Network Intrusion Detection, Third Edition.pdf
This much firepower has a couple of uses. You can threaten to blow almost any site off the Internet. By February 2002, two years after the original distributed denial-of-service (DDoS) attacks against high-end web sites like CNN and Yahoo, attackers were going after ISPs. In February, when the SANS Institute was funding a webcast about a free new Cisco router security configuration tool, the ISP streaming the webcast, Digital Island, reported it was hit with a denial-of-service attack that disrupted the webcast. And the attackers continued to explore their firepower. As March of 2002 opened, we were seeing test attacks in which sites were knocked off the Internet by running a traceroute, determining the routers the site depended on to reach the Internet, and leveling them. They were also beginning to experiment with TCP port 179, the port used by BGP. As I write this, I cannot know the future, but from the close of February 2002, my way-out-on-a-limb guesses would be that two things seem likely:

The attackers are not going to be able to resist testing out this firepower. Some will just be in it for the money and will try extortion, threatening to disrupt e-business sites like eBay or Amazon. Others will be more interested in a grand stunt, probably against the two exposed services on the Internet, routing and DNS; and if you can take out routing, DNS falls naturally. Our best analysis says you cannot take down the entire Internet, because it is made up of too many independent parts.

The government is going to do the only thing it can do—make it a serious criminal penalty to run these kinds of attacks. This has already started with the laws that passed after 9/11, but if the attackers do pull a bold stunt, lawmakers around the globe will probably have to respond.

This is not to say that all is gloom and doom—far from it. The threat might be reaching its highest point in a few months, but there appears to be some natural limits to the growth.

Defending Against the Threat

There are countermeasures and limits to the increasing threat. In this section, we will first discuss the natural limits and then consider the development of skills and tools for defenders. The community is also making progress in understanding and implementing defense in depth, and we are deploying intrusion detection at large scale so that trends can be seen quickly. The good news is that the attackers are about to run into some limits that ought to slow them down a bit. What limits?

The current DDoS attack tools, such as Leaves and Litmus, use Internet Relay Chat (IRC) for command and control. This is both their strength and their weakness. At some point, the community is going to wise up and start blocking this type of protocol. There are countermeasures that the attackers can and will take, but these can and will be contained.
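Blocking the protocol is one option; seeing it first is another. The detector below is an added example, not code from the book: it scans constructed flow records for internal hosts that each hold a long-lived session to the same external IRC server, the pattern an IRC-controlled DDoS agent network leaves behind. The IRC port list, the duration threshold and the host-count threshold are assumptions.

```python
# Added example (not from the book): flag internal hosts that keep long-lived
# outbound sessions to one external IRC server, the command-and-control
# channel the text describes for DDoS agents. Record format and data are constructed.
from collections import defaultdict
from ipaddress import ip_address, ip_network

IRC_PORTS = {6666, 6667, 6668, 6669, 7000}  # assumption: common IRC ports
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]

# Constructed flow records: src_ip,dst_ip,dst_port,duration_seconds
SAMPLE_FLOWS = """\
10.0.4.17,203.0.113.9,6667,7200
10.0.4.23,203.0.113.9,6667,6900
10.0.4.31,203.0.113.9,6667,7100
10.0.5.2,198.51.100.20,80,3
10.0.5.2,203.0.113.9,6667,15
192.168.1.8,198.51.100.44,443,40
"""


def parse_flows(text):
    """Parse CSV flow lines into (src, dst, port, duration) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        src, dst, port, dur = line.split(",")
        flows.append((ip_address(src), ip_address(dst), int(port), int(dur)))
    return flows


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def find_irc_controllers(flows, min_duration=600, min_hosts=2):
    """Return {external server: sorted internal hosts} for servers holding
    long-lived IRC sessions from several internal hosts at once."""
    by_server = defaultdict(set)
    for src, dst, port, dur in flows:
        if (is_internal(src) and not is_internal(dst)
                and port in IRC_PORTS and dur >= min_duration):
            by_server[str(dst)].add(str(src))
    return {srv: sorted(h) for srv, h in by_server.items() if len(h) >= min_hosts}


if __name__ == "__main__":
    for server, hosts in find_irc_controllers(parse_flows(SAMPLE_FLOWS)).items():
        print(f"possible IRC C&C server {server}: {', '.join(hosts)}")
```

The short 15-second session from 10.0.5.2 falls below the duration threshold and is not reported, which keeps a user briefly joining a chat channel from looking like an agent.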

A large number of scans depend on public addresses. Every time an organization switches to a NAT and private addresses, it becomes just a little bit harder for attackers.

Many of the attack networks we are currently facing are a result of the Leaves (via
