èƵ

Trick of the net fends off hackers

HACKER attacks designed to bring down websites for days or weeks on end may have met their match, if an idea being patented by IBM can be made to work.

In what is called a distributed denial of service (DDoS) attack, the hacker infects a large number of PCs with a virus that at a given moment tries to contact the target website. This synchronised bombardment ties up the website and effectively forces it offline.

DDoS attacks exploit the internet’s “three-way handshake”. When working normally, a browser trying to contact a site begins by sending a page request. The site responds with a message to the browser acknowledging the request, and the browser completes the handshake with a final acknowledgment message. If one of these stages fails, the request is abandoned, but it cannot expire immediately, otherwise a slight delay on the net would prevent connections being established.

In a DDoS attack, the virus arranges for the browser to send a phoney address, so when the site sends its acknowledgment to that address it doesn’t get a response. When tens of thousands of virus-infected PCs ask for pages simultaneously, the targeted website becomes swamped with half-open connections and is paralysed. As long as infected PCs continue sending spoofed requests faster than connections can expire, the site will be crippled. Shutting down open connections more quickly might be one answer, but this risks cutting off legitimate requests.

IBM’s plan for defeating DDoS attacks is twin-pronged. First, it makes a web server continually monitor delays on the internet, known as its “latency”, by checking the time stamps in all messages coming in and out. All messages which do not complete the handshake within the current latency time have their connections cut off, as they are likely to be spoof requests.

The second line of defence is to continually change, according to a secret pattern, the data ports on the servers that the browsers can connect to. This pattern is only sent to a browser after it has completed the handshake – and proved itself to be legitimate. Connections switch between ports at a speed which suits the internet latency at any given moment: slowly if the net is highly congested, and fast if traffic is moving quickly.

DDoS attackers cannot keep connections open long enough to swamp the site because their connections are disconnected faster than new requests arrive. Legitimate requests hop ports when they complete the handshake and remain connected.

The damage DDoS attacks can do became apparent in January this year, when the website of software house SCO effectively disappeared after the MyDoom computer worm bombarded it with demands for its home page for a full two weeks. According to D. K. Matai of London-based cyber security analyst Mi2g, a global wave of DDoS attacks could now easily cost $1 billion.