulent messages that amount to gigabytes of information, thus making it far more powerful than a standard DoS attack.

Although it is possible to prevent or stop DoS attacks by blocking the Internet addresses from which the attacks originate, it is not a simple process to block these new DNS attacks, said Frost & Sullivan analyst Rob Ayoub. For the most part, he said, all a business can do is carefully monitor its traffic, have benchmarks in place, check out any spikes, and limit traffic or block specific requests if it needs to.

"These are very difficult to defend against because of the unique method of attack," he said. "Attacking the basic infrastructure we all rely upon is what has made the attacks more effective." However, Ayoub suggested, companies responsible for the DNS servers can reconfigure them to circumvent some of the issues that give rise to the new breed of attack.

"This solution is done manually and is very time-consuming," Ayoub pointed out. "DNS servers are something people don't want to mess with because they control whether people can get to sites on the internet."

A DNS Server in lay terms takes your request to visit (eg) complianceandprivacy.com, and points it at the IP address where that site resides. It's pretty much like an automated, interactive phone book. Without them the internet would be a set of unmemorable numbers, not memorable (or otherwise!) domain names.

Internet users and business owners will see more of these types of attacks, Ayoub predicted, due to the relative ease with which they can be executed. But Ayoub did point out that the attacks might end up having a positive effect on the Internet by forcing engineers to go back and look at some of the basic elements of the Net. The recent spate of attacks, said Ayoub, highlight the fact that the Internet was not designed with security in mind.

Internet Was Never Designed for Security

"We rely on the Internet for so many things and it really wasn't designed for security," Ayoub said. "We will have to get people smarter than us together to change things, and, unfortunately, that probably won't happen until there are more attacks and things get much worse."

Discuss This Article

 


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.