Even though apprehended criminals now face the prospect of up to ten years in jail, UK companies cannot afford to rely on legislation alone (including the Police and Justice Act 2006) to combat the ever-growing number of Denial of Service (DoS) attacks. Soeren Bech explains why the time to take swift action is nigh.

The internet statistics compendium published by E-Consultancy just prior to Christmas suggests that there are now 1.21 billion Internet users worldwide. Many (if not all) use e-mail, of course. It is a vital tool for almost every business, but one whose development has been rapid and, it must be said, unplanned. Most e-mails flying around cyberspace consist not of essential business messages or even personal correspondence, but rather unwanted ‘spam’.

A recent survey conducted by the European Commission suggests that around 80% of inbound e-mail traffic is spam mail. Most conventional spam is purely commercial in its content, but a growing percentage of such mail will be designed to cause maximum damage to a given company and its IT infrastructure.

Denial of Service attacks delivered over e-mail (also commonly referred to as ‘DoS attacks’, ‘mail bombing’ or ‘flooding’) attempt to overwhelm a company’s servers by bombarding them with huge volumes of inbound mail, which can then bring down the network. The short-term inconvenience for the host organisation is overshadowed by the fact that downtime can lead to the loss of vast amounts of revenue, even bringing a company down.

DoS attacks have steadily become more sophisticated in the past few years as the level of attack automation has increased. Sample and fully-functional attack software is readily available on the Internet, while pre-compiled, ready-to-use programs enable novice ‘spammers’ to launch large-scale attacks even though they have little knowledge of the underlying security exploits. Equally, the advent of remote-controlled networks of ‘zombie’ computers has made it more difficult than ever to stop mail bombing.

There was a swathe of attacks in 2006. Last June, for example, UBS IT worker Roger Duronio was charged with using the ‘logic bomb’ computer virus to cause more than $3 million worth of damage to the company’s computer network simply because he was unhappy with his bonus payment!

More recently, a teenager who had been sacked from his company bombarded his former bosses with millions of hoax e-mails. At first he was cleared of a DoS attack, mostly because judges have been confused about how to charge such miscreants. However, the ruling was overturned last August, when the youth became the first person to be convicted of DoS offences under the Computer Misuse Act. With the new Police and Justice Act introduced in November, the teenager faced up to ten years in prison... but was given a two-month curfew.

The Police and Justice Act

If the Police and Justice Act is attempting to counter the growing, malicious and costly threat of DoS attacks, what does it involve and to what extent will it be successful?

The Act has been passed into law to help modify policing measures in the UK while building safer communities and updating existing laws (including the Computer Misuse Act 1990). It now covers DoS attacks, and has increased the maximum sentence for ‘unauthorised access to information’ from six months to two years’ imprisonment. A ten-year sentence has been introduced for the offence of ‘unauthorised acts with intent to impair the operation of a computer’.

In spite of this increase in legal restrictions, such measures will do little to deter the authors of DoS attacks. Legislation is great for easing the minds of organisations that do not possess a strong enough set of tools to defend against DoS attacks; sadly, that means the majority of today’s businesses. If hit by an e-mail DoS attack, company security and IT managers block the sending IP address to prevent the attack... but may end up blocking all incoming mail. Many don’t even know when they have been hit!

The Police and Justice Act has introduced a new offence of ‘making, supplying or obtaining articles for use in computer misuse offences’, which carries a maximum sentence of two years in jail.

By their very nature, DoS attacks cannot be prevented at an Internet-wide level. They take on the appearance of legitimate e-mails and, as such, are invisible to many of the information security measures currently offered by Internet Service Providers (or ISPs, as they’re commonly known). One effective method for determining legitimate e-mails is to compare the addressee with entries in a company’s directory. If the addressee is listed, the e-mail could still be spam, but the majority of illegitimate e-mail traffic would remain undelivered.

Understandably, businesses will be reluctant to hand over their directory to third parties, even if this might improve their information security defences. However, companies can deploy solutions at the perimeter of their network(s) that will filter out malformed SMTP packets and DoS attacks (identified by the messages originating from a single IP address, or from a small number of them).

So-called ‘edge-based systems’ examine the sender’s IP address and the ‘envelope’ headers of an e-mail message to detect ‘dark’ traffic. If the message is rejected, the content simply never reaches the content filtering systems, let alone the corporate e-mail servers.

As an edge-based system reviews only envelope data, it will typically be five or six times faster than a content filter with a similar configuration. Combining a single content filter system with an edge-based filter should be every bit as effective as six stand-alone content filters. By blocking more illegitimate e-mail, the combined filters will also save on storage and processing needs, further bolstering the Return on Investment. Moreover, only edge-based systems can pick up and block DoS attacks. By the time messages reach the content filters, it’s already too late to stop a ‘bombing’.
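The two envelope-level checks described above, recipient validation against the company directory and per-source volume detection, can be combined in one filter that decides before any message body is read. The following is an added illustration written for this article, not code from any product it mentions; the directory entries, IP addresses, thresholds and event timeline are all constructed.

```python
from collections import Counter, defaultdict, deque

# Constructed directory of valid local recipients (hypothetical domain).
DIRECTORY = {"alice@example.com", "bob@example.com"}


class EdgeFilter:
    """Envelope-only filter: looks at the sender IP and RCPT TO address,
    never at message content, so it can refuse a flood before any body
    is accepted or handed to the content filters."""

    def __init__(self, directory, max_per_window, window_seconds):
        self.directory = {a.lower() for a in directory}
        self.max_per_window = max_per_window
        self.window = window_seconds
        # ip -> timestamps of recent envelope attempts (sliding window)
        self.seen = defaultdict(deque)

    def check(self, ip, rcpt, now):
        """Return (accepted, reason) for one envelope attempt."""
        q = self.seen[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop attempts outside the window
            q.popleft()
        if len(q) > self.max_per_window:        # one source, many messages: flood signature
            return False, "rate"
        if rcpt.lower() not in self.directory:  # addressee not in the company directory
            return False, "unknown-recipient"
        return True, "ok"


def run(events, directory=DIRECTORY, max_per_window=5, window_seconds=60):
    """Replay (timestamp, ip, rcpt) envelope events; return per-event verdicts."""
    f = EdgeFilter(directory, max_per_window, window_seconds)
    return [(ip, rcpt, *f.check(ip, rcpt, t)) for t, ip, rcpt in events]


def summarize(results):
    """Count verdicts by reason, giving an operator a simple 'are we being hit?' signal."""
    return dict(Counter(reason for _, _, _, reason in results))


# Constructed timeline: eight messages in 14 seconds from one address (a small
# mail bomb), then two ordinary messages from another source.
SAMPLE_EVENTS = [(t, "203.0.113.10", "alice@example.com") for t in range(0, 16, 2)]
SAMPLE_EVENTS += [(20, "198.51.100.5", "bob@example.com"),
                  (21, "198.51.100.5", "carol@example.com")]

if __name__ == "__main__":
    print(summarize(run(SAMPLE_EVENTS)))
```

With the constructed timeline, the sixth and later messages from the flooding address are refused on rate alone, the message to an unlisted addressee is refused on the directory check, and everything else passes through to the content filter.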

The threat from within

Company e-mail security shouldn’t be restricted to inbound traffic. Outbound e-mail is every bit as important. Organisations should never ignore ‘the threat from within’: the mistakes or deliberate actions of employees that may cause untold damage. In particular, employee use of e-mail and file exchange should be more closely monitored.

Even if there is some form of e-mail security policy in place (which, to be honest, is still a rarity), companies remain at risk from web-based e-mail services such as Hotmail, which could offer a back door for unchecked data transfer. Many companies also still run unmanaged, unsecured file transfer services. This is equivalent to leaving the front door unguarded and allowing visitors to enter and exit at their discretion.

There has been a rise in the range of messaging-related threats to organisations. These range from an employee routinely sending sensitive information to Hotmail accounts, or business information across unsecured communication channels, through to deliberate or unintentional security breaches of FTP traffic. In these cases, highly sensitive information can be compromised.

Every company must have e-mail usage policies and systems in place to manage access and distribution rights. Failure to do so could mean the end of the business altogether.